Migrate to new private endpoints

Important

This article covers migrating private endpoints for governance solutions from the classic governance portal (https://web.purview.azure.cn) to the Microsoft Purview portal (https://purview.microsoft.com/). If you're building your private endpoint connections for the first time, follow the full private endpoints article instead.

Note

Currently, Azure Data Factory, Azure Machine Learning, and Azure Synapse connections are not supported with the platform private endpoint, and might not work after switching.

Microsoft Purview now supports platform private endpoints for your organization-level account. You can follow these steps to migrate your existing Microsoft Purview account private endpoints to the new platform private endpoints.

Migrate your existing private endpoints

Screenshot of the private endpoint migration experience in the Azure portal.

  1. In the Azure portal, search for and open your Microsoft Purview account.
  2. Select the Networking page.
  3. If it's not already open, select the Upgrade to platform PE tab.
  4. Set up your platform private endpoints
  5. Create managed private endpoint connections to platform private endpoints
  6. Switch your Microsoft Purview API endpoint

Set up your platform private endpoints

For every account private endpoint you'll need to set up a platform private endpoint. All the account private endpoints you have are listed under the step. For each existing endpoint:

  1. In the Azure portal, search for and open your Microsoft Purview account.

  2. Select the Networking page.

  3. If it's not already open, select the Upgrade to platform PE tab.

  4. Select the + Create platform private endpoint button.

  5. In the Create a private endpoint - Basics tab, enter or select the following information:

    | Settings | Value |
    | --- | --- |
    | Project details | |
    | Subscription | Select your Azure Subscription |
    | Resource group | Select your resource group. |
    | Instance details | |
    | Name | Create a unique name. |
    | Network Interface Name | Filled automatically by the instance name. |
    | Region | Selected automatically based on your resource group. |

  6. Once that information is complete, select Next: Resource and in the Create a private endpoint - Resource page, enter or select the following information:

    | Settings | Value |
    | --- | --- |
    | Connection method | Select connect to an Azure resource in my directory |
    | Subscription | Select your subscription |
    | Resource type | Select Microsoft.Purview/accounts |
    | Resource | Select your Microsoft Purview resource |
    | Target subresource | Platform |

  7. Once that information is properly input, select Next: Virtual Network and enter or select the following information:

    | Settings | Value |
    | --- | --- |
    | NETWORKING | |
    | Virtual network | Select your existing virtual network. |
    | Subnet | Select your existing subnet |
    | PRIVATE IP configuration | Select Dynamically allocate IP address. |

  8. Select Next: DNS and enter the following information:

    | Settings | Value |
    | --- | --- |
    | Integrate with private DNS zone | Select Yes |
    | Subscription | Select your subscription where your DNS zone is configured. |
    | Resource group | Select the resource group where your DNS zone is configured. |

  9. Select Next: Tags and on the tags page you can optionally add any tags your organization is using in Azure.

  10. Select Next: Review + create which displays the Review + create page where Azure validates your configuration. When you see the Validation passed message, select Create.

  11. If you configured firewall allowlist rules for your account endpoints ({account-name}.purview.azure.cn), you need to update your firewall configuration for the new platform private endpoints: {tenant id}-api.purview-service.microsoft.com, api.purview-service.microsoft.com
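
The check below is an added example, not part of the original article or of Microsoft's tooling. It audits a firewall FQDN allowlist against the two platform hostnames from step 11 and confirms that a hostname resolves only to private addresses, which is what you should see from inside the virtual network once private DNS integration is in place. The tenant ID, account name, allowlist entries and function names are constructed placeholders.

```python
import ipaddress
import socket

LEGACY_SUFFIX = ".purview.azure.cn"  # account endpoint suffix named in step 11
PLATFORM_HOST = "api.purview-service.microsoft.com"


def platform_fqdns(tenant_id):
    """Return the two platform hostnames listed in step 11."""
    return [f"{tenant_id.lower()}-api.purview-service.microsoft.com", PLATFORM_HOST]


def audit_allowlist(allowlist, tenant_id):
    """Compare a firewall FQDN allowlist with what the migration needs."""
    # Normalise case and a trailing root dot so equivalent names match.
    rules = {r.strip().lower().rstrip(".") for r in allowlist if r.strip()}
    return {
        "missing": [f for f in platform_fqdns(tenant_id) if f not in rules],
        # Legacy rules are still needed until running scans have finished.
        "legacy": sorted(r for r in rules if r.endswith(LEGACY_SUFFIX)),
    }


def resolves_privately(fqdn, resolve=socket.getaddrinfo):
    """True only if every address returned for fqdn is a private address."""
    try:
        infos = resolve(fqdn, 443)
    except OSError:
        return False  # unresolvable: treat the endpoint as not ready
    addrs = {ipaddress.ip_address(info[4][0]) for info in infos}
    return bool(addrs) and all(a.is_private for a in addrs)


if __name__ == "__main__":
    # Constructed sample data: placeholder tenant ID and account name.
    tenant = "00000000-0000-0000-0000-000000000000"
    current = ["contoso-purview.purview.azure.cn", "login.example.test"]
    print(audit_allowlist(current, tenant))
    for name in platform_fqdns(tenant):
        state = "private" if resolves_privately(name) else "NOT private"
        print(f"{name}: {state}")
```

Run it from a machine inside the virtual network that hosts the private endpoint; a public address in the result means traffic for that hostname is not going through the private endpoint.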

Create managed private endpoint connections to platform private endpoints

  1. In the Microsoft Purview portal open the Microsoft Purview Data Map.

  2. Navigate to Source management, and select Managed private endpoints.

  3. Select the pop-up link at the top that says, 'Click here to provision platform managed PE for all your managed VNets'.

  4. Microsoft Purview will create managed platform private endpoints for all your existing managed account endpoints.

  5. Select each approval link to approve the endpoints, or approve them directly by:

    1. In the Azure portal search for your Microsoft Purview account and open it.
    2. Select Networking
    3. Select Private endpoints
    4. Approve the new list of private endpoints.

Switch your Microsoft Purview API endpoint

Now that you've created the required private endpoints, connected your resources, and recreated your scans, you can update your API endpoint. On the networking page, select the Switch endpoint button to switch to the new Microsoft Purview API endpoint for scanning and tenant account access.

The new API endpoint you'll be using is either:

https://api.purview-service.microsoft.com/

https://{your-tenant-id}-api.purview-service.microsoft.com/

Note

The old endpoint will be operational in parallel for users with access to the classic portal. Scans that were already running will continue to use the existing endpoint until they finish. New scans will use the new platform endpoint.

Remove account endpoints

Once all your currently running scans have completed, remove your existing account endpoints to switch completely to your new platform private endpoints.