Unable to update or modify Azure Purview account tags using Terraform

Nikhil Raj 20 Reputation points
2024-12-03T05:50:46.4466667+00:00

I am attempting to update or modify Azure Purview account tags using Terraform, but I am encountering an error indicating that an Azure policy is blocking the operation. We want to identify the deny policy using a Kusto query or data explorer. Could you guide me on how to frame this query effectively?


1 answer

  1. Ganesh Gurram 3,270 Reputation points Microsoft Vendor
    2024-12-03T19:34:19.4733333+00:00

    Hi @Nikhil Raj

    Thanks for the question and using MS Q&A forum.

    To identify the Azure policy that is blocking your operation, you can query the Azure Activity Log using Azure Data Explorer (ADX) or Kusto Query Language (KQL). Azure Activity Logs can provide insights into policy evaluations and their outcomes.

    Here's how you can frame a Kusto query to find the deny policy:

    You might need to configure diagnostic settings to send Activity Logs to a Log Analytics workspace, which can then be queried using KQL.

    Use the following Kusto query to search for deny actions related to your Azure Purview account:

    // Run this in the Log Analytics workspace that receives the subscription's Activity Log (table: AzureActivity)
    let startTime = ago(1d); // Adjust the time range as needed
    let endTime = now();
    let resourceId = "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Purview/accounts/<purview-account-name>";
    
    AzureActivity
    | where TimeGenerated between (startTime .. endTime)
    | where ResourceId =~ resourceId
    // A policy denial is logged as the 'deny' policy action; audit/action events are only audits
    | where OperationNameValue =~ "Microsoft.Authorization/policies/deny/action"
    | extend PolicyDetails = parse_json(Properties)
    // 'policies' is a JSON array serialized as a string inside Properties, so parse it again before expanding
    | mv-expand Policy = parse_json(tostring(PolicyDetails.policies))
    | project TimeGenerated, ResourceId, Caller, OperationNameValue, ActivityStatusValue,
        PolicyAssignmentName = tostring(Policy.policyAssignmentName),
        PolicyAssignmentId = tostring(Policy.policyAssignmentId),
        PolicyDefinitionName = tostring(Policy.policyDefinitionName),
        PolicyDefinitionId = tostring(Policy.policyDefinitionId),
        PolicyEffect = tostring(Policy.policyDefinitionEffect)
    | order by TimeGenerated desc
    
    1. Replace the parameters: <subscription-id> is your Azure subscription ID; <resource-group-name> is the resource group containing your Azure Purview account; <purview-account-name> is the name of your Azure Purview account.
    2. The query filters the Activity Logs for the specified resource (your Purview account). It looks for operations related to policy audits and specifically those with a "Deny" status. It extracts relevant details about the policy assignment and definition that caused the deny action.
    3. Run the query in Azure Data Explorer or a Log Analytics workspace: navigate to your Log Analytics workspace in the Azure portal, open Logs under General settings, then paste the query and run it to get the results.
    4. The output will provide you with the details of the policy assignment and definition, including names and IDs, which can help you identify the specific policy causing the issue.

    By running this query, you should be able to identify the deny policy that is blocking your Terraform operation. Once identified, you can review and modify the policy as necessary to allow the desired operation.

    For more details refer to this: https://learn.microsoft.com/en-us/purview/register-scan-azure-multiple-sources#policies

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click `Accept Answer` and `Yes` for was this answer helpful. And, if you have any further query do let us know.
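The same filtering the query above performs, written in Python over constructed rows shaped like AzureActivity records, as an added example that is not part of the answer above. It assumes the policy event's Properties carry a `policies` array with members such as policyAssignmentName and policyDefinitionEffect, and it handles the case where that array arrives serialized as a nested JSON string (the reason the KQL needs a second parse); PURVIEW_ID and the sample rows are placeholders.

```python
import json
from typing import Any

DENY_OPERATION = "Microsoft.Authorization/policies/deny/action"
# Placeholder Purview account ID (constructed; not a real subscription)
PURVIEW_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data"
              "/providers/Microsoft.Purview/accounts/pv-demo")

# Constructed rows shaped like AzureActivity records: Properties is a JSON string, and its
# 'policies' member may itself arrive as a JSON array serialized into a string (row 1) or
# as a plain array (row 2); the parser accepts both.
SAMPLE_ROWS = [
    {"TimeGenerated": "2024-12-03T05:41:10Z", "ResourceId": PURVIEW_ID,
     "OperationNameValue": DENY_OPERATION, "ActivityStatusValue": "Failed",
     "Properties": json.dumps({"policies": json.dumps([{
         "policyAssignmentName": "deny-tag-changes",
         "policyAssignmentId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                               "/providers/Microsoft.Authorization/policyAssignments/deny-tag-changes",
         "policyDefinitionName": "11111111-1111-1111-1111-111111111111",
         "policyDefinitionEffect": "deny"}])})},
    # Audit event on the same resource: the operation-name filter must exclude it.
    {"TimeGenerated": "2024-12-03T05:40:00Z", "ResourceId": PURVIEW_ID,
     "OperationNameValue": "Microsoft.Authorization/policies/audit/action",
     "ActivityStatusValue": "Succeeded",
     "Properties": json.dumps({"policies": [{"policyAssignmentName": "audit-only",
                                             "policyDefinitionEffect": "audit"}]})},
]

def _policies(props: dict[str, Any]) -> list[dict[str, Any]]:
    """Return the 'policies' array whether it is a list or a nested JSON string."""
    raw = props.get("policies", [])
    if isinstance(raw, str):
        raw = json.loads(raw)
    return raw if isinstance(raw, list) else []

def deny_policies(rows: list[dict[str, Any]], resource_id: str) -> list[dict[str, str]]:
    """Mirror the KQL filters: same resource, deny operation, one hit per blocking policy."""
    hits = []
    for row in rows:
        if row["ResourceId"].lower() != resource_id.lower():
            continue
        if row["OperationNameValue"].lower() != DENY_OPERATION.lower():
            continue
        for pol in _policies(json.loads(row["Properties"])):
            hits.append({"time": row["TimeGenerated"],
                         "assignment": pol.get("policyAssignmentName", ""),
                         "assignment_id": pol.get("policyAssignmentId", ""),
                         "definition": pol.get("policyDefinitionName", ""),
                         "effect": pol.get("policyDefinitionEffect", "")})
    return sorted(hits, key=lambda h: h["time"], reverse=True)
```

Resource IDs are compared case-insensitively, matching the `=~` operator in the query; the audit row is dropped by the operation-name check rather than by status.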

