Microsoft Purview
A Microsoft data governance service that helps manage and govern on-premises, multicloud, and software-as-a-service data. Previously known as Azure Purview.
1,358 questions
Scan ingested assets from other data sources then specified within the scan
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 3%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
Markova, Monika
0
Reputation points
Hi, I have upgraded Microsoft Purview to enterprise this week - so with ingestion storage account (we have never used free purview within this tenant). I have registered Azure Data Lake Storage Gen2 source and run first full scan. I am using managed vnet IR. Scan is still running (more than 18 hours) and I can see that it ingested also assets which are not in scope of the scan - fabric items, all azure subscriptions, etc. Seems like the first scan goes through the whole Azure tenant. How is it possible even without having appropriate permissions for Purview MSI to another data sources ? Is that a new feature? Can you share a link where this behavior is described? Thanks Monika
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 61%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
phemanth 13,300 Reputation points Microsoft Vendor2025-01-24T04:06:05.5666667+00:00 Greetings & Welcome to Microsoft Q&A forum! Thanks for posting your query!
It seems like you're experiencing an unexpected behavior with your Microsoft Purview scan. Typically, when you register a data source and run a scan, it should only ingest metadata from the specified source
However, there are a few scenarios that might explain why you're seeing assets outside the scope of your scan:
- Default Scanning Scope: Sometimes, the initial scan might have a broader default scope, especially if it's the first scan after an upgrade. This could include additional assets like fabric items and Azure subscriptions
- Managed Identity Permissions: Even if you haven't explicitly granted permissions, the Managed Identity (MSI) used by Purview might have inherited permissions that allow it to access other data sources within your Azure tenant
- Configuration Settings: There might be specific settings or configurations that need to be adjusted to limit the scope of the scan to only the desired data sources
For more detailed information and best practices on scanning data sources in Microsoft Purview, please refer to the following resources:
- Scans and ingestion in Microsoft Purview
- Best practices for scanning data sources
- How to scan sources
I hope this information helps. Please do let us know if you have any further queries.
Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
Thank you.
-
Markova, Monika 0 Reputation points
2025-01-24T19:56:35.1933333+00:00 Hi, thanks for the response.
Could you please explain deeply, or refer to the specific article? I went through all the resources you mentioned, but no explanation for such behavior.
Regarding to your response:
- "Sometimes, the initial scan might have a broader default scope" - what does it mean "sometimes"? in which cases it can happen? what is the reason of a broader default scope? How can I influence that?
- "Even if you haven't explicitly granted permissions, the Managed Identity (MSI) used by Purview might have inherited permissions" - Inheritance is from parent to child, correct? So if i granted permissions for one adls storage account permissions could be inherited to file systems/folders within this adsl storage account. But it can not be inherited from one adsl storage account to e.g. fabric workspace or azure sql database, right? if I am correct about inheritance, so this could not be the reason. Or there is some hidden permissions by default??? Can I somehow check all permissions for MSI including inherited permissions?
- "There might be specific settings or configurations" - could you specify? The scan was limited to 2 folders in one specific adls1 storage account. From this storage account only assets from those 2 folders were ingested. This is correct. But it doesn't explain why scan ingested also azure sql server, fabric items, etc.
Regards, Monika
-
phemanth 13,300 Reputation points Microsoft Vendor
2025-01-27T07:09:21.9733333+00:00 Thanks for your information!
I understand your need for a deeper explanation. Let's address each of your points in detail:
Broader Default Scope
When I mentioned that the initial scan might have a broader default scope, it refers to the possibility that the first scan after an upgrade or a new setup might include additional assets beyond the specified ones. This can happen due to:
- Default Configuration: The initial scan might be configured to capture a wide range of metadata to ensure comprehensive coverage. This is often a default setting to help users get a complete view of their data landscape1.
- Upgrade Behavior: During an upgrade, the system might reset or expand the scanning scope to include new features or data sources that were not previously covered1.
To influence this behavior, you can:
- Review and Adjust Scan Settings: Before running the scan, ensure that the scope is correctly set to include only the desired data sources. You can customize the scan settings to limit the scope1.
- Check for Default Rules: Verify if there are any default rules or configurations that might be causing the broader scope and adjust them accordingly1.
Managed Identity Permissions
Regarding the Managed Identity (MSI) permissions, inheritance typically works from parent to child within the same data source. However, there are a few points to consider:
- Inherited Permissions: Permissions can be inherited within the same data source, such as from a storage account to its containers and files. However, they should not cross over to entirely different data sources like Azure SQL Database or Fabric Workspace unless explicitly granted2.
- Default Permissions: Sometimes, MSIs might have default permissions that allow broader access. It's essential to review and manage these permissions to ensure they are restricted to the intended scope2.
To check all permissions for the MSI, including inherited ones:
- Azure Portal: Navigate to the Azure portal, select the MSI, and review its permissions under the "Access control (IAM)" section. This will show you all the roles and permissions assigned to the MSI2.
- Audit Logs: Use Azure's audit logs to track any unexpected access or permissions granted to the MSI2.
Specific Settings or Configurations
For the specific settings or configurations that might affect the scan:
- Scan Rules: Ensure that the scan rules are correctly configured to limit the scope to the specified folders or data sources
- Integration Runtime: Verify that the integration runtime settings are correctly set up to access only the intended data sources
- Authentication Methods: Check the authentication methods used for the scan. Managed Identity is preferred, but ensure it has the correct permissions
For more detailed information, please refer to the following articles:
-
phemanth 13,300 Reputation points Microsoft Vendor
2025-01-28T03:47:29.8533333+00:00 @Markova, Monika We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
-
Markova, Monika 0 Reputation points
2025-01-28T14:59:51.0066667+00:00 Hi, yep, I have found it - it is a new feature called Live view - probably from DEC25 in preview. https://learn.microsoft.com/en-us/purview/live-view. So really pity that there is no mention about such important functionality in the What's new section :-(
Sign in to comment
Sign in to answer