Does Purview can grant and revoke accesses to Azure Resources

Ali Daebis 0

A user "A" that doesn't have access to an Azure storage account, can I grant access to that user through Purview access policy?
or it is only working with in the purview environment?

phemanth 11,465 Reputation points Microsoft Vendor

2024-11-12T16:56:43.6966667+00:00

@Ali Daebis Just checking in to see if the below answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

2 answers

phemanth 11,465 Reputation points Microsoft Vendor

2024-11-12T03:50:17.24+00:00
@Ali Daebis

Thanks for reaching out to Microsoft Q&A.

Yes, Microsoft Purview can indeed grant and revoke access to Azure resources, including Azure storage accounts. However, it’s important to note that Purview primarily manages access within its own governance framework and data catalog.

Key Points:

Access Management: You can use Purview’s data owner policies to grant access to Azure AD identities (users, groups, or service principals) for specific datasets or resources. This can be done at various levels, from fine-grained (like individual files) to broader scopes (like entire resource groups or subscriptions) .

Integration with Azure: While Purview can manage access to data assets, the actual permissions for Azure resources (like storage accounts) are typically managed through Azure Role-Based Access Control (RBAC). Therefore, if a user doesn’t have access to an Azure storage account, you would generally need to set that up through Azure’s access management tools as well.

In summary, while Purview can facilitate access management for data governance, you may still need to use Azure’s native tools for broader resource access.

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Please sign in to rate this answer.
phemanth 11,465 Reputation points Microsoft Vendor

2024-11-14T18:49:18.4633333+00:00

@Ali Daebis It looks like you’ve taken the right steps by creating and publishing the policy statement for Sohaila. However, if she still doesn’t have access to the Azure Resource Group (RG), there are a few things you might want to check:

Azure RBAC Permissions: Ensure that the Azure Role-Based Access Control (RBAC) permissions are correctly set for the resource group. Purview policies manage data access, but Azure RBAC controls access to the resources themselves.

Policy Scope: Verify that the policy is correctly scoped to the specific resource group and that there are no conflicting policies that might override it.

Principal Identity: Double-check that the principal (Sohaila) is correctly identified in the policy. Sometimes, discrepancies in user names or IDs can lead to access issues.

Propagation Time: Although changes are usually effective immediately, there can be occasional delays in policy propagation. If it’s been a while, this is less likely to be the issue, but it’s worth considering.

Audit Logs: Review the audit logs in Azure to see if there are any errors or warnings related to access attempts by Sohaila. This can provide insights into what might be going wrong.

Policy Version: Ensure that the policy version is up to date and that there haven’t been any changes to the underlying resources that might affect access.

If you’ve checked all these aspects and the issue persists please do let us know

Ali Daebis 0 Reputation points

2024-11-17T09:33:29.1066667+00:00

@phemanth
still doesn't work

I gave the purview resource the following privileges to the OrionDataWarehouse-Fabric RG and still Sohaila can't see the RG in Azure after the purplish
-Owner, Contributor, Role Based Access Control Administrator, User Access Administrator, Reader

phemanth 11,465 Reputation points Microsoft Vendor

2024-11-19T17:09:33.5866667+00:00

@Ali Daebis

please check the Troubleshooting Steps and confirm us

Azure RBAC Propagation: Sometimes, changes in Azure RBAC can take a little time to propagate. If you just made the changes, it might be worth waiting a bit and then checking again.

Principal Identity Verification: Double-check that Sohaila’s Azure AD identity is correctly referenced in the permissions. Ensure there are no typos or discrepancies in her user ID or email.

Scope of Permissions: Make sure that the permissions you assigned are scoped correctly to the OrionDataWarehouse-Fabric resource group. If the permissions are set at a higher level (like the subscription) but not explicitly for the resource group, that could cause issues.

Access Policies in Purview: Ensure that the Purview access policies are correctly configured and that they align with the Azure RBAC settings. Sometimes, conflicting policies can lead to access issues.

Audit Logs: Check the Azure audit logs for any errors or warnings related to Sohaila’s access attempts. This can provide insights into what might be going wrong.

Role Conflicts: If there are any other roles assigned to Sohaila that might conflict with the permissions you’ve set, it could prevent her from seeing the resource group
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Ali Daebis 0 Reputation points

2024-11-13T13:44:54.5266667+00:00

Hi @phemanth
thanks for your response,
I have created the following Policy statement and already published it for Sohaila which doesn't have access for the following RG, and long time it still doesn't have access for the Azure RG

Have I missed anything?
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Does Purview can grant and revoke accesses to Azure Resources

2 answers

Your answer