Microsoft Purview is a unified data governance and compliance platform that provides APIs for managing data assets across hybrid and multi-cloud environments. Purview supports automated data discovery, classification, and lineage tracking to maintain a centralized metadata catalog, and it integrates with compliance and security services to enforce policies such as data classification, access control, and Data Loss Prevention (DLP).
More information can be found on the Microsoft Purview website.
Integration Method: API Ingest
Tables: Entity Management (3004), Scan Activity (6007), Cloud Resource Inventory info (5023)
This integration supports the following events.
| Event | Description |
|---|---|
| | Retrieves the execution details of data source scans, including status, timestamps, and outcomes of each scan run. |
| Policies | Captures the creation, update, or deletion of governance and compliance policies. |
This feed must first be onboarded to the staging environment before production. Contact your support team with any questions.
Prerequisites
The user should have access to the Azure portal with an account that has Global Administrator privileges.
The user should have access to the DataBee console.
Configuration Overview
Create an application with the required roles to fetch the data.
Create a Microsoft Purview feed in the DataBee console with the required client credentials.
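| DataBee Parameter | Azure Parameter |
|---|---|
| Client Key | Application (client) ID |
| Client Secret | Client Secret value |
| Token URL(<tenant_id>) | Directory (tenant) ID |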
Azure Configuration
Create an application
Log on to the Azure portal with an account that has Global Administrator privileges.
In the search bar, search for App registrations and select it.
On the App registrations page, select New registration. The Register an application window appears.
In the Register an application window:
Under Name, enter your application name, then click Register to create the application.
On the app Overview page, copy the Application (client) ID and Directory (tenant) ID for later use.
 
Create the Client Secret
The final step in accessing the APIs is creating a Client Secret. To create it from the Azure Portal:
Select the application created above.
Under Manage, click Certificates & secrets, and then Client secrets.
Click New client secret. The Add a client secret window appears.
In the Add a client secret window:
Enter a Description for this client secret and select the desired expiry period from the Expires drop-down list.
Then click Add to create the client secret.

Note:
The user needs to re-create the client secret when it expires.
Add Roles
Once the application is created in the Microsoft Azure Portal, it must be granted the appropriate roles in Microsoft Purview to access and retrieve data from the endpoint. Assigning roles to the application's service principal gives it the permissions it needs to interact with Purview endpoints. The following section outlines how to configure and assign the required roles within Purview.
Granting Roles
Log in to your Microsoft Purview Portal:
Navigate to Settings → Account and copy the Resource Name. This value should be used as the domain in the Microsoft Purview endpoint.

Select the data map icon on the left.
Then navigate to Collection and click Role assignments.
Select the Collection admins and Data source admins roles from the drop-down. Both roles are assigned to provide full access to collection data and scan/data source operations in Microsoft Purview.
In the dialog box on the left, search for the name of the application created in the previous step, then click Ok.

DataBee Configuration
Log in to the DataBee UI, navigate to Data > Data Feeds, and click the Add New Data Feed button.

Search for Microsoft Purview and click it.

Click the API Ingest option for the collection method.

This feed is currently in BETA. Set the environment to Staging. Contact DataBee support for more information.

In the configuration section, enter the following:
Authorization Method: OAuth2
API Base URL: Replace <domain> with the Resource Name copied from the Microsoft Purview portal.
Client Key: Paste the Application (client) ID copied earlier from the Azure portal.
Client Secret: Paste the Client Secret value generated earlier in the Azure portal.
Token URL: Replace <tenant_id> with your Directory (tenant) ID.
Event Types: Preselected with all the event types that the integration pulls.

Click Test Connection. Once the connection is successful, click Submit.

Troubleshooting Tips
If you receive an invalid client or unauthorized client error, the cause is probably incorrect credentials. Ensure the client key, client secret, and tenant ID are pasted correctly. Because the client secret cannot be viewed after it is first created, re-create it, paste it into a text editor to confirm that no spaces or unexpected characters are included, and reconfigure the DataBee feed.
If you receive a 403 response code, the cause is probably missing roles. Ensure that all the required roles are assigned as described in the steps above.
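The checks behind these two tips can be run before the values are pasted into the feed. This is an added example, not DataBee or Microsoft code. The function names and hint strings are hypothetical. It assumes the standard Microsoft identity platform v2.0 token endpoint and that generated secret values are printable ASCII. It also flags a GUID-shaped secret, which usually means the Secret ID was copied instead of the Value.

```python
import json
import re

GUID = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
# Assumption: the standard Microsoft identity platform v2.0 token endpoint.
TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def preflight(tenant_id, client_id, client_secret):
    """Return problems found in the pasted values; an empty list means OK."""
    problems = []
    if not GUID.fullmatch(tenant_id):
        problems.append("tenant_id: not a GUID")
    if not GUID.fullmatch(client_id):
        problems.append("client_key: not a GUID")
    if re.search(r"\s", client_secret):
        problems.append("client_secret: contains whitespace")
    # Assumption: generated secret values are printable ASCII, so anything
    # else (zero-width space, smart quote) came from the copy/paste path.
    if any(not c.isspace() and not "!" <= c <= "~" for c in client_secret):
        problems.append("client_secret: unexpected character")
    if GUID.fullmatch(client_secret.strip()):
        problems.append("client_secret: looks like the Secret ID, not the Value")
    return problems


def diagnose(status, body):
    """Map an HTTP status and response body to a troubleshooting hint."""
    try:
        data = json.loads(body)
    except ValueError:
        data = {}
    if not isinstance(data, dict):
        data = {}
    if data.get("error") in ("invalid_client", "unauthorized_client"):
        if "expired" in str(data.get("error_description", "")).lower():
            return "re-create the expired client secret"
        return "re-check client key, client secret and tenant ID"
    if status == 403:
        return "assign Collection admins and Data source admins"
    return "ok" if status == 200 else "unrecognized: inspect the raw response"


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    tid = "11111111-2222-3333-4444-555555555555"
    print(TOKEN_URL.format(tenant_id=tid))
    print(preflight(tid, tid, "22222222-3333-4444-5555-666666666666 "))
    print(diagnose(401, '{"error": "invalid_client"}'))
```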

