Microsoft Purview · Tenant-Level Governance

Data Source Administrators (role group)

Tenant-level role group to manage data sources and scans across Microsoft Purview Data Map, including registration, scanning, and integration runtime management.

Scope: Organization-wide data source registration and scanning management across all collections

Permissions

  • Register and manage data sources across all collections in Data Map
  • Create and manage scans for Azure, on-premises, and multi-cloud data sources
  • Configure and manage self-hosted integration runtimes (SHIR)
  • Manage scan rule sets and classification rules
  • Configure managed private endpoints for secure data access
  • Set up Azure Integration Runtime and Managed Virtual Network Integration Runtime
  • Manage data source credentials and authentication methods in Azure Key Vault
  • Monitor scan status and troubleshoot scanning issues organization-wide

Common use cases

  • Registering Azure SQL, Storage, Synapse, Fabric, and other Azure data sources
  • Scanning on-premises SQL Server, Oracle, Teradata via self-hosted integration runtime
  • Configuring multi-cloud data sources (AWS S3, Google BigQuery)
  • Setting up automated scanning schedules for data discovery
  • Implementing classification and sensitivity labeling through scans
  • Managing integration runtimes for secure data source connectivity
  • Troubleshooting scan failures and connectivity issues
  • Implementing metadata extraction across hybrid data estates

Best practices

  • Coordinate with Data Curators to ensure scan rules capture needed metadata
  • Use Managed Identity (MSI) authentication whenever possible for Azure sources
  • Store credentials in Azure Key Vault, not directly in Microsoft Purview
  • Test scans with limited scope before full production rollout
  • Document data source registration rationale and business ownership
  • Schedule scans during off-peak hours to minimize source system impact
  • Monitor scan history and remediate failures promptly
  • Use incremental scans instead of full scans when possible
  • Implement tagging strategy to organize registered sources
  • Coordinate with network security teams on private endpoint configuration

Security considerations

  • Can access connection information and credentials for all registered data sources
  • Scanning can impact source system performance if not configured carefully
  • Must coordinate with data owners before registering and scanning sources
  • Self-hosted integration runtime requires secure VM configuration
  • Credentials stored in Key Vault must follow least-privilege principles
  • Scan service accounts should have read-only permissions on data sources
  • Private endpoints require coordination with network security teams
  • Monitor for unauthorized data source registrations or scan configurations
