Microsoft Purview · Tenant-Level Governance
Data Source Administrators (role group)
Tenant-level role group to manage data sources and scans across Microsoft Purview Data Map, including registration, scanning, and integration runtime management.
Scope: Organization-wide data source registration and scanning management across all collections
Permissions
- Register and manage data sources across all collections in Data Map
- Create and manage scans for Azure, on-premises, and multi-cloud data sources
- Configure and manage self-hosted integration runtimes (SHIR)
- Manage scan rule sets and classification rules
- Configure managed private endpoints for secure data access
- Set up Azure Integration Runtime and Managed Virtual Network Integration Runtime
- Manage data source credentials and authentication methods in Azure Key Vault
- Monitor scan status and troubleshoot scanning issues organization-wide
Common use cases
- Registering Azure SQL, Storage, Synapse, Fabric, and other Azure data sources
- Scanning on-premises SQL Server, Oracle, Teradata via self-hosted integration runtime
- Configuring multi-cloud data sources (AWS S3, Google BigQuery)
- Setting up automated scanning schedules for data discovery
- Implementing classification and sensitivity labeling through scans
- Managing integration runtimes for secure data source connectivity
- Troubleshooting scan failures and connectivity issues
- Implementing metadata extraction across hybrid data estates
Best practices
- Coordinate with Data Curators to ensure scan rules capture needed metadata
- Use Managed Identity (MSI) authentication whenever possible for Azure sources
- Store credentials in Azure Key Vault, not directly in Microsoft Purview
- Test scans with limited scope before full production rollout
- Document data source registration rationale and business ownership
- Schedule scans during off-peak hours to minimize source system impact
- Monitor scan history and remediate failures promptly
- Use incremental scans instead of full scans when possible
- Implement tagging strategy to organize registered sources
- Coordinate with network security teams on private endpoint configuration
Security considerations
- Can access connection information and credentials for all registered data sources
- Scanning can impact source system performance if not configured carefully
- Must coordinate with data owners before registering and scanning sources
- Self-hosted integration runtime requires secure VM configuration
- Credentials stored in Key Vault must follow least-privilege principles
- Scan service accounts should have read-only permissions on data sources
- Private endpoints require coordination with network security teams
- Monitor for unauthorized data source registrations or scan configurations
Common questions
When should I assign the Data Source Administrators (role group) role?
Assign Data Source Administrators (role group) when you need to: Registering Azure SQL, Storage, Synapse, Fabric, and other Azure data sources; Scanning on-premises SQL Server, Oracle, Teradata via self-hosted integration runtime; Configuring multi-cloud data sources (AWS S3, Google BigQuery); Setting up automated scanning schedules for data discovery; and Implementing classification and sensitivity labeling through scans. It is part of Microsoft Purview and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the Data Source Administrators (role group) role do?
The Data Source Administrators (role group) role grants permissions including: Register and manage data sources across all collections in Data Map; Create and manage scans for Azure, on-premises, and multi-cloud data sources; Configure and manage self-hosted integration runtimes (SHIR); Manage scan rule sets and classification rules; Configure managed private endpoints for secure data access; and Set up Azure Integration Runtime and Managed Virtual Network Integration Runtime. See the Permissions section above for the full list.
What are the security risks of the Data Source Administrators (role group) role?
Key considerations when assigning Data Source Administrators (role group): Can access connection information and credentials for all registered data sources; Scanning can impact source system performance if not configured carefully; Must coordinate with data owners before registering and scanning sources; and Self-hosted integration runtime requires secure VM configuration. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.