Power BI Governance, Good Practices: Setting up Azure Purview for Power BI

Microsoft newly announced a piece of very exciting news that Azure Purview now supports Power BI. This is massive news from a data governance point of view. Azure Purview is the next generation of Azure Data Catalog with more metadata discovery power and the ability to use sensitivity labels. After reading the news, I immediately decided to set up my test environment and give it a go. I followed the steps mentioned in this article on the Microsoft documentation website but I faced some difficulties to get it to work. And here we are, another blog post to help you to set up the Azure Purview for Power BI.

Note: In this blog post I am not intending to explain what Azure Purview is. You can find heaps of useful information here.

Creating an Azure Purview Resource

We first need to have an Azure subscription, if you don’t have, don’t worry, you can start your Azure free trial subscription here. The following steps explain how to set up Azure Purview for Power BI:Login to the Azure Portal

1. Click Create a resource button

2. Type in Purview in the search box

3. Click Azure Purview

4. Click the Create button

5. Select your Subscription

6. Select a Resource group or Create new if you don’t have any

7. Type in a name in the Purview account name text box

8. Select the Location

9. Click Review + Create (if you require to do more configurations click Next:Configuration > button)

At this point, Azure validates the configurations and requirements. You may get an error message like below:

Validation failed with error: The template deployment 'Microsoft.AzurePurviewGalleryPackage-purviewpurview' is not valid according to the validation procedure. The tracking id is 'xxx'. See inner errors for details.
Detailed error(s):
21005 - The resource providers Microsoft.Storage and Microsoft.EventHub are not registered for subscription xxx.

If that’s the case as per the error message, you have not registered a Storage and an EventHub resources for the selected subscription. In my case, it was a missing EventHub registration only. The Purview service requires a registered EventHub to be able to run scheduled scans. So we first need to register the missing resources before we can proceed with the Purview registration process. If this is not the case, then go to step 10.

So, open another tab in your browser and navigate to the Azure Portal again and follow the steps below:

A. Click Subscriptions

B. Select the desired subscription

C. Click Resource providers

D. Search for EventHub

E. Select Microsoft.EventHub

F. Click the Register button

After registration is succeeded, go back to your Purview page in your browser and click the Previous button then click Create once again. This time you have to pass the validation.

10. Click the Create button

11. Now the Purview deployment process starts. Wait for the deployment to complete then click Go to resource button.

We are now successfully created the Purview service. Before we start using the service by clicking Open Purview Studio, we need to go through some other settings to make the Purview able to discover our Power BI assets.

Registering and Scanning Power BI Tenant in Azure Purview

So far we successfully created a new instance of Azure Purview service. But the Purview service needs to access our Power BI tenant to be able to discover the assets. A part of the process of creating a new instance of Azure Purview is creating a new service principal. To make sure that the Purview service can access our Power BI tenant we need to go through some more configuration steps:

• Creating a new security group in Azure Active Directory or within the M365 Admin Centre. If you desire to use an existing security group simply skip this step
• Adding the service principal created for the Purview to the security group
• Allowing service principals to use Power BI APIs in Power BI Admin Portal
• Registering Power BI Tenant within Azure Purview and Scan

Create a new security group in Azure Active Directory

As mentioned above we can also create a new security group from the M365 Admin Centre which you may choose to use if you are an M365 administrator. Again, if you would like to use an existing security group skip this section.

The following steps show how to create a new security group in Azure Active Directory:

1. In Azure Portal click Azure Active Directory
2. Click Groups
3. Click New group
4. Select Security from the Group type
5. Type in a Group name
6. Click Create

Adding the Purview Service Principal as a Member in a Security Group

1. After the security group is created click on it
2. Click Members
3. Click Add members
4. Search for the service principal created for Purview; its name must be the same as your Purview instance. In my case it is purview-for-powerbi
5. Click to select the service principal
6. Click the Select button

Allowing service principals to use Power BI APIs in Power BI Admin Portal

So far we created a new security group and added the Purview service principal as a member of the security group. We now require to allow service principals to use Power BI API. This is a setting available within the Power BI Admin Portal. You require to be a Power BI administrator to be able to access the Power BI Admin Portal as explained below:

1. Login to your Power BI Service using a Power BI Administrator account then click Settings
2. Click Admin portal
3. Click Tenant settings
4. Scroll down to find Developer settings section
5. Expand the Allow service principals to use Power BI APIs
6. Enable the toggle
7. Click Specific security groups
8. Enter the name of the new security group created earlier
9. Click Apply
10. Expand the Allow service principals to use read-only Power BI Admin APIs
11. Enable the toggle
12. The Specific security group is already selected
13. Enter the name of the new security group created earlier
14. Click Apply

Registering Power BI Tenant within Azure Purview and Scan

Now that we have come this far it is time to use the Purview and register the Power BI Tenant, get it scanned and see its discovery power. Follow the steps below to register and scan your Power BI Tenant:

1. From the Azure Portal click the Purview resource
2. Click Open Purview Studio. This opens the Purview Studio in a new tab in your browser. You can also open the Purview Studio directly in the browser using the https://web.purview.azure.com/ URL
3. Click Register sources

4. Click Register (you can click a collection by clicking the New collection button)
5. Select Power BI from the list
6. Click Continue

7. Enter a Name for the resource
8. Note that your Power BI Tenant ID is already detected
9. Click Finish (you can select a collection if you already have one or you can create a collection from the Select a collection dropdown. But this is not mandatory, so I leave it empty)

10. This creates a Power BI source, click New Scan
11. Enter a Name
12. Note that the only Authentication method is Managed Identity. This is because my Power BI tenant exists in the same Azure subscription
13. Click Continue

14. You can now schedule a recurring scan or create a full scan by selecting once (I select once)
15. Click Continue

16. Click Save and Run

Now we have to wait till the scan is completed. After completion:

17. Click Home
18. Click Browse assets
19. Click Power BI

20. You can see a list of all your Workspaces, click a Workspace
21. Click a dataset Asset to see the details

22. From here you have a couple of options, you can see the Lineage, which is my favourite, you can see Contacts or Related assets by clicking a corresponding tab. The following image shows the Lineage tab:
23. You can click the Open in Power BI button to open the asset in Power BI Service

Check this out if you are wondering how much Azure Purview costs you.

As always, I am happy to read your feedbacks, so share your thoughts with me in the comments section below.