Power BI Governance, Good Practices: Setting up Azure Purview for Power BI


Microsoft recently announced some very exciting news: Azure Purview now supports Power BI. This is massive news from a data governance point of view. Azure Purview is the next generation of Azure Data Catalog with more metadata discovery power and the ability to use sensitivity labels. After reading the news, I immediately decided to set up my test environment and give it a go. I followed the steps mentioned in this article on the Microsoft documentation website but I faced some difficulties getting it to work. And here we are, another blog post to help you set up Azure Purview for Power BI.

Note: In this blog post I am not intending to explain what Azure Purview is. You can find heaps of useful information here.

Creating an Azure Purview Resource

We first need an Azure subscription. If you don’t have one, don’t worry; you can start your Azure free trial subscription here. The following steps explain how to set up Azure Purview for Power BI. Log in to the Azure Portal, then:

  1. Click Create a resource button
Creating Azure Purview resource in Azure Portal

2. Type in Purview in the search box

3. Click Azure Purview

Searching for Purview resource in Azure Portal

4. Click the Create button

5. Select your Subscription

6. Select a Resource group or Create new if you don’t have any

7. Type in a name in the Purview account name text box

8. Select the Location

9. Click Review + Create (if you need to do more configuration, click the Next: Configuration > button)

Creating Azure Purview Account

At this point, Azure validates the configurations and requirements. You may get an error message like below:

Validation failed with error: The template deployment 'Microsoft.AzurePurviewGalleryPackage-purviewpurview' is not valid according to the validation procedure. The tracking id is 'xxx'. See inner errors for details.
Detailed error(s):
21005 - The resource providers Microsoft.Storage and Microsoft.EventHub are not registered for subscription xxx.
Azure Purview validation failed

If that’s the case then, as per the error message, the Microsoft.Storage and Microsoft.EventHub resource providers are not registered for the selected subscription. In my case, it was a missing EventHub registration only. The Purview service requires a registered EventHub to be able to run scheduled scans. So we first need to register the missing resource providers before we can proceed with the Purview registration process. If this is not the case, then go to step 10.

So, open another tab in your browser and navigate to the Azure Portal again and follow the steps below:

A. Click Subscriptions

B. Select the desired subscription

C. Click Resource providers

D. Search for EventHub

E. Select Microsoft.EventHub

F. Click the Register button

Registering EventHub in Azure Subscription

After the registration has succeeded, go back to your Purview page in your browser, click the Previous button, then click Create once again. This time the validation should pass.
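The same check can be scripted with the Azure CLI before you start the deployment, so error 21005 never appears. This is an added example, not part of the original post; it assumes `az` is installed and logged in, and the function names and the subscription argument are illustrative.

```bash
#!/usr/bin/env bash
# Added example: preflight for validation error 21005.
# The two namespaces are the ones named in the error message above.
REQUIRED_PROVIDERS="Microsoft.Storage Microsoft.EventHub"

# Print the registration state of one provider namespace.
# $1 = subscription id or name, $2 = provider namespace
provider_state() {
  az provider show --subscription "$1" --namespace "$2" \
    --query registrationState -o tsv
}

# Print every required namespace that is not in the "Registered" state.
# A failed lookup is treated as not registered.
missing_providers() {
  local sub="$1" ns state
  for ns in $REQUIRED_PROVIDERS; do
    state="$(provider_state "$sub" "$ns" 2>/dev/null)" || state="Unknown"
    [ "$state" = "Registered" ] || printf '%s\n' "$ns"
  done
}

# Register whatever is missing and wait for completion, then re-check.
# Returns 0 only when every required provider reports "Registered".
ensure_providers() {
  local sub="$1" ns
  for ns in $(missing_providers "$sub"); do
    az provider register --subscription "$sub" --namespace "$ns" --wait \
      >/dev/null || return 1
  done
  [ -z "$(missing_providers "$sub")" ]
}

# Usage (SUBSCRIPTION_ID is a placeholder you supply):
#   ensure_providers "$SUBSCRIPTION_ID" && echo "ready to create Purview"
```

Registering a resource provider requires sufficient rights on the subscription, so run this with the same account you would use for steps A to F.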

10. Click the Create button

Purview validation passed

11. Now the Purview deployment process starts. Wait for the deployment to complete, then click the Go to resource button.

Purview deployment process completed

We have now successfully created the Purview service. Before we start using the service by clicking Open Purview Studio, we need to go through some other settings so that Purview is able to discover our Power BI assets.

Opening Purview Studio

Registering and Scanning Power BI Tenant in Azure Purview

So far we have successfully created a new instance of the Azure Purview service. But the Purview service needs access to our Power BI tenant to be able to discover the assets. Part of the process of creating a new instance of Azure Purview is creating a new service principal. To make sure that the Purview service can access our Power BI tenant, we need to go through some more configuration steps:

  • Creating a new security group in Azure Active Directory or within the M365 Admin Centre. If you desire to use an existing security group simply skip this step
  • Adding the service principal created for the Purview to the security group
  • Allowing service principals to use Power BI APIs in Power BI Admin Portal
  • Registering Power BI Tenant within Azure Purview and Scan

Create a new security group in Azure Active Directory

As mentioned above we can also create a new security group from the M365 Admin Centre which you may choose to use if you are an M365 administrator. Again, if you would like to use an existing security group skip this section.

The following steps show how to create a new security group in Azure Active Directory:

  1. In Azure Portal click Azure Active Directory
  2. Click Groups
  3. Click New group
  4. Select Security from the Group type
  5. Type in a Group name
  6. Click Create
Creating a new security group in Azure Active Directory

Adding the Purview Service Principal as a Member in a Security Group

  1. After the security group is created click on it
  2. Click Members
  3. Click Add members
  4. Search for the service principal created for Purview; its name must be the same as your Purview instance. In my case it is purview-for-powerbi
  5. Click to select the service principal
  6. Click the Select button
Adding the Purview Service Principal as a Member in a Security Group

Allowing service principals to use Power BI APIs in Power BI Admin Portal

So far we have created a new security group and added the Purview service principal as a member of it. We now need to allow service principals to use the Power BI APIs. This setting is available within the Power BI Admin Portal. You need to be a Power BI administrator to access the Power BI Admin Portal, as explained below:

  1. Login to your Power BI Service using a Power BI Administrator account then click Settings
  2. Click Admin portal
  3. Click Tenant settings
  4. Scroll down to find Developer settings section
  5. Expand the Allow service principals to use Power BI APIs
  6. Enable the toggle
  7. Click Specific security groups
  8. Enter the name of the new security group created earlier
  9. Click Apply
  10. Expand the Allow service principals to use read-only Power BI Admin APIs
  11. Enable the toggle
  12. The Specific security group is already selected
  13. Enter the name of the new security group created earlier
  14. Click Apply
Allowing service principals to use Power BI APIs in Power BI Admin Portal
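Because both tenant settings are scoped to the security group, every member of that group inherits the Power BI API access, so it is worth checking that the group holds the Purview identity and nothing else. The audit below is an added example, not part of the original post; it assumes a current Azure CLI whose `az ad group member list` output carries the Microsoft Graph fields `@odata.type` and `displayName`, that the group is dedicated to Purview, and the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example: audit the security group trusted by the tenant settings.

# Print "type<TAB>displayName" for each member of the group ($1).
group_members() {
  az ad group member list --group "$1" \
    --query '[].["@odata.type", displayName]' -o tsv
}

# Print every member that is not the expected service principal.
# $1 = group name, $2 = Purview account name (the identity's display name)
unexpected_members() {
  group_members "$1" | awk -F '\t' -v want="$2" \
    '!($1 == "#microsoft.graph.servicePrincipal" && $2 == want)'
}

# Succeed only if the Purview identity is a member of the group.
purview_is_member() {
  group_members "$1" | awk -F '\t' -v want="$2" \
    '$1 == "#microsoft.graph.servicePrincipal" && $2 == want { found = 1 }
     END { exit !found }'
}

# Return 0 = only the Purview identity, 1 = extra members, 2 = identity missing.
audit_group() {
  local extra
  purview_is_member "$1" "$2" || {
    echo "Purview identity missing from $1" >&2
    return 2
  }
  extra="$(unexpected_members "$1" "$2")"
  [ -z "$extra" ] && return 0
  printf 'Unexpected members of %s:\n%s\n' "$1" "$extra" >&2
  return 1
}

# Usage (the group name is a placeholder; the identity name is the one
# used in this post):
#   audit_group "my-purview-group" "purview-for-powerbi"
```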

Registering Power BI Tenant within Azure Purview and Scan

Now that we have come this far it is time to use the Purview and register the Power BI Tenant, get it scanned and see its discovery power. Follow the steps below to register and scan your Power BI Tenant:

  1. From the Azure Portal click the Purview resource
  2. Click Open Purview Studio. This opens the Purview Studio in a new tab in your browser. You can also open the Purview Studio directly in the browser using the https://web.purview.azure.com/ URL
  3. Click Register sources
Navigating to Purview Studio
  4. Click Register (you can create a collection by clicking the New collection button)
  5. Select Power BI from the list
  6. Click Continue
Registering Power BI Tenant in Purview
  7. Enter a Name for the resource
  8. Note that your Power BI Tenant ID is already detected
  9. Click Finish (you can select a collection if you already have one or you can create a collection from the Select a collection dropdown. But this is not mandatory, so I leave it empty)
Registering Power BI Tenant in Purview
  10. This creates a Power BI source, click New Scan
  11. Enter a Name
  12. Note that the only Authentication method is Managed Identity. This is because my Power BI tenant exists in the same Azure subscription
  13. Click Continue
Creating a new Scan for a Power BI source in Azure Purview
  14. You can now schedule a recurring scan or create a full scan by selecting once (I select once)
  15. Click Continue
Selecting scheduling options to trigger a Purview scan
  16. Click Save and Run
Save and run the Purview scan

Now we have to wait till the scan is completed. After completion:

  1. Click Home
  2. Click Browse assets
  3. Click Power BI
Browsing Assets in Purview
  4. You can see a list of all your Workspaces, click a Workspace
  5. Click a dataset Asset to see the details
Browsing a Power BI Workspace in Azure Purview
  6. From here you have a couple of options, you can see the Lineage, which is my favourite, you can see Contacts or Related assets by clicking a corresponding tab. The following image shows the Lineage tab:
  7. You can click the Open in Power BI button to open the asset in Power BI Service
Lineage view in Azure Purview

Check this out if you are wondering how much Azure Purview costs you.

As always, I am happy to read your feedback, so share your thoughts with me in the comments section below.

5 thoughts on “Power BI Governance, Good Practices: Setting up Azure Purview for Power BI”

    1. Hi Jerry,

      Thanks for sharing your thought.
      Yes, that would be a good feature to have.
      In the meantime, if you’d like to see visual to/from data model objects, have a look at my tool, Power BI Documenter.
      It is not necessarily a lineage tool, but you may find it helpful as it detects which measures/columns are used in which visuals and more.

      Cheers.

  1. Hi Soheil,

    We worked with MSFT a bit on our setup and still encountered problems with scans where they got halfway through and/or failed, but it’s interesting that some of the steps were different than what you’re mentioning. They kept pointing us back to this document: https://docs.microsoft.com/en-us/azure/purview/tutorial-scan-data which we followed to a T a few times already and the differences I see from your instructions and what they wrote are:

    According to them you shouldn’t have to create an explicit Service Principal and instead just add the catalog name to the security group (in our case we named it “xyz Purview”) where xyz is our company initials.
    We definitely strayed away from enabling the first options for Allow service principals to use Power BI APIs since we use this for other purposes to write and would be afraid if somehow the software encountered a bug and could generate workspaces or reports for any reason.

    We’ve had MSFT engineering on with us and the demo team on with us twice and each time there were stumbles unfortunately so I’m hoping it gets better. 🙁
