Moving from the classic Azure Purview governance portal to the new unified Microsoft Purview experience is a key upgrade for Azure Synapse administrators. The unified portal (available at purview.microsoft.com) consolidates data governance and compliance into one interface, bringing new features and a streamlined workflowjamesserra.comjamesserra.com. This guide provides an overview of the differences and benefits, and a step-by-step walkthrough to “start fresh” in the new Purview portal. We assume you do not need to migrate existing catalog data (scans, classifications, glossaries, etc.), so the focus will be on cleaning up the old environment and configuring the new one from scratch.
Classic vs. New Purview Portal: What’s the Difference?
Classic Purview Portal: In the classic setup, Azure Purview’s data catalog lived in a separate governance portal (e.g. web.purview.azure.com
), completely distinct from the Microsoft 365 compliance center. Data governance (data catalog, classification, glossary, etc.) was siloed from compliance solutions like DLP, records management, and so onjamesserra.com. You would manage data sources, scans, and glossary in the Purview Studio (governance portal), while other compliance features lived in a different portal.
New Unified Purview Portal: The new experience (GA in Aug 2024) unifies Azure Purview (data governance) with the Microsoft Purview compliance portal into a single web portal at purview.microsoft.com
jamesserra.com. This “single pane of glass” provides one place to govern data and manage data security and compliance policiesjamesserra.comcoreview.com. The UI is redesigned with an integrated menu for all Purview solutions (Data Map, Data Catalog, Information Protection, Risk, etc.), making it easier to navigate. Notably, previously separate features like business domains, data products, data quality, and data estate insights are now available in the unified portaljamesserra.com. In short, the new portal breaks down the silos between data governance and compliance, offering a cohesive experience for administrators and data users.
Status of Old vs. New: Microsoft has started deprecating the standalone portals in favor of the unified experience. For example, the compliance portal began deprecation in late 2024 (with a 36-month read-only availability)jamesserra.com. The classic Purview governance portal remains available for now (no immediate retirement date announcedjamesserra.com), but all new features will appear only in the unified portallearn.microsoft.com. Administrators are encouraged to switch to the new experience to take advantage of upcoming enhancements.
Why Move to the New Purview? – Key Benefits for Synapse Data Governance
Upgrading to the unified Purview portal brings several benefits, especially for organizations using Azure Synapse:
- Unified Governance and Compliance: A single, organization-wide Purview instance is a prerequisite to unified governance across data assets and compliance policieslearn.microsoft.com. This means you can manage Synapse metadata, apply sensitivity labels, and define access policies all in one place. For Synapse admins, this unification simplifies oversight of data classification, lineage, and access control alongside compliance requirements.
- Improved User Experience: The new portal features a more streamlined and intuitive UI, making it easier to discover and manage data assetslearn.microsoft.com. For example, the integrated search can surface data assets from Synapse across the enterprise catalog, and the new navigation makes it faster to switch between governance tasks (catalog, scans, policies, etc.).
- Enhanced Features: Upgrading unlocks new capabilities that were not available in the classic portal. This includes features like Live Data Views, preset scan configurations, business Domains, data product catalogs, and data quality metricslearn.microsoft.com. These can enrich your Synapse data governance by enabling dynamic views of data and quality checks. Microsoft will be rolling out many more features under Purview, and these will only be accessible in the new unified portallearn.microsoft.com.
- Centralized Management: Administrators benefit from a centralized management interface for all Purview resourceslearn.microsoft.com. Instead of juggling an Azure Purview account and separate compliance settings, you manage everything through one portal. This consolidation is especially useful for Synapse governance, since data from Synapse (e.g. SQL pools, Spark tables, pipelines) often ties into compliance (sensitivity labels, retention) – the unified view helps ensure nothing is overlooked.
- Scalability and Enterprise-readiness: The unified Purview runs in “enterprise” mode, meaning the Purview Data Map (the underlying metadata store) uses an elastic capacity model for scaling and is linked to your Azure subscription for billingdocs.azure.cn. This ensures that as your Synapse environment grows, Purview can scale to catalog thousands of datasets and petabytes of data, with predictable billing (via capacity units). In contrast, the classic experience often ran in a limited free mode. Upgrading ensures you have the throughput and storage to govern a large Synapse data estate.
In summary, moving to the new Purview experience sets the stage for unified data governance that is more powerful and future-proof. Next, we’ll walk through how to perform this transition step by step, starting fresh with a new catalog in the unified portal.
Step-by-Step Guide: Moving from Classic Purview to the New Unified Portal
If you’ve decided to start with a clean slate in the new Purview portal, the migration process involves: cleaning up old metadata, enabling the new Purview enterprise account, and re-configuring your scans, sources, and permissions. Below is a detailed walkthrough:
Figure: The Data sources list in Purview (new portal, Data Map) – switching to “Table view” reveals action icons to edit, scan, or delete each source.
1. Delete Old Purview Metadata (Classic Portal Cleanup) – Begin by purging the existing metadata in your classic Purview account so it doesn’t carry over. In the classic Purview Studio (web.purview.azure.com
), navigate to Data Map > Sources. Switch to the Table view (toggle at top-right) to see a list of registered sources and hover over each source to reveal action icons. Delete each data source by clicking the trash bin icon. This will remove the source and any configured scans for it. Keep in mind that deleting a data source does not automatically delete all the cataloged assets from that source; you may need to manually remove or purge those assets from the catalog if they remain visiblelearn.microsoft.com. Next, if you were using the Business Glossary in Purview, you should delete those terms as well (under Glossary section in the classic portal) – especially since you intend to start fresh. There is no automated “wipe” function, so this may involve manually deleting glossary terms (consider exporting them first if you might need them later). The goal is to have no registered sources, scans, or glossaries left in the old Purview account, effectively clearing the slate. (If instead you choose to completely delete the Purview resource in Azure and create a new one, that’s another way to start fresh. However, as of late 2024 Microsoft may restrict creating multiple Purview accounts in a tenantlearn.microsoft.com. In most cases, it’s simplest to reuse your existing Purview account, but with its metadata cleared as described.)
Figure: Upgrading a free Purview account to Enterprise – in the new portal’s Settings > Account page, an Upgrade button is available to link the Purview Data Map to an Azure subscription.
2. Link the Purview Account to a Subscription (Enable Data Map Billing) – The new Purview portal operates in enterprise mode, which requires your Purview account to be linked to an Azure subscription and resource group for billing. If your organization’s Purview was running in the free tier (or if this is a first-time setup), you’ll need to perform an upgrade. In the Microsoft Purview portal (purview.microsoft.com
), ensure you’re signed in as a Purview Administrator or Azure owner. On the top menu or in Settings, look for an “Upgrade” option (the UI may show a rocket icon in the ribbon bar). Click Upgrade, and you’ll be prompted to select an Azure Subscription and Resource Group to link your Purview accountlearn.microsoft.comdocs.azure.cn. Choose the subscription that should cover Purview’s costs (typically the same subscription your Synapse workspace uses, or a central IT subscription for governance) and a resource group (you might use an existing RG or create one for Purview). Confirm the region (it will remain the same as your existing Purview account’s region) and accept the terms, then proceed with Upgradelearn.microsoft.com. This process effectively converts your Purview account to an Enterprise account backed by Azure resources. The Data Map capacity billing will start (remember that you get 1 free capacity unit, and beyond that you pay per additional storage/throughput unitlearn.microsoft.com). After a brief wait, your Purview account is upgraded – you should see Account type: Enterprise in the Settings. (If the account was brand new, it might have auto-upgraded; but using the manual upgrade ensures the subscription link is in place.) This step is crucial because without linking to a subscription, you won’t be able to run scans or use the Data Map beyond the free limits.
3. Grant Admin Consent for the Purview Data Map Application – Once your Purview account is enterprise-enabled, there is an Azure Active Directory enterprise application that represents your Purview Data Map in your tenant. Granting Admin Consent to this app ensures Purview can properly authenticate and scan resources in your organization. To do this, an Azure AD administrator should open the Microsoft Entra admin center (Azure AD portal) and navigate to Enterprise Applications. Change the application filter to “All Applications” and search for your Purview account’s name or for “Microsoft Purview Data Map” – the exact name may include your Purview instance. Select this enterprise application, go to Permissions or API permissions, and if any permissions are listed that require admin consent (e.g. Microsoft Graph or other APIs used by Purview), click Grant admin consent for the tenant. (This step allows the Purview service to perform actions like scanning certain Azure or M365 data sources that require tenant-wide permissions. For example, scanning Power BI or Microsoft 365 data may require delegated Graph API permissions which the Purview app uses on behalf of the organization.) If you skip this step, you might encounter errors when setting up scans for certain sources that rely on Purview’s service principal. It’s best to proactively grant the needed consents now. Consult your directory’s security policies before consenting; the permissions are typically standard read/access for scanning, but you should review them. Once granted, you’ve essentially authorized Purview to function fully within your tenant.
4. Set Up New Scans and Catalog Sources in the Unified Portal – With the groundwork laid, you can now register your data sources in the new Purview portal and configure scans to populate the catalog. In the Purview portal, navigate to Data Map > Data Sources. Here you’ll register the same sources you previously cataloged (or any new sources you want to govern). For each data source (e.g. an Azure Synapse Analytics workspace, Azure Data Lake Storage, SQL databases, etc.), click Register and follow the prompts to add it. You’ll choose the source type from Purview’s supported list (for Synapse, you might register the Synapse workspace itself, as well as underlying storage accounts or databases)learn.microsoft.com. Provide a meaningful name and the required connection details or credentials. Purview will ask you to assign the source to a collection – you can use a default collection or organize sources into collections/domains (for example, you might have a collection for “Analytics” where Synapse sources reside). After registering a source, you can set up a Scan. In the Data Sources list, find your source and click the “New scan” (play) icon next to it【50†】. Configure the scan with the necessary details: choose or create a scan rule set (which can include classification rules), specify the integration runtime if needed (the default Azure-hosted integration runtime works for most Azure sources; use a self-hosted IR if scanning on-prem or if network-isolated), and set a schedule (e.g. daily or weekly scans, or just run once on-demand). Be sure to provide or select credentials for the scan – for many Azure sources, the easiest method is to use the Purview’s managed identity for scanning, which means you must grant that identity the necessary read access to the data (see next section on access control). Alternatively, you can supply explicit credentials (e.g. SQL login, service principal secret, etc.) saved in Purview’s credential store. Test the connection and then save & run the scan. Repeat this for each data source you need in the catalog. For example, to fully cover an Azure Synapse workspace, you might register and scan the Synapse workspace (which can enumerate its SQL pools and Spark databases), the ADLS Gen2 account that stores Synapse data (for lake-based data), and any other linked data sources used by Synapse. After scans complete, verify that your Synapse assets (tables, files, pipelines, etc.) appear in the Catalog (Unified Data Catalog) with the expected metadata and classifications. Going forward, these scans can be scheduled to keep the catalog in sync.
pgsqlCopyEdit- *Tip:* If you have a **Power BI** environment connected to Synapse or other Microsoft SaaS sources, you can also register those (e.g. register a Power BI tenant via the **Fabric** data source type) and run scans. The new Purview portal can integrate with Power BI to catalog datasets and even **capture lineage** from Power BI into Synapse (and vice versa), providing end-to-end data lineage in the unified catalog. This might require additional setup (such as enabling the Power BI admin settings for service principal scanning), but it’s a powerful benefit of the unified Purview for organizations using Synapse + Power BI.
5. Assign Appropriate RBAC Roles for Users – With your new Purview Data Map populated, it’s crucial to set up role-based access control (RBAC) so the right people have appropriate permissions in the Purview portal. Microsoft Purview’s governance roles span two levels: tenant-level role groups (which grant broad administrative capabilities) and collection/domain-level roles (which grant access within specific scope of the Data Map)learn.microsoft.comlearn.microsoft.com. As a Synapse admin, you likely are a Purview administrator as well, but you may need to delegate certain responsibilities:
- Tenant-Level Roles: In the Purview portal, under Settings > Roles and scopes, you can manage role group assignments. Key roles include Purview Administrator, Data Source Administrator, and Data Governance Administratorlearn.microsoft.comlearn.microsoft.com. The Purview Administrators role group allows creating/editing governance domains and managing role assignments (this is essentially the super-admin for Purview)learn.microsoft.com. The Data Source Administrators role group can register and manage data sources and scans in the Data Maplearn.microsoft.com – you might assign your data platform team here so they can onboard new sources. The Data Governance Admin role (often given via “Catalog Data Governance Administrator”) delegates top-level access needed to create governance domains and manage the unified catalog settingslearn.microsoft.com. To assign these, you must be a Global Admin or have the Purview Role Management rolelearn.microsoft.com. Follow the principle of least privilege – only give users the admin roles they needlearn.microsoft.com. For instance, a user who only needs to curate metadata should not be a Purview Administrator at tenant level.
- Data Map Scope Roles: Purview still uses collections (and now domains) to scope access to data assetslearn.microsoft.com. By default, your upgraded account may have a root domain (sometimes called “Main Domain” or similar) containing a hierarchy of collections. Within this structure, you can assign classic Purview roles like Collection Admin, Collection Curator (Data Curator), Data Reader, etc., just as in the classic portallearn.microsoft.com. For example, if you have a collection for “Finance Data”, you might assign a data steward as Collection Admin of that collection so they can manage sub-collections and assign roles further. Data Curators (also known as Data Catalog Contributors) can edit asset metadata in the collection (add descriptions, tags, etc.), and Data Readers can view the assets. You should add your Synapse subject matter experts to these roles depending on whether they will govern (curate) the data or just consume it. In the new portal, domains add an additional layer – a Governance Domain is a grouping of collections/assets often aligned to business areas or data domains. You can designate Governance Domain Owners who have oversight of all data products and assets in that domain, and Data Product Owners/Stewards who manage specific data products within the domainlearn.microsoft.comlearn.microsoft.com. These concepts might be new if you’re coming from classic Purview, but they offer more granular governance control. Initially, you might keep things simple: use a single domain (the primary one) and manage collections within it as you did before, then evolve into domain-based governance as needed.
- Synapse Integration: Don’t forget to also consider Azure-level access related to Purview. The Purview account’s managed identity likely needs Reader permissions on your Synapse workspace and related resources for scanning. Ensure that identity (or whatever credential you used in scans) has the appropriate Azure RBAC on data sources (e.g. Storage Blob Data Reader on data lakes, or Synapse Administrator/Contributor role if needed for certain metadata). Additionally, within Synapse Studio you can connect to the Purview catalog (via “Manage > Microsoft Purview” in Synapse), which may require you (or a service principal) to have the Purview Data Reader role to browse the catalog. Double-check that Synapse workspace integration is set up with the new Purview account (you may need to disconnect any old Purview linkage in Synapse Studio and connect the new one).
By the end of this step, your Purview environment should be secured and delegated: users have the roles they need to either administer the catalog, curate metadata, or simply discover data through the Purview portal or Synapse Studio. Always follow least-privilege practices and use Azure AD groups to assign Purview roles (create groups for “PurviewAdmins”, “PurviewCurators”, etc., and assign those groups in the Purview roles UI – this makes management easier as your team grows).
Best Practices for Access Control and Security Configuration
When configuring the new Purview for your Synapse environment, consider these additional recommendations to strengthen security and manage access:
- Use Managed Identities for Scanning: Whenever possible, rely on the Purview managed identity for scanning Azure sources instead of embedding credentials. This identity (a system-assigned managed identity on the Purview resource) can be granted read access to data sources. For example, to scan an Azure Data Lake, grant the Purview managed identity the Storage Blob Data Reader role on the storage account. To scan an Azure Synapse workspace’s SQL pools, you can create a login for the Purview identity in each database and add it to the db_datareader rolelearn.microsoft.com. This avoids sharing static credentials and leverages Azure AD for auth. (For scanning on-premises sources, use a self-hosted IR with windows auth or service accounts as needed – still apply least privilege on those credentials.)
- Secure Your Purview Account: Treat the Purview account as a sensitive resource. Only give Subscription Owner/Contributor access to those who must manage the resource (the Purview account is an Azure resource itself). You may also apply an Azure Policy to prevent accidental deletion of the Purview account (e.g. a policy to deny the delete action on Microsoft.Purview/accounts resources)learn.microsoft.comlearn.microsoft.com, especially if this is now a mission-critical catalog for your org. Enable Purview’s diagnostic logging to capture audit logs of activities (scans started, role assignments, etc.) if available, and monitor those logs.
- Network Isolation (if required): By default, Purview’s scanning service runs as a multi-tenant Azure service. If your Synapse and data sources are in a private network (no public endpoint access), you have options to ensure Purview can still scan them securely. One option is to use Purview Managed Network (managed private endpoints) when creating the Purview account – this puts the scanning integration runtime in a managed VNet and you establish private link connections to your data sources. Another option is using a Self-Hosted Integration Runtime (SHIR) on a VM that has network access to the data, and configure Purview scans to use that SHIR. For Synapse specifically, make sure “Allow trusted Azure services…” is enabled on Synapse’s firewall if using the default IRlearn.microsoft.comlearn.microsoft.com. If using private endpoints, set those up for Purview (the documentation “Use private endpoints for Microsoft Purview” provides guidance). The bottom line: ensure the connectivity for scans is configured according to your network security posture, so that Purview can reach the Synapse assets without exposing endpoints in an insecure manner.
- Sensitivity Labels and Access Policies: One powerful aspect of the new Purview integration is the ability to enforce data security policies. Microsoft Purview (unified) allows creation of Purview Data Policies that can, for instance, control access to SQL datasets across your estate from a single place. It also integrates with Microsoft Information Protection (MIP) labels – Purview can scan and automatically classify sensitive data and even apply labels if configuredjamesserra.comjamesserra.com. As a best practice, define who can view sensitive classification results in the catalog (by default, Purview Data Readers can see classification tags on assets). You might restrict some roles if necessary for privacy. Additionally, consider using Purview’s ability to mask or restrict data access via policies: e.g. a policy that only approved users can query certain sensitive Synapse tables (this feature uses the Purview Data Policy app and requires that the Synapse workspace is registered for policy management). If you plan to use this, ensure that you’ve granted the Purview service the necessary permissions to create data policies on Synapse (this might involve another admin consent or adding Purview as a Directory reader). Always test these policies in a dev environment first.
- Monitoring and Alerts: After setting everything up, leverage Purview’s Data Estate Insights and scanning reports to monitor your Synapse data estate. Set up Purview scan notifications or use Azure Monitor to alert on scan failures, so you know if a scheduled scan misses (for example, if credentials expire or permissions change). Regularly review the Insights dashboards for any anomalies in data classification or data inventory – this can help catch if something in Synapse was not scanned or if a new sensitive dataset appears unexpectedly.
By following these best practices, you’ll ensure that your new Microsoft Purview setup not only provides rich data governance for Azure Synapse, but does so in a secure and well-controlled manner. The unified Microsoft Purview experience is a significant step forward in governing data across the enterprise, and as a Synapse administrator you now have a more powerful toolset at your disposal. Good luck with your Purview upgrade and enjoy the unified data governance journey!
Sources:
- James Serra’s Data Platform Blog – Microsoft Purview FAQjamesserra.comjamesserra.comjamesserra.com
- Microsoft Learn – Upgrading to the new Microsoft Purview governance experiencelearn.microsoft.comlearn.microsoft.com
- Microsoft Learn – Upgrade from free to enterprise version of Purviewlearn.microsoft.comdocs.azure.cn
- Microsoft Learn – Manage data sources in Microsoft Purview Data Maplearn.microsoft.comlearn.microsoft.com
- Microsoft Learn – Data Governance roles and permissions in Purviewlearn.microsoft.comlearn.microsoft.comlearn.microsoft.com
- Microsoft Learn – Connect to and manage Azure Synapse (scan setup)learn.microsoft.comlearn.microsoft.com