Configuring Microsoft Purview for Privacera PolicySync Connectors

This guide describes how to use Microsoft Purview with Privacera PolicySync access connectors.

Microsoft Purview is a data governance and catalog service. When Purview integration is enabled on a connector, the connector can pull classifications and tags from Purview and create the corresponding tags and tag-resource mappings in OMNI Metadata Service (MDS), and keep them synchronized so you do not have to recreate that metadata manually in Privacera for assets already governed in Purview.

OMNI requirement

Purview tag sync to MDS is designed to work with OMNI metadata features. Complete Configuring OMNI for PolicySync Connectors for your environment before enabling Purview on a connector.

Supported connectors

Microsoft Purview tag sync is supported for:

  • Microsoft SQL Server (MSSQL)
  • Databricks Unity Catalog

Prerequisites

Before configuring a PolicySync connector for Microsoft Purview, complete the following in Microsoft Entra ID and Microsoft Purview (shared by MSSQL and Databricks Unity Catalog).

Check the Prerequisites section on Microsoft Learn before you continue.

Register the application (Microsoft Entra ID)

  1. Sign in to the Azure portal, then open Microsoft Entra ID → App registrations → New registration.
  2. On Register an application:
     • Enter a Name for the application (this becomes the service principal display name).
     • Under Who can use this application or access this API?, choose Accounts in this organizational directory only if only users in your tenant will use this integration (single-tenant is typical for PolicySync).
     • Under Redirect URI (optional), choose Web and enter a placeholder URI (for example https://exampleURI.com). It does not need to be a real endpoint.
  3. Select Register.
  4. On the app Overview page, copy the Application (client) ID and Directory (tenant) ID; these are the values for ranger.policysync.connector.0.purview.client.id and ranger.policysync.connector.0.purview.tenant.id.

Create a client secret (Microsoft Entra ID)

  1. In the app registration, open Certificates & secrets.
  2. Under Client secrets, select New client secret, set a Description and Expires, then Add.
  3. On Client secrets, copy the Value of the new secret immediately—it is shown only once. Use it for ranger.policysync.connector.0.purview.client.secret.

Assign Purview Data Map roles to the service principal

Assign Data Map collection roles so the app's service principal can read the catalog scope you need. For role names and the portal flow, see Assign Azure roles using the Microsoft Purview governance portal and Access control in Microsoft Purview.

  1. Open the Microsoft Purview governance portal → Data map → Collections.
  2. Select the collection that scopes the reads (often the root collection). Choosing a subcollection limits catalog scope to that branch.
  3. Open Role assignments → add your app as a Service principal → assign Catalog read access (for example Data Curator, per Microsoft’s role guidance). If role names differ in your portal, use the Access control link above.

Role assignment permission

Collection Admin assigns these roles.

Microsoft SQL Server (MSSQL)

For Microsoft SQL Server, Purview can scan and catalog databases, schemas, tables, and columns so you can assign and manage tags on those assets in Purview.

When this integration is enabled, the MSSQL PolicySync connector pulls those tags through Purview and creates the corresponding tags and tag-resource mappings in OMNI Metadata Service (MDS), and keeps them synchronized.

MSSQL PolicySync custom properties

Add these as custom PolicySync properties for the MSSQL connector:

  • ranger.policysync.connector.0.purview.tag.sync.enabled
    Privacera Manager variable: CONNECTOR_PURVIEW_TAG_SYNC_ENABLED
    Description: Set to true to enable periodic tag sync from Purview.
    Default value: true
  • ranger.policysync.connector.0.purview.tag.sync.interval.sec
    Privacera Manager variable: CONNECTOR_PURVIEW_TAG_SYNC_INTERVAL_SEC
    Description: Interval between tag sync runs, in seconds.
    Default value: 30
  • ranger.policysync.connector.0.purview.tag.sync.at.restart.enable
    Privacera Manager variable: CONNECTOR_PURVIEW_TAG_SYNC_AT_RESTART_ENABLE
    Description: When true, run tag sync when the connector starts.
    Default value: true
  • ranger.policysync.connector.0.purview.endpoint
    Privacera Manager variable: CONNECTOR_PURVIEW_ENDPOINT
    Description: Purview account URL.
    Default value: https://<your-account>.purview.azure.com
  • ranger.policysync.connector.0.purview.tenant.id
    Privacera Manager variable: CONNECTOR_PURVIEW_TENANT_ID
    Description: Microsoft Entra ID Directory (tenant) ID from the app registration Overview.
    Default value: <AZURE_TENANT_ID>
  • ranger.policysync.connector.0.purview.client.id
    Privacera Manager variable: CONNECTOR_PURVIEW_CLIENT_ID
    Description: Microsoft Entra ID Application (client) ID from Overview; the same app's service principal needs a Purview collection role (see Assign Purview Data Map roles to the service principal).
    Default value: <AZURE_CLIENT_ID>
  • ranger.policysync.connector.0.purview.client.secret
    Privacera Manager variable: CONNECTOR_PURVIEW_CLIENT_SECRET
    Description: Client secret from Certificates & secrets.
    Default value: <AZURE_CLIENT_SECRET>
  • ranger.policysync.connector.0.purview.allowed.entity.types
    Privacera Manager variable: CONNECTOR_PURVIEW_ALLOWED_ENTITY_TYPES
    Description: Comma-separated Atlas entity types for Azure SQL / SQL Server assets in Purview.
    Default value: azure_sql_db,azure_sql_schema,azure_sql_table,azure_sql_table_column

Example (MSSQL)

Note

Replace placeholders with your values.

Self-managed (Privacera Manager)

  1. SSH to the instance where Privacera Manager is installed.
  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/mssql/instance1/vars.connector.mssql.yml
    
  3. Set the following properties:

    YAML
    CONNECTOR_PURVIEW_TAG_SYNC_ENABLED: "true"
    CONNECTOR_PURVIEW_TAG_SYNC_INTERVAL_SEC: "30"
    CONNECTOR_PURVIEW_TAG_SYNC_AT_RESTART_ENABLE: "true"
    CONNECTOR_PURVIEW_ENDPOINT: "https://<your-purview-account>.purview.azure.com"
    CONNECTOR_PURVIEW_TENANT_ID: "<AZURE_TENANT_ID>"
    CONNECTOR_PURVIEW_CLIENT_ID: "<AZURE_CLIENT_ID>"
    CONNECTOR_PURVIEW_CLIENT_SECRET: "<AZURE_CLIENT_SECRET>"
    CONNECTOR_PURVIEW_ALLOWED_ENTITY_TYPES: "azure_sql_db,azure_sql_schema,azure_sql_table,azure_sql_table_column"
    
  4. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup, which generates the Helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager Helm charts.

    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - (Optional) Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on. This step is not required if you are updating only connector properties.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    
PrivaceraCloud

  1. In PrivaceraCloud, navigate to Settings → Applications.
  2. On the Connected Applications screen, select MSSQL.
  3. Click the pen icon or the Account Name to modify the settings.
  4. On the Edit Application screen, go to Access Management → ADVANCED.
  5. Under Add New Custom Properties, add the required Purview properties shown below.

    Properties
    ranger.policysync.connector.0.purview.tag.sync.enabled=true
    ranger.policysync.connector.0.purview.tag.sync.interval.sec=30
    ranger.policysync.connector.0.purview.tag.sync.at.restart.enable=true
    ranger.policysync.connector.0.purview.endpoint=https://<your-purview-account>.purview.azure.com
    ranger.policysync.connector.0.purview.tenant.id=<AZURE_TENANT_ID>
    ranger.policysync.connector.0.purview.client.id=<AZURE_CLIENT_ID>
    ranger.policysync.connector.0.purview.client.secret=<AZURE_CLIENT_SECRET>
    ranger.policysync.connector.0.purview.allowed.entity.types=azure_sql_db,azure_sql_schema,azure_sql_table,azure_sql_table_column
    
  6. Click SAVE to apply the changes.

Databricks Unity Catalog

For Azure Databricks Unity Catalog, Purview can register and scan metastores, catalogs, schemas, tables, and columns so you can assign and manage tags on those assets in Purview. See Connect to and manage Azure Databricks Unity Catalog in Microsoft Purview on Microsoft Learn for catalog scanning prerequisites and behavior.

When this integration is enabled, the Databricks Unity Catalog PolicySync connector pulls those tags through Purview and creates the corresponding tags and tag-resource mappings in OMNI Metadata Service (MDS), and keeps them synchronized.

Databricks Unity Catalog PolicySync custom properties

Add these as custom PolicySync properties for the Databricks Unity Catalog connector:

  • ranger.policysync.connector.0.purview.tag.sync.enabled
    Privacera Manager variable: CONNECTOR_PURVIEW_TAG_SYNC_ENABLED
    Description: Set to true to enable periodic tag sync from Purview.
    Default value: true
  • ranger.policysync.connector.0.purview.tag.sync.interval.sec
    Privacera Manager variable: CONNECTOR_PURVIEW_TAG_SYNC_INTERVAL_SEC
    Description: Interval between tag sync runs, in seconds.
    Default value: 30
  • ranger.policysync.connector.0.purview.tag.sync.at.restart.enable
    Privacera Manager variable: CONNECTOR_PURVIEW_TAG_SYNC_AT_RESTART_ENABLE
    Description: When true, run tag sync when the connector starts.
    Default value: true
  • ranger.policysync.connector.0.purview.endpoint
    Privacera Manager variable: CONNECTOR_PURVIEW_ENDPOINT
    Description: Purview account URL.
    Default value: https://<your-account>.purview.azure.com
  • ranger.policysync.connector.0.purview.tenant.id
    Privacera Manager variable: CONNECTOR_PURVIEW_TENANT_ID
    Description: Microsoft Entra ID Directory (tenant) ID from the app registration Overview.
    Default value: <AZURE_TENANT_ID>
  • ranger.policysync.connector.0.purview.client.id
    Privacera Manager variable: CONNECTOR_PURVIEW_CLIENT_ID
    Description: Microsoft Entra ID Application (client) ID from Overview; the same app's service principal needs a Purview collection role (see Assign Purview Data Map roles to the service principal).
    Default value: <AZURE_CLIENT_ID>
  • ranger.policysync.connector.0.purview.client.secret
    Privacera Manager variable: CONNECTOR_PURVIEW_CLIENT_SECRET
    Description: Client secret from Certificates & secrets.
    Default value: <AZURE_CLIENT_SECRET>
  • ranger.policysync.connector.0.purview.workspace.id
    Privacera Manager variable: CONNECTOR_PURVIEW_WORKSPACE_ID
    Description: Azure Databricks workspace resource ID (GUID) for the workspace Purview scans for Unity Catalog. Use the value from the workspace's Azure resource Properties (Resource ID) or from the Databricks account / URL context your team uses for Purview registration. Required for Databricks tag sync so that Purview assets resolve to the correct workspace scope.
    Default value: <DATABRICKS_WORKSPACE_RESOURCE_ID>
  • ranger.policysync.connector.0.purview.allowed.entity.types
    Privacera Manager variable: CONNECTOR_PURVIEW_ALLOWED_ENTITY_TYPES
    Description: Comma-separated Atlas entity types to process. Align this list with the Unity Catalog asset types present in your Purview catalog (for example after an Azure Databricks Unity Catalog scan).
    Default value: databricks_catalog,databricks_schema,databricks_table,databricks_table_column

Example (Databricks Unity Catalog)

Note

Replace placeholders with your values.

Self-managed (Privacera Manager)

  1. SSH to the instance where Privacera Manager is installed.
  2. Run the following command to open the .yml file to be edited.

    If you have multiple connectors, then replace instance1 with the appropriate connector instance name.

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/connectors/databricks-unity-catalog/instance1/vars.connector.databricks.unity.catalog.yml
    
  3. Set the following properties:

    YAML
    CONNECTOR_PURVIEW_TAG_SYNC_ENABLED: "true"
    CONNECTOR_PURVIEW_TAG_SYNC_INTERVAL_SEC: "30"
    CONNECTOR_PURVIEW_TAG_SYNC_AT_RESTART_ENABLE: "true"
    CONNECTOR_PURVIEW_ENDPOINT: "https://<your-purview-account>.purview.azure.com"
    CONNECTOR_PURVIEW_TENANT_ID: "<AZURE_TENANT_ID>"
    CONNECTOR_PURVIEW_CLIENT_ID: "<AZURE_CLIENT_ID>"
    CONNECTOR_PURVIEW_CLIENT_SECRET: "<AZURE_CLIENT_SECRET>"
    # Databricks workspace scope (Azure resource ID of the Databricks workspace)
    CONNECTOR_PURVIEW_WORKSPACE_ID: "<DATABRICKS_WORKSPACE_RESOURCE_ID>"
    CONNECTOR_PURVIEW_ALLOWED_ENTITY_TYPES: "databricks_catalog,databricks_schema,databricks_table,databricks_table_column"
    
  4. Once the properties are configured, run the following commands to update your Privacera Manager platform instance:

    Step 1 - Setup, which generates the Helm charts. This step usually takes a few minutes.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh setup
    
    Step 2 - Apply the Privacera Manager Helm charts.

    Bash
    cd ~/privacera/privacera-manager
    ./pm_with_helm.sh upgrade
    
    Step 3 - (Optional) Post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on. This step is not required if you are updating only connector properties.

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    
PrivaceraCloud

  1. In PrivaceraCloud, navigate to Settings → Applications.
  2. On the Connected Applications screen, select Databricks Unity Catalog.
  3. Click the pen icon or the Account Name to modify the settings.
  4. On the Edit Application screen, go to Access Management → ADVANCED.
  5. Under Add New Custom Properties, add the required Purview properties shown below.

    Properties
    ranger.policysync.connector.0.purview.tag.sync.enabled=true
    ranger.policysync.connector.0.purview.tag.sync.interval.sec=30
    ranger.policysync.connector.0.purview.tag.sync.at.restart.enable=true
    ranger.policysync.connector.0.purview.endpoint=https://<your-purview-account>.purview.azure.com
    ranger.policysync.connector.0.purview.tenant.id=<AZURE_TENANT_ID>
    ranger.policysync.connector.0.purview.client.id=<AZURE_CLIENT_ID>
    ranger.policysync.connector.0.purview.client.secret=<AZURE_CLIENT_SECRET>
    # Databricks workspace scope (Azure resource ID of the Databricks workspace)
    ranger.policysync.connector.0.purview.workspace.id=<DATABRICKS_WORKSPACE_RESOURCE_ID>
    ranger.policysync.connector.0.purview.allowed.entity.types=databricks_catalog,databricks_schema,databricks_table,databricks_table_column
    
  6. Click SAVE to apply the changes.
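The purview.* custom properties are the same for the MSSQL and Databricks Unity Catalog connectors apart from the entity types and the Databricks-only workspace.id, so a single pre-save check covers both. The following Python script is an added example, not part of this page or of Privacera's tooling: it parses the key=value lines as pasted into PrivaceraCloud, flags placeholders left in the endpoint, tenant ID, client ID and secret, checks that allowed.entity.types matches the chosen connector, and requires workspace.id for Databricks. The sample properties are constructed, and the GUID and endpoint patterns are assumptions about what Entra ID and Purview issue.

```python
import re
# Constructed sample: the Purview custom properties from this page as pasted into PrivaceraCloud,
# with the placeholders still in place so that the checker has something to flag.
SAMPLE_PROPERTIES = """\
ranger.policysync.connector.0.purview.tag.sync.enabled=true
ranger.policysync.connector.0.purview.tag.sync.interval.sec=30
ranger.policysync.connector.0.purview.tag.sync.at.restart.enable=true
ranger.policysync.connector.0.purview.endpoint=https://<your-purview-account>.purview.azure.com
ranger.policysync.connector.0.purview.tenant.id=<AZURE_TENANT_ID>
ranger.policysync.connector.0.purview.client.id=<AZURE_CLIENT_ID>
ranger.policysync.connector.0.purview.client.secret=<AZURE_CLIENT_SECRET>
ranger.policysync.connector.0.purview.allowed.entity.types=databricks_catalog,databricks_schema,databricks_table,databricks_table_column
"""
PREFIX = "ranger.policysync.connector.0.purview."
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)  # assumed ID shape
ENDPOINT = re.compile(r"^https://[a-z0-9-]+\.purview\.azure\.com$")      # assumed URL shape
# Entity-type prefix used by each connector's default list (see the property tables above).
ENTITY_PREFIX = {"mssql": "azure_sql_", "databricks": "databricks_"}

def parse_properties(text):
    """Parse key=value lines into a dict, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_purview_properties(props, connector):
    """Return findings for the purview.* properties; an empty list means they look consistent."""
    def p(name):
        return props.get(PREFIX + name, "")
    findings = []
    if not p("tag.sync.interval.sec").isdigit() or int(p("tag.sync.interval.sec")) <= 0:
        findings.append("tag.sync.interval.sec must be a positive number of seconds")
    if not ENDPOINT.match(p("endpoint")):
        findings.append("endpoint is not an https://<account>.purview.azure.com URL")
    for name in ("tenant.id", "client.id"):
        if not GUID.match(p(name)):
            findings.append(f"{name} is not a GUID (placeholder still in place?)")
    if not p("client.secret") or p("client.secret").startswith("<"):
        findings.append("client.secret is empty or still a placeholder")
    types = [t for t in p("allowed.entity.types").split(",") if t]
    wrong = [t for t in types if not t.startswith(ENTITY_PREFIX[connector])]
    if not types or wrong:
        findings.append(f"allowed.entity.types does not match {connector} asset types: {wrong or 'empty'}")
    if connector == "databricks" and not p("workspace.id"):
        findings.append("workspace.id is required for Databricks Unity Catalog tag sync")
    return findings
```

Run it against the block you are about to paste and only save once it returns an empty list for the connector you are configuring.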

Logs to check

Use these commands when validating tag sync and Metadata Service updates for any connector.

PolicySync log file

  • Log file: policy-sync.log
  • On Kubernetes-based deployments, logs are usually under /workdir/policysync/logs on the connector pod. Open a shell on the pod, then cd there.
  • The same layout is used when troubleshooting other connectors; adjust the path if your environment mounts logs elsewhere.

Logger used for Purview tag sync (PolicySync base)

  • Logger name: com.privacera.policysync.core.tags.TagSyncLoader
  • Typical messages include Tag sync started (connector=...), Tag sync: no work to queue (connector=...), Tag sync completed (connector=..., stats=...), Tag sync interrupted (connector=...), and Tag sync failed (connector=...).

To follow Purview tag sync lines in real time:

Bash
cd /workdir/policysync/logs
tail -f policy-sync.log | grep TagSyncLoader

Run a one-time search in the current log:

Bash
grep TagSyncLoader ./policy-sync.log

Troubleshooting

  • If tag sync fails silently, verify that the app registration can access Purview: the service principal holds the collection role assigned above and the client secret has not expired.
  • Confirm that purview.endpoint and purview.allowed.entity.types match your Purview catalog, for example databricks_table_column vs databricks_column, depending on what your Purview tenant exposes.
  • For Databricks, confirm that purview.workspace.id matches the workspace Purview is scanning.
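Grepping for TagSyncLoader shows the raw lines; when several connectors share a log it helps to reduce them to a per-connector status. The following Python script is an added example, not part of the page or of Privacera's tooling: it matches the TagSyncLoader messages listed above, counts them per connector, and flags connectors that reported a failure or interruption, or whose last "Tag sync started" was never followed by a terminal message (the "fails silently" case). The sample log lines and their timestamp/level/logger prefix are constructed assumptions; only the message texts come from the page, so adjust the regex to the layout your policy-sync.log actually uses.

```python
import re
from collections import defaultdict

# Constructed sample of policy-sync.log lines. The "Tag sync ..." message texts are the
# TagSyncLoader messages named above; the "timestamp LEVEL logger - " prefix is an assumed
# layout, not a format taken from this page.
SAMPLE_LOG = """\
2024-05-01 10:00:00,101 INFO  com.privacera.policysync.core.tags.TagSyncLoader - Tag sync started (connector=mssql_instance1)
2024-05-01 10:00:02,377 INFO  com.privacera.policysync.core.tags.TagSyncLoader - Tag sync completed (connector=mssql_instance1, stats={tags=12, mappings=40})
2024-05-01 10:00:00,150 INFO  com.privacera.policysync.core.tags.TagSyncLoader - Tag sync started (connector=uc_instance1)
2024-05-01 10:00:03,002 ERROR com.privacera.policysync.core.tags.TagSyncLoader - Tag sync failed (connector=uc_instance1)
2024-05-01 10:00:30,160 INFO  com.privacera.policysync.core.tags.TagSyncLoader - Tag sync started (connector=uc_instance1)
2024-05-01 10:00:30,161 INFO  com.privacera.policysync.core.tags.TagSyncLoader - Tag sync: no work to queue (connector=uc_instance1)
2024-05-01 10:01:00,170 INFO  com.privacera.policysync.core.tags.TagSyncLoader - Tag sync started (connector=uc_instance2)
2024-05-01 10:01:00,200 INFO  com.privacera.policysync.core.policy.PolicyLoader - unrelated line that must be ignored
"""
# Captures the message variant ("started", "completed", ": no work to queue", ...) and the connector.
LINE = re.compile(r"TagSyncLoader - Tag sync(?P<msg>[^(]*)\(connector=(?P<conn>[^,)]+)")

def summarize_tag_sync(log_text):
    """Per connector: how often each TagSyncLoader event occurred and whether a run is still open."""
    summary = defaultdict(lambda: {"events": defaultdict(int), "open_run": False})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        event = m.group("msg").strip(" :")
        entry = summary[m.group("conn")]
        entry["events"][event] += 1
        # A run stays open from "started" until any other message (completed, no work, failed,
        # interrupted) arrives for the same connector.
        entry["open_run"] = event == "started"
    return summary

def connectors_needing_attention(summary):
    """Connectors that failed, were interrupted, or whose last run never reached a terminal message."""
    return sorted(conn for conn, entry in summary.items()
                  if entry["open_run"] or entry["events"]["failed"] or entry["events"]["interrupted"])
```

Pipe the output of grep TagSyncLoader ./policy-sync.log into summarize_tag_sync to get the same view for a live log.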