Merge pull request #231144 from inward-eye/main

updates for Storage account with ZRS

Author: Stacyrch140

articles/purview/how-to-policies-data-owner-arc-sql-server.md

@@ -6,7 +6,7 @@ ms.author: vlrodrig
 ms.service: purview
 ms.subservice: purview-data-policies
 ms.topic: how-to
-ms.date: 11/23/2022
+ms.date: 03/17/2023
 ms.custom: references_regions, event-tier1-build-2022
 ---
 # Provision access by data owner for Azure Arc-enabled SQL Server (preview)
@@ -76,49 +76,14 @@ Follow this link for the steps to [update or delete a data owner policy in Micro
 
 ## Test the policy
 
-The Azure AD Accounts referenced in the access policies should now be able to connect to any database in the server to which the policies are published.
+After creating the policy, any of the Azure AD users in the Subject should now be able to connect to the data sources in the scope of the policy. To test, use SSMS or any SQL client and try to query. Attempt access to a SQL table you have provided read access to.
 
-### Force policy download
-It is possible to force an immediate download of the latest published policies to the current SQL database by running the following command. The minimal permission required to run it is membership in ##MS_ServerStateManager##-server role.
+If you require additional troubleshooting, see the [Next steps](#next-steps) section in this guide.
 
-```sql
--- Force immediate download of latest published policies
-exec sp_external_policy_refresh reload
-```  
+## Role definition detail
+This section contains a reference of how relevant Microsoft Purview data policy roles map to specific actions in SQL data sources.
 
-### Analyze downloaded policy state from SQL
-The following DMVs can be used to analyze which policies have been downloaded and are currently assigned to Azure AD accounts. The minimal permission required to run them is VIEW DATABASE SECURITY STATE - or assigned Action Group *SQL Security Auditor*.
-
-```sql
-
--- Lists generally supported actions
-SELECT * FROM sys.dm_server_external_policy_actions
-
--- Lists the roles that are part of a policy published to this server
-SELECT * FROM sys.dm_server_external_policy_roles
-
--- Lists the links between the roles and actions, could be used to join the two
-SELECT * FROM sys.dm_server_external_policy_role_actions
-
--- Lists all Azure AD principals that were given connect permissions  
-SELECT * FROM sys.dm_server_external_policy_principals
-
--- Lists Azure AD principals assigned to a given role on a given resource scope
-SELECT * FROM sys.dm_server_external_policy_role_members
-
--- Lists Azure AD principals, joined with roles, joined with their data actions
-SELECT * FROM sys.dm_server_external_policy_principal_assigned_actions
-```
-
-
-
-## Additional information
-
-### Policy action mapping
-
-This section contains a reference of how actions in Microsoft Purview data policies map to specific actions in Azure Arc-enabled SQL Server.
-
-| **Microsoft Purview policy action** | **Data source specific actions**     |
+| **Microsoft Purview policy role definition** | **Data source specific actions**     |
 |-------------------------------------|--------------------------------------|
 |||
 | *Read* |Microsoft.Sql/sqlservers/Connect |
@@ -132,4 +97,5 @@ This section contains a reference of how actions in Microsoft Purview data polic
 Check blog, demo and related how-to guides
 * [Concepts for Microsoft Purview data owner policies](./concept-policies-data-owner.md)
 * [Enable Microsoft Purview data owner policies on all data sources in a subscription or a resource group](./how-to-policies-data-owner-resource-group.md)
-* [Enable Microsoft Purview data owner policies on an Azure SQL DB](./how-to-policies-data-owner-azure-sql-db.md)
+* [Enable Microsoft Purview data owner policies on an Azure SQL Database](./how-to-policies-data-owner-azure-sql-db.md)
+* Doc: [Troubleshoot Microsoft Purview policies for SQL data sources](./troubleshoot-policy-sql.md)

articles/purview/how-to-policies-data-owner-azure-sql-db.md

@@ -6,7 +6,7 @@ ms.author: vlrodrig
 ms.service: purview
 ms.subservice: purview-data-policies
 ms.topic: how-to
-ms.date: 10/31/2022
+ms.date: 03/17/2023
 ms.custom: references_regions, event-tier1-build-2022
 ---
 # Provision access by data owner for Azure SQL Database (preview)
@@ -35,6 +35,7 @@ After you've registered your resources, you'll need to enable Data Use Managemen
 Once your data source has the **Data Use Management** toggle *Enabled*, it will look like this screenshot. This will enable the access policies to be used with the given Azure SQL server and all its contained databases.
 ![Screenshot shows how to register a data source for policy.](./media/how-to-policies-data-owner-sql/register-data-source-for-policy-azure-sql-db.png)
 
+[!INCLUDE [Access policies Azure SQL Database pre-requisites](./includes/access-policies-configuration-azure-sql-db.md)]
 
 ## Create and publish a data owner policy
 
@@ -57,48 +58,14 @@ Follow this link for the steps to [unpublish a data owner policy in Microsoft Pu
 Follow this link for the steps to [update or delete a data owner policy in Microsoft Purview](how-to-policies-data-owner-authoring-generic.md#update-or-delete-a-policy).
 
 ## Test the policy
+After creating the policy, any of the Azure AD users in the Subject should now be able to connect to the data sources in the scope of the policy. To test, use SSMS or any SQL client and try to query. Attempt access to a SQL table you have provided read access to.
 
-The Azure AD Accounts referenced in the access policies should now be able to connect to any database in the server to which the policies are published.
+If you require additional troubleshooting, see the [Next steps](#next-steps) section in this guide.
 
-### Force policy download
-It is possible to force an immediate download of the latest published policies to the current SQL database by running the following command. The minimal permission required to run it is membership in ##MS_ServerStateManager##-server role.
+## Role definition detail
+This section contains a reference of how relevant Microsoft Purview data policy roles map to specific actions in SQL data sources.
 
-```sql
--- Force immediate download of latest published policies
-exec sp_external_policy_refresh reload
-```  
-
-### Analyze downloaded policy state from SQL
-The following DMVs can be used to analyze which policies have been downloaded and are currently assigned to Azure AD accounts. The minimal permission required to run them is VIEW DATABASE SECURITY STATE - or assigned Action Group *SQL Security Auditor*.
-
-```sql
-
--- Lists generally supported actions
-SELECT * FROM sys.dm_server_external_policy_actions
-
--- Lists the roles that are part of a policy published to this server
-SELECT * FROM sys.dm_server_external_policy_roles
-
--- Lists the links between the roles and actions, could be used to join the two
-SELECT * FROM sys.dm_server_external_policy_role_actions
-
--- Lists all Azure AD principals that were given connect permissions  
-SELECT * FROM sys.dm_server_external_policy_principals
-
--- Lists Azure AD principals assigned to a given role on a given resource scope
-SELECT * FROM sys.dm_server_external_policy_role_members
-
--- Lists Azure AD principals, joined with roles, joined with their data actions
-SELECT * FROM sys.dm_server_external_policy_principal_assigned_actions
-```
-
-## Additional information
-
-### Policy action mapping
-
-This section contains a reference of how actions in Microsoft Purview data policies map to specific actions in Azure SQL DB.
-
-| **Microsoft Purview policy action** | **Data source specific actions**     |
+| **Microsoft Purview policy role definition** | **Data source specific actions**     |
 |-------------------------------------|--------------------------------------|
 |||
 | *Read* |Microsoft.Sql/sqlservers/Connect |
@@ -112,3 +79,4 @@ Check blog, demo and related how-to guides
 * [Concepts for Microsoft Purview data owner policies](./concept-policies-data-owner.md)
 * [Enable Microsoft Purview data owner policies on all data sources in a subscription or a resource group](./how-to-policies-data-owner-resource-group.md)
 * [Enable Microsoft Purview data owner policies on an Azure Arc-enabled SQL Server](./how-to-policies-data-owner-arc-sql-server.md)
+* Doc: [Troubleshoot Microsoft Purview policies for SQL data sources](./troubleshoot-policy-sql.md)

articles/purview/how-to-policies-devops-authoring-generic.md

@@ -82,6 +82,8 @@ To delete a DevOps policy, ensure first that you have the Microsoft Purview Poli
 ## Test the DevOps policy
 After creating the policy, any of the Azure AD users in the Subject should now be able to connect to the data sources in the scope of the policy. To test, use SSMS or any SQL client and try to query some DMVs/DMFs. We list here a few examples. For more, you can consult the mapping of popular DMVs/DMFs in the [Microsoft Purview DevOps policies concept guide](./concept-policies-devops.md#mapping-of-popular-dmvs-and-dmfs)
 
+If you require additional troubleshooting, see the [Next steps](#next-steps) section in this guide.
+
 ### Testing SQL Performance Monitor access
 If you provided the Subject(s) of the policy SQL Performance Monitor role, you can issue the following commands
 ```sql
@@ -113,9 +115,9 @@ SELECT * FROM [databaseName].schemaName.tableName
 
 
 ## Role definition detail
-This section contains a reference of how actions in Microsoft Purview data policies map to specific actions in Azure SQL MI.
+This section contains a reference of how relevant Microsoft Purview data policy roles map to specific actions in SQL data sources.
 
-| **DevOps role definition** | **Data source specific actions**     |
+| **Microsoft Purview policy role definition** | **Data source specific actions**     |
 |-------------------------------------|--------------------------------------|
 |                                     |                                      |
 | *SQL Performance Monitor* |Microsoft.Sql/sqlservers/Connect |

articles/purview/how-to-policies-devops-azure-sql-db.md

@@ -6,7 +6,7 @@ ms.author: vlrodrig
 ms.service: purview
 ms.subservice: purview-data-policies
 ms.topic: how-to
-ms.date: 03/10/2023
+ms.date: 03/17/2023
 ms.custom:
 ---
 # Provision access to system metadata in Azure SQL Database (preview)
@@ -34,6 +34,8 @@ After you've registered your resources, you'll need to enable Data Use Managemen
 Once your data source has the **Data Use Management** toggle *Enabled*, it will look like this screenshot. This will enable the access policies to be used with the given data source
 ![Screenshot shows how to register a data source for policy.](./media/how-to-policies-data-owner-sql/register-data-source-for-policy-azure-sql-db.png)
 
+[!INCLUDE [Access policies Azure SQL Database pre-requisites](./includes/access-policies-configuration-azure-sql-db.md)]
+
 ## Create a new DevOps policy
 Follow this link for the steps to [create a new DevOps policy in Microsoft Purview](how-to-policies-devops-authoring-generic.md#create-a-new-devops-policy).
 

articles/purview/includes/access-policies-configuration-azure-sql-db.md

@@ -0,0 +1,22 @@
+---
+author: inward-eye
+ms.author: vlrodrig
+ms.service: purview
+ms.subservice: purview-data-policies
+ms.topic: include
+ms.date: 03/17/2022
+---
+
+Return to the Azure portal for Azure SQL Database to verify it is now governed by Microsoft Purview
+1. Sign in to the Azure portal through [this link](https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Sql%2Fservers)
+
+1. Select the Azure SQL Server that you want to configure.
+
+1. Go to **Azure Active Directory** on the left pane.
+
+1. Scroll down to **Microsoft Purview access policies**.
+
+1. Select the button to **Check for Microsoft Purview Governance**. Wait while the request is processed. It may take a few minutes.
+   ![Screenshot that shows Azure SQL is governed by Microsoft Purview.](../media/how-to-policies-data-owner-sql/check-governed-status-azure-sql-db.png)
+
+1. Confirm that the Microsoft Purview Governance Status shows `Governed`. Note that **it may take a few minutes** after you enable *Data use management* in Microsoft Purview for the correct status to be reflected.

articles/purview/includes/access-policies-prerequisites-storage.md

@@ -4,7 +4,7 @@ ms.author: vlrodrig
 ms.service: purview
 ms.subservice: purview-data-policies
 ms.topic: include
-ms.date: 12/01/2022
+ms.date: 03/16/2023
 ms.custom: references_regions
 ---
 
@@ -49,6 +49,6 @@ If the output is *Registering*, wait at least 10 minutes, and then retry the com
     - East Asia
     - Japan East
     - Japan West
-- Only **new** Storage accounts with zone-redundant storage (ZRS) are supported. That is, Storage accounts created in the subscription **after** the feature *AllowPurviewPolicyEnforcement* is *Registered*.
+- Only **new** Storage accounts with zone-redundant storage (ZRS) are supported. That is, Storage accounts created in the subscription **after** the feature *AllowPurviewPolicyEnforcement* is *Registered*. Note, ZRS Storage accounts will start enforcing policies from Microsoft Purview within 2 hours.
 
 If needed, you can also create a new Storage account by [following this guide](../../storage/common/storage-account-create.md).

articles/purview/media/how-to-policies-data-owner-sql/check-governed-status-azure-sql-db.png

@@ -6,7 +6,7 @@ ms.author: athenadsouza
 ms.service: purview
 ms.subservice: purview-data-map
 ms.topic: how-to
-ms.date: 02/16/2023
+ms.date: 03/17/2023
 ms.custom: template-how-to, ignite-fall-2021, references_regions
 ---
 # Connect to Azure Data Lake Storage in Microsoft Purview
@@ -358,7 +358,7 @@ Once your data source has the  **Data Use Management** option set to **Enabled**
 
 ### Create a policy
 To create an access policy for Azure Data Lake Storage Gen2, follow this guide:
-* [Data owner policy on a single storage account](./how-to-policies-data-owner-storage.md#create-and-publish-a-data-owner-policy)
+* [Provision read/modify access on a single storage account](./how-to-policies-data-owner-storage.md#create-and-publish-a-data-owner-policy)
 
 To create policies that cover all data sources inside a resource group or Azure subscription you can refer to [this section](register-scan-azure-multiple-sources.md#access-policy).
 

articles/purview/register-scan-adls-gen2.md

@@ -209,8 +209,8 @@ Before you can create policies, you must register the Azure Arc-enabled SQL Serv
 
 To create an access policy for Azure Arc-enabled SQL Server, follow these guides:
 
-* [DevOps policy on a single Azure Arc-enabled SQL Server instance - GA](./how-to-policies-devops-arc-sql-server.md#create-a-new-devops-policy)
-* [Data owner policy on a single Azure Arc-enabled SQL Server instance - Public Preview](./how-to-policies-data-owner-arc-sql-server.md#create-and-publish-a-data-owner-policy)
+* [Provision access to system health, performance and audit information in SQL Server 2022](./how-to-policies-devops-arc-sql-server.md#create-a-new-devops-policy)
+* [Provision read/modify access on a single SQL Server 2022](./how-to-policies-data-owner-arc-sql-server.md#create-and-publish-a-data-owner-policy)
 
 To create policies that cover all data sources inside a resource group or Azure subscription, see [Discover and govern multiple Azure sources in Microsoft Purview](register-scan-azure-multiple-sources.md#access-policy).
 

articles/purview/register-scan-azure-arc-enabled-sql-server.md

@@ -354,7 +354,7 @@ Once your data source has the  **Data Use Management** option set to **Enabled**
 ![Screenshot shows how to register a data source for policy with the option Data use management set to enable](./media/how-to-policies-data-owner-storage/register-data-source-for-policy-storage.png)
 
 ### Create a policy
-To create an access policy for Azure Blob Storage, follow this guide: [Data owner policy on a single storage account](./how-to-policies-data-owner-storage.md#create-and-publish-a-data-owner-policy).
+To create an access policy for Azure Blob Storage, follow this guide: [Provision read/modify access on a single storage account](./how-to-policies-data-owner-storage.md#create-and-publish-a-data-owner-policy).
 
 To create policies that cover all data sources inside a resource group or Azure subscription you can refer to [this section](register-scan-azure-multiple-sources.md#access-policy).