|
1 | 1 | --- |
2 | 2 | title: Planning for an Azure Storage Discovery deployment |
3 | 3 | titleSuffix: Azure Storage Discovery |
4 | | -description: Considerations and best-practices while deploying Azure Storage Discovery service |
5 | | -author: pthippeswamy |
| 4 | +description: Considerations and best-practices for deploying the Azure Storage Discovery service |
| 5 | +author: fauhse |
6 | 6 | ms.service: azure-storage-mover |
7 | 7 | ms.topic: overview |
8 | 8 | ms.date: 08/01/2025 |
9 | | -ms.author: shaas |
| 9 | +ms.author: fauhse |
10 | 10 | --- |
11 | 11 |
|
12 | | -# Azure Storage Discovery: Regional availability and planning guide |
| 12 | +# Planning for an Azure Storage Discovery deployment |
13 | 13 |
|
14 | | -Azure Storage Discovery empowers organizations to gain deep, actionable insights into their storage estate—across subscriptions, regions, and scopes. This article outlines the regional availability of Azure Storage Discovery, explains how to select regions for your workspace, and clarifies how regional aggregation of insights work. |
| 14 | +Before you continue, be sure to get an [overview of the Storage Discovery service](overview.md) and the value it can provide to you. |
15 | 15 |
|
16 | | -## Workspace Region Availability |
| 16 | +## Make sure the service works for your scenario |
17 | 17 |
|
18 | | -Azure Storage Discovery Workspaces (ASDW) are the foundational resource for configuring and visualizing your storage insights. |
19 | | -[!INCLUDE [control-plane-regions](includes/control-plane-regions.md)] |
| 18 | +Azure Storage Discovery currently surfaces insights for resources of the Azure Blob Storage service. |
| 19 | +Coverage also includes storage accounts configured with the [hierarchical namespace feature](../storage/blobs/data-lake-storage-namespace.md) to enable [Azure Data Lake Storage](../storage/blobs/data-lake-storage-introduction.md). |
| 20 | + |
| 21 | +Discovery currently doesn't work for [Azure Files](../storage/files/storage-files-introduction.md) or other storage types. |
| 22 | + |
| 23 | +## Deployment basics |
| 24 | + |
| 25 | +Your Azure Storage resources (like storage accounts) experience no transactions or performance impact when analyzing them with Azure Storage Discovery. |
| 26 | + |
| 27 | +Deploying the service means deploying and configuring a *Storage Discovery workspace resource* into a resource group in one of your subscriptions. |
| 28 | +The Discovery service works to compute and store insights about your Azure Blob Storage estate. These computed insights are stored in the region of the workspace you created. Other than the Storage Discovery workspace, no other infrastructure needs to be deployed. |
| 29 | + |
| 30 | +The workspace can be configured to aggregate insights across any subscriptions in the Azure tenant the workspace is deployed in. |
| 31 | +To generate insights about Azure Storage resources, such as storage accounts, you need to be a member of the RBAC (Role Based Access Control) Reader role for every storage resource. |
| 32 | + |
| 33 | +> [!IMPORTANT] |
| 34 | +> To get accurate insights, you need to configure your workspace for resources you have permissions to.<br> The [permissions section](#permissions) in this article has important details you should review. |
| 35 | +
|
| 36 | +## Getting your subscription ready |
| 37 | + |
| 38 | +You need to choose a subscription governed by the same Azure tenant as the Azure Storage resources (such as storage accounts) you want to receive insights for. When you decided on an Azure subscription and resource group for your Storage Discovery workspace, review the following sections to ensure your subscription is prepared. |
| 39 | + |
| 40 | +### Resource provider namespace |
| 41 | + |
| 42 | +Before a service is used for the first time in an Azure subscription, its resource provider namespace must be registered once with the chosen subscription. Azure Storage Discovery has the same requirement. A subscription *Owner* or *Contributor* can perform this action. Performing this registration action before the actual Storage Discovery workspace deployment enables admins with fewer rights to deploy and use the Storage Discovery service. |
| 43 | + |
| 44 | +> [!IMPORTANT] |
| 45 | +> The subscription must be registered with the resource provider namespaces *Microsoft.StorageDiscovery*. |
| 46 | +
|
| 47 | +Register a resource provider: |
| 48 | + |
| 49 | +- [via the Azure portal](../azure-resource-manager/management/resource-providers-and-types.md#azure-portal) |
| 50 | +- [via Azure PowerShell](../azure-resource-manager/management/resource-providers-and-types.md#azure-powershell) |
| 51 | +- [via Azure CLI](../azure-resource-manager/management/resource-providers-and-types.md#azure-cli) |
| 52 | + |
| 53 | +> [!TIP] |
| 54 | +> When you deploy a Storage Discovery workspace as a subscription *Owner* or *Contributor* through the Azure portal, your subscription is automatically registered with this resource provider namespace. You only need to perform the registration manually when using Azure PowerShell or CLI. |
20 | 55 |
|
21 | | -### What This Means for You |
| 56 | +Once a subscription is enabled for this resource provider namespace, it remains enabled until manually unregistered. You can even delete the last Storage Discovery workspace and your subscription still remains enabled. Subsequent Storage Discovery workspace deployments then require reduced permissions from an admin. The following section contains a breakdown of different management scenarios and their required permissions. |
22 | 57 |
|
23 | | -The region where your discovery workspace is deployed determines where the control plane for your discovery experience resides. This includes: |
| 58 | +### Decide on the number of workspaces you need |
24 | 59 |
|
25 | | -- **Latency**: Choosing a region close to your operational base can improve dashboard responsiveness. |
26 | | -- **Compliance**: Some organizations may have regulatory requirements that dictate where data must reside. |
| 60 | +A Storage Discovery workspace needs to be configured with *scopes*. The management components article shares [details about workspace scopes](management-components.md). |
| 61 | +Scopes are logical groups of storage resources. For instance, a scope can refer to all the storage resources of a specific workload or department that you want to get insights for separately. |
27 | 62 |
|
28 | | -### Planning Guidance |
| 63 | +Since you can only configure a limited number of scopes in a workspace, you may need more than one workspace to cover your insights reporting needs. |
29 | 64 |
|
30 | | -When selecting a region for your workspace: |
| 65 | +If a workspace is to be used for higher-level insights, you can create one with one scope for your entire Azure Storage estate and then add scopes for each department. |
| 66 | +If a workspace is designated to provide insights for specific workloads, then you can create a workspace containing a scope for each workload. |
31 | 67 |
|
32 | | -- **Proximity**: Choose a region geographically close to your primary operations or data sources. |
33 | | -- **Compliance**: Ensure the region aligns with your data residency and compliance policies. |
34 | | -- **Preview Availability**: Confirm that the region is supported in the current release phase (e.g., public preview). |
| 68 | +> [!IMPORTANT] |
| 69 | +> During the Azure Storage Discovery preview period, the Discovery service covers only storage accounts located in select regions. <br>The [Understand region limitations](#understand-region-limitations) section in this article has details. |
35 | 70 |
|
36 | | -## Regions for Storage Insights Aggregation |
| 71 | +### Review your Azure resource tags |
37 | 72 |
|
38 | | -While the workspace defines where your Discovery resource resides, the actual data being analyzed comes from storage accounts across multiple regions. |
| 73 | +You can select which storage resources are included in a [workspace scope](management-components.md) by first selecting specific subscriptions or resource groups, and then filtering the storage resources within them by [Azure resource tags](../azure-resource-manager/management/tag-resources.md). |
| 74 | +It's important that you familiarize yourself with the available resource tags on your storage resources. Ensure they're consistently applied and then catalog them for building the scopes in your workspace. Plan the scopes you need in order to have insights available per department, workload, or other grouping you have a use for. |
| 75 | + |
| 76 | +## Select an Azure region for your deployment |
| 77 | + |
| 78 | +When you deploy a Storage Discovery workspace, you need to choose a region. The region you select determines where the computed insights about your Azure Storage resources are stored. You can still capture insights for Azure Storage resources that are located in other regions. A general best practice is to choose the region for your workspace according to metadata residency requirements that apply to you and in closer proximity to your location. Visualizing your insights from a workspace closer to you can have a slight performance advantage. |
| 79 | + |
| 80 | +Storage Discovery workspaces can be created in the following regions. More regions are added throughout the preview period. |
| 81 | + |
| 82 | +[!INCLUDE [control-plane-regions](includes/control-plane-regions.md)] |
| 83 | + |
| 84 | +## Understand region limitations |
| 85 | + |
| 86 | +While a Storage Discovery workspace can cover storage accounts from other subscriptions and resource groups, and even other regions, there's an important region limitation you need to be aware of for a successful Storage Discovery deployment. |
| 87 | + |
| 88 | +The Discovery service covers only storage accounts located in the following regions: |
| 89 | +<br><br> |
39 | 90 | [!INCLUDE [data-plane-regions](includes/data-plane-regions.md)] |
| 91 | +<br> |
| 92 | + |
| 93 | +> [!WARNING] |
| 94 | +> The Discovery service currently can't consider storage accounts located in regions not included in the previously listed locations. Including storage accounts from unsupported regions in a scope can lead to an incomplete set of insights. A short-term limitation of the preview period. |
| 95 | +
|
| 96 | +## Permissions |
| 97 | + |
| 98 | +Permissions are managed via the familiar Azure [Role Based Access Control](../role-based-access-control/overview.md) (RBAC). |
| 99 | +This sections covers: |
| 100 | +* Permission to the storage resources you want to get insights for from the Discovery service. |
| 101 | +* Permission considerations for a workspace resource. |
| 102 | + |
| 103 | +### Permissions to your storage resources |
| 104 | + |
| 105 | +During the creation of a Storage Discovery workspace, you configure the [workspace root](management-components.md). The [management components](management-components.md) article provides more details for this configuration. |
| 106 | +In the workspace root, you list at least one and at most 100 Azure resources of different types: |
| 107 | +- subscriptions |
| 108 | +- resource groups |
| 109 | +- storage accounts |
| 110 | + |
| 111 | +The person deploying the workspace must have at least the RBAC role assignment *Reader* for every resource in the workspace root. |
| 112 | +*Reader* is the minimum permission level required. *Contributor* and *Owner* are also supported. |
| 113 | + |
| 114 | +It's possible that you see a subscription listed in the Azure portal, for which you don't have this direct *Reader* role assignment. When you can see a resource you don't have a role assignment to, then most likely you have permissions to a sub resource in this subscription. In this case, the existence of this "parent" was revealed to you, but you have no rights on the subscription resource itself. This example can be extended to resource groups as well. Missing a *Reader* or higher direct role assignment disqualifies an Azure resource from being the basis (root) of a workspace. |
40 | 115 |
|
41 | | -### What This Means for You |
| 116 | +Permissions are only validated when a workspace is created. Any change to permissions of the Azure account that created the workspace, including its deletion, has no effect on the workspace or the Discovery service functionality. |
42 | 117 |
|
43 | | -This means that even if your workspace is deployed in a limited set of regions, you can still gain visibility into storage accounts located in a broader set of Azure regions. The service collects and aggregates metrics such as: |
| 118 | +### Permission considerations for a workspace resource |
44 | 119 |
|
45 | | -- **Capacity trends** |
46 | | -- **Activity and transaction volumes** |
47 | | -- **Configuration and security settings** |
48 | | -- **Cost and consumption breakdowns** |
| 120 | +The Azure Storage Discovery workspace stores the computed insights for your storage estate. You can access reports in the Azure portal, or use these insights via the Azure Copilot. In order to access insights stored in a workspace, a user must have at least the RBAC role *Reader* on the workspace. *Contributor* and *Owner* role assignments also work. You can provide insights-access to another user by assigning them one of the three previously listed roles on the workspace. |
49 | 121 |
|
50 | | -These insights are then visualized in your Discovery reports, enabling centralized visualization of a globally distributed storage estate. |
51 | 122 |
|
52 | | -## Best Practices for Regional Planning |
| 123 | +|Scenario |Minimal RBAC role assignments needed | |
| 124 | +|:--------|--------------------------------------------------------------------------------:| |
| 125 | +|Register a resource provider namespace with a subscription| Subscription: `Contributor` | |
| 126 | +|Deploy a Storage Discovery workspace <br>*([Resource provider namespace already registered](#resource-provider-namespace))*| Resource group: `Contributor` | |
| 127 | +|Share the Storage Discovery insights with another person | Storage Discovery workspace: `Reader`| |
| 128 | +|Enable a person to make changes to the workspace configuration| Storage Discovery workspace: `Contributor`| |
| 129 | +|Enable a person to share these insights with others | Storage Discovery workspace: `Owner`| |
53 | 130 |
|
54 | | -To maximize the value of Azure Storage Discovery: |
| 131 | +> [!CAUTION] |
| 132 | +> When you provide other users access to a workspace, you're disclosing all insights of the workspace. Other users might not be privileged to know about the existence of the Azure resources or insights about the data they store. Providing access to a workspace doesn't provide access to an individual storage account, resource group, or subscription. Individual resources remain governed by RBAC. |
55 | 133 |
|
56 | | -1. **Deploy your workspace in a supported region**: Ensure your chosen region is enabled for workspace creation. |
57 | | -2. **Define scopes strategically**: Use tenant, subscription, or resource group levels to group storage accounts logically. |
58 | | -3. **Use tags for filtering**: Apply Azure tags to storage accounts to selectively include them in your discovery scope. |
59 | | -4. **Verify access**: Ensure users have Reader access to the ASDW resource to view reports. |
60 | | -5. **Allow time for data to populate**: Metrics typically begin appearing within 24 hours of scope configuration. |
| 134 | +## Next steps |
61 | 135 |
|
62 | | -For questions or feedback, contact the team at [[email protected]](mailto:[email protected]). |
| 136 | +- [Review the Storage Discovery management components](management-components.md) |
| 137 | +- [Understand Storage Discovery pricing](pricing.md) |
| 138 | +- [Create a Storage Discovery workspace](create-workspace.md) |
0 commit comments