How To Implement A Data Governance Program With Azure Purview

How to Implement a Data Governance Program with Microsoft Purview

Microsoft Purview (formerly Azure Purview) is Microsoft's unified data governance platform. It scans, classifies, and catalogs data across Azure, on-premises, and multi-cloud sources. This guide covers how to set up a Purview account, configure data scans, build a data catalog, and map data lineage for HIPAA, GDPR, and SOC 2 compliance. See related guidance on enterprise AI governance and Microsoft 365 Compliance Center.

Key facts

• Purview connects to 100+ data source types: Azure, on-premises SQL Server, AWS S3, GCP BigQuery, Salesforce, and more.
• Built-in classification detects 200+ sensitive data types — SSNs, credit card numbers, medical record numbers, passports, and custom patterns.
• Data lineage maps data flow from source to transformation to destination across Azure Data Factory, Synapse, and Power BI.
• Purview Compliance Portal (now part of Microsoft Purview) covers DLP, eDiscovery, and retention policy management.
• EPC Group: 29 years of Microsoft consulting, 10,000+ deployments, Microsoft Solutions Partner (core designations).

Step 1 — Create a Microsoft Purview account

1. Open the Azure portal → search "Microsoft Purview" → Create.
2. Select your subscription, resource group, and region. Use a region that matches your primary data residency requirement.
3. Name the account and click Review + Create.
4. Open the Purview Governance Portal at https://purview.microsoft.com once provisioning completes.

Assign roles in the Access Control blade: Data Reader, Data Curator, or Collection Admin depending on user responsibilities.

Step 2 — Register and scan data sources

Register each data source in Purview before scanning. Registration creates a logical entry — scanning populates the catalog.

Supported source categories

• Azure sources — SQL Database, Synapse Analytics, Azure Storage (Blob/ADLS Gen2), Cosmos DB, Key Vault.
• On-premises — SQL Server, Oracle, SAP HANA, Teradata, MySQL, PostgreSQL (requires self-hosted integration runtime).
• Multi-cloud — AWS S3, AWS Glue, AWS Redshift, GCP BigQuery, GCP Cloud Storage.
• SaaS — Power BI, Salesforce, SAP ERP, Dynamics 365.
• File-based — ADLS Gen2 file shares, Azure Blob Storage containers.

Run a scan

1. In Purview Studio, go to Data Map → Sources → select a registered source.
2. Click New scan. Choose the scan scope (full or incremental).
3. Select a scan ruleset — use the default system ruleset or create a custom one for your sensitive data types.
4. Set the scan trigger: manual, daily, weekly, or monthly.
5. Run the scan and monitor status in the Scan runs view.

Step 3 — Build your data catalog

After scanning, assets appear in the Purview Data Catalog. Enrich them with business metadata.

• Business glossary — define canonical terms (e.g., "Revenue" = net of returns, before tax). Link glossary terms to catalog assets so business and technical users share a common vocabulary.
• Asset descriptions — add plain-English descriptions to tables, columns, and datasets. Purview Copilot can draft these from schema and sample data.
• Classification labels — Purview auto-applies sensitivity labels based on detected data types. Review and correct classification accuracy after the first scan.
• Data stewardship — assign a data steward to each critical asset. The steward approves access requests and maintains metadata quality.
• Collections — organize assets into collections by business domain (Finance, HR, Operations). Apply role-based access at the collection level.

Step 4 — Map data lineage

Purview lineage shows how data flows through your organization — from source to destination.

• Azure Data Factory — ADF pipelines report lineage automatically when Purview integration is enabled.
• Azure Synapse — Synapse Analytics pipelines and SQL scripts push lineage events to Purview.
• Power BI — Purview maps Power BI dataset sources, report dependencies, and sensitivity label propagation.
• Manual lineage — for sources without native integration, add lineage manually in Purview Studio or via the Atlas API.

Step 5 — Compliance and sensitivity label integration

Purview integrates with Microsoft 365 sensitivity labels for end-to-end data protection.

• Enable sensitivity label inheritance so Purview applies labels from classified assets to downstream Power BI reports and SharePoint documents.
• Configure DLP policies in the Purview Compliance Portal to block sharing of classified content based on label.
• Use Purview Insights dashboards to report label coverage, scan results, and sensitive data exposure by source and collection.

Compliance alignment

• HIPAA — auto-detect PHI (medical record numbers, SSNs, diagnosis codes) and apply Highly Confidential labels with access restrictions.
• GDPR — identify EU personal data across all sources. Use data subject request workflows in Purview for Article 17 deletion rights.
• SOC 2 — Purview audit trails document data access and classification actions for Security and Availability criteria evidence.
• CCPA — locate California resident personal data. Purview's search enables data subject requests at scale.

Frequently asked questions

What is the difference between Microsoft Purview and Azure Purview?

Microsoft Purview is the unified brand (since 2022). It combines the former Azure Purview (data governance) with Microsoft 365 Compliance Center features (DLP, eDiscovery, information protection). Both sets of features now appear in the same portal at purview.microsoft.com.

How much does Microsoft Purview cost?

Pricing has two components: the Purview account (charged by data map capacity units) and scan usage (charged per vCore-hour). Small organizations with under 5 TB of scanned data typically spend $500–$2,000/month. Larger estates with multi-cloud scans run $5,000–$20,000/month. EPC Group provides detailed cost estimates before engagement.

Does Purview work with non-Microsoft data sources?

Yes. Purview scans AWS S3, GCP BigQuery, Oracle, Teradata, Salesforce, SAP, and many others. On-premises and multi-cloud sources need the self-hosted integration runtime installed in your environment.

How accurate is automatic data classification?

Purview's built-in classifiers are trained on common sensitive data patterns (SSN, credit card, passport). Accuracy is typically 85–95% for standard patterns. Custom classifiers trained on your organization's specific data formats improve accuracy for industry-specific data types.

How long does a full Purview implementation take?

A standard implementation — account setup, source registration, initial scans, business glossary, and sensitivity label integration — takes 6–10 weeks for a mid-size organization. Enterprise implementations with 50+ data sources and compliance mapping take 12–20 weeks.

Start your Purview governance implementation

EPC Group implements Microsoft Purview for regulated industries — healthcare, financial services, and government. Call (888) 381-9725 or request a 30-minute discovery call.