Accessing Microsoft Purview Privately

Mohamed Amin

This article describes how to disable public network access and access Microsoft Purview Data Governance through Private endpoints.

To disable public network access, open the Purview account in the Azure Portal, go to Settings > Networking, and choose "Disabled from all networks" under Firewall.

Under "Private endpoint connections", create a new private endpoint and choose "platform" as the target sub-resource.
Make sure the private endpoint is created in a virtual network that your users can reach through AVD, a VPN, or ExpressRoute.

You will need to register this private endpoint with a Private DNS Zone for Purview. You can choose to do so during the endpoint creation.

Alternatively, you can create the Purview Private DNS zone separately and manually add DNS entries for the following FQDNs, pointing to the private IP of the platform endpoint.

api.privatelink.purview-service.microsoft.com

<tenant-id>-api.privatelink.purview-service...

Trying to access Purview over the public internet will load the UI, but the data governance apps will not load. An error will indicate that some apps are behind a private endpoint and could not be loaded.

Accessing Purview from a source with private connectivity to Purview will work fine.

To verify that DNS is properly configured, run

Resolve-DnsName <tenant-id>-api.purview-service.microsoft.com

The result should include a CNAME that points to <tenant-id>-api.privatelink.api.purview-service.microsoft.com and resolves to the private IP of the private endpoint.
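As an added example (not from the original post), the following PowerShell script automates the check above: it resolves the platform FQDN, confirms the answer chain passes through a privatelink CNAME, and confirms the A record is an RFC 1918 address rather than a public one. The tenant id is passed as a parameter, and the script assumes it is run from a host with private connectivity so the Private DNS zone applies.

```powershell
# Added example, not part of the original post.
# Assumes: run on a host with line of sight to the VNet (AVD/VPN/ExpressRoute),
# so that the Purview Private DNS zone is what answers the query.
param(
    [Parameter(Mandatory = $true)][string]$TenantId
)

function Test-PrivateIPv4 {
    # Returns $true when the address falls in an RFC 1918 range (10/8, 172.16/12, 192.168/16).
    param([string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# Platform endpoint FQDN as described in the post, with the tenant id filled in.
$fqdn = "$TenantId-api.purview-service.microsoft.com"
$records = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop

$cnames   = $records | Where-Object { $_.QueryType -eq 'CNAME' }
$aRecords = $records | Where-Object { $_.QueryType -eq 'A' }

# The chain should go through the privatelink zone; if it does not, the
# Private DNS zone is not linked to the VNet this host resolves through.
$viaPrivateLink = $cnames | Where-Object { $_.NameHost -like '*privatelink*' }
if (-not $viaPrivateLink) {
    Write-Warning "No privatelink CNAME in the chain for $fqdn; the Private DNS zone is not in use from this host."
} else {
    $viaPrivateLink | ForEach-Object { Write-Host "$($_.Name) -> CNAME $($_.NameHost)" }
}

# The final answer must be the private endpoint's IP, not a public address.
foreach ($a in $aRecords) {
    if (Test-PrivateIPv4 $a.IPAddress) {
        Write-Host "$fqdn -> $($a.IPAddress) (private endpoint IP)"
    } else {
        Write-Warning "$fqdn -> $($a.IPAddress) is a public address; traffic would bypass the private endpoint."
    }
}
```

Run it with `.\Test-PurviewDns.ps1 -TenantId <tenant-id>` from a client on the VNet and again from a client without private connectivity to confirm that only the former reaches the private IP.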
