Currently, access controls (e.g., data curator) have tenant-level scope. We would like to be able to control access more granularly (e.g., by subscription). How far out is this capability? Two use cases of interest are outlined below:
Use case 1: Data curator or data source administrator permissions granted for a specific management group or subscription
Use case 2: Marking a management group or subscription as confidential so Purview would not see / share its metadata
By default, the creator of the Azure Purview account gets full admin access (per the documentation: "The principal who created a Purview account is automatically given all data plane permissions regardless of what data plane roles they may or may not be in").
In cases where Azure administration is performed by a separate infrastructure team, it's important to ensure separation of duties such that the infrastructure team member who created the Azure Purview account cannot also access the data sources.
2 votes
In order to perform a PoC, run tests, and experiment with the product and show its features, there should be an option on the resource to put it in a paused or stopped state, as for a Data Warehouse or Data Explorer cluster. This would make it possible to save costs for a resource that is not being used, for test purposes, without deleting it and recreating everything from scratch. Another alternative would be to create a very low budget instance just for devs.
1 vote