
Contents

Data Catalog Documentation


Overview
What is Data Catalog?
Common scenarios
Supported data sources
Get Started
Get started with Azure Data Catalog
Adopting Azure Data Catalog
Prerequisites
FAQ
How To
Register data sources
Discover data sources
Annotate data sources
Document data sources
Connect to data sources
Work with big data sources
Data profile data sources
Manage data assets
Save searches and pin data assets
Set up the business glossary
Secure access to data catalog
View related data assets
Reference
Code samples
REST
Search syntax reference
Developer concepts
Resources
Azure Roadmap
Keyboard shortcuts for Azure Data Catalog
MSDN forum
Pricing
Pricing calculator
Release notes
Service updates
Stack Overflow
Terminology
Learn how to use Data Catalog to help your organization and team discover, understand, and consume your data sources.
Tutorials, REST API reference, and other documentation show you how to plan and set up your data repository where data
consumers can discover available data sources and gain knowledge contributed by subject matter experts.

What is Azure Data Catalog?
8/27/2018 • 4 minutes to read

Azure Data Catalog is a fully managed cloud service whose users can discover the data sources they need and
understand the data sources they find. At the same time, Data Catalog helps organizations get more value from
their existing investments.
With Data Catalog, any user (analyst, data scientist, or developer) can discover, understand, and consume data
sources. Data Catalog includes a crowdsourcing model of metadata and annotations. It is a single, central place for
all of an organization's users to contribute their knowledge and build a community and culture of data.

Discovery challenges for data consumers


Traditionally, discovering enterprise data sources has been an organic process based on tribal knowledge. For
companies that want to get the most value from their information assets, this approach presents numerous
challenges:
Users might not be aware that a data source exists unless they come into contact with it as part of another
process. There is no central location where data sources are registered.
Unless users know the location of a data source, they cannot connect to the data by using a client application.
Data-consumption experiences require users to know the connection string or path.
Unless users know the location of a data source's documentation, they cannot understand the intended uses of
the data. Data sources and documentation might live in a variety of places and be consumed through a variety
of experiences.
If users have questions about an information asset, they must locate the expert or team that's responsible for
the data and engage them offline. There is no explicit connection between data and those with expert
perspectives on its use.
Unless users understand the process for requesting access to the data source, discovering the data source and
its documentation still does not help them access the data.

Discovery challenges for data producers


Although data consumers face the previously mentioned challenges, users who are responsible for producing and
maintaining information assets face challenges of their own:
Annotating data sources with descriptive metadata is often a lost effort. Client applications typically ignore
descriptions that are stored in the data source.
Creating documentation for data sources is often a lost effort. Keeping documentation in sync with data sources
is an ongoing responsibility, and users might lack trust in documentation that's perceived as being out of date.
Creating and maintaining documentation for data sources is complex and time-consuming. Making that
documentation readily available to everyone who uses the data source can be even more so.
Restricting access to data sources and ensuring that data consumers know how to request access is an ongoing
challenge.
When such challenges are combined, they present a significant barrier for companies that want to encourage and
promote the use and understanding of enterprise data.

Azure Data Catalog can help


Data Catalog is designed to address these problems and to help enterprises get the most value from their existing
information assets. Data Catalog makes data sources easily discoverable and understandable by the users who
manage the data.
Data Catalog provides a cloud-based service into which a data source can be registered. The data remains in its
existing location, but a copy of its metadata is added to Data Catalog, along with a reference to the data-source
location. The metadata is also indexed to make each data source easily discoverable via search and understandable
to the users who discover it.
After a data source has been registered, its metadata can then be enriched, either by the user who registered it or
by other users in the enterprise. Any user can annotate a data source by providing descriptions, tags, or other
metadata, such as documentation and processes for requesting data source access. This descriptive metadata
supplements the structural metadata (such as column names and data types) that's registered from the data
source.
Discovering and understanding data sources and their use is the primary purpose of registering the sources.
Enterprise users might need data for business intelligence, application development, data science, or any other task
where the right data is required. They can use the Data Catalog discovery experience to quickly find data that
matches their needs, understand the data to evaluate its fitness for the purpose, and consume the data by opening
the data source in their tool of choice.
At the same time, users can contribute to the catalog by tagging, documenting, and annotating data sources that
have already been registered. They can also register new data sources, which can then be discovered, understood,
and consumed by the community of catalog users.

Learn more about Data Catalog


To learn more about the capabilities of Data Catalog, see:
How to register data sources
How to discover data sources
How to annotate data sources
How to document data sources
How to connect to data sources
How to work with big data
How to manage data assets
How to set up the Business Glossary
Frequently asked questions

Next steps
To get started with Data Catalog, go to:
Microsoft Azure Data Catalog
Get started with Azure Data Catalog
Azure Data Catalog common scenarios
8/27/2018 • 5 minutes to read

This article presents common scenarios where Azure Data Catalog can help your organization get more value
from its existing data sources.

Scenario 1: Registration of central data sources


Organizations often have many high-value data sources. These data sources include line-of-business, online
transaction processing (OLTP) systems, data warehouses, and business intelligence/analytics databases. The
number of systems, and the overlap between them, typically grows over time as business needs evolve and the
business itself evolves through, for example, mergers and acquisitions.
It can be difficult for organization members to know where to locate the data within these data sources. Questions
like the following are all too common:
Of the three HR systems used within the company, which should I use to create this type of report?
Where should I go to get the certified sales numbers for the fiscal year that just ended?
Who should I ask, or what is the process I should use to get access to the data warehouse?
I don’t know if these numbers are right. Who can I ask for insight on how this data is supposed to be used
before I share this dashboard with my team?
To these and other questions, Azure Data Catalog can provide answers. The central, high-value, IT-managed data
sources that are used across organizations are often the logical starting point for populating the catalog. Although
any user can register a data source, having the catalog kick-started with the data sources that are most likely to
provide value to the largest number of users helps drive adoption and use of the system.
If you are getting started with Azure Data Catalog, identifying and registering key data sources that are used by
many different teams of data consumers can be your first step to success.
This scenario also presents an opportunity to annotate the high-value data sources to make them easier to
understand and access. One key aspect of this effort is to include information on how users can request access to
the data source. With Azure Data Catalog, you can provide the email address of the user or team that's responsible
for controlling data-source access, links to existing tools or documentation, or free text that describes the access-
request process. This information helps members who discover registered data sources but who do not yet have
permissions to access the data to easily request access by using the processes that are defined and controlled by
the data-source owners.

Scenario 2: Self-service business intelligence


Although traditional corporate business-intelligence solutions continue to be an invaluable part of many
organizations’ data landscapes, the changing pace of business has made self-service BI more and more important.
By using self-service BI, information workers and analysts can create their own reports, workbooks, and
dashboards without relying on a central IT team or being restricted by that IT team’s schedule and availability.
In self-service BI scenarios, users commonly combine data from multiple sources, many of which might not have
previously been used for BI and analysis. Although some of these data sources might already be known, it can be
challenging to discover what to do to locate and evaluate potential data sources for a given task.
Traditionally, this discovery process is a manual one: analysts use their peer network connections to identify others
who work with the data being sought. After a data source is found and used, the process repeats itself again for
each subsequent self-service BI effort, with multiple users performing a redundant manual process of discovery.
With Azure Data Catalog, your organization can break this cycle of effort. After discovering a data source through
traditional means, an analyst can register it to make it more easily discoverable by other users in the future.
Although the analyst can add more value by annotating the registered data assets, this annotation does not need to
take place at the same time as registration. Users can contribute over time, as their schedules permit, gradually
adding value to the data sources registered in the catalog.
This organic growth of the catalog content is a natural complement to the up-front registration of central data
sources. Pre-populating the catalog with data that many users will need can be a motivator for initial use and
discovery. Enabling users to register and annotate additional sources can be a way to keep them and other
organization members engaged.
It’s worth noting that although this scenario focuses specifically on self-service BI, the same patterns and
challenges apply to large-scale corporate BI projects as well. By using Data Catalog, your organization can improve
any effort that involves a manual process of data-source discovery.

Scenario 3: Capturing tribal knowledge


How do you know what data you need to do your job, and where to find that data?
If you’ve been in your job for a while, you probably just know. You’ve gone through a gradual learning process, and
over time have learned about the data sources that are key to your day-to-day work.
When a new employee joins your team, how does that person know what data is required for the job, and where to
find it?
Odds are, the new person comes to you with these questions.
This ongoing transfer of tribal knowledge is part of the data-source discovery process in organizations large and
small. More senior and experienced team members have built up knowledge over the years, and newer team
members have learned to ask them when they have questions. The most vital information often exists only in the
heads of a few key people, and when those people are on vacation or leave the team, the organization suffers.
Data experts ordinarily make an effort to document their knowledge, sharing it via email or in Word documents on
a team SharePoint site. Although this approach can be valuable, it introduces a new discovery problem: how do
people know what documentation exists, and where to find it?
With Azure Data Catalog, your organization has a single, central location for storing and sharing this tribal
knowledge, and for making it easily discoverable. In Data Catalog, your data experts can annotate data assets
directly and provide links to existing documentation. When organization members use the catalog to discover a
data source, they'll find not only the source itself, but also the knowledge that previously existed only in the minds
of your organization's experts.
Supported data sources in Azure Data Catalog
8/27/2018 • 8 minutes to read

You can publish metadata by using a public API or a click-once registration tool, or by manually entering
information directly to the Azure Data Catalog web portal. The following table summarizes all data sources that
are supported by the catalog today, and the publishing capabilities for each. Also listed are the external data tools
that each data source can launch from our portal "open-in" experience. The second table contains a more technical
specification of each data-source connection property.

List of supported data sources


| Data source object | API | Manual entry | Registration tool | Open-in tools | Notes |
|---|---|---|---|---|---|
| Azure Data Lake Store directory | ✓ | ✓ | ✓ | | |
| Azure Data Lake Store file | ✓ | ✓ | ✓ | | |
| Azure Blob storage | ✓ | ✓ | ✓ | Power BI Desktop | |
| Azure Storage directory | ✓ | ✓ | ✓ | Power BI Desktop | |
| Azure Storage table | ✓ | ✓ | ✓ | | |
| HDFS directory | ✓ | ✓ | ✓ | | |
| HDFS file | ✓ | ✓ | ✓ | | |
| Hive table | ✓ | ✓ | ✓ | Excel | |
| Hive view | ✓ | ✓ | ✓ | Excel | |
| MySQL table | ✓ | ✓ | ✓ | Excel, Power BI Desktop | |
| MySQL view | ✓ | ✓ | ✓ | Excel, Power BI Desktop | |
| Oracle Database table | ✓ | ✓ | ✓ | Excel, Power BI Desktop | |
| Oracle Database view | ✓ | ✓ | ✓ | Excel, Power BI Desktop | |
| Other (generic asset) | ✓ | ✓ | | | |
| Azure SQL Data Warehouse table | ✓ | ✓ | ✓ | Excel, Power BI Desktop, SQL Server data tools | |
| SQL Data Warehouse view | ✓ | ✓ | ✓ | Excel, Power BI Desktop, SQL Server data tools | |
| SQL Server Analysis Services dimension | ✓ | ✓ | ✓ | Excel, Power BI Desktop | |
| SQL Server Analysis Services KPI | ✓ | ✓ | ✓ | Excel, Power BI Desktop | |
| SQL Server Analysis Services measure | ✓ | ✓ | ✓ | Excel, Power BI Desktop | |
| SQL Server Analysis Services table | ✓ | ✓ | ✓ | Excel, Power BI Desktop | |
| SQL Server Reporting Services report | ✓ | ✓ | ✓ | Browser | Native mode servers only. SharePoint mode is not supported. |
| SQL Server table | ✓ | ✓ | ✓ | Excel, Power BI Desktop, SQL Server data tools | |
| SQL Server view | ✓ | ✓ | ✓ | Excel, Power BI Desktop, SQL Server data tools | |
| Teradata table | ✓ | ✓ | ✓ | Excel | |
| Teradata view | ✓ | ✓ | ✓ | Excel | |
| SAP HANA view | ✓ | ✓ | ✓ | Power BI Desktop | |
| DB2 table | ✓ | ✓ | ✓ | | |
| DB2 view | ✓ | ✓ | ✓ | | |
| File system file | ✓ | | | | |
| FTP directory | ✓ | ✓ | ✓ | | |
| FTP file | ✓ | ✓ | ✓ | | |
| HTTP report | ✓ | | | | |
| HTTP endpoint | ✓ | | | | |
| HTTP file | ✓ | | | | |
| OData entity set | ✓ | | | | |
| OData function | ✓ | | | | |
| PostgreSQL table | ✓ | ✓ | ✓ | | |
| PostgreSQL view | ✓ | ✓ | ✓ | | |
| SAP HANA view | ✓ | | | | |
| Salesforce object | ✓ | ✓ | ✓ | | |
| SharePoint list | ✓ | | | | |
| Azure Cosmos DB collection | ✓ | ✓ | ✓ | | |
| Generic ODBC table | ✓ | ✓ | ✓ | | |
| Generic ODBC view | ✓ | ✓ | ✓ | | |
| Cassandra table | ✓ | ✓ | ✓ | | Publish as a generic ODBC asset |
| Cassandra view | ✓ | ✓ | ✓ | | Publish as a generic ODBC asset |
| Sybase table | ✓ | ✓ | ✓ | | |
| Sybase view | ✓ | ✓ | ✓ | | |
| MongoDB table | ✓ | ✓ | ✓ | | Publish as a generic ODBC asset |
| MongoDB view | ✓ | ✓ | ✓ | | Publish as a generic ODBC asset |

If you want to see a specific data source supported, suggest it (or voice your support if it has already been
suggested) by going to the Data Catalog on the Azure Feedback Forums.

Data-source reference specification


NOTE
The DSL structure column in the following table lists only the connection properties in the "address" property bag that
are used by Azure Data Catalog. That is, the "address" property bag can contain other connection properties of the data
source, which Azure Data Catalog persists but does not use.

| Source type | Asset type | Object types | DSL structure |
|---|---|---|---|
| Azure Data Lake Store | Container | Data Lake | Protocol: webhdfs; Authentication: {basic, oauth}; Address: url |
| Azure Data Lake Store | Table | Directory, file | Protocol: webhdfs; Authentication: {basic, oauth}; Address: url |
| Azure Storage | Container | Container | Protocol: azure-blobs; Authentication: {azure-access-key}; Address: domain, account, container |
| Azure Storage | Table | Blob, directory | Protocol: azure-blobs; Authentication: {azure-access-key}; Address: domain, account, container, name |
| Azure Storage | Container | Container | Protocol: azure-tables; Authentication: {azure-access-key}; Address: domain, account |
| Azure Storage | Table | Table | Protocol: azure-tables; Authentication: {azure-access-key}; Address: domain, account, name |
| Cosmos | Container | Virtual cluster | Protocol: cosmos; Authentication: {basic, windows}; Address: url |
| Cosmos | Table | Stream, stream set, view | Protocol: cosmos; Authentication: {basic, windows}; Address: url |
| Datazen | Container | Site | Protocol: http; Authentication: {none, basic, windows, oauth}; Address: url |
| Datazen | Report | Report, dashboard | Protocol: http; Authentication: {none, basic, windows, oauth}; Address: url |
| DB2 | Container | Database | Protocol: db2; Authentication: {basic, windows}; Address: server, database |
| DB2 | Table | Table, view | Protocol: db2; Authentication: {basic, windows}; Address: server, database, object, schema |
| File system | Table | File | Protocol: file; Authentication: {none, basic, windows}; Address: path |
| FTP | Table | Directory, file | Protocol: ftp; Authentication: {none, basic, windows}; Address: url |
| Hadoop Distributed File System | Container | Cluster | Protocol: webhdfs; Authentication: {basic, oauth}; Address: url |
| Hadoop Distributed File System | Table | Directory, file | Protocol: webhdfs; Authentication: {basic, oauth}; Address: url |
| Hive | Container | Database | Protocol: hive; Authentication: {HDInsight, basic, username, none}; Address: server, database; connectionProperties: serverProtocol: {hive2} |
| Hive | Table | Table, view | Protocol: hive; Authentication: {HDInsight, basic, username, none}; Address: server, database, object; connectionProperties: serverProtocol: {hive2} |
| HTTP | Container | Site | Protocol: http; Authentication: {none, basic, windows, oauth}; Address: url |
| HTTP | Report | Report, dashboard | Protocol: http; Authentication: {none, basic, windows, oauth}; Address: url |
| HTTP | Table | Endpoint, file | Protocol: http; Authentication: {none, basic, windows, oauth}; Address: url |
| MySQL | Container | Database | Protocol: mysql; Authentication: {protocol, windows}; Address: server, database |
| MySQL | Table | Table, view | Protocol: mysql; Authentication: {protocol, windows}; Address: server, database, object |
| OData | Container | Entity container | Protocol: odata; Authentication: {none, basic, windows}; Address: url |
| OData | Table | Entity set, function | Protocol: odata; Authentication: {none, basic, windows}; Address: url, resource |
| Oracle Database | Container | Database | Protocol: oracle; Authentication: {protocol, windows}; Address: server, database |
| Oracle Database | Table | Table, view | Protocol: oracle; Authentication: {protocol, windows}; Address: server, database, schema, object |
| PostgreSQL | Container | Database | Protocol: postgresql; Authentication: {basic, windows}; Address: server, database |
| PostgreSQL | Table | Table, view | Protocol: postgresql; Authentication: {basic, windows}; Address: server, database, schema, object |
| Power BI Desktop | Container | Site | Protocol: http; Authentication: {none, basic, windows, oauth}; Address: url |
| Power BI Desktop | Report | Report, dashboard | Protocol: http; Authentication: {none, basic, windows, oauth}; Address: url |
| Power Query | Table | Data mashup | Protocol: power-query; Authentication: {oauth}; Address: url |
| Salesforce | Table | Object | Protocol: salesforce-com; Authentication: {basic, windows}; Address: loginServer, class, itemName |
| SAP HANA | Container | Server | Protocol: sap-hana-sql; Authentication: {protocol, windows}; Address: server |
| SAP HANA | Table | View | Protocol: sap-hana-sql; Authentication: {protocol, windows}; Address: server, schema, object |
| SharePoint | Table | List | Protocol: sharepoint-list; Authentication: {basic, windows}; Address: url |
| SQL Data Warehouse | Command | Stored procedure | Protocol: tds; Authentication: {protocol, windows}; Address: server, database, schema, object |
| SQL Data Warehouse | TableValuedFunction | Table-valued function | Protocol: tds; Authentication: {protocol, windows}; Address: server, database, schema, object |
| SQL Data Warehouse | Container | Database | Protocol: tds; Authentication: {protocol, windows}; Address: server, database |
| SQL Data Warehouse | Table | Table, view | Protocol: tds; Authentication: {protocol, windows}; Address: server, database, schema, object |
| SQL Server | Command | Stored procedure | Protocol: tds; Authentication: {protocol, windows}; Address: server, database, schema, object |
| SQL Server | TableValuedFunction | Table-valued function | Protocol: tds; Authentication: {protocol, windows}; Address: server, database, schema, object |
| SQL Server | Container | Database | Protocol: tds; Authentication: {protocol, windows}; Address: server, database |
| SQL Server | Table | Table, view | Protocol: tds; Authentication: {protocol, windows}; Address: server, database, schema, object |
| SQL Server Analysis Services multidimensional | Container | Model | Protocol: analysis-services; Authentication: {windows, basic, anonymous, none}; Address: server, database, model |
| SQL Server Analysis Services multidimensional | KPI | KPI | Protocol: analysis-services; Authentication: {windows, basic, anonymous, none}; Address: server, database, model, object; objectType: {KPI} |
| SQL Server Analysis Services multidimensional | Measure | Measure | Protocol: analysis-services; Authentication: {windows, basic, anonymous, none}; Address: server, database, model, object; objectType: {Measure} |
| SQL Server Analysis Services multidimensional | Table | Dimension | Protocol: analysis-services; Authentication: {windows, basic, anonymous, none}; Address: server, database, model, object; objectType: {Dimension} |
| SQL Server Analysis Services tabular | Container | Model | Protocol: analysis-services; Authentication: {windows, basic, anonymous, none}; Address: server, database, model |
| SQL Server Analysis Services tabular | KPI | KPI | Protocol: analysis-services; Authentication: {windows, basic, anonymous, none}; Address: server, database, model, object; objectType: {KPI} |
| SQL Server Analysis Services tabular | Measure | Measure | Protocol: analysis-services; Authentication: {windows, basic, anonymous, none}; Address: server, database, model, object; objectType: {Measure} |
| SQL Server Analysis Services tabular | Table | Table | Protocol: analysis-services; Authentication: {windows, basic, anonymous, none}; Address: server, database, model, object; objectType: {Table} |
| SQL Server Reporting Services | Container | Server | Protocol: reporting-services; Authentication: {windows}; Address: server; version: {ReportingService2010} |
| SQL Server Reporting Services | Report | Report | Protocol: reporting-services; Authentication: {windows}; Address: server, path; version: {ReportingService2010} |
| Teradata | Container | Database | Protocol: teradata; Authentication: {protocol, windows}; Address: server, database |
| Teradata | Table | Table, view | Protocol: teradata; Authentication: {protocol, windows}; Address: server, database, object |
| SQL Server Master Data Services | Container | Model | Protocol: mssql-mds; Authentication: {windows}; Address: url, model, version |
| SQL Server Master Data Services | Table | Entity | Protocol: mssql-mds; Authentication: {windows}; Address: url, model, version, entity |
| Azure Cosmos DB | Container | Database | Protocol: document-db; Authentication: {azure-access-key}; Address: url, database |
| Azure Cosmos DB | Collection | Collection | Protocol: document-db; Authentication: {azure-access-key}; Address: url, database, collection |
| Generic ODBC | Container | Database | Protocol: odbc; Authentication: {basic, windows}; Address: options, database |
| Generic ODBC | Table | Table, View | Protocol: odbc; Authentication: {basic, windows}; Address: options, database, object, schema |
| Sybase | Container | Database | Protocol: sybase; Authentication: {basic, windows}; Address: server, database |
| Sybase | Table | Table, View | Protocol: sybase; Authentication: {basic, windows}; Address: server, database, schema, object |
| Other (none of the above) | ✱ | ✱ | Protocol: generic-asset; Address: assetId |

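Because Data Catalog persists "address" properties it does not use, anything extra placed in that bag (a full connection string with a password, for instance) becomes catalog metadata. The following added example, which is not part of this documentation or of the Data Catalog product, checks a candidate `dsl` block against a hand-built subset of the reference table above: it rejects an authentication value the table does not list for the protocol, flags address keys the catalog would persist but never use, and flags values that look like credentials. The sample blocks, hostnames and `<placeholder>` password are constructed for the example.

```python
import re

# Subset of the reference table on this page, keyed by protocol. For each
# protocol: the authentication values the table allows and the "address"
# keys Data Catalog actually uses. Built from the page's table by hand; it
# is not a Data Catalog client library.
DSL_REFERENCE = {
    "tds": {"auth": {"protocol", "windows"},
            "address": {"server", "database", "schema", "object"}},
    "azure-blobs": {"auth": {"azure-access-key"},
                    "address": {"domain", "account", "container", "name"}},
    "webhdfs": {"auth": {"basic", "oauth"}, "address": {"url"}},
    "hive": {"auth": {"HDInsight", "basic", "username", "none"},
             "address": {"server", "database", "object"}},
    "odbc": {"auth": {"basic", "windows"},
             "address": {"options", "database", "object", "schema"}},
    "generic-asset": {"auth": set(), "address": {"assetId"}},
}

# Heuristics for a credential pasted into the address bag: either the key
# name itself, or a "Password=" style fragment inside a value such as an
# ODBC options string.
SECRET_KEY_RE = re.compile(r"password|pwd|secret|token|accesskey|apikey", re.I)
SECRET_VALUE_RE = re.compile(
    r"(password|pwd|accountkey|sharedaccesssignature)\s*=", re.I)


def check_dsl(dsl):
    """Return a list of findings for one dsl block; an empty list means clean."""
    findings = []
    protocol = dsl.get("protocol")
    ref = DSL_REFERENCE.get(protocol)
    if ref is None:
        return [f"unknown protocol {protocol!r}"]

    auth = dsl.get("authentication")
    if ref["auth"] and auth not in ref["auth"]:
        findings.append(
            f"authentication {auth!r} is not valid for {protocol}; "
            f"expected one of {sorted(ref['auth'])}")

    address = dsl.get("address", {})
    for key, value in address.items():
        if key not in ref["address"]:
            # The catalog stores this key even though it never uses it.
            findings.append(
                f"address key {key!r} is not used for {protocol} "
                f"but would be persisted as catalog metadata")
        if SECRET_KEY_RE.search(key) or (
                isinstance(value, str) and SECRET_VALUE_RE.search(value)):
            findings.append(f"address key {key!r} appears to carry a credential")
    return findings


# Constructed sample dsl blocks (hostnames and the password are placeholders).
CLEAN_SQL_TABLE = {
    "protocol": "tds",
    "authentication": "windows",
    "address": {"server": "sql.example.test", "database": "AdventureWorks2014",
                "schema": "Production", "object": "Product"},
}

LEAKY_SQL_TABLE = {
    "protocol": "tds",
    "authentication": "windows",
    "address": {"server": "sql.example.test", "database": "AdventureWorks2014",
                "schema": "Production", "object": "Product",
                # An extra, unused key carrying a full connection string.
                "connectionString": "Server=sql.example.test;Database=AdventureWorks2014;"
                                    "User Id=reader;Password=<placeholder>"},
}

ODBC_WITH_PWD = {
    "protocol": "odbc",
    "authentication": "basic",
    "address": {"options": "DSN=sales;UID=reader;PWD=<placeholder>",
                "database": "sales"},
}

BAD_AUTH_HDFS = {
    "protocol": "webhdfs",
    "authentication": "windows",
    "address": {"url": "https://hdfs.example.test/webhdfs/v1/"},
}

if __name__ == "__main__":
    for name, dsl in [("clean", CLEAN_SQL_TABLE), ("leaky", LEAKY_SQL_TABLE),
                      ("odbc", ODBC_WITH_PWD), ("bad-auth", BAD_AUTH_HDFS)]:
        print(name, check_dsl(dsl) or "ok")
```

Extend `DSL_REFERENCE` with the remaining protocols from the table before using this on a real registration batch.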
Get started with Azure Data Catalog
8/27/2018 • 18 minutes to read

Azure Data Catalog is a fully managed cloud service that serves as a system of registration and system of
discovery for enterprise data assets. For a detailed overview, see What is Azure Data Catalog.
This tutorial helps you get started with Azure Data Catalog. You perform the following procedures in this
tutorial:

| PROCEDURE | DESCRIPTION |
|---|---|
| Provision data catalog | In this procedure, you provision or set up Azure Data Catalog. You do this step only if the catalog has not been set up before. You can have only one data catalog per organization (Microsoft Azure Active Directory domain) even though there are multiple subscriptions associated with your Azure account. |
| Register data assets | In this procedure, you register data assets from the AdventureWorks2014 sample database with the data catalog. Registration is the process of extracting key structural metadata such as names, types, and locations from the data source and copying that metadata to the catalog. The data source and data assets remain where they are, but the metadata is used by the catalog to make them more easily discoverable and understandable. |
| Discover data assets | In this procedure, you use the Azure Data Catalog portal to discover data assets that were registered in the previous step. After a data source has been registered with Azure Data Catalog, its metadata is indexed by the service so that users can easily search for the data they need. |
| Annotate data assets | In this procedure, you provide annotations (information such as descriptions, tags, documentation, or experts) for the data assets. This information supplements the metadata extracted from the data source and makes the data source more understandable to more people. |
| Connect to data assets | In this procedure, you open data assets in integrated client tools (such as Excel and SQL Server Data Tools) and a non-integrated tool (SQL Server Management Studio). |
| Manage data assets | In this procedure, you set up security for your data assets. Data Catalog does not give users access to the data itself. The owner of the data source controls data access. With Data Catalog, you can discover data sources and view the metadata related to the sources registered in the catalog. There may be situations, however, where data sources should be visible only to specific users or to members of specific groups. For these scenarios, you can use Data Catalog to take ownership of registered data assets within the catalog and control the visibility of the assets you own. |
| Remove data assets | In this procedure, you learn how to remove data assets from the data catalog. |


Tutorial prerequisites
Azure subscription
To set up Azure Data Catalog, you must be the owner or co-owner of an Azure subscription.
Azure subscriptions help you organize access to cloud service resources like Azure Data Catalog. They also help
you control how resource usage is reported, billed, and paid for. Each subscription can have a different billing
and payment setup, so you can have different subscriptions and different plans by department, project, regional
office, and so on. Every cloud service belongs to a subscription, and you need to have a subscription before
setting up Azure Data Catalog. To learn more, see Manage accounts, subscriptions, and administrative roles.
If you don't have a subscription, you can create a free trial account in just a couple of minutes. See Free Trial for
details.
Azure Active Directory
To set up Azure Data Catalog, you must be signed in with an Azure Active Directory (Azure AD) user account.
You must be the owner or co-owner of an Azure subscription.
Azure AD provides an easy way for your business to manage identity and access, both in the cloud and on-
premises. You can use a single work or school account to sign in to any cloud or on-premises web application.
Azure Data Catalog uses Azure AD to authenticate sign-in. To learn more, see What is Azure Active Directory.
Azure Active Directory policy configuration
You may encounter a situation where you can sign in to the Azure Data Catalog portal, but when you attempt to
sign in to the data source registration tool, you encounter an error message that prevents you from signing in.
This error may occur when you are on the company network or when you are connecting from outside the
company network.
The registration tool uses forms authentication to validate user sign-ins against Azure Active Directory. For
successful sign-in, an Azure Active Directory administrator must enable forms authentication in the global
authentication policy.
With the global authentication policy, you can enable authentication separately for intranet and extranet
connections, as shown in the following image. Sign-in errors may occur if forms authentication is not enabled
for the network from which you're connecting.
For more information, see Configuring authentication policies.

Provision data catalog


You can provision only one data catalog per organization (Azure Active Directory domain). Therefore, if the
owner or co-owner of an Azure subscription who belongs to this Azure Active Directory domain has already
created a catalog, you will not be able to create a catalog again even if you have multiple Azure subscriptions. To
test whether a data catalog has been created by a user in your Azure Active Directory domain, go to the Azure
Data Catalog home page and verify whether you see the catalog. If a catalog has already been created for you,
skip the following procedure and go to the next section.
1. Go to the Data Catalog service page and click Get started.

2. Sign in with a user account that is the owner or co-owner of an Azure subscription. You see the following
page after signing in.
3. Specify a name for the data catalog, the subscription you want to use, and the location for the catalog.
4. Expand Pricing and select an Azure Data Catalog edition (Free or Standard).

5. Expand Catalog Users and click Add to add users for the data catalog. You are automatically added to this
group.

6. Expand Catalog Administrators and click Add to add additional administrators for the data catalog. You
are automatically added to this group.
7. Click Create Catalog to create the data catalog for your organization. You see the home page for the data
catalog after it is created.

Find a data catalog in the Azure portal


1. On a separate tab in the web browser or in a separate web browser window, go to the Azure portal and sign
in with the same account that you used to create the data catalog in the previous step.
2. Select Browse and then click Data Catalog.

You see the data catalog you created.


3. Click the catalog that you created. You see the Data Catalog blade in the portal.

4. You can view properties of the data catalog and update them. For example, click Pricing tier and change
the edition.
Adventure Works sample database
In this tutorial, you register data assets (tables) from the AdventureWorks2014 sample database for the SQL
Server Database Engine, but you can use any supported data source if you would prefer to work with data that
is familiar and relevant to your role. For a list of supported data sources, see Supported data sources.
Install the Adventure Works 2014 OLTP database
The Adventure Works database supports standard online transaction-processing scenarios for a fictitious
bicycle manufacturer (Adventure Works Cycles), which includes products, sales, and purchasing. In this tutorial,
you register information about products into Azure Data Catalog.
To install the Adventure Works sample database:
1. Download Adventure Works 2014 Full Database Backup.zip on CodePlex.
2. To restore the database on your machine, follow the instructions in Restore a Database Backup by using SQL
Server Management Studio, or by following these steps:
a. Open SQL Server Management Studio and connect to the SQL Server Database Engine.
b. Right-click Databases and click Restore Database.
c. Under Restore Database, click the Device option for Source and click Browse.
d. Under Select backup devices, click Add.
e. Go to the folder where you have the AdventureWorks2014.bak file, select the file, and click OK to
close the Locate Backup File dialog box.
f. Click OK to close the Select backup devices dialog box.
g. Click OK to close the Restore Database dialog box.
You can now register data assets from the Adventure Works sample database by using Azure Data Catalog.

Register data assets


In this exercise, you use the registration tool to register data assets from the Adventure Works database with the
catalog. Registration is the process of extracting key structural metadata such as names, types, and locations
from the data source and the assets it contains, and copying that metadata to the catalog. The data source and
data assets remain where they are, but the metadata is used by the catalog to make them more easily
discoverable and understandable.
Register a data source
1. Go to the Azure Data Catalog home page and click Publish Data.
2. Click Launch Application to download, install, and run the registration tool on your computer.

3. On the Welcome page, click Sign in and enter your credentials.

4. On the Microsoft Azure Data Catalog page, click SQL Server and Next.
5. Enter the SQL Server connection properties for AdventureWorks2014 (see the following example) and
click CONNECT.

6. Register the metadata of your data asset. In this example, you register Production/Product objects
from the AdventureWorks Production namespace:
a. In the Server Hierarchy tree, expand AdventureWorks2014 and click Production.
b. Select Product, ProductCategory, ProductDescription, and ProductPhoto by using Ctrl+click.
c. Click the move selected arrow (>). This action moves all selected objects into the Objects to be
registered list.

d. Select Include a Preview to include a snapshot preview of the data. The snapshot includes up to 20
records from each table, and it is copied into the catalog.
e. Select Include Data Profile to include a snapshot of the object statistics for the data profile (for
example: minimum, maximum, and average values for a column, number of rows).
f. In the Add tags field, enter adventure works, cycles. This action adds search tags for these data
assets. Tags are a great way to help users find a registered data source.
g. Specify the name of an expert on this data (optional).

h. Click REGISTER. Azure Data Catalog registers your selected objects. In this exercise, the selected
objects from Adventure Works are registered. The registration tool extracts metadata from the
data asset and copies that data into the Azure Data Catalog service. The data remains where it
currently resides, and it remains under the control of the administrators and policies of the current
system.

i. To see your registered data source objects, click View Portal. In the Azure Data Catalog portal,
confirm that you see all four tables and the database in the grid view.

In this exercise, you registered objects from the Adventure Works sample database so that they can be easily
discovered by users across your organization. In the next exercise, you learn how to discover registered data
assets.

Discover data assets


Discovery in Azure Data Catalog uses two primary mechanisms: searching and filtering.
Searching is designed to be both intuitive and powerful. By default, search terms are matched against any
property in the catalog, including user-provided annotations.
Filtering is designed to complement searching. You can select specific characteristics such as experts, data
source type, object type, and tags to view matching data assets and to constrain search results to matching
assets.
By using a combination of searching and filtering, you can quickly navigate the data sources that have been
registered with Azure Data Catalog to discover the data assets you need.
In this exercise, you use the Azure Data Catalog portal to discover data assets you registered in the previous
exercise. See Data Catalog Search syntax reference for details about search syntax.
Following are a few examples for discovering data assets in the catalog.
Discover data assets with basic search
Basic search helps you search a catalog by using one or more search terms. Results are any assets that match on
any property with one or more of the terms specified.
1. Click Home in the Azure Data Catalog portal. If you have closed the web browser, go to the Azure Data
Catalog home page.
2. In the search box, enter cycles and press ENTER.

3. Confirm that you see all four tables and the database (AdventureWorks2014) in the results. You can
switch between grid view and list view by clicking buttons on the toolbar as shown in the following
image. Notice that the search keyword is highlighted in the search results because the Highlight option
is ON. You can also specify the number of results per page in search results.

The Searches panel is on the left and the Properties panel is on the right. On the Searches panel, you
can change search criteria and filter results. The Properties panel displays properties of a selected object
in the grid or list.
4. Click Product in the search results. Click the Preview, Columns, Data Profile, and Documentation
tabs, or click the arrow to expand the bottom pane.
On the Preview tab, you see a preview of the data in the Product table.
5. Click the Columns tab to find details about columns (such as name and data type) in the data asset.
6. Click the Data Profile tab to see the profiling of data (for example: number of rows, size of data, or
minimum value in a column) in the data asset.
7. Filter the results by using Filters on the left. For example, click Table for Object Type, and you see only
the four tables, not the database.

Discover data assets with property scoping


Property scoping helps you discover data assets where the search term is matched with the specified property.
1. Clear the Table filter under Object Type in Filters.
2. In the search box, enter tags:cycles and press ENTER. See Data Catalog Search syntax reference for all the
properties you can use for searching the data catalog.
3. Confirm that you see all four tables and the database (AdventureWorks2014) in the results.
Save the search
1. In the Searches pane in the Current Search section, enter a name for the search and click Save.

2. Confirm that the saved search shows up under Saved Searches.

3. Select one of the actions you can take on the saved search (Rename, Delete, Save As Default search).

Boolean operators
You can broaden or narrow your search with Boolean operators.
1. In the search box, enter tags:cycles AND objectType:table, and press ENTER.
2. Confirm that you see only tables (not the database) in the results.

Grouping with parentheses


By grouping with parentheses, you can group parts of the query to achieve logical isolation, especially along
with Boolean operators.
1. In the search box, enter name:product AND (tags:cycles AND objectType:table) and press ENTER.
2. Confirm that you see only the Product table in the search results.

Comparison operators
With comparison operators, you can use comparisons other than equality for properties that have numeric and
date data types.
1. In the search box, enter lastRegisteredTime:>"06/09/2016".
2. Clear the Table filter under Object Type.
3. Press ENTER.
4. Confirm that you see the Product, ProductCategory, ProductDescription, and ProductPhoto tables
and the AdventureWorks2014 database you registered in search results.
See How to discover data assets for detailed information about discovering data assets and Data Catalog
Search syntax reference for search syntax.
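To make the query forms used in these exercises concrete, here is an added example in Python (not code from the page or from the Data Catalog service): a small tokenizer, parser and evaluator for bare terms, property scoping, AND/OR, parentheses and comparison operators, run over constructed metadata for the assets registered above. It assumes word-level matching and treats adjacent terms as OR, following the basic-search description above; the real service's tokenization and defaults may differ.

```python
"""Mini evaluator for the Data Catalog search syntax shown in this tutorial (added
example; catalog entries below are constructed, and word-level matching is assumed)."""
import re
from datetime import datetime

# Constructed metadata for the five AdventureWorks2014 objects registered above, plus
# one table registered earlier with other tags so the filters have something to exclude.
ASSETS = [{"name": n, "objectType": t, "tags": g, "lastRegisteredTime": d} for n, t, g, d in [
    ("AdventureWorks2014", "database", ["adventure works", "cycles"], "06/10/2016"),
    ("Product", "table", ["adventure works", "cycles"], "06/10/2016"),
    ("ProductCategory", "table", ["adventure works", "cycles"], "06/10/2016"),
    ("ProductDescription", "table", ["adventure works", "cycles"], "06/10/2016"),
    ("ProductPhoto", "table", ["adventure works", "cycles"], "06/10/2016"),
    ("SalesOrderHeader", "table", ["sales"], "01/15/2016")]]

# One token per match: ( ) AND OR, prop:value, prop:>"value", "quoted phrase", word.
TOKEN = re.compile(
    r'\s*(?:(?P<lp>\()|(?P<rp>\))|(?P<op>AND|OR)\b'
    r'|(?P<prop>[A-Za-z_]+):(?P<cmp>>=|<=|>|<)?(?:"(?P<qv>[^"]*)"|(?P<uv>[^\s()]+))'
    r'|"(?P<qw>[^"]*)"|(?P<w>[^\s()]+))')


def tokenize(query):
    """Return ('(',), (')',), ('AND',), ('OR',) or ('term', prop, cmp, value) tuples."""
    pos, tokens = 0, []
    while query[pos:].strip():  # TOKEN always matches when non-blank text remains
        m = TOKEN.match(query, pos)
        pos, g = m.end(), m.groupdict()
        if g["prop"]:
            tokens.append(("term", g["prop"], g["cmp"], g["uv"] if g["qv"] is None else g["qv"]))
        elif g["w"] or g["qw"] is not None:
            tokens.append(("term", None, None, g["w"] or g["qw"]))
        else:
            tokens.append((g["lp"] or g["rp"] or g["op"],))
    return tokens


class Parser:
    """OR binds loosest, AND tighter, parentheses group; adjacent terms are OR'd (assumed)."""
    def __init__(self, query):
        self.toks, self.i = tokenize(query), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def parse_or(self):
        node = self.parse_and()
        while self.peek() not in (None, (")",)):
            if self.peek() == ("OR",):  # explicit OR, or implicit between terms
                self.i += 1
            node = ("or", node, self.parse_and())
        return node
    def parse_and(self):
        node = self.parse_atom()
        while self.peek() == ("AND",):
            self.i += 1
            node = ("and", node, self.parse_atom())
        return node
    def parse_atom(self):
        tok, self.i = self.peek(), self.i + 1
        if tok == ("(",):
            node = self.parse_or()
            if self.peek() != (")",):
                raise ValueError("missing ')' in query")
            self.i += 1
            return node
        if tok is None or tok[0] != "term":
            raise ValueError("expected a search term, got %r" % (tok,))
        return tok


COMPARE = {">": lambda a, b: a > b, "<": lambda a, b: a < b,
           ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}


def _words(value):  # assumption: whole-word matching, not the service's own tokenizer
    return set(re.findall(r"[a-z0-9]+", str(value).lower()))


def _comparable(text):
    """MM/DD/YYYY (the tutorial's date form) compares as a date, anything else as text."""
    try:
        return datetime.strptime(text, "%m/%d/%Y")
    except ValueError:
        return text.lower()


def match_term(asset, prop, cmp, value):
    # Unscoped terms match on any property; prop:value only on the named property.
    for key in [k for k in asset if prop is None or k.lower() == prop.lower()]:
        if cmp:
            left, right = _comparable(str(asset[key])), _comparable(value)
            if type(left) is type(right) and COMPARE[cmp](left, right):
                return True
        elif _words(value) <= _words(asset[key]):
            return True
    return False


def evaluate(node, asset):
    if node[0] == "term":
        return match_term(asset, *node[1:])
    left, right = evaluate(node[1], asset), evaluate(node[2], asset)
    return (left and right) if node[0] == "and" else (left or right)


def search(query, assets=ASSETS):
    """Names of the assets matching the query, in catalog order."""
    parser = Parser(query)
    tree = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError("unbalanced ')' in query")
    return [a["name"] for a in assets if evaluate(tree, a)]
```

Running the four queries from the exercises above (cycles, tags:cycles AND objectType:table, name:product AND (tags:cycles AND objectType:table), lastRegisteredTime:>"06/09/2016") against the constructed entries returns the same asset sets the tutorial asks you to confirm.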

Annotate data assets


In this exercise, you use the Azure Data Catalog portal to annotate (add information such as descriptions, tags,
or experts) data assets you have previously registered in the catalog. The annotations supplement and enhance
the structural metadata extracted from the data source during registration and make the data assets much
easier to discover and understand.
In this exercise, you annotate a single data asset (ProductPhoto). You add a friendly name and description to the
ProductPhoto data asset.
1. Go to the Azure Data Catalog home page and search with tags:cycles to find the data assets you have
registered.
2. Click ProductPhoto in search results.
3. Enter Product images for Friendly Name and Product photos for marketing materials for the
Description.

The Description helps others discover and understand why and how to use the selected data asset. You
can also add more tags and view columns. Now you can try searching and filtering to discover data
assets by using the descriptive metadata you’ve added to the catalog.
You can also do the following on this page:
Add experts for the data asset. Click Add in the Experts area.
Add tags at the dataset level. Click Add in the Tags area. A tag can be a user tag or a glossary tag. The
Standard Edition of Data Catalog includes a business glossary that helps catalog administrators define a
central business taxonomy. Catalog users can then annotate data assets with glossary terms. For more
information, see How to set up the Business Glossary for Governed Tagging.
Add tags at the column level. Click Add under Tags for the column you want to annotate.
Add a description at the column level. Enter a Description for a column. You can also view the description
metadata extracted from the data source.
Add Request access information that shows users how to request access to the data asset.

Choose the Documentation tab and provide documentation for the data asset. With Azure Data
Catalog documentation, you can use your data catalog as a content repository to create a complete
narrative of your data assets.
You can also add an annotation to multiple data assets. For example, you can select all the data assets you
registered and specify an expert for them.

Azure Data Catalog supports a crowd-sourcing approach to annotations. Any Data Catalog user can add tags
(user or glossary), descriptions, and other metadata, so that any user with a perspective on a data asset and its
use can have that perspective captured and available to other users.
See How to annotate data assets for detailed information about annotating data assets.

Connect to data assets


In this exercise, you open data assets in an integrated client tool (Excel) and a non-integrated tool (SQL Server
Management Studio) by using connection information.
NOTE
It’s important to remember that Azure Data Catalog doesn’t give you access to the actual data source—it simply makes it
easier for you to discover and understand it. When you connect to a data source, the client application you choose uses
your Windows credentials or prompts you for credentials as necessary. If you have not previously been granted access to
the data source, you need to be granted access before you can connect.

Connect to a data asset from Excel


1. Select Product from search results. Click Open In on the toolbar and click Excel.

2. Click Open in the download pop-up window. This experience may vary depending on the browser.

3. In the Microsoft Excel Security Notice window, click Enable.

4. Keep the defaults in the Import Data dialog box and click OK.
5. View the data source in Excel.

In this exercise, you connected to data assets discovered by using Azure Data Catalog. With the Azure Data
Catalog portal, you can connect directly by using the client applications integrated into the Open in menu. You
can also connect with any application you choose by using the connection location information included in the
asset metadata. For example, you can use SQL Server Management Studio to connect to the
AdventureWorks2014 database to access the data in the data assets registered in this tutorial.
1. Open SQL Server Management Studio.
2. In the Connect to Server dialog box, enter the server name from the Properties pane in the Azure Data
Catalog portal.
3. Use appropriate authentication and credentials to access the data asset. If you don't have access, use
information in the Request Access field to get it.
Click View Connection Strings to view and copy ADO.NET, ODBC, and OLEDB connection strings to the
clipboard for use in your application.

Manage data assets


In this step, you see how to set up security for your data assets. Data Catalog does not give users access to the
data itself. The owner of the data source controls data access.
You can use Data Catalog to discover data sources and to view the metadata related to the sources registered in
the catalog. There may be situations, however, where data sources should only be visible to specific users or to
members of specific groups. For these scenarios, you can use Data Catalog to take ownership of registered data
assets within the catalog, and to then control the visibility of the assets you own.

NOTE
The management capabilities described in this exercise are available only in the Standard Edition of Azure Data Catalog,
not in the Free Edition. In Azure Data Catalog, you can take ownership of data assets, add co-owners to data assets, and
set the visibility of data assets.

Take ownership of data assets and restrict visibility


1. Go to the Azure Data Catalog home page. In the Search text box, enter tags:cycles and press ENTER.
2. Click an item in the result list and click Take Ownership on the toolbar.
3. In the Management section of the Properties panel, click Take Ownership.

4. To restrict visibility, choose Owners & These Users in the Visibility section and click Add. Enter user
email addresses in the text box and press ENTER.
Remove data assets
In this exercise, you use the Azure Data Catalog portal to remove preview data from registered data assets and
delete data assets from the catalog.
In Azure Data Catalog, you can delete an individual asset or delete multiple assets.
1. Go to the Azure Data Catalog home page.
2. In the Search text box, enter tags:cycles and press ENTER.
3. Select an item in the result list and click Delete on the toolbar as shown in the following image:

If you are using the list view, the check box is to the left of the item as shown in the following image:
You can also select multiple data assets and delete them as shown in the following image:

NOTE
The default behavior of the catalog is to allow any user to register any data source, and to allow any user to delete any
data asset that has been registered. The management capabilities included in the Standard Edition of Azure Data Catalog
provide additional options for taking ownership of assets, restricting who can discover assets, and restricting who can
delete assets.

Summary
In this tutorial, you explored essential capabilities of Azure Data Catalog, including registering, annotating,
discovering, and managing enterprise data assets. Now that you’ve completed the tutorial, it’s time to get
started. You can begin today by registering the data sources you and your team rely on, and by inviting
colleagues to use the catalog.

References
How to register data assets
How to discover data assets
How to annotate data assets
How to document data assets
How to connect to data assets
How to manage data assets
Approach and process for adopting Azure Data Catalog
8/27/2018 • 16 minutes to read

This article helps you get started adopting Azure Data Catalog in your organization. To successfully adopt Azure
Data Catalog, you focus on three key items: define your vision, identify key business use cases within your
organization, and choose a pilot project.

Introducing the Azure Data Catalog


Within the world of work, people's expectations of how they should be able to find expert information about data
assets have changed. Today, with the widespread workplace use of social media tools such as Yammer, people
expect to be able to quickly get assistance and advice on a wide range of topics. Azure Data Catalog helps
businesses and teams consolidate information about enterprise data assets in a central repository. Data consumers
can discover these data assets and gain knowledge contributed by subject matter experts.
This article presents an approach to getting started using Azure Data Catalog. The article describes a typical Data
Catalog adoption plan for the fictitious company called Adventure Works.
What is Azure Data Catalog?
Azure Data Catalog is a fully managed service in Azure and an enterprise-wide information (metadata) catalog
that enables self-service data source discovery. With Data Catalog, you register, discover, annotate, and connect to
data assets. Data Catalog is designed to manage disparate information assets so that data assets are easy to find,
understand, and connect to. It reduces the time to gain insights from available data and
increases the value to organizations. To learn more, see Microsoft Azure Data Catalog.

Azure Data Catalog adoption plan


An Azure Data Catalog adoption plan describes how the benefits of using the service are communicated to
stakeholders and users, and what kind of training you provide to users. One key success driver to adopt Data
Catalog is how effectively you communicate the value of the service to users and stakeholders. The primary
audiences in an initial adoption plan are the users of the service. No matter how much buy-in you get from
stakeholders, if the users, or customers, of your Data Catalog offering do not incorporate it into their usage, the
adoption will not be successful. Therefore, this article assumes you have stakeholder buy-in, and focuses on
creating a plan for user adoption of Data Catalog. An effective adoption plan successfully engages people in what is
possible with Data Catalog and gives them the information and guidance to achieve it. Users need to understand
the value that Data Catalog provides to help them succeed in their jobs. When people see how Data Catalog can
help them achieve more results with data, the value of adopting Data Catalog becomes clear. Change is hard, so an
effective plan needs to take the challenges of change into account.
An adoption plan helps you communicate what is critical for people to succeed and achieve their goals. A typical
plan explains how Data Catalog is going to make users' lives easier, and includes the following parts:
Vision Statement - It helps you concisely discuss the adoption plan with users and stakeholders. It's your
elevator pitch.
Pilot team and Influencers - Learning from a pilot team and influencers helps you refine how to introduce
teams and users to Data Catalog. Influencers can peer coach fellow users. It also helps you identify blockers and
drivers to adoption.
Plan for Communications and Buzz - It helps users to understand how Data Catalog can help them, and can
foster organic adoption within teams, and ultimately the entire organization.
Training Plan - Comprehensive training generally leads to adoption success and favorable results.
Here are some tips to define an Azure Data Catalog adoption plan.

Define your Data Catalog project vision


The first step to define an Azure Data Catalog adoption plan is to write an aspirational description of what you
are trying to accomplish. It's best to keep the vision statement fairly broad, yet concise enough to define specific
short-term, and long-term goals.
Here are some tips to help you define your vision:
Identify the key deployment driver - Think about the specific data source management needs from the
business that can be addressed with Data Catalog. It helps you state the top advantages of using Data Catalog.
For example, there may be common data sources that all new employees need to learn about and use, or
important and complex data sources that only a few key people deeply understand. Azure Data Catalog can
help make these data sources easy to discover and understand, so that these well-known pain points can be
addressed directly and early in the adoption of the service.
Be crisp and clear - A clear understanding of the vision gets everyone on the same page about the value Data
Catalog brings to the organization, and how the vision supports organizational goals.
Inspire people to want to use Data Catalog - Your vision and communication plan should inspire people to
recognize that Data Catalog can help them find and connect to data sources and achieve more with data.
Specify goals and timeline - It ensures your adoption plan has specific, achievable deliverables. A timeline
keeps everyone focused, and allows for checkpoints to measure success.
Here is an example vision statement for a Data Catalog adoption plan for the fictitious company called Adventure
Works:
Azure Data Catalog empowers the Adventure Works Finance team to collaborate on key data sources, so every
team member can easily find and use the data she needs and can share her knowledge with the team as a whole.
Once you have a crisp vision statement, you should identify a suitable pilot project for Data Catalog. Generally,
there are several scenarios for Data Catalog, so the next section provides some tips to identify relevant use cases.

Identify Data Catalog business use cases


To identify use cases that are relevant to Data Catalog, engage with experts from various business units to identify
relevant use cases and business issues to solve. Review existing challenges people have identifying and
understanding data assets. For example, do teams learn about data assets only after asking several people in the
organization who has relevant data sources?
It is best to choose use cases that represent low-hanging fruit: cases that are important yet have a high likelihood of
success if solved with Data Catalog.
Here are some tips to identify use cases:
Define the goals of the team - How does the team achieve their goals? Don't focus on Data Catalog yet since
you want to be objective at this stage. Remember it's about the business results, not about the technology.
Define the business problem - What are the issues faced by the team regarding finding and learning about
data assets? For example, information about important data sources may be found in Excel workbooks in a
network folder, and the team may spend much time locating the workbooks.
Understand team culture related to change - Many adoption challenges relate to resistance to change
rather than the implementation of a new tool. How a team responds to change is important when identifying
use cases since the existing process could be in place because "this is how we've always done it" or "if it ain't
broke, why fix it?". Adopting any new tool or process is always easiest when the people affected understand the
value to be realized from the change, and appreciate the importance of the problems to be solved.
Keep the focus on data assets - When discussing the business problems a team faces, you need to "cut
through the weeds" and focus on what's relevant to leveraging enterprise data assets more effectively.
Here are some example use cases related to Data Catalog:
Example use cases
Register central high-value data sources - IT manages data sources used across the organization. IT can get
started with Data Catalog by registering and annotating common enterprise data sources.
Register team-based data sources - Different teams have useful, line-of-business data sources. Get started
with Azure Data Catalog by identifying and registering key data sources used by many different teams, and
capture the team's tribal knowledge in Azure Data Catalog annotations.
Self-service business intelligence - Teams spend much time combining data from multiple sources. Register
and annotate data sources in a central location to eliminate a manual data source discovery process.
To read more about Data Catalog scenarios, see Azure Data Catalog common scenarios.
Once you identify some use cases for Data Catalog, common scenarios should emerge. The next section discusses
how to identify your first pilot project based on a use case.

Choose a Data Catalog pilot project


A key success factor is to simplify, and start small. A well-defined pilot with a constrained scope helps keep the
project moving forward without getting bogged down with a project that is too complex, or which has too many
participants. But it is also important to include a mix of users, from early adopters to skeptics. Users who embrace
the solution help you refine your future communication and buzz plan. Skeptics help you identify and address
blocking issues. As skeptics become champions, you can use their feedback to identify success drivers.
Your pilot plan should phase in business goals that you want to achieve with Data Catalog. As you learn from the
initial pilot, you can expand your user base. An initial closed pilot is good to establish measurable success, but the
ultimate goal is for organic or viral growth. With organic growth of Data Catalog, users are in control of their own
data usage, and can influence and encourage others to adopt and contribute to the catalog.
Target the right team
When you choose your pilot project, select a team with the most appealing scenarios that solve an existing
business problem. For example, a business analyst creates reports from a SQL Server database. The problem is
that she became aware of the data source only after talking to several colleagues. Finally, after wasting time trying
to find which data sources to use, she found out about an Excel workbook, which contains a description of each
data source. Although the Excel workbook adequately describes the tables that she needs, she would have quickly
found these data sources if they were registered and annotated in Azure Data Catalog.
Identify data heroes
Your first pilot project should have a few individuals who produce data and consume data so that the team has
balanced representation.
Data Producers are people with expertise about data sources. For example, David in another team has worked
extensively with key Adventure Works data sources. Prior to the adoption of Azure Data Catalog, David created
an Excel workbook to capture information about Adventure Works data sources.
Data Consumers are people with expertise on the use of the data to solve business problems. For example, Nancy
is a business analyst who uses Adventure Works SQL Server data sources to analyze data.
One of the business problems that Azure Data Catalog solves is to connect Data Producers to Data
Consumers. It does so by serving as a central repository for information about enterprise data sources. Using
Data Catalog, David registers Adventure Works and SQL Server data sources. Through crowdsourcing, any user who
discovers this data source can share her opinions on the data, in addition to using the data she has discovered. For
example, Nancy discovers the data sources by searching the catalog, and shares her specialized knowledge about
the data. Now, others in the organization benefit from shared knowledge by searching the data catalog.
To learn more about registering data sources, see Register data sources.
To learn more about discovering data sources, see Search data sources.
Start small and focused
For most enterprise pilot projects, you should seed the catalog with high-value data sources so that business users
can quickly see the value of Data Catalog. IT is a good place to start identifying common data sources that would
be of interest to your pilot team. For supported data sources, such as SQL Server, we recommend using the Azure
Data Catalog data source registration tool. With the data source registration tool, you can register a wide range of
data sources including SQL Server and Oracle databases, and SQL Server Reporting Services reports. For a
complete list of current data sources, see Azure Data Catalog supported data sources.
Once you have identified and registered key data sources, it is possible to also import data source descriptions
stored in other locations. The Data Catalog API allows developers to load descriptions and annotations from
another location, such as the Excel Workbook that David created and maintains.
The next section describes an example project from the Adventure Works company.
An example project
For this example, Nancy the Business Analyst, creates reports for her team, using data from a SQL Server
database. The problem is that she became aware of the data source only after talking to several colleagues. She
would have quickly found these data sources if they were registered and annotated in a central location such as
Azure Data Catalog.
To illustrate how easily Nancy and her team can find high-value data, you use the data source registration tool to
populate the Catalog with information (metadata) about the data sources. This way the information about the
database is available to the team and the enterprise, not just a few individuals. Once data sources are registered in
Data Catalog, Nancy and her team can easily use them. The result is a more comprehensive and relevant data
catalog for her team and the enterprise. As more teams adopt Data Catalog, business data sources become easier
to find and use, enabling a more data-centric culture that achieves more with your data.
To learn more about the data source registration tool, see Get started with Azure Data Catalog.
As part of the pilot project, Nancy's team also uses data sources that are described in an Excel workbook that David
and his colleagues maintain. Since other teams in the enterprise also use Excel workbooks to describe data sources,
the IT team decides to create a tool to migrate the Excel workbook to Data Catalog. By using the Data Catalog
REST API to import existing annotations, the pilot project team can have a complete data catalog consisting of
metadata extracted from the data sources using the data source registration tool, complete with information
previously documented by data producers and consumers, without the need for manual re-entry. As the enterprise
data catalog grows, the organization can use the data source registration tool for common data sources, and the
Data Catalog API for custom sources and uncommon scenarios.

NOTE
We wrote a sample tool that uses the Azure Data Catalog API to migrate an Excel workbook to Data Catalog. To learn
about the Data Catalog API and the sample tool, download the Ad Hoc workbook code sample, and check out the Azure
Data Catalog REST API documentation.

After the pilot project is in place, it's time to execute your Data Catalog adoption plan.
Execute
At this point you have identified use cases for Data Catalog, and you have identified your first project. In addition,
you have registered the key Adventure Works data sources and have added information from the existing Excel
workbook using the tool that IT built. Now it's time to work with the pilot team to start the Data Catalog adoption
process.
Here are some tips to get you started:
Create excitement - Business users get excited if they believe that Azure Data Catalog makes their lives
easier. Try to make the conversation around the solution and the benefits it provides, not the technology.
Facilitate change - Start small and communicate the plan to business users. To be successful, it's crucial to
involve users from the beginning so that they influence the outcome and develop a sense of ownership about
the solution.
Groom early adopters - Early adopters are business users that are passionate about what they do, and excited
to evangelize the benefits of Azure Data Catalog to their peers.
Target training - Business users do not need to know everything about Data Catalog, so target training to
address specific team goals. Focus on what users do, and how some of their tasks might change, to incorporate
Azure Data Catalog into their daily routine.
Be willing to fail - If the pilot isn't achieving the desired results, reevaluate, and identify areas to change - fix
problems in the pilot before moving on to a larger scope.
Before your pilot team jumps into using Data Catalog, schedule a kick-off meeting to discuss expectations for the
pilot project, and provide initial training.
Set expectations
Setting expectations and goals helps business users focus on specific deliverables. To keep the project on track,
assign regular (for example: daily or weekly based on the scope and duration of the pilot) homework assignments.
One of the most valuable capabilities of Data Catalog is crowdsourcing data assets so that business users can
benefit from knowledge of enterprise data. A great homework assignment is for each pilot team member to
register or annotate at least one data source they have used. See Register a data source and How to annotate data
sources.
Meet with the team on a regular schedule to review some of the annotations. Good annotations about data sources
are at the heart of a successful Data Catalog adoption because they provide meaningful data source insights in a
central location. Without good annotations, knowledge about data sources remains scattered throughout the
enterprise. See How to annotate data sources.
And, the ultimate test of the project is whether users can discover and understand the data sources they need to
use. Pilot users should regularly test the catalog to ensure that the data sources they use for their day to day work
are relevant. When a required data source is missing or not properly annotated, this should serve as a reminder to
register additional data sources or to provide additional annotations. This practice does not only add value to the
pilot effort but also builds effective habits that carry over to other teams after the pilot is complete.
Provide training
Training should be enough to get the users started, and tailored to the specific goals and experience level of the
pilot team members. To get started with training, you can follow the steps in the Get started with Azure Data
Catalog article. In addition, you can download the Azure Data Catalog Pilot Project Training presentation. This
PowerPoint presentation should help you get started introducing Data Catalog to your pilot team members.

Conclusion
Once your pilot team is running fairly smoothly and you have achieved your initial goals, you should expand Data
Catalog adoption to more teams. Apply and refine what you learned from your pilot project to expand Data
Catalog throughout your organization.
The early adopters who participated in the pilot can be helpful to get the word out about the benefits of adopting
Data Catalog. They can share with other teams how Data Catalog helped their team solve business problems,
discover data sources more easily, and share insights about the data sources they use. For example, early adopters
on the Adventure Works pilot team could show others how easy it is to find information about Adventure Works
data assets that were once hard to find and understand.
This article was about getting started with Azure Data Catalog in your organization. We hope you were able to
start a Data Catalog pilot project, and expand Data Catalog throughout your organization.

More information about Azure Data Catalog
Azure Data Catalog product page
Azure Data Catalog documentation
Azure Data Catalog common scenarios
Register data sources
Search data sources
Annotate data sources
Crowdsourcing metadata
Azure Data Catalog prerequisites
8/27/2018 • 2 minutes to read

You need to take care of a few things before you can set up Azure Data Catalog. Don’t worry, this process does not
take long.

Azure subscription
To set up Data Catalog, you must be the owner or co-owner of an Azure subscription.
Azure subscriptions help you organize access to cloud-service resources such as Data Catalog. Subscriptions also
help you control how resource usage is reported, billed, and paid for. Each subscription can have a separate billing
and payment setup, so you can have subscriptions and plans that vary by department, project, regional office, and
so on. Every cloud service belongs to a subscription, and you need to have a subscription before you set up Data
Catalog. To learn more, see Manage accounts, subscriptions, and administrative roles.

Azure Active Directory
To set up Data Catalog, you must be signed in with an Azure Active Directory (Azure AD) user account.
Azure AD provides an easy way for your business to manage identity and access, both in the cloud and on-
premises. Users can use a single work or school account for single sign-in to any cloud and on-premises web
application. Data Catalog uses Azure AD to authenticate sign-in. To learn more, see What is Azure Active
Directory?.

NOTE
By using the Azure portal, you can sign in with either a personal Microsoft account or an Azure Active Directory work or
school account. To set up Data Catalog by using either the Azure portal or the Data Catalog portal, you must sign in with an
Azure Active Directory account, not a personal account.

Active Directory policy configuration
You might encounter a situation where you can sign in to the Data Catalog portal, but when you attempt to sign in
to the data source registration tool, you encounter an error message that prevents you from signing in. This
behavior might occur only when you're on the company network, or it might occur only when you're
connecting from outside the company network.
The data source registration tool uses Forms Authentication to validate your user credentials against Active
Directory. To help you sign in successfully, an Active Directory administrator must enable Forms Authentication in
the Global Authentication Policy.
In the Global Authentication Policy, authentication methods can be enabled separately for intranet and extranet
connections, as shown in the following screenshot. Sign-in errors might occur if Forms Authentication is not
enabled for the network from which you're connecting.
Next steps
For more information, see Configuring Authentication Policies.
Azure Data Catalog frequently asked questions
8/27/2018 • 7 minutes to read

This article provides answers to frequently asked questions related to the Azure Data Catalog service.

What is Azure Data Catalog?
Data Catalog is a fully managed service, hosted in Microsoft Azure, that serves as a system of registration and
discovery for enterprise data sources. With Data Catalog, any user, from analysts to data scientists and developers,
can register, discover, understand, and consume data sources.

What customer challenges does it solve?
Data Catalog addresses the challenges of data-source discovery and “dark data” so that users can discover and
understand enterprise data sources.

What are its target audiences?
Data Catalog is designed for technical and non-technical users, including:
Data developers and BI and analytics professionals: People who are responsible for producing data and
analytics content for others to consume.
Data stewards: People who have the knowledge about the data, what it means, and how it is intended to be
used.
Data consumers: People who need to be able to easily discover, understand, and connect to the data they need
to do their job, by using the tool of their choice.
Central IT: People who need to make hundreds of data sources discoverable by business users, and who need
to maintain oversight over how data is being used and by whom.

What is its availability by region?
Data Catalog services are currently available in the following data centers:
West US
East US
West Europe
North Europe
Australia East
Southeast Asia

What are its limits on the number of data assets?
The Free Edition of Data Catalog is limited to 5,000 registered data assets.
The Standard Edition of Data Catalog supports up to 100,000 registered data assets.
Any object registered in Data Catalog, such as tables, views, files, and reports, counts as a data asset.

What are its supported data source and asset types?
For a list of currently supported data sources, see Data Catalog DSR.

How do I request support for another data source?
To submit feature requests and other feedback, go to the Data Catalog on the Azure Feedback Forums.

How do I get started with Data Catalog?
The best way to get started is by going to Getting Started with Data Catalog. This article is an end-to-end overview
of the capabilities in the service.

How do I register my data?
To register your data in Data Catalog:
1. In the Azure Data Catalog portal, in the Publish area, start the Azure Data Catalog registration tool.
2. In the Data Catalog data source registration tool, sign in with the same credentials that you use to access the
Data Catalog portal.
3. Select the data source and the specific assets that you want to register.

What properties does it extract for data assets that are registered?
The specific properties differ from data source to data source but, in general, the Data Catalog publishing service
extracts the following information:
Asset Name
Asset Type
Asset Description
Attribute/Column Names
Attribute/Column Data Types
Attribute/Column Description

IMPORTANT
Registering data assets with Data Catalog does not move or copy your data to the cloud. Registering assets from a data
source copies the assets’ metadata to Azure, but the data remains in the existing data-source location. The exception to this
rule is if you choose to upload preview records or a data profile when you register the assets. When you include a preview, up
to 20 records are copied from each asset and stored as a snapshot in Data Catalog. When you include a data profile,
aggregate information is calculated and included in the metadata that's stored in the catalog. Aggregate information can
include the size of tables, the percentage of null values per column, or the minimum, maximum, and average values for
columns.

NOTE
For data sources such as SQL Server Analysis Services that have a first-class Description property, the Data Catalog data
source registration tool extracts that property value. For SQL Server relational databases, which lack a first-class Description
property, the Data Catalog data source registration tool extracts the value from the ms_description extended property for
objects and columns. For more information, see Using Extended Properties on Database Objects.

How long should it take for newly registered assets to appear in the catalog?
After you register assets with Data Catalog, there may be a period of 5 to 10 seconds before they appear in the
Data Catalog portal.

How do I annotate and enrich the metadata for my registered data assets?
The simplest way to provide metadata for registered assets is to select the asset in the Data Catalog portal and
then enter the values in the properties pane or schema pane for the selected object.
You can also provide some metadata, such as experts and tags, during the registration process. The values you
provide in the Data Catalog publishing service apply to all assets being registered at that time. To view the recently
registered objects in the portal for additional annotation, select the View Portal button on the final screen of the
Data Catalog data source registration tool.

How do I delete my registered data objects?
You can delete an object from Data Catalog by selecting the object in the portal and then clicking the Delete
button. Removing the object removes its metadata from Data Catalog but does not affect the underlying data
source.

What is an expert?
An expert is a person who has an informed perspective about a data object. An object can have multiple experts.
An expert does not need to be the “owner” for an object, but is simply someone who knows how the data can and
should be used.

How do I share information with the Data Catalog team if I encounter problems?
To report problems, share information, and ask questions, go to the Azure Data Catalog forum.

Does the catalog work with another data source that I’m interested in?
We’re actively working on adding more data sources to Data Catalog. If you want to see a specific data source
supported, suggest it (or voice your support if it has already been suggested) by going to the Data Catalog on the
Azure Feedback Forums.

How is Azure Data Catalog related to the Data Catalog in Power BI for Office 365?
You can think of Azure Data Catalog as an evolution of the Data Catalog in Power BI. As of spring 2017, Azure
Data Catalog is used to enable the sharing and discovery of queries in Excel 2016 and Power Query for Excel. Data
Catalog capabilities in Excel are available to users with Power BI Pro licenses.

What permissions do I need to register assets with Data Catalog?
To run the Data Catalog registration tool, you need permissions on the data source that allow you to read the
metadata from the source. To also include a preview, you must have permissions that allow you to read in the data
from the objects being registered.
Data Catalog also allows catalog administrators to restrict which users and groups can add metadata to the
catalog. For additional information, see How to secure access to data catalog and data assets.
Will Data Catalog be made available for on-premises deployment as well?
Data Catalog is a cloud service that can work with both cloud and on-premises data sources to deliver a hybrid
data-source discovery solution. There are currently no plans for a version of the Data Catalog service that runs on-
premises.

Can I extract more or richer metadata from the data sources I register?
We’re actively working to expand the capabilities of Data Catalog. If you want to have additional metadata
extracted from the data source during registration, suggest it (or vote for it, if it has already been suggested) in the
Data Catalog on the Azure Feedback Forums.
If you would like to include column/schema metadata, previews, or data profiles, for data sources where this
metadata is not extracted by the data source registration tool, you can use the Data Catalog API to add this
metadata. For additional information, see Azure Data Catalog REST API.

How do I restrict the visibility of registered data assets, so that only certain people can discover them?
Select the data assets in the Data Catalog, and then click the Take Ownership button. Owners of data assets in
Data Catalog can change the visibility settings to either allow all users to discover the owned assets or restrict
visibility to specific users. For additional information, see Manage data assets in Azure Data Catalog.

How do I update the registration for a data asset so that changes in the data source are reflected in the catalog?
To update the metadata for data assets that are already registered in the catalog, simply re-register the data source
that contains the assets. Any changes in the data source, such as columns being added or removed from tables or
views, are updated in the catalog, but any annotations provided by users are retained.

My question isn’t answered here. Where can I go for answers?
Go to the Azure Data Catalog forum. Questions asked there will find their way here.
Register data sources in Azure Data Catalog
8/27/2018 • 4 minutes to read

Introduction
Azure Data Catalog is a fully managed cloud service that serves as a system of registration and discovery for
enterprise data sources. In other words, Data Catalog helps people discover, understand, and use data sources, and
it helps organizations get more value from their existing data. The first step to making a data source discoverable
via Data Catalog is to register that data source.

Register data sources
Registration is the process of extracting metadata from the data source and copying that data to the Data Catalog
service. The data remains where it currently resides, and it remains under the control of the administrators and
policies of the current system.
To register a data source, do the following:
1. In the Azure Data Catalog portal, start the Data Catalog data source registration tool.
2. Sign in with your work or school account with the same Azure Active Directory credentials that you use to sign
in to the portal.
3. Select the data source you want to register.
For more step-by-step details, see the Get Started with Azure Data Catalog tutorial.
After you've registered the data source, the catalog tracks its location and indexes its metadata. Users can search,
browse, and discover the data source, and then use its location to connect to it by using the application or tool of
their choice.

Supported data sources
For a list of currently supported data sources, see Data Catalog DSR.

Structural metadata
When you register a data source, the registration tool extracts information about the structure of the objects you
select. This information is referred to as structural metadata.
For all objects, this structural metadata includes the object’s location, so that users who discover the data can use
that information to connect to the object in the client tools of their choice. Other structural metadata includes
object name and type, and attribute/column name and data type.

Descriptive metadata
In addition to the core structural metadata that's extracted from the data source, the data source registration tool
extracts descriptive metadata. For SQL Server Analysis Services and SQL Server Reporting Services, this
metadata is taken from the Description properties exposed by these services. For SQL Server, values provided
using the ms_description extended property are extracted. For Oracle Database, the data-source registration tool
extracts the COMMENTS column from the ALL_TAB_COMMENTS view.
In addition to the descriptive metadata that's extracted from the data source, users can enter descriptive metadata
by using the data source registration tool. Users can add tags, and they can identify experts for the objects being
registered. All this descriptive metadata is copied to the Data Catalog service along with the structural metadata.

Include previews
By default, only metadata is extracted from data sources and copied to the Data Catalog service, but
understanding a data source is often made easier when you can view a sample of the data it contains.
By using the Data Catalog data-source registration tool, you can include a snapshot preview of the data in each
table and view that is registered. If you choose to include previews during registration, the registration tool
includes up to 20 records from each table and view. This snapshot is then copied to the catalog along with the
structural and descriptive metadata.

NOTE
Wide tables with a large number of columns might have fewer than 20 records included in their preview.

Include data profiles
Just as including previews can provide valuable context for users who search for data sources in Data Catalog,
including a data profile can make it easier to understand discovered data sources.
By using the Data Catalog data-source registration tool, you can include a data profile for each table and view that
is registered. If you choose to include a data profile during registration, the registration tool includes aggregate
statistics about the data in each table and view, including:
The number of rows and size of the data in the object.
The date for the most recent update of the data and the object schema.
The number of null records and distinct values for columns.
The minimum, maximum, average, and standard deviation values for columns.
These statistics are then copied to the catalog along with the structural and descriptive metadata.

NOTE
Text and date columns do not include average or standard deviation statistics in their data profile.
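
To make concrete which data leaves the source under the preview and data-profile options described above (and in the FAQ's note on registration), here is an added Python example; it is not code from the Data Catalog registration tool or its API, and the row layout, the payload keys and the SalesOrder rows are constructed for illustration. It builds the registration payload for one view: structural metadata always, at most 20 preview records when asked, and per-column aggregates that skip average and standard deviation for text and date columns.

```python
import json
from datetime import date
from statistics import mean, pstdev

PREVIEW_LIMIT = 20  # the registration tool copies at most 20 records per table or view

# Constructed sample rows for a hypothetical SalesOrder view (not real data).
SAMPLE_ROWS = [
    {"OrderId": 1, "Region": "West", "Amount": 120.0, "OrderDate": date(2018, 1, 3)},
    {"OrderId": 2, "Region": "East", "Amount": None, "OrderDate": date(2018, 2, 14)},
    {"OrderId": 3, "Region": "West", "Amount": 80.0, "OrderDate": None},
    {"OrderId": 4, "Region": None, "Amount": 200.0, "OrderDate": date(2018, 3, 9)},
]


def _is_numeric(value):
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def profile_column(rows, column):
    """Aggregate statistics for one column. Text and date columns get min and
    max but, as in the registration tool, no average or standard deviation."""
    values = [row.get(column) for row in rows]
    present = [v for v in values if v is not None]
    nulls = len(values) - len(present)
    stats = {"nullCount": nulls, "distinctCount": len(set(present)),
             "nullPercent": round(100.0 * nulls / len(values), 1) if values else 0.0}
    if present:
        stats["min"], stats["max"] = min(present), max(present)
        if all(_is_numeric(v) for v in present):
            stats["avg"] = mean(present)
            stats["stddev"] = pstdev(present)
    return stats


def build_profile(rows, columns, data_modified, schema_modified):
    """Table-level aggregates plus one profile per column (key names are assumed)."""
    return {
        "rowCount": len(rows),
        "sizeBytes": len(json.dumps(rows, default=str).encode()),  # stand-in for storage size
        "dataModified": data_modified,
        "schemaModified": schema_modified,
        "columns": {c: profile_column(rows, c) for c in columns},
    }


def build_registration(asset_name, columns, rows, *, include_preview=False,
                       include_profile=False, data_modified=None, schema_modified=None):
    """What is sent to the catalog: structural metadata always, data only on request."""
    payload = {"name": asset_name, "columns": list(columns)}
    if include_preview:
        # Up to PREVIEW_LIMIT real records leave the source and are stored in the catalog.
        payload["preview"] = [dict(r) for r in rows[:PREVIEW_LIMIT]]
    if include_profile:
        # Only aggregates leave the source, but min and max still expose individual values.
        payload["profile"] = build_profile(rows, columns, data_modified, schema_modified)
    return payload
```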

Update registrations
Registering a data source makes it discoverable in Data Catalog when you use the metadata and optional preview
extracted during registration. If the data source needs to be updated in the catalog (for example, if the schema of
an object has changed, tables originally excluded should be included, or you want to update the data that's
included in the previews), the data source registration tool can be re-run.
Re-registering an already-registered data source performs a merge “upsert” operation: existing objects are
updated, and new objects are created. Any metadata provided by users through the Data Catalog portal is
retained.
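
The merge semantics of re-registration, as an added Python example (not the Data Catalog service's own code); the catalog and extraction dictionaries, their key names and the change report are assumptions made for illustration. Existing assets are updated from the source, new ones are created, user annotations are kept at both asset and column level, and the report lists columns that arrived without annotations or disappeared along with theirs.

```python
from copy import deepcopy

# Annotation keys supplied by users in the portal; every other key is structural
# metadata that comes from the source (key names are assumptions).
ANNOTATION_KEYS = {"description", "friendlyName", "tags", "experts", "documentation"}

# Constructed catalog state after a first registration (hypothetical assets).
CATALOG = {
    "dbo.Customer": {
        "location": "sql://srv01/crm",
        "columns": {"CustomerId": {"type": "int", "description": "Surrogate key"},
                    "Email": {"type": "nvarchar", "tags": ["pii"]}},
        "description": "Master customer list",
        "experts": ["alice@contoso.example"],
        "tags": ["crm"],
    },
    "dbo.Orders": {"location": "sql://srv01/crm",
                   "columns": {"OrderId": {"type": "int"}}, "tags": ["sales"]},
}

# Constructed output of running the registration tool again: CustomerId changed
# type, Email was dropped, Phone was added, a new view dbo.Region appeared, and
# dbo.Orders was not selected this time.
REREGISTERED = {
    "dbo.Customer": {"location": "sql://srv01/crm",
                     "columns": {"CustomerId": "bigint", "Phone": "nvarchar"}},
    "dbo.Region": {"location": "sql://srv01/crm", "columns": {"RegionId": "int"}},
}


def upsert_registration(catalog, extracted):
    """Merge freshly extracted structural metadata into the catalog.

    Existing assets are updated, new ones are created, and user-provided
    annotations (asset level and column level) are retained. Assets absent from
    this extraction are left untouched: this is an upsert, not a full sync.
    Returns the merged catalog and a change report for reviewers."""
    merged = deepcopy(catalog)
    report = {"created": [], "updated": [], "columnsAdded": {}, "columnsRemoved": {}}
    for name, source in extracted.items():
        old = merged.get(name, {"columns": {}})
        old_cols = old["columns"]
        new_cols = {}
        for col, col_type in source["columns"].items():
            # Column type comes from the source; column annotations survive if the column does.
            kept = {k: v for k, v in old_cols.get(col, {}).items() if k in ANNOTATION_KEYS}
            new_cols[col] = {"type": col_type, **kept}
        asset = {k: v for k, v in old.items() if k in ANNOTATION_KEYS}  # retained annotations
        asset.update({k: v for k, v in source.items() if k != "columns"})  # structural metadata
        asset["columns"] = new_cols
        merged[name] = asset
        if name not in catalog:
            report["created"].append(name)
            continue
        report["updated"].append(name)
        added = sorted(set(new_cols) - set(old_cols))
        removed = sorted(set(old_cols) - set(new_cols))
        if added:
            report["columnsAdded"][name] = added  # arrive unannotated: worth a review
        if removed:
            report["columnsRemoved"][name] = removed  # their column annotations are gone too
    return merged, report
```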

Summary
Because it copies structural and descriptive metadata from a data source to the catalog service, registering the
data source in Data Catalog makes the data easier to discover and understand. After you have registered the data
source, you can annotate, manage, and discover it by using the Data Catalog portal.
Next steps
For more information about registering data sources, see the Get Started with Azure Data Catalog tutorial.
How to discover data sources in Azure Data Catalog
8/27/2018 • 2 minutes to read

Introduction
Azure Data Catalog is a fully managed cloud service that serves as a system of registration and discovery for
enterprise data sources. In other words, Data Catalog helps people discover, understand, and use data sources, and
it helps organizations get more value from their existing data. After a data source is registered with Data Catalog,
its metadata is indexed by the service, so that you can easily search to discover the data you need.

Searching and filtering
Discovery in Data Catalog uses two primary mechanisms: searching and filtering.
Searching is designed to be both intuitive and powerful. By default, search terms are matched against any
property in the catalog, including user-provided annotations.
Filtering is designed to complement searching. You can select specific characteristics such as experts, data source
type, object type, and tags. You can view only matching data assets, and constrain search results to matching
assets.
By using a combination of searching and filtering, you can quickly navigate the data sources that have been
registered with Data Catalog to discover the data sources you need.

Search syntax
Although the default free text search is simple and intuitive, you can also use Data Catalog search syntax for
greater control over the search results. Data Catalog search supports the following techniques:

Technique: Basic search
Use: Basic search that uses one or more search terms. Results are any assets that match any property with one or
more of the terms specified.
Example: sales data

Technique: Property scoping
Use: Return only data sources where the search term is matched with the specified property.
Example: name:finance

Technique: Boolean operators
Use: Broaden or narrow a search by using Boolean operations.
Example: finance NOT corporate

Technique: Grouping with parentheses
Use: Use parentheses to group parts of the query to achieve logical isolation, especially in conjunction with
Boolean operators.
Example: name:finance AND (tags:Q1 OR tags:Q2)

Technique: Comparison operators
Use: Use comparisons other than equality for properties that have numeric and date data types.
Example: modifiedTime > "11/05/2014"

For more information about Data Catalog search, see the Azure Data Catalog article.
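
As an added illustration of the syntax in the table (not code from Azure Data Catalog, whose actual search engine and grammar are not on this page), the following Python parses and evaluates queries of that shape against a constructed sample catalog. The operator precedence (NOT, then AND, then OR), the treatment of adjacent bare terms as "match any of them", and the date format MM/DD/YYYY are assumptions read from the table's descriptions.

```python
import operator
import re
from datetime import date, datetime

# Constructed sample catalog (not real registered assets).
ASSETS = [
    {"name": "finance_ledger", "description": "Quarterly finance data",
     "tags": ["Q1", "corporate"], "modifiedTime": date(2015, 1, 10)},
    {"name": "finance_forecast", "description": "Finance planning model",
     "tags": ["draft"], "modifiedTime": date(2014, 11, 20)},
    {"name": "sales_2014", "description": "Regional sales data",
     "tags": ["Q2"], "modifiedTime": date(2014, 6, 1)},
]
# Token kinds: lp/rp parentheses, kw keyword, op ":" or comparison, q quoted, w word.
_TOKEN = re.compile(r'\s*(?:(?P<lp>\()|(?P<rp>\))|(?P<kw>AND|OR|NOT)\b'
                    r'|(?P<op>>=|<=|>|<|:)|"(?P<q>[^"]*)"|(?P<w>[^\s()":<>]+))')
_CMP = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}

def parse(query):
    """Recursive-descent parser: NOT binds tightest, then AND, then OR."""
    if _TOKEN.sub("", query).strip():
        raise ValueError("query contains characters outside the search syntax")
    toks = [(m.lastgroup, m.group(m.lastgroup)) for m in _TOKEN.finditer(query)]
    toks.append((None, None))  # sentinel marks end of input
    pos = 0
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def or_expr():
        left = and_expr()
        while toks[pos] == ("kw", "OR") or toks[pos][0] in ("lp", "q", "w"):
            if toks[pos][0] == "kw":
                take()
            left = ("or", left, and_expr())  # adjacent terms: match any of them
        return left
    def and_expr():
        left = not_expr()
        while toks[pos] in (("kw", "AND"), ("kw", "NOT")):
            if toks[pos][1] == "AND":
                take()
            left = ("and", left, not_expr())  # "finance NOT corporate" narrows
        return left
    def not_expr():
        if toks[pos] == ("kw", "NOT"):
            take()
            return ("not", not_expr())
        return atom()
    def atom():
        kind, text = take()
        if kind == "lp":
            node = or_expr()
            if take()[0] != "rp":
                raise ValueError("missing closing parenthesis")
            return node
        if kind == "w" and toks[pos][0] == "op":  # name:finance, modifiedTime > "..."
            op, (vkind, value) = take()[1], take()
            if vkind not in ("w", "q"):
                raise ValueError(f"missing value after {text}{op}")
            return ("prop", text, value) if op == ":" else ("cmp", text, op, value)
        if kind in ("w", "q"):
            return ("term", text)
        raise ValueError(f"unexpected token {text!r}")
    tree = or_expr()
    if toks[pos][0] is not None:
        raise ValueError(f"unexpected token {toks[pos][1]!r}")
    return tree

def _strings(asset, prop=None):
    """Searchable string forms of one property, or of every property."""
    values = [asset.get(prop)] if prop else list(asset.values())
    return [str(x) for v in values for x in (v if isinstance(v, list) else [v])
            if x is not None]

def matches(node, asset):
    kind = node[0]
    if kind == "term":
        return any(node[1].lower() in s.lower() for s in _strings(asset))
    if kind == "prop":
        return any(node[2].lower() in s.lower() for s in _strings(asset, node[1]))
    if kind == "cmp":  # only date (MM/DD/YYYY) and float properties are comparable
        try:
            wanted = datetime.strptime(node[3], "%m/%d/%Y").date()
        except ValueError:
            wanted = float(node[3])
        actual = asset.get(node[1])
        return isinstance(actual, type(wanted)) and _CMP[node[2]](actual, wanted)
    if kind == "and":
        return matches(node[1], asset) and matches(node[2], asset)
    if kind == "or":
        return matches(node[1], asset) or matches(node[2], asset)
    return not matches(node[1], asset)

def search(query, assets=ASSETS):
    """Names of the assets matched by a Data Catalog style query string."""
    tree = parse(query)
    return [a["name"] for a in assets if matches(tree, a)]
```

Running the table's own examples against the sample catalog shows why each asset is or is not returned, which is the question hit highlighting answers in the portal.
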
Hit highlighting
When you view search results, any displayed properties that match the specified search terms (such as the data
asset name, description, and tags) are highlighted to make it easier to identify why a given data asset was returned
by a given search.

NOTE
To turn off hit highlighting, use the Highlight switch in the Data Catalog portal.

When you view search results, it might not always be obvious why a data asset is included, even with hit
highlighting enabled. Because all properties are searched by default, a data asset might be returned because of a
match on a column-level property. And because multiple users can annotate registered data assets with their own
tags and descriptions, not all metadata might be displayed in the list of search results.
In the default tile view, each tile displayed in the search results includes a View search term matches icon, so
that you can quickly view the number of matches and their location, and to jump to them if you want.

Summary
Because registering a data source with Data Catalog copies structural and descriptive metadata from the data
source to the catalog service, the data source becomes easier to discover and understand. After you've registered a
data source, you can discover it by using filtering and search from within the Data Catalog portal.

Next steps
For step-by-step details about how to discover data sources, see Get Started with Azure Data Catalog.
How to annotate data sources
8/27/2018 • 4 minutes to read

Introduction
Microsoft Azure Data Catalog is a fully managed cloud service that serves as a system of registration and
system of discovery for enterprise data sources. In other words, Data Catalog is all about helping people discover,
understand, and use data sources, and helping organizations to get more value from their existing data. When a
data source is registered with Data Catalog, its metadata is copied and indexed by the service, but the story
doesn’t end there. Data Catalog allows users to provide their own descriptive metadata – such as descriptions and
tags – to supplement the metadata extracted from the data source, and to make the data source more
understandable to more people.

Annotation and crowdsourcing
Everyone has an opinion. And this is a good thing. Data Catalog recognizes that different users have different
perspectives on enterprise data sources, and that each of these perspectives can be valuable. Consider the
following scenario:
The system administrator knows the service level agreement for the servers or services that host the data
source.
The database administrator knows the backup schedule for each database, and the allowed ETL processing
windows.
The system owner knows the process for users to request access to the data source.
The data steward knows how the assets and attributes in the data source map to the enterprise data model.
The analyst knows how the data is used in the context of the business processes he supports.
Each of these perspectives is valuable, and Data Catalog uses a crowdsourcing approach to metadata that allows
each one to be captured and used to provide a complete picture of registered data sources. Using the Data
Catalog portal, each user can add and edit his own annotations, while being able to view annotations provided by
other users.

Different types of annotations
Data Catalog supports the following types of annotations:

Annotation: Friendly name
Notes: Friendly names can be supplied at the data asset level, to make the data assets more easily understood.
Friendly names are most useful when the underlying object name is cryptic, abbreviated or otherwise not
meaningful to users.

Annotation: Description
Notes: Descriptions can be supplied at the data asset and attribute / column levels. Descriptions are free-form
short text annotations that describe the user’s perspective on the data asset or its use.

Annotation: Tags (user tags)
Notes: Tags can be supplied at the data asset and attribute / column levels. User tags are user-defined labels that
can be used to categorize data assets or attributes.

Annotation: Tags (glossary tags)
Notes: Tags can be supplied at the data asset and attribute / column levels. Glossary tags are centrally-defined
glossary terms that can be used to categorize data assets or attributes using a common business taxonomy. For
more information, see How to set up the Business Glossary for Governed Tagging.

Annotation: Experts
Notes: Experts can be supplied at the data asset level. Experts identify users or groups with expert perspectives on
the data and can serve as points of contact for users who discover the registered data sources and have questions
that are not answered by the existing annotations.

Annotation: Request access
Notes: Request access information can be supplied at the data asset level. This information is for users who
discover a data source that they do not yet have permissions to access. Users can enter the email address of the
user or group who grants access, the URL of the process or tool that users need to gain access, or can enter the
process itself as text.

Annotation: Documentation
Notes: Documentation can be supplied at the data asset level. Asset documentation is rich text information that can
include links and images, and which can provide any information not conveyed through descriptions and tags.

Annotating multiple assets
When selecting multiple data assets in the Data Catalog portal, users can annotate all selected assets in a single
operation. Annotations will apply to all selected assets, making it easy to select and provide a consistent
description and sets of tags and experts for related data assets.

NOTE
Tags and experts can also be provided when registering data assets using the Data Catalog data source registration tool.

When selecting multiple tables and views, only columns that all selected data assets have in common will be
displayed in the Data Catalog portal. This allows users to provide tags and descriptions for all columns with the
same name for all selected assets.

Annotations and discovery
Just as the metadata extracted from the data source during registration is added to the Data Catalog search index,
user-supplied metadata is also indexed. This means that not only do annotations make it easier for users to
understand the data they discover, annotations also make it easier for users to discover the annotated data assets
by searching using the terms that make sense to them.

Summary
Registering a data source with Data Catalog makes that data discoverable by copying structural and descriptive
metadata from the data source into the Catalog service. Once a data source has been registered, users can provide
annotations that make it easier to discover and understand from within the Data Catalog portal.

See also
Get Started with Azure Data Catalog tutorial for step-by-step details about how to annotate data sources.
Document data sources
8/27/2018 • 2 minutes to read

Introduction
Microsoft Azure Data Catalog is a fully managed cloud service that serves as a system of registration and
system of discovery for enterprise data sources. In other words, Azure Data Catalog is all about helping people
discover, understand, and use data sources, and helping organizations to get more value from their existing data.
When a data source is registered with Azure Data Catalog, its metadata is copied and indexed by the service, but
the story doesn’t end there. Azure Data Catalog also allows users to provide their own complete documentation
that can describe the usage and common scenarios for the data source.
In How to annotate data sources, you learn that experts who know the data source can annotate it with tags and a
description. The Azure Data Catalog portal includes a rich text editor so that users can fully document data
assets and containers. The editor includes paragraph formatting, such as headings, text formatting, bulleted lists,
numbered lists, and tables.
Tags and descriptions are great for simple annotations. However, to help data consumers better understand the
use of a data source, and business scenarios for a data source, an expert can provide complete, detailed
documentation. It's easy to document a data source. Select a data asset or container, and choose Documentation.
Documenting data assets
Azure Data Catalog documentation lets you use your Data Catalog as a content repository
to create a complete narrative of your data assets. You can explore detailed content that describes containers and
tables. If you already have content in another content repository, such as SharePoint or a file share, you can add to
the asset documentation links to reference this existing content. This feature makes your existing documents more
discoverable.

NOTE
Documentation is not included in the search index.

The level of documentation can range from describing the characteristics and value of a data asset container to a
detailed description of table schema within a container. The level of documentation provided should be driven by
your business needs. But in general, here are a few pros and cons of documenting data assets:
Document just a container: All the content is in one place, but might lack necessary details for users to make an
informed decision.
Document just the tables: Content is specific to that object, but your users have multiple places for documents.
Document containers and tables: Most comprehensive approach, but might introduce more maintenance of the
documents.

Summary
Documenting data sources with Azure Data Catalog can create a narrative about your data assets in as much
detail as you need. By using links, you can link to content stored in an existing content repository, which brings
your existing docs and data assets together. Once your users discover appropriate data assets, they can have a
complete set of documentation.
How to connect to data sources
8/27/2018

Introduction
Microsoft Azure Data Catalog is a fully managed cloud service that serves as a system of registration and
system of discovery for enterprise data sources. In other words, Azure Data Catalog is all about helping people
discover, understand, and use data sources, and helping organizations to get more value from their existing data. A
key aspect of this scenario is using the data – once a user discovers a data source and understands its purpose, the
next step is to connect to the data source to put its data to use.

Data source locations


During data source registration, Azure Data Catalog receives metadata about the data source. This metadata
includes the details of the data source’s location. The details of the location will vary from data source to data
source, but it will always contain the information needed to connect. For example, the location for a SQL Server
table includes the server name, database name, schema name, and table name, while the location for a SQL Server
Reporting Services report includes the server name and the path to the report. Other data source types will have
locations that reflect the structure and capabilities of the source system.

Integrated client tools


The simplest way to connect to a data source is to use the “Open in…” menu in the Azure Data Catalog portal.
This menu displays a list of options for connecting to the selected data asset. When using the default tile view, this
menu is available on each tile.

When using the list view, the menu is available in the search bar at the top of the portal window.
Supported Client Applications
When using the “Open in…” menu for data sources in the Azure Data Catalog portal, the correct client application
must be installed on the client computer.

OPEN IN APPLICATION      FILE EXTENSION / PROTOCOL   SUPPORTED APPLICATION VERSIONS
Excel                    .odc                        Excel 2010 or later
Excel (Top 1000)         .odc                        Excel 2010 or later
Power Query              .xlsx                       Excel 2016, or Excel 2010 or Excel 2013 with the Power Query for Excel add-in installed
Power BI Desktop         .pbix                       Power BI Desktop July 2016 or later
SQL Server Data Tools    vsweb://                    Visual Studio 2013 Update 4 or later with SQL Server tooling installed
Report Manager           http://                     See browser requirements for SQL Server Reporting Services

Your data, your tools


The options available in the menu will depend on the type of data asset currently selected. Of course, not all
possible tools will be included in the “Open in…” menu, but it is still easy to connect to the data source using any
client tool. When a data asset is selected in the Azure Data Catalog portal, the complete location is displayed in
the properties pane.
The connection information details will differ from data source type to data source type, but the information
included in the portal will give you everything you need to connect to the data source in any client tool. Users can
copy the connection details for the data sources that they have discovered using Azure Data Catalog, enabling
them to work with the data in their tool of choice.

Connecting and data source permissions


Although Azure Data Catalog makes data sources discoverable, access to the data itself remains under the
control of the data source owner or administrator. Discovering a data source in Azure Data Catalog does not
give a user any permissions to access the data source itself.
To make it easier for users who discover a data source but do not have permission to access its data, users can
provide information in the Request Access property when annotating a data source. Information provided here –
including links to the process or point of contact for gaining data source access – is presented alongside the data
source location information in the portal.

Summary
Registering a data source with Azure Data Catalog makes that data discoverable by copying structural and
descriptive metadata from the data source into the Catalog service. Once a data source has been registered, and
discovered, users can connect to the data source from the Azure Data Catalog portal “Open in…” menu or using
their data tools of choice.

See also
Get Started with Azure Data Catalog tutorial for step-by-step details about how to connect to data sources.
How to work with big data sources in Azure Data Catalog
8/27/2018

Introduction
Microsoft Azure Data Catalog is a fully managed cloud service that serves as a system of registration and
system of discovery for enterprise data sources. It is all about helping people discover, understand, and use data
sources, and helping organizations to get more value from their existing data sources, including big data.
Azure Data Catalog supports the registration of Azure Blob Storage blobs and directories as well as Hadoop
HDFS files and directories. The semi-structured nature of these data sources provides great flexibility. However, to
get the most value from registering them with Azure Data Catalog, users must consider how the data sources
are organized.

Directories as logical data sets


A common pattern for organizing big data sources is to treat directories as logical data sets. Top-level directories
are used to define a data set, while subfolders define partitions, and the files they contain store the data itself.
An example of this pattern might be:

\vehicle_maintenance_events
    \2013
    \2014
    \2015
        \01
            \2015-01-trailer01.csv
            \2015-01-trailer92.csv
            \2015-01-canister9635.csv
            ...
\location_tracking_events
    \2013
    ...

In this example, vehicle_maintenance_events and location_tracking_events represent logical data sets. Each of these
folders contains data files that are organized by year and month into subfolders. Each of these folders could
potentially contain hundreds or thousands of files.
In this pattern, registering individual files with Azure Data Catalog probably does not make sense. Instead,
register the directories that represent the data sets that are meaningful to the users working with the data.

Reference data files


A complementary pattern is to store reference data sets as individual files. These data sets may be thought of as
the 'small' side of big data, and are often similar to dimensions in an analytical data model. Reference data files
contain records that are used to provide context for the bulk of the data files stored elsewhere in the big data store.
An example of this pattern might be:
\vehicles.csv
\maintenance_facilities.csv
\maintenance_types.csv

When an analyst or data scientist is working with the data contained in the larger directory structures, the data in
these reference files can be used to provide more detailed information for entities that are referred to only by
name or ID in the larger data set.
In this pattern, it makes sense to register the individual reference data files with Azure Data Catalog. Each file
represents a data set, and each one can be annotated and discovered individually.

Alternate patterns
The patterns described in the preceding section are just two possible ways a big data store may be organized, but
each implementation is different. Regardless of how your data sources are structured, when registering big data
sources with Azure Data Catalog, focus on registering the files and directories that represent the data sets that
are of value to others within your organization. Registering all files and directories can clutter the catalog, making it
harder for users to find what they need.

Summary
Registering data sources with Azure Data Catalog makes them easier to discover and understand. By registering
and annotating the big data files and directories that represent logical data sets, you can help users find and use
the big data sources they need.
Data profile data sources
8/27/2018

Introduction
Microsoft Azure Data Catalog is a fully managed cloud service that serves as a system of registration and
system of discovery for enterprise data sources. In other words, Azure Data Catalog is all about helping people
discover, understand, and use data sources, and helping organizations to get more value from their existing data.
When a data source is registered with Azure Data Catalog, its metadata is copied and indexed by the service, but
the story doesn’t end there.
The Data Profiling feature of Azure Data Catalog examines the data from supported data sources in your
catalog and collects statistics and information about that data. It's easy to include a profile of your data assets.
When you register a data asset, choose Include Data Profile in the data source registration tool.

What is Data Profiling


Data profiling examines the data in the data source being registered, and collects statistics and information about
that data. During data source discovery, these statistics can help you determine the suitability of the data to solve
your business problem.
The following data sources support data profiling:
SQL Server (including Azure SQL DB and Azure SQL Data Warehouse) tables and views
Oracle tables and views
Teradata tables and views
Hive tables
Including data profiles when registering data assets helps users answer questions about data sources, including:
Can it be used to solve my business problem?
Does the data conform to particular standards or patterns?
What are some of the anomalies of the data source?
What are possible challenges of integrating this data into my application?

NOTE
You can also add documentation to an asset to describe how data could be integrated into an application. See How to
document data sources.

How to include a data profile when registering a data source


It's easy to include a profile of your data source. When you register a data source, in the Objects to be registered
panel of the data source registration tool, choose Include Data Profile.
To learn more about how to register data sources, see How to register data sources and Get started with Azure
Data Catalog.

Filtering on data assets that include data profiles


To discover data assets that include a data profile, you can include has:tableDataProfiles or
has:columnsDataProfiles as one of your search terms.

NOTE
Selecting Include Data Profile in the data source registration tool includes both table and column-level profile information.
However, the Data Catalog API allows data assets to be registered with only one set of profile information included.

Viewing data profile information


Once you find a suitable data source with a profile, you can view the data profile details. To view the data profile,
select a data asset and choose Data Profile in the Data Catalog portal window.
A data profile in Azure Data Catalog shows table and column profile information including:
Object data profile
Number of rows
Table size
When the object was last updated
Column data profile
Column data type
Number of distinct values
Number of rows with NULL values
Minimum, maximum, average, and standard deviation for column values

Summary
Data profiling provides statistics and information about registered data assets to help you determine the suitability
of the data to solve business problems. Along with annotating, and documenting data sources, data profiles can
give users a deeper understanding of your data.

See Also
How to register data sources
Get started with Azure Data Catalog
Manage data assets in Azure Data Catalog
8/27/2018

Introduction
Azure Data Catalog is designed for data-source discovery, so that you can easily discover and understand the data
sources you need to perform analysis and make decisions. These discovery capabilities make the biggest impact
when you and other users can find and understand the broadest range of available data sources. With these
elements in mind, the default behavior of Data Catalog is for all registered data sources to be visible to and
discoverable by all catalog users.
Data Catalog does not give you access to the data itself. Data access is controlled by the owner of the data source.
With Data Catalog, you can discover data sources and view the metadata that's related to the sources that are
registered in the catalog.
There might be situations, however, where data sources should only be visible to specific users, or to members of
specific groups. In such scenarios, users can take ownership of registered data assets within the catalog and then
control the visibility of the assets they own.

NOTE
The functionality described in this article is available only in the Standard Edition of Azure Data Catalog. The Free Edition
does not provide capabilities for ownership and restricting data-asset visibility.

Manage ownership of data assets


By default, data assets that are registered in Data Catalog are unowned. Any user with permission to access the
catalog can discover and annotate these assets. Users can take ownership of unowned data assets and then limit
the visibility of the assets they own.
When a data asset in Data Catalog is owned, only users who are authorized by the owners can discover the asset
and view its metadata, and only the owners can delete the asset from the catalog.

NOTE
Ownership in Data Catalog affects only the metadata that's stored in the catalog. Ownership does not confer any
permissions on the underlying data source.

Take ownership
Users can take ownership of data assets by selecting the Take Ownership option in the Data Catalog portal. No
special permissions are required to take ownership of an unowned data asset. Any user can take ownership of an
unowned data asset.
Add owners and co-owners
If a data asset is already owned, other users cannot simply take ownership. They must be added as co-owners by
an existing owner. Any owner can add additional users or security groups as co-owners.
NOTE
It is a best practice to have at least two individuals as owners for any owned data asset.

Remove owners
Just as any asset owner can add co-owners, any asset owner can remove any co-owner.
An asset owner who removes himself or herself as an owner can no longer manage the asset. If the asset owner
removes himself or herself as an owner and there are no other co-owners, the asset reverts to an unowned state.

Control visibility
Data-asset owners can control the visibility of the data assets they own. To restrict visibility from the default, where
all Data Catalog users can discover and view the data asset, the asset owner can toggle the visibility setting from
Everyone to Owners & These Users in the properties for the asset. Owners can then add specific users and
security groups.

NOTE
Whenever possible, asset ownership and visibility permissions should be assigned to security groups and not to individual
users.

Catalog administrators
Data Catalog administrators are implicitly co-owners of all assets in the catalog. Asset owners cannot remove
visibility from administrators, and administrators can manage ownership and visibility for all data assets in the
catalog.

Summary
The Data Catalog crowdsourcing model of metadata and data asset discovery allows all catalog users to
contribute and discover. The Standard Edition of Data Catalog is designed for ownership and management to limit
the visibility and use of specific data assets.
Save searches and pin data assets in Azure Data Catalog
8/27/2018

Introduction
Azure Data Catalog provides capabilities for data source discovery. You can quickly search and filter the catalog to
locate data sources and understand their intended purpose, making it easier to find the right data for the job at
hand.
But what if you need to regularly work with the same data? And what if you and other users regularly contribute
your knowledge to the same data sources in the catalog? In these situations, having to repeatedly issue the same
searches can be inefficient. This is where saved search and pinned data assets can help.

Saved searches
A saved search in Data Catalog is a reusable, per-user search definition. You can define a search, including search
terms, tags, and other filters, and then save it. You can re-run the saved search definition later to return any data
assets that match its search criteria.
Create a saved search
To create a saved search, do the following:
1. In the Azure Data Catalog portal, in the Current Search window, click Save.

2. Enter the search criteria that you want to reuse, and then click Save.
3. When you are prompted, enter a name for the saved search. Pick a name that is meaningful and that
describes the data assets that will be returned by the search.
Manage saved searches
After you have saved one or more searches, a Saved Searches option is displayed beneath the Current Search
box. When the list is expanded, all saved searches are displayed.

Do any of the following:


To execute a search, select a saved search in the list.
To view a list of management options for a saved search, click the down arrow next to the search name.

To enter a new name for the saved search, select Rename. The search definition is not changed.
To remove the saved search from your list, select Delete, and then confirm the deletion.
To mark the saved search as your default search, select Save As Default. If you perform an “empty” search
from the Azure Data Catalog home page, your default search is executed. In addition, the search that's
marked as the default search is displayed at the top of the Saved Searches list.
Organizational saved searches
All users in your organization can save searches for their own use. Data Catalog administrators can also save
searches for all users within the organization. When administrators save a search, they're presented with a Share
within the company option. Selecting this option shares the saved search for all users in the organization.

Pinned data assets


With saved searches, you can save and reuse search definitions. The data assets that are returned by the searches
might change over time as the contents of the catalog change. When you pin data assets, you can explicitly identify
specific data assets to make them easier to access without needing to use a search.
Pinning a data asset is straightforward. To add the data asset to your pinned list, you simply click the pin icon. The
icon is displayed in the corner of the asset tile in the tile view, and in the left-most column in the list view in the
Azure Data Catalog portal.

Unpinning a data asset is equally straightforward. Simply click the unpin icon to toggle the setting for the selected
asset.
The My Assets section
The Data Catalog portal home page includes a My Assets section that displays assets of interest to the current
user. This section includes both pinned assets and saved searches.

Summary
Azure Data Catalog provides capabilities that make it easier to discover the data sources you need, so you and
other organization members can spend less time looking for data and more time working with it. Saved searches
and pinned data assets build on these core capabilities so users can easily identify data sources that they work with
repeatedly.
Set up the business glossary for governed tagging
8/27/2018

Introduction
Azure Data Catalog enables data-source discovery, so you can easily discover and understand the data sources
that you need to perform analysis and make decisions. These capabilities make the biggest impact when you can
find and understand the broadest range of available data sources.
One Data Catalog feature that promotes greater understanding of asset data is tagging. By using tagging, you
can associate keywords with an asset or a column, which in turn makes it easier to discover the asset via searching
or browsing. Tagging also helps you more easily understand the context and intent of the asset.
However, tagging can sometimes cause problems of its own. Some examples of problems that tagging can
introduce are:
The use of abbreviations on some assets and expanded text on others. This inconsistency hinders the discovery
of assets, even though the intent was to tag the assets with the same tag.
Potential variations in meaning, depending on context. For example, a tag called Revenue on a customer data
set might mean revenue by customer, but the same tag on a quarterly sales dataset might mean quarterly
revenue for the company.
To help address these and other similar challenges, Data Catalog includes a business glossary.
By using the Data Catalog business glossary, an organization can document key business terms and their
definitions to create a common business vocabulary. This governance enables consistency in data usage across the
organization. After a term is defined in the business glossary, it can be assigned to a data asset in the catalog. This
approach, called governed tagging, works the same way as tagging.

Glossary availability and privileges


The business glossary is available only in the Standard Edition of Azure Data Catalog. The Free Edition of Data
Catalog does not include a glossary, and it does not provide capabilities for governed tagging.
You can access the business glossary via the Glossary option in the Data Catalog portal's navigation menu.

Data Catalog administrators and members of the glossary administrators role can create, edit, and delete glossary
terms in the business glossary. All Data Catalog users can view the term definitions and tag assets with glossary
terms.
Creating glossary terms
Data Catalog administrators and glossary administrators can create glossary terms by clicking the New Term
button. Each glossary term contains the following fields:
A business definition for the term
A description that captures the intended use or business rules for the asset or column
A list of stakeholders who know the most about the term
The parent term, which defines the hierarchy in which the term is organized

Glossary term hierarchies


By using the Data Catalog business glossary, an organization can describe its business vocabulary as a hierarchy
of terms, and it can create a classification of terms that better represents its business taxonomy.
A term must be unique at a given level of hierarchy. Duplicate names are not allowed. There is no limit to the
number of levels in a hierarchy, but a hierarchy is often more easily understood when there are three levels or
fewer.
The use of hierarchies in the business glossary is optional. Leaving the parent term field blank for glossary terms
creates a flat (non-hierarchical) list of terms in the glossary.

Tagging assets with glossary terms


After glossary terms have been defined within the catalog, the experience of tagging assets is optimized to search
the glossary as a user types a tag. The Data Catalog portal displays a list of matching glossary terms to choose
from. If the user selects a glossary term from the list, the term is added to the asset as a tag (also called a glossary
tag). The user can also choose to create a new tag by typing a term that's not in the glossary (also called a user
tag).

NOTE
User tags are the only type of tag supported in the Free Edition of Data Catalog.

Hover behavior on tags


In the Data Catalog portal, the two types of tags are visually distinct and present different hover behaviors. When
you hover over a user tag, you can see the tag text and the user or users who have added the tag. When you hover
over a glossary tag, you also see the definition of the glossary term and a link to open the business glossary to
view the full definition of the term.
Search filters for tags
Glossary tags and user tags are both searchable, and you can apply them as filters in a search.

Summary
By using the business glossary in Azure Data Catalog, and the governed tagging it enables, you can identify,
manage, and discover data assets in a consistent manner. The business glossary can promote learning of the
business vocabulary by organization members. The glossary also supports capturing meaningful metadata, which
simplifies asset discovery and understanding.

Next steps
REST API documentation for business glossary operations
How to secure access to data catalog and data assets
8/27/2018

IMPORTANT
This feature is available only in the standard edition of Azure Data Catalog.

Azure Data Catalog allows you to specify who can access the data catalog and what operations (register, annotate,
take ownership) they can perform on metadata in the catalog.

Catalog users and permissions


To give a user or a group the access to a data catalog and set permissions:
1. On the home page of your data catalog, click Settings on the toolbar.

2. In the settings page, expand the Catalog Users section.

3. Click Add.
4. Enter the fully qualified user name or the name of the security group in the Azure Active Directory (AAD)
associated with the catalog. Use a comma (,) as a separator if you are adding more than one user or group.

5. Press ENTER or TAB out of the text box.


6. Confirm that all permissions (Annotate, Register, and Take Ownership) are assigned to these users or
groups by default. That is, the user or group can register data assets, annotate data assets, and take ownership
of data assets.
7. To give a user or group read-only access to the catalog, clear the Annotate option for that user or group.
When you do so, the user or group can view data assets in the catalog but cannot annotate them.
8. To prevent a user or group from registering data assets, clear the Register option for that user or group.
9. To prevent a user or group from taking ownership of a data asset, clear the Take Ownership option for that user or group.
10. To delete a user/group from catalog users, click x for the user/group at the bottom of the list.

IMPORTANT
We recommend that you add security groups to catalog users rather than adding users directly and assign
permissions. Then, add users to the security groups that match their roles and their required access to the catalog.

Special considerations
The permissions assigned to security groups are additive. For example, if a user is in two groups, one that has the
Annotate permission and one that does not, the user has the Annotate permission.
The permissions assigned explicitly to a user override the permissions assigned to groups to which the user
belongs. In the previous example, say, you explicitly added the user to catalog users and do not assign annotate
permissions. The user cannot annotate data assets even though the user is a member of a group that does have
annotate permissions.
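The two rules above can be checked with a small resolver. This is an added example, not Azure Data Catalog code; the principal names are constructed, and group membership is passed in directly rather than looked up in Azure Active Directory.

```python
"""Effective catalog permissions for a user (added example, not Azure Data Catalog code).

Models the two rules stated under "Special considerations":
  1. permissions granted to security groups are additive, and
  2. an explicit entry for the user overrides anything the user's groups grant.
All principal names are constructed sample values; group membership would normally
come from Azure Active Directory and is passed in here directly.
"""
from dataclasses import dataclass

# The three permissions the Catalog Users page lets you assign.
PERMISSIONS = frozenset({"Annotate", "Register", "Take Ownership"})


@dataclass(frozen=True)
class CatalogUserEntry:
    """One row of the Catalog Users list: a user or group and its checked permissions."""
    principal: str
    permissions: frozenset  # subset of PERMISSIONS; empty means read-only access

    def __post_init__(self):
        unknown = self.permissions - PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions for {self.principal}: {sorted(unknown)}")


def effective_permissions(user, user_groups, catalog_users):
    """Return the permissions `user` effectively has, or None if the user has no access at all.

    catalog_users: mapping principal -> CatalogUserEntry (the Catalog Users list).
    user_groups:   names of the security groups the user belongs to.
    An empty set means the user can view the catalog but do nothing else (read-only).
    """
    explicit = catalog_users.get(user)
    if explicit is not None:
        # Rule 2: an explicit user entry wins outright, even when it grants less
        # than the user's groups would.
        return set(explicit.permissions)

    granted = None
    for group in user_groups:
        entry = catalog_users.get(group)
        if entry is None:
            continue  # group is not a catalog user; it contributes nothing
        if granted is None:
            granted = set()
        # Rule 1: union of what every matching group grants.
        granted |= entry.permissions
    return granted


def can_annotate(user, user_groups, catalog_users):
    """Check the permission that is cleared to make a user or group read-only."""
    perms = effective_permissions(user, user_groups, catalog_users)
    return perms is not None and "Annotate" in perms


# Constructed Catalog Users list: two groups, plus one user added explicitly with every
# permission cleared, mirroring the example in "Special considerations".
CATALOG_USERS = {
    "analysts@contoso.example": CatalogUserEntry("analysts@contoso.example", PERMISSIONS),
    "readers@contoso.example": CatalogUserEntry("readers@contoso.example", frozenset()),
    "alice@contoso.example": CatalogUserEntry("alice@contoso.example", frozenset()),
}


if __name__ == "__main__":
    cases = {
        # in both groups, but an explicit read-only entry overrides the analysts grant
        "alice@contoso.example": ["analysts@contoso.example", "readers@contoso.example"],
        # same groups, no explicit entry -> union of the group grants
        "bob@contoso.example": ["analysts@contoso.example", "readers@contoso.example"],
        # read-only group only -> access to the catalog, no permissions
        "carol@contoso.example": ["readers@contoso.example"],
        # no listed group -> no access to the catalog at all
        "dave@contoso.example": ["hr@contoso.example"],
    }
    for user, groups in cases.items():
        print(user, "->", effective_permissions(user, groups, CATALOG_USERS))
```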

Next steps
Get started with Azure Data Catalog
How to view related data assets in Azure Data Catalog?
8/27/2018

Azure Data Catalog allows you to view data assets related to a selected data asset and view relationships between
them.

Supported data sources


When you register data assets from the following data sources, Azure Data Catalog automatically registers
metadata about join relationships between the selected data assets.
SQL Server
Azure SQL Database
MySQL
Oracle

NOTE
For Data Catalog to import the relationship between two data assets, you must register both assets at the same time. If you
have already registered one of them separately, register it again together with the other data asset to import the relationship between them.

View related data assets


To view data assets that are related to a selected dataset, use the Relationships tab as shown in the following
image:

In this example, there are two relationships for the selected ProductSubcategory data asset:
ProductSubcategoryID column of the Product table has a foreign key relationship with ProductSubcategoryID
column of the selected ProductSubcategory table.
ProductCategoryID column of the ProductSubCategory table has a foreign key relationship with
ProductCategoryID column of the selected ProductCategory table.
NOTE
Notice the direction of the arrow in the relationships tree view.

To see more details, such as the fully qualified name of the column, hover over the relationship and a popup
similar to the following image appears:

To include relationships between assets that have already been registered, re-register those assets.

Next steps
How to manage data assets
Azure Data Catalog developer concepts
8/27/2018

Microsoft Azure Data Catalog is a fully managed cloud service that provides capabilities for data source
discovery and for crowdsourcing data source metadata. Developers can use the service via its REST APIs.
Understanding the concepts implemented in the service is important for developers to successfully integrate with
Azure Data Catalog.

Key concepts
The Azure Data Catalog conceptual model is based on four key concepts: The Catalog, Users, Assets, and
Annotations.

Figure 1 - Azure Data Catalog simplified conceptual model


Catalog
A Catalog is the top-level container for all the metadata an organization stores. There is one Catalog allowed per
Azure Account. Catalogs are tied to an Azure subscription, but only one Catalog can be created for any given
Azure account, even though an account can have multiple subscriptions.
A catalog contains Users and Assets.
Users
Users are security principals that have permissions to perform actions (search the catalog, add, edit or remove
items, etc.) in the Catalog.
There are several different roles a user can have. For information on roles, see the section Roles and Authorization.
Individual users and security groups can be added.
Azure Data Catalog uses Azure Active Directory for identity and access management. Each Catalog user must be a
member of the Active Directory for the account.
Assets
A Catalog contains data assets. Assets are the unit of granularity managed by the catalog.
The granularity of an asset varies by data source. For SQL Server or Oracle Database, an asset can be a Table or a
View. For SQL Server Analysis Services, an asset can be a Measure, a Dimension, or a Key Performance Indicator
(KPI). For SQL Server Reporting Services, an asset is a Report.
An Asset is the thing you add or remove from a Catalog. It is the unit of result you get back from Search.
An Asset is made up from its name, location, and type, and annotations that further describe it.
Annotations
Annotations are items that represent metadata about Assets.
Examples of annotations are description, tags, schema, documentation, etc. A full list of the asset types and
annotation types are in the Asset Object model section.

Crowdsourcing annotations and user perspective (multiplicity of opinion)
A key aspect of Azure Data Catalog is how it supports the crowdsourcing of metadata in the system. As opposed to
a wiki approach – where there is only one opinion and the last writer wins – the Azure Data Catalog model allows
multiple opinions to live side by side in the system.
This approach reflects the real world of enterprise data where different users can have different perspectives on a
given asset:
A database administrator may provide information about service level agreements, or the available processing
window for bulk ETL operations
A data steward may provide information about the business processes to which the asset applies, or the
classifications that the business has applied to it
A finance analyst may provide information about how the data is used during end-of-period reporting tasks
To support this example, each user – the DBA, the data steward, and the analyst – can add a description to a single
table that has been registered in the Catalog. All descriptions are maintained in the system, and in the Azure Data
Catalog portal all descriptions are displayed.
This pattern is applied to most of the items in the object model, so object types in the JSON payload are often
arrays for properties where you might expect a singleton.
For example, under the asset root is an array of description objects. The array property is named "descriptions". A
description object has one property, description. Each user who enters a description gets a description object
created for the value they supplied.
The UX can then choose how to display the combination. There are three different patterns for display.
The simplest pattern is "Show All". In this pattern, all the objects are shown in a list view. The Azure Data
Catalog portal UX uses this pattern for descriptions.
Another pattern is "Merge". In this pattern, all the values from the different users are merged together, with
duplicates removed. Examples of this pattern in the Azure Data Catalog portal UX are the tags and experts
properties.
A third pattern is "last writer wins". In this pattern, only the most recently entered value is shown. friendlyName is
an example of this pattern.
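The three display patterns, applied to a constructed asset payload shaped like the one described above (an array of per-user annotation objects under the asset root). This is an added example, not code from the Azure Data Catalog docs or portal. The "timestamp" field is the documented system property every item carries; the "author" field on each annotation is an assumption added here so that the expert-first ordering mentioned later on this page can be shown, and the friendlyName write history is constructed to illustrate "last writer wins".

```python
"""Display patterns for crowdsourced annotations (added example).

Models the three patterns named above over a constructed asset: "Show All"
(descriptions), "Merge" (tags) and "last writer wins" (friendlyName).
"""
from datetime import datetime
from typing import Any, Dict, List, Set

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample asset, not real catalog data. "timestamp" is the system
# property; "author" is an assumed field used only for expert-first ordering.
SAMPLE_ASSET: Dict[str, Any] = {
    "name": "dbo.Orders",
    "descriptions": [
        {"description": "Nightly ETL window is 01:00-03:00 UTC; avoid bulk loads then.",
         "timestamp": "2018-08-01T09:00:00Z", "author": "dba@contoso.com"},
        {"description": "Classified Internal; feeds the order-to-cash process.",
         "timestamp": "2018-08-02T10:00:00Z", "author": "steward@contoso.com"},
        {"description": "Source table for end-of-period revenue reporting.",
         "timestamp": "2018-08-03T11:00:00Z", "author": "analyst@contoso.com"},
    ],
    "tags": [
        {"tag": "sales", "timestamp": "2018-08-01T09:00:00Z", "author": "dba@contoso.com"},
        {"tag": "etl", "timestamp": "2018-08-01T09:00:00Z", "author": "dba@contoso.com"},
        {"tag": "sales", "timestamp": "2018-08-02T10:00:00Z", "author": "steward@contoso.com"},
        {"tag": "finance", "timestamp": "2018-08-03T11:00:00Z", "author": "analyst@contoso.com"},
    ],
    # Constructed write history for the singleton friendlyName annotation.
    "friendlyName": [
        {"friendlyName": "Orders (raw)", "timestamp": "2018-08-01T09:00:00Z", "author": "dba@contoso.com"},
        {"friendlyName": "Customer Orders", "timestamp": "2018-08-03T11:00:00Z", "author": "analyst@contoso.com"},
    ],
    "experts": [
        {"expert": {"upn": "steward@contoso.com"}, "timestamp": "2018-08-02T10:00:00Z",
         "author": "steward@contoso.com"},
    ],
}


def _parse_ts(item: Dict[str, Any]) -> datetime:
    return datetime.strptime(item["timestamp"], TS_FORMAT)


def expert_upns(asset: Dict[str, Any]) -> Set[str]:
    """Collect the upns named in the asset's Expert annotations."""
    return {e["expert"]["upn"] for e in asset.get("experts", [])}


def show_all(items: List[Dict[str, Any]], key: str, experts: Set[str] = frozenset()) -> List[str]:
    """"Show All": every user's value is kept. Values written by experts are
    listed first (the page says experts' descriptions bubble to the top), then
    the rest in the order they were written."""
    ordered = sorted(items, key=lambda i: (i.get("author") not in experts, _parse_ts(i)))
    return [i[key] for i in ordered]


def merge(items: List[Dict[str, Any]], key: str) -> List[str]:
    """"Merge": the union of all users' values with duplicates removed, keeping
    first-seen order. Duplicates are compared case-insensitively (a choice made
    here; the page does not say how the portal compares tags)."""
    seen: Set[str] = set()
    out: List[str] = []
    for i in items:
        folded = i[key].casefold()
        if folded not in seen:
            seen.add(folded)
            out.append(i[key])
    return out


def last_writer_wins(items: List[Dict[str, Any]], key: str) -> str:
    """"Last writer wins": only the most recently written value is shown."""
    if not items:
        raise ValueError("no values have been written")
    return max(items, key=_parse_ts)[key]


def render(asset: Dict[str, Any]) -> Dict[str, Any]:
    """Combine the annotations the way the portal patterns above describe."""
    experts = expert_upns(asset)
    return {
        "descriptions": show_all(asset["descriptions"], "description", experts),
        "tags": merge(asset["tags"], "tag"),
        "friendlyName": last_writer_wins(asset["friendlyName"], "friendlyName"),
        "experts": sorted(experts),
    }


if __name__ == "__main__":
    for field_name, value in render(SAMPLE_ASSET).items():
        print(f"{field_name}: {value}")
```

Running the module prints the steward's description first (the steward is the only listed expert), the three tags with the duplicate "sales" collapsed, and "Customer Orders" as the displayed friendly name.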

Asset object model


As introduced in the Key Concepts section, the Azure Data Catalog object model includes items, which can be
assets or annotations. Items have properties, which can be optional or required. Some properties apply to all items.
Some properties apply to all assets. Some properties apply only to specific asset types.
System properties

Property Name | Data Type | Comments
timestamp | DateTime | The last time the item was modified. This field is generated by the server when an item is inserted and every time an item is updated. The value of this property is ignored on input of publish operations.
id | Uri | Absolute URL of the item (read-only). It is the unique addressable URI for the item. The value of this property is ignored on input of publish operations.
type | String | The type of the asset (read-only).
etag | String | A string corresponding to the version of the item that can be used for optimistic concurrency control when performing operations that update items in the catalog. "*" can be used to match any value.
Common properties
These properties apply to all root asset types and all annotation types.

Property Name | Data Type | Comments
fromSourceSystem | Boolean | Indicates whether the item's data is derived from a source system (such as SQL Server Database or Oracle Database) or authored by a user.

Common root properties
These properties apply to all root asset types.

Property Name | Data Type | Comments
name | String | A name derived from the data source location information.
dsl | DataSourceLocation | Uniquely describes the data source and is one of the identifiers for the asset (see the Asset identity section). The structure of the dsl varies by the protocol and source type.
dataSource | DataSourceInfo | More detail on the type of asset.
lastRegisteredBy | SecurityPrincipal | Describes the user who most recently registered this asset. Contains both the unique id for the user (the upn) and a display name (lastName and firstName).
containerId | String | Id of the container asset for the data source. This property is not supported for the Container type.

Common non-singleton annotation properties
These properties apply to all non-singleton annotation types (annotations of which more than one may exist per asset).

Property Name | Data Type | Comments
key | String | A user-specified key that uniquely identifies the annotation in the current collection. The key length cannot exceed 256 characters.

Root asset types
Root asset types are those types that represent the various types of data assets that can be registered in the catalog.
For each root type there is a view, which describes the asset and the annotations included in it. The view name is used
as the {view_name} URL segment when publishing an asset through the REST API.

Asset Type (View name) | Additional Properties | Data Type | Allowed Annotations | Comments
Table ("tables") | | | Description, FriendlyName, Tag, Schema, ColumnDescription, ColumnTag, Expert, Preview, AccessInstruction, TableDataProfile, ColumnDataProfile, ColumnDataClassification, Documentation | A Table represents any tabular data. For example: SQL Table, SQL View, Analysis Services Tabular Table, Analysis Services Multidimensional dimension, Oracle Table, etc.
Measure ("measures") | | | Description, FriendlyName, Tag, Expert, AccessInstruction, Documentation | This type represents an Analysis Services measure.
| measure | Column | | Metadata describing the measure.
| isCalculated | Boolean | | Specifies if the measure is calculated or not.
| measureGroup | String | | Physical container for the measure.
KPI ("kpis") | | | Description, FriendlyName, Tag, Expert, AccessInstruction, Documentation |
| measureGroup | String | | Physical container for the measure.
| goalExpression | String | | An MDX numeric expression or a calculation that returns the target value of the KPI.
| valueExpression | String | | An MDX numeric expression that returns the actual value of the KPI.
| statusExpression | String | | An MDX expression that represents the state of the KPI at a specified point in time.
| trendExpression | String | | An MDX expression that evaluates the value of the KPI over time. The trend can be any time-based criterion that is useful in a specific business context.
Report ("reports") | | | Description, FriendlyName, Tag, Expert, AccessInstruction, Documentation | This type represents a SQL Server Reporting Services report.
| assetCreatedDate | String | |
| assetCreatedBy | String | |
| assetModifiedDate | String | |
| assetModifiedBy | String | |
Container ("containers") | | | Description, FriendlyName, Tag, Expert, AccessInstruction, Documentation | This type represents a container of other assets such as a SQL database, an Azure Blobs container, or an Analysis Services model.

Annotation types
Annotation types represent types of metadata that can be assigned to other types within the catalog.

Annotation Type (Nested view name) | Additional Properties | Data Type | Comments
Description ("descriptions") | | | This property contains a description for an asset. Each user of the system can add their own description. Only that user can edit the Description object. (Admins and Asset owners can delete the Description object but not edit it). The system maintains users' descriptions separately. Thus there is an array of descriptions on each asset (one for each user who has contributed their knowledge about the asset, in addition to possibly one that contains information derived from the data source).
| description | string | A short description (2-3 lines) of the asset.
Tag ("tags") | | | This property defines a tag for an asset. Each user of the system can add multiple tags for an asset. Only the user who created Tag objects can edit them. (Admins and Asset owners can delete the Tag object but not edit it). The system maintains users' tags separately. Thus there is an array of Tag objects on each asset.
| tag | string | A tag describing the asset.
FriendlyName ("friendlyName") | | | This property contains a friendly name for an asset. FriendlyName is a singleton annotation: only one FriendlyName can be added to an asset. Only the user who created the FriendlyName object can edit it. (Admins and Asset owners can delete the FriendlyName object but not edit it). The system maintains users' friendly names separately.
| friendlyName | string | A friendly name of the asset.
Schema ("schema") | | | The Schema describes the structure of the data. It lists the attribute (column, attribute, field, etc.) names and types as well as other metadata. This information is all derived from the data source. Schema is a singleton annotation: only one Schema can be added for an asset.
| columns | Column[] | An array of column objects. They describe the column with information derived from the data source.
ColumnDescription ("columnDescriptions") | | | This property contains a description for a column. Each user of the system can add their own descriptions for multiple columns (at most one per column). Only the user who created ColumnDescription objects can edit them. (Admins and Asset owners can delete the ColumnDescription object but not edit it). The system maintains these users' column descriptions separately. Thus there is an array of ColumnDescription objects on each asset (one per column for each user who has contributed their knowledge about the column, in addition to possibly one that contains information derived from the data source). The ColumnDescription is loosely bound to the Schema, so it can get out of sync: a ColumnDescription might describe a column that no longer exists in the schema. It is up to the writer to keep description and schema in sync. The data source may also have column description information; these are additional ColumnDescription objects that are created when running the registration tool.
| columnName | String | The name of the column this description refers to.
| description | String | A short description (2-3 lines) of the column.
ColumnTag ("columnTags") | | | This property contains a tag for a column. Each user of the system can add multiple tags for a given column and can add tags for multiple columns. Only the user who created ColumnTag objects can edit them. (Admins and Asset owners can delete the ColumnTag object but not edit it). The system maintains these users' column tags separately. Thus there is an array of ColumnTag objects on each asset. The ColumnTag is loosely bound to the schema, so it can get out of sync: a ColumnTag might describe a column that no longer exists in the schema. It is up to the writer to keep column tag and schema in sync.
| columnName | String | The name of the column this tag refers to.
| tag | String | A tag describing the column.
Expert ("experts") | | | This property contains a user who is considered an expert in the data set. The experts' opinions (descriptions) bubble to the top of the UX when listing descriptions. Each user can specify their own experts. Only that user can edit the Expert object. (Admins and Asset owners can delete Expert objects but not edit them).
| expert | SecurityPrincipal |
Preview ("previews") | | | The preview contains a snapshot of the top 20 rows of data for the asset. A Preview only makes sense for some types of assets (it makes sense for Table but not for Measure).
| preview | object[] | Array of objects that represent a column. Each object has a property mapping to a column with a value for that column for the row.
AccessInstruction ("accessInstructions") | | |
| mimeType | string | The mime type of the content.
| content | string | The instructions for how to get access to this data asset. The content could be a URL, an email address, or a set of instructions.
TableDataProfile ("tableDataProfiles") | | |
| numberOfRows | int | The number of rows in the data set.
| size | long | The size in bytes of the data set.
| schemaModifiedTime | string | The last time the schema was modified.
| dataModifiedTime | string | The last time the data set was modified (data was added, modified, or deleted).
ColumnsDataProfile ("columnsDataProfiles") | | |
| columns | ColumnDataProfile[] | An array of column data profiles.
ColumnDataClassification ("columnDataClassifications") | | |
| columnName | String | The name of the column this classification refers to.
| classification | String | The classification of the data in this column.
Documentation ("documentation") | | | A given asset can have only one documentation associated with it.
| mimeType | string | The mime type of the content.
| content | string | The documentation content.

Common types
Common types can be used as the types for properties, but are not Items.

Common Type | Properties | Data Type | Comments
DataSourceInfo | | |
| sourceType | string | Describes the type of data source. For example: SQL Server, Oracle Database, etc.
| objectType | string | Describes the type of object in the data source. For example: Table, View for SQL Server.
DataSourceLocation | | |
| protocol | string | Required. Describes a protocol used to communicate with the data source. For example: "tds" for SQL Server, "oracle" for Oracle, etc. Refer to Data source reference specification - DSL Structure for the list of currently supported protocols.
| address | Dictionary<string, object> | Required. Address is a set of data specific to the protocol that is used to identify the data source being referenced. The address data is scoped to a particular protocol, meaning it is meaningless without knowing the protocol.
| authentication | string | Optional. The authentication scheme used to communicate with the data source. For example: windows, oauth, etc.
| connectionProperties | Dictionary<string, object> | Optional. Additional information on how to connect to a data source.
SecurityPrincipal | | | The backend does not perform any validation of provided properties against AAD during publishing.
| upn | string | Unique email address of user. Must be specified if objectId is not provided or in the context of the "lastRegisteredBy" property, otherwise optional.
| objectId | Guid | User or security group AAD identity. Optional. Must be specified if upn is not provided, otherwise optional.
| firstName | string | First name of user (for display purposes). Optional. Only valid in the context of the "lastRegisteredBy" property. Cannot be specified when providing a security principal for "roles", "permissions" and "experts".
| lastName | string | Last name of user (for display purposes). Optional. Only valid in the context of the "lastRegisteredBy" property. Cannot be specified when providing a security principal for "roles", "permissions" and "experts".
Column | | |
| name | string | Name of the column or attribute.
| type | string | Data type of the column or attribute. The allowable types depend on the data sourceType of the asset. Only a subset of types is supported.
| maxLength | int | The maximum length allowed for the column or attribute. Derived from data source. Only applicable to some source types.
| precision | byte | The precision for the column or attribute. Derived from data source. Only applicable to some source types.
| isNullable | Boolean | Whether the column is allowed to have a null value or not. Derived from data source. Only applicable to some source types.
| expression | string | If the value is a calculated column, this field contains the expression that expresses the value. Derived from data source. Only applicable to some source types.
ColumnDataProfile | | |
| columnName | string | The name of the column.
| type | string | The type of the column.
| min | string | The minimum value in the data set.
| max | string | The maximum value in the data set.
| avg | double | The average value in the data set.
| stdev | double | The standard deviation for the data set.
| nullCount | int | The count of null values in the data set.
| distinctCount | int | The count of distinct values in the data set.

Asset identity
Azure Data Catalog uses "protocol" and identity properties from the "address" property bag of the
DataSourceLocation "dsl" property to generate identity of the asset, which is used to address the asset inside the
Catalog. For example, the "tds" protocol has identity properties "server", "database", "schema" and "object". The
combinations of the protocol and the identity properties are used to generate the identity of the SQL Server Table
Asset. Azure Data Catalog provides several built-in data source protocols, which are listed at Data source reference
specification - DSL Structure. The set of supported protocols can be extended programmatically (Refer to Data
Catalog REST API reference). Administrators of the Catalog can register custom data source protocols. The
following table describes the properties needed to register a custom protocol.
Custom data source protocol specification

Type | Properties | Data Type | Comments
DataSourceProtocol | | |
| namespace | string | The namespace of the protocol. Namespace must be from 1 to 255 characters long and contain one or more non-empty parts separated by a dot (.). Each part must be from 1 to 255 characters long, start with a letter and contain only letters and numbers.
| name | string | The name of the protocol. Name must be from 1 to 255 characters long, start with a letter and contain only letters, numbers, and the dash (-) character.
| identityProperties | DataSourceProtocolIdentityProperty[] | List of identity properties; must contain at least one, but no more than 20 properties. For example: "server", "database", "schema", "object" are identity properties of the "tds" protocol.
| identitySets | DataSourceProtocolIdentitySet[] | List of identity sets. Defines sets of identity properties which represent a valid asset identity. Must contain at least one, but no more than 20 sets. For example: {"server", "database", "schema" and "object"} is an identity set for the "tds" protocol, which defines the identity of a SQL Server Table asset.
DataSourceProtocolIdentityProperty | | |
| name | string | The name of the property. Name must be from 1 to 100 characters long, start with a letter and can contain only letters and numbers.
| type | string | The type of the property. Supported values: "bool", "boolean", "byte", "guid", "int", "integer", "long", "string", "url".
| ignoreCase | bool | Indicates whether case should be ignored when using the property's value. Can only be specified for properties with "string" type. Default value is false.
| urlPathSegmentsIgnoreCase | bool[] | Indicates whether case should be ignored for each segment of the url's path. Can only be specified for properties with "url" type. Default value is [false].
DataSourceProtocolIdentitySet | | |
| name | string | The name of the identity set.
| properties | string[] | The list of identity properties included in this identity set. It cannot contain duplicates. Each property referenced by an identity set must be defined in the list of "identityProperties" of the protocol.
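The Asset identity section and the custom protocol table above together describe two things a client can check before publishing: that a DataSourceProtocol definition satisfies the stated constraints, and how a protocol's identity sets turn a dsl into the identity the catalog addresses the asset by. The following is an added example written for this page, not code from the Azure Data Catalog docs or SDK. TDS_PROTOCOL is a constructed approximation of the built-in "tds" protocol: its identity property names come from the page, but its namespace, ignoreCase flags and the second ("database") identity set are assumptions. The "name=value;..." rendering of the identity is this example's own choice, not the service's internal format.

```python
"""Validate a custom DataSourceProtocol and derive an asset identity from a dsl
(added example; the built-in "tds" definition below is a constructed approximation)."""
import re
from typing import Any, Dict, List

_NAME_PART = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")       # namespace parts, property names
_PROTOCOL_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")  # protocol names may also contain '-'
_SUPPORTED_TYPES = {"bool", "boolean", "byte", "guid", "int", "integer", "long", "string", "url"}


def validate_protocol(proto: Dict[str, Any]) -> bool:
    """Return True for a well-formed DataSourceProtocol; raise ValueError otherwise.
    Each check mirrors one constraint from the table above."""
    ns = proto["namespace"]
    if not (1 <= len(ns) <= 255) or not all(1 <= len(p) <= 255 and _NAME_PART.match(p) for p in ns.split(".")):
        raise ValueError(f"invalid namespace {ns!r}")
    name = proto["name"]
    if not (1 <= len(name) <= 255) or not _PROTOCOL_NAME.match(name):
        raise ValueError(f"invalid protocol name {name!r}")
    props: List[Dict[str, Any]] = proto["identityProperties"]
    if not (1 <= len(props) <= 20):
        raise ValueError("identityProperties must contain 1 to 20 entries")
    seen = set()
    for p in props:
        pname, ptype = p["name"], p["type"]
        if not (1 <= len(pname) <= 100) or not _NAME_PART.match(pname) or pname in seen:
            raise ValueError(f"invalid or duplicate identity property name {pname!r}")
        seen.add(pname)
        if ptype not in _SUPPORTED_TYPES:
            raise ValueError(f"unsupported type {ptype!r} for {pname!r}")
        if "ignoreCase" in p and ptype != "string":
            raise ValueError(f"ignoreCase is only valid for string properties ({pname!r})")
        if "urlPathSegmentsIgnoreCase" in p and ptype != "url":
            raise ValueError(f"urlPathSegmentsIgnoreCase is only valid for url properties ({pname!r})")
    sets = proto["identitySets"]
    if not (1 <= len(sets) <= 20):
        raise ValueError("identitySets must contain 1 to 20 entries")
    for s in sets:
        members = s["properties"]
        if len(set(members)) != len(members):
            raise ValueError(f"identity set {s['name']!r} contains duplicates")
        unknown = set(members) - seen
        if unknown:
            raise ValueError(f"identity set {s['name']!r} references undefined properties {sorted(unknown)}")
    return True


def asset_identity(dsl: Dict[str, Any], proto: Dict[str, Any]) -> str:
    """Canonical identity of an asset: the protocol name plus the normalised
    values of the first identity set whose properties are all present in
    dsl["address"]. String properties flagged ignoreCase are case-folded so
    that two registrations differing only in case resolve to one asset."""
    if dsl["protocol"] != proto["name"]:
        raise ValueError(f"dsl protocol {dsl['protocol']!r} is not {proto['name']!r}")
    by_name = {p["name"]: p for p in proto["identityProperties"]}
    address = dsl["address"]
    for s in proto["identitySets"]:
        if all(k in address for k in s["properties"]):
            parts = []
            for k in s["properties"]:
                value = str(address[k])
                if by_name[k]["type"] == "string" and by_name[k].get("ignoreCase", False):
                    value = value.casefold()  # case is not part of the identity
                parts.append(f"{k}={value}")
            return f"{proto['name']}:" + ";".join(parts)
    raise ValueError("address matches no identity set of the protocol")


# Constructed approximation of the built-in "tds" protocol (namespace, ignoreCase
# flags and the second identity set are assumptions). Identity sets are tried in
# order, so the most specific set is listed first.
TDS_PROTOCOL: Dict[str, Any] = {
    "namespace": "Example.BuiltIn",
    "name": "tds",
    "identityProperties": [
        {"name": "server", "type": "string", "ignoreCase": True},
        {"name": "database", "type": "string", "ignoreCase": True},
        {"name": "schema", "type": "string", "ignoreCase": True},
        {"name": "object", "type": "string", "ignoreCase": True},
    ],
    "identitySets": [
        {"name": "table", "properties": ["server", "database", "schema", "object"]},
        {"name": "database", "properties": ["server", "database"]},
    ],
}

# Two constructed dsl values for the same table, differing only in case.
SQL_TABLE_DSL = {"protocol": "tds", "address": {"server": "Sql01.contoso.com", "database": "Sales",
                                                 "schema": "dbo", "object": "Orders"}}
SQL_TABLE_DSL_OTHER_CASE = {"protocol": "tds", "address": {"server": "SQL01.CONTOSO.COM", "database": "sales",
                                                            "schema": "DBO", "object": "orders"}}

if __name__ == "__main__":
    validate_protocol(TDS_PROTOCOL)
    print(asset_identity(SQL_TABLE_DSL, TDS_PROTOCOL))
    print(asset_identity(SQL_TABLE_DSL_OTHER_CASE, TDS_PROTOCOL))
```

Both dsl values print the same identity string, which is the point of the ignoreCase flag: a registration that only differs in letter case updates the existing asset instead of creating a second one.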

Roles and authorization


Microsoft Azure Data Catalog provides authorization capabilities for CRUD operations on assets and annotations.

Key concepts
The Azure Data Catalog uses two authorization mechanisms:
Role-based authorization
Permission-based authorization
Roles
There are three roles: Administrator, Owner, and Contributor. Each role has its scope and rights, which are
summarized in the following table.

Role | Scope | Rights
Administrator | Catalog (all assets/annotations in the Catalog) | Read, Delete, ViewRoles, ChangeOwnership, ChangeVisibility, ViewPermissions
Owner | Each asset (root item) | Read, Delete, ViewRoles, ChangeOwnership, ChangeVisibility, ViewPermissions
Contributor | Each individual asset and annotation | Read, Update, Delete, ViewRoles. Note: all the rights are revoked if the Read right on the item is revoked from the Contributor.

NOTE
The Read, Update, Delete, and ViewRoles rights are applicable to any item (asset or annotation), while TakeOwnership,
ChangeOwnership, ChangeVisibility, and ViewPermissions are only applicable to the root asset.
The Delete right applies to an item and to any subitems underneath it. For example, deleting an asset also deletes any
annotations for that asset.

Permissions
Permissions are a list of access control entries. Each access control entry assigns a set of rights to a security principal.
Permissions can only be specified on an asset (that is, a root item) and apply to the asset and any subitems.
During the Azure Data Catalog preview, only the Read right is supported in the permissions list; it enables the scenario
of restricting the visibility of an asset.
By default, any authenticated user has the Read right for any item in the catalog unless visibility is restricted to the set
of principals in the permissions.
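The roles table, the NOTE and the permissions paragraph above together define an access model that is easy to get wrong in a client or an audit script, so here is an added example that computes a principal's effective rights on an asset or on one of its annotations. It is not Azure Data Catalog code. Two assumptions are made where the page is silent: Owners and Administrators keep their role rights on an asset whose visibility has been restricted, and a restriction is expressed, as on this page, by a non-empty "permissions" list. The objectIds in the sample items are placeholders, not real identities.

```python
"""Effective rights under the Azure Data Catalog roles/permissions model
(added example). Assumes Owners/Administrators keep role rights on restricted
assets and that a non-empty "permissions" list restricts visibility."""
from typing import Any, Dict, Optional, Set

EVERYONE_OBJECT_ID = "00000000-0000-0000-0000-000000000201"  # <Everyone>, from the page

ROLE_RIGHTS: Dict[str, Set[str]] = {
    "Administrator": {"Read", "Delete", "ViewRoles", "ChangeOwnership", "ChangeVisibility", "ViewPermissions"},
    "Owner": {"Read", "Delete", "ViewRoles", "ChangeOwnership", "ChangeVisibility", "ViewPermissions"},
    "Contributor": {"Read", "Update", "Delete", "ViewRoles"},
}
# Rights that only exist on a root asset, never on an annotation (NOTE above).
ROOT_ONLY_RIGHTS = {"TakeOwnership", "ChangeOwnership", "ChangeVisibility", "ViewPermissions"}


def role_members(item: Dict[str, Any], role: str) -> Set[str]:
    """objectIds listed under `role` in the item's "roles" system property."""
    return {m["objectId"] for r in item.get("roles", []) if r["role"] == role for m in r["members"]}


def readers(root: Dict[str, Any]) -> Set[str]:
    """objectIds granted Read through the root asset's "permissions" list."""
    return {ace["principal"]["objectId"]
            for ace in root.get("permissions", [])
            if any(r["right"] == "Read" for r in ace["rights"])}


def effective_rights(principal: str, root: Dict[str, Any], catalog_admins: Set[str],
                     annotation: Optional[Dict[str, Any]] = None) -> Set[str]:
    """Rights `principal` holds on `root`, or on `annotation` (a sub-item of
    root) when given. Permissions live on the root and apply to sub-items;
    the Contributor of an annotation is the annotation's own."""
    item = annotation if annotation is not None else root
    rights: Set[str] = set()
    if principal in catalog_admins:
        rights |= ROLE_RIGHTS["Administrator"]
    if principal in role_members(root, "Owner"):
        rights |= ROLE_RIGHTS["Owner"]
    # Default Read for any authenticated user unless visibility is restricted.
    restricted = bool(root.get("permissions"))
    if not restricted or principal in readers(root):
        rights.add("Read")
    # A Contributor loses every right once Read on the item is revoked.
    contributors = role_members(item, "Contributor")
    if (principal in contributors or EVERYONE_OBJECT_ID in contributors) and "Read" in rights:
        rights |= ROLE_RIGHTS["Contributor"]
    if annotation is not None:
        rights -= ROOT_ONLY_RIGHTS
    return rights


# Constructed sample: a table owned by user1, created by user2, visible only to user3.
RESTRICTED_TABLE: Dict[str, Any] = {
    "roles": [
        {"role": "Owner", "members": [{"objectId": "user1"}]},
        {"role": "Contributor", "members": [{"objectId": "user2"}]},
    ],
    "permissions": [{"principal": {"objectId": "user3"}, "rights": [{"right": "Read"}]}],
}
# A description on that table written by user3, who is its Contributor.
USER3_DESCRIPTION: Dict[str, Any] = {"roles": [{"role": "Contributor", "members": [{"objectId": "user3"}]}]}
# An open table anyone may update (Contributor set to <Everyone> at publish time).
OPEN_TABLE: Dict[str, Any] = {"roles": [{"role": "Contributor", "members": [{"objectId": EVERYONE_OBJECT_ID}]}]}
ADMINS = {"admin1"}

if __name__ == "__main__":
    for who in ("admin1", "user1", "user2", "user3", "user5"):
        print(who, sorted(effective_rights(who, RESTRICTED_TABLE, ADMINS)))
```

The interesting case is user2: as the creator the user is the Contributor of the table, but because visibility was later restricted to user3, user2 no longer has Read and therefore loses Update and Delete as well, exactly as the roles table's note states.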

REST API
PUT and POST view item requests can be used to control roles and permissions: in addition to the item payload, two
system properties can be specified: roles and permissions.

NOTE
permissions are only applicable to a root item.
The Owner role is only applicable to a root item.
By default, when an item is created in the catalog, its Contributor is set to the currently authenticated user. If the item should be
updatable by everyone, Contributor should be set to the <Everyone> special security principal in the roles property when the item
is first published (refer to the following example). The Contributor cannot be changed and stays the same during the lifetime of an
item (even an Administrator or Owner doesn't have the right to change the Contributor). The only value supported for
explicitly setting the Contributor is <Everyone>: the Contributor can only be the user who created an item or <Everyone>.

Examples
Set Contributor to <Everyone> when publishing an item. Special security principal <Everyone> has objectId
"00000000-0000-0000-0000-000000000201". POST
https://api.azuredatacatalog.com/catalogs/default/views/tables/?api-version=2016-03-30

NOTE
Some HTTP client implementations may automatically reissue requests in response to a 302 from the server, but typically
strip Authorization headers from the request. Since the Authorization header is required to make requests to Azure Data
Catalog, you must ensure the Authorization header is still provided when reissuing a request to a redirect location specified
by Azure Data Catalog. The following sample code demonstrates it using the .NET HttpWebRequest object.

Body

{
"roles": [
{
"role": "Contributor",
"members": [
{
"objectId": "00000000-0000-0000-0000-000000000201"
}
]
}
]
}

Assign owners and restrict visibility for an existing root item: PUT
https://api.azuredatacatalog.com/catalogs/default/views/tables/042297b0...1be45ecd462a?api-version=2016-03-30
{
"roles": [
{
"role": "Owner",
"members": [
{
"objectId": "c4159539-846a-45af-bdfb-58efd3772b43",
"upn": "user1@contoso.com"
},
{
"objectId": "fdabd95b-7c56-47d6-a6ba-a7c5f264533f",
"upn": "user2@contoso.com"
}
]
}
],
"permissions": [
{
"principal": {
"objectId": "27b9a0eb-bb71-4297-9f1f-c462dab7192a",
"upn": "user3@contoso.com"
},
"rights": [
{
"right": "Read"
}
]
},
{
"principal": {
"objectId": "4c8bc8ce-225c-4fcf-b09a-047030baab31",
"upn": "user4@contoso.com"
},
"rights": [
{
"right": "Read"
}
]
}
]
}

NOTE
In PUT it’s not required to specify an item payload in the body: PUT can be used to update just roles and/or permissions.
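Two client-side checks follow from the NOTEs in this section: the roles/permissions rules (Owner and permissions only on a root item, Contributor only settable to <Everyone>, only the Read right in permissions), and the redirect behaviour (a 302 from the service must be re-issued with the same method, body and Authorization header, which many HTTP clients drop). The page mentions a .NET HttpWebRequest sample that is not reproduced here; what follows is instead an added Python example written for this page, not code from the Azure Data Catalog docs. The request and response are plain dicts constructed here so that it runs offline; a real client would wrap its HTTP library's redirect hook. The trusted host suffix "azuredatacatalog.com" is an assumption: the page does not say which hosts the redirect may point to, and a bearer token should only be replayed to hosts you trust.

```python
"""Validate roles/permissions system properties and reissue a redirected
request without losing the Authorization header (added example)."""
import json
from typing import Any, Dict, Optional
from urllib.parse import urljoin, urlsplit

EVERYONE_OBJECT_ID = "00000000-0000-0000-0000-000000000201"  # <Everyone>, from the page
TRUSTED_HOST_SUFFIX = "azuredatacatalog.com"  # assumed: hosts a token may be sent to


def validate_authorization_properties(payload: Dict[str, Any], is_root: bool) -> None:
    """Raise ValueError if the "roles"/"permissions" properties break the rules
    in the NOTEs above; return None when the payload is acceptable."""
    for role in payload.get("roles", []):
        if role["role"] == "Owner" and not is_root:
            raise ValueError("Owner role is only applicable to a root item")
        if role["role"] == "Contributor":
            ids = {m.get("objectId") for m in role["members"]}
            if ids != {EVERYONE_OBJECT_ID}:
                raise ValueError("Contributor can only be set explicitly to <Everyone>")
    if "permissions" in payload:
        if not is_root:
            raise ValueError("permissions are only applicable to a root item")
        for ace in payload["permissions"]:
            principal = ace["principal"]
            if not (principal.get("objectId") or principal.get("upn")):
                raise ValueError("a security principal needs an objectId or a upn")
            if {r["right"] for r in ace["rights"]} != {"Read"}:
                raise ValueError("only the Read right is supported in permissions")


def follow_redirect(request: Dict[str, Any], status: int, location: str,
                    trusted_suffix: str = TRUSTED_HOST_SUFFIX) -> Optional[Dict[str, Any]]:
    """Build the request to reissue after a redirect from the catalog, keeping
    method, body and every header including Authorization. Returns None when
    `status` is not a redirect. Raises ValueError if the Location is not https
    or leaves the trusted host set, so the bearer token is never replayed to an
    arbitrary host."""
    if status not in (301, 302, 307, 308):
        return None
    target = urljoin(request["url"], location)
    original_host = urlsplit(request["url"]).hostname
    new = urlsplit(target)
    host = new.hostname or ""
    trusted = host == original_host or host == trusted_suffix or host.endswith("." + trusted_suffix)
    if new.scheme != "https" or not trusted:
        raise ValueError(f"refusing to reissue with Authorization to {new.netloc!r}")
    return {**request, "url": target, "headers": dict(request["headers"])}


# Constructed publish request: the page's first example body, plus a placeholder token.
PUBLISH_BODY = {"roles": [{"role": "Contributor", "members": [{"objectId": EVERYONE_OBJECT_ID}]}]}
PUBLISH_REQUEST: Dict[str, Any] = {
    "method": "POST",
    "url": "https://api.azuredatacatalog.com/catalogs/default/views/tables/?api-version=2016-03-30",
    "headers": {"Authorization": "Bearer <token placeholder>", "Content-Type": "application/json"},
    "body": json.dumps(PUBLISH_BODY),
}
# The page's second example (owners plus read-restricted visibility), abbreviated to one entry each.
UPDATE_BODY = {
    "roles": [{"role": "Owner", "members": [{"objectId": "c4159539-846a-45af-bdfb-58efd3772b43",
                                              "upn": "user1@contoso.com"}]}],
    "permissions": [{"principal": {"objectId": "27b9a0eb-bb71-4297-9f1f-c462dab7192a",
                                   "upn": "user3@contoso.com"},
                     "rights": [{"right": "Read"}]}],
}

if __name__ == "__main__":
    validate_authorization_properties(PUBLISH_BODY, is_root=True)
    validate_authorization_properties(UPDATE_BODY, is_root=True)
    # Simulated 302 from the service pointing back at the same API path.
    reissued = follow_redirect(PUBLISH_REQUEST, 302, "/catalogs/default/views/tables/?api-version=2016-03-30")
    print(reissued["method"], reissued["url"], "Authorization" in reissued["headers"])
```

Note that `follow_redirect` keeps the original method and body on a 302. Python's urllib, for comparison, turns a redirected POST into a GET and drops the body, and the requests library strips Authorization when the host changes; either default would make the publish silently fail, which is the situation the NOTE above warns about.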
Keyboard shortcuts for Azure Data Catalog
8/27/2018 • 2 minutes to read • Edit Online

Keyboard shortcuts for the Data Catalog data source registration tool
General keyboard shortcuts

OPERATION | PRESS
Tab to each control on a page | Tab
Choose an option | Enter or Spacebar
Maximize page | WIN+UP
Restore/minimize page | WIN+DOWN
Open page menu | ALT+SPACEBAR

Authentication page

OPERATION | PRESS
Sign into service | ALT+S

Data source selection page

OPERATION | PRESS
Go to next page (if enabled) | ALT+N
Change selected type when the focus is on a tile | LEFT, UP, RIGHT, or DOWN ARROW

Data source connection page

OPERATION | PRESS
Go to previous page (if enabled) | ALT+P
Choose Connect button | ALT+C

Connection context page

OPERATION | PRESS
Register button (if enabled) | ALT+R
Include Preview checkbox (if available) | ALT+P
Include Data Profile checkbox (if available) | ALT+D

OPERATION | PRESS
Navigate to each list item | UP or DOWN ARROW
Server Hierarchy, expand a tree view's node | RIGHT ARROW
Move selected items for Available Objects or Objects to be registered | SPACEBAR

Publish progress page

OPERATION | PRESS
Cancel button | ALT+C
Register More Objects button | ALT+R
View Portal button | ALT+V

Publish progress page

OPERATION | PRESS
Save button (if enabled) | ALT+S
Cancel button | ALT+C

Keyboard shortcuts for the Data Catalog portal

OPERATION | PRESS
Navigate | TAB and SHIFT+TAB
Click an item | SPACE or ENTER
Drill down into a section | SPACE or ENTER
Exit out of a section | ESC
Pin/unpin an asset | ALT+P
On the discover page, when an asset has focus, select asset | SPACE or ENTER
Add/remove asset from multi-select | CTRL+SPACE or ENTER
Toggle the search matches menu | ALT+S
Toggle Open In menu | ALT+O
Explore container, if the asset is a container | ALT+L


What's new in Azure Active Directory?
8/28/2018 • 61 minutes to read • Edit Online

Get notified about when to revisit this page for updates by adding this URL to your feed reader.

Azure AD receives improvements on an ongoing basis. To stay up-to-date with the most recent developments, this
article provides you with information about:
The latest releases
Known issues
Bug fixes
Deprecated functionality
Plans for changes
This page is updated monthly, so revisit it regularly.

August 2018
Changes to Azure Active Directory IP address ranges
Type: Plan for change
Service category: Other
Product capability: Platform
We're introducing larger IP ranges to Azure AD, which means if you've configured Azure AD IP address ranges for
your firewalls, routers, or Network Security Groups, you'll need to update them. We're making this update so you
won't have to change your firewall, router, or Network Security Groups IP range configurations again when Azure
AD adds new endpoints.
Network traffic is moving to these new ranges over the next two months. To continue with uninterrupted service,
you must add these updated values to your IP Addresses before September 10, 2018:
20.190.128.0/18
40.126.0.0/18
We strongly recommend not removing the old IP Address ranges until all of your network traffic has moved to the
new ranges. For updates about the move and to learn when you can remove the old ranges, see Office 365 URLs
and IP address ranges.

Change notice: Authorization codes will no longer be available for reuse


Type: Plan for change
Service category: Authentications (Logins)
Product capability: User Authentication
Starting on October 10, 2018, Azure AD will stop accepting previously-used authorization codes for new apps.
Any app created before October 10, 2018 will still be able to reuse authorization codes. This security change helps
to bring Azure AD in line with the OAuth specification and will be enforced on both the v1 and v2 endpoints.
If your app reuses authorization codes to get tokens for multiple resources, we recommend that you use the code
to get a refresh token, and then use that refresh token to acquire additional tokens for other resources.
Authorization codes can only be used once, but refresh tokens can be used multiple times across multiple
resources. Any new app that attempts to reuse an authorization code during the OAuth code flow will get an
invalid_grant error, revoking the previous refresh token that was acquired using that duplicate code.
For more information about refresh tokens, see Refreshing the access tokens.
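To make the behaviour described above concrete from the server's side, here is an added example (not Azure AD code) of a token-endpoint code store that enforces single-use authorization codes and, on a replay, returns invalid_grant and revokes every refresh token minted from the replayed code, while a refresh token keeps working for any number of resources. The `legacy_clients` set is an assumption standing in for "apps created before the cut-off date", which the page says keep the old reuse behaviour. Tokens here are random opaque strings, not JWTs.

```python
"""Single-use authorization codes with refresh-token revocation on replay
(added example modelling the change described above)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class InvalidGrant(Exception):
    """Raised where a real token endpoint would answer error=invalid_grant."""


@dataclass
class _CodeRecord:
    client_id: str
    subject: str
    redeemed: bool = False
    refresh_tokens: Set[str] = field(default_factory=set)  # tokens minted from this code


class CodeStore:
    def __init__(self, legacy_clients: Optional[Set[str]] = None) -> None:
        self._codes: Dict[str, _CodeRecord] = {}
        self._refresh_tokens: Dict[str, str] = {}  # refresh token -> originating code
        self._legacy_clients = set(legacy_clients or ())  # assumed "pre-cut-off" apps

    def issue_code(self, client_id: str, subject: str) -> str:
        """Authorization endpoint: mint a fresh code bound to the requesting client."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = _CodeRecord(client_id, subject)
        return code

    def redeem(self, client_id: str, code: str) -> Dict[str, str]:
        """Token endpoint, grant_type=authorization_code."""
        rec = self._codes.get(code)
        if rec is None or rec.client_id != client_id:
            raise InvalidGrant("unknown code or wrong client")
        if rec.redeemed and client_id not in self._legacy_clients:
            # Replay detected: revoke every refresh token that came from this code.
            for rt in rec.refresh_tokens:
                self._refresh_tokens.pop(rt, None)
            rec.refresh_tokens.clear()
            raise InvalidGrant("authorization code has already been redeemed")
        rec.redeemed = True
        refresh_token = secrets.token_urlsafe(32)
        rec.refresh_tokens.add(refresh_token)
        self._refresh_tokens[refresh_token] = code
        return {"token_type": "Bearer", "access_token": secrets.token_urlsafe(16),
                "refresh_token": refresh_token}

    def refresh(self, refresh_token: str, resource: str) -> Dict[str, str]:
        """Token endpoint, grant_type=refresh_token: one refresh token can be
        exchanged repeatedly, for any resource, until it is revoked."""
        if refresh_token not in self._refresh_tokens:
            raise InvalidGrant("refresh token is unknown or has been revoked")
        return {"token_type": "Bearer", "resource": resource, "access_token": secrets.token_urlsafe(16)}

    def is_revoked(self, refresh_token: str) -> bool:
        return refresh_token not in self._refresh_tokens


if __name__ == "__main__":
    store = CodeStore()
    code = store.issue_code("new-app", "alice@contoso.com")
    tokens = store.redeem("new-app", code)
    store.refresh(tokens["refresh_token"], "https://graph.microsoft.com")
    try:
        store.redeem("new-app", code)  # replay
    except InvalidGrant as e:
        print("replay rejected:", e, "| refresh token revoked:", store.is_revoked(tokens["refresh_token"]))
```

The recommended migration path from the paragraph above is visible in the code: redeem the code once, keep the refresh token, and call `refresh` per resource instead of replaying the code.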

Converged security info management for self-service password reset (SSPR) and Multi-Factor Authentication (MFA)
Type: New feature
Service category: SSPR
Product capability: User Authentication
This new feature helps people manage their security info (such as, phone number, mobile app, and so on) for SSPR
and MFA in a single location and experience; as compared to previously, where it was done in two different
locations.
This converged experience also works for people using either SSPR or MFA. Additionally, if your organization
doesn't enforce MFA or SSPR registration, people can still register any MFA or SSPR security info methods
allowed by your organization from the My Apps portal.
This is an opt-in public preview. Administrators can turn on the new experience (if desired) for a selected group or
for all users in a tenant. For more information about the converged experience, see the Converged experience blog.

New HTTP-Only cookies setting in Azure AD Application proxy apps
Type: New feature
Service category: App Proxy
Product capability: Access Control
There's a new setting called HTTP-Only Cookies in your Application Proxy apps. This setting helps provide extra
security by including the HttpOnly flag in the HTTP response header for both Application Proxy access and
session cookies, stopping access to the cookie from a client-side script and further preventing actions like copying
or modifying the cookie. Although this flag hasn't been used previously, your cookies have always been encrypted
and transmitted using an SSL connection to help protect against improper modifications.
This setting isn't compatible with apps using ActiveX controls, such as Remote Desktop. If you're in this situation,
we recommend that you turn this setting off.
For more information about the HTTP-Only Cookies setting, see Publish applications using Azure AD Application
Proxy.

Privileged Identity Management (PIM ) for Azure resources supports Management Group resource types
Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management
Just-In-Time activation and assignment settings can now be applied to Management Group resource types, just
like you already do for Subscriptions, Resource Groups, and Resources (such as VMs, App Services, and more). In
addition, anyone with a role that provides administrator access for a Management Group can discover and manage
that resource in PIM.
For more information about PIM and Azure resources, see Discover and manage Azure resources by using
Privileged Identity Management

Application access (preview) provides faster access to the Azure AD portal


Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management
Today, when activating a role using PIM, it can take over 10 minutes for the permissions to take effect. If you
choose to use Application access, which is currently in public preview, administrators can access the Azure AD
portal as soon as the activation request completes.
Currently, Application access only supports the Azure AD portal experience and Azure resources. For more
information about PIM and Application access, see What is Azure AD Privileged Identity Management?

New Federated Apps available in Azure AD app gallery - August 2018


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration
In August 2018, we've added these 16 new apps with Federation support to the app gallery:
Hornbill, Bridgeline Unbound, Sauce Labs - Mobile and Web Testing, Meta Networks Connector, Way We Do,
Spotinst, ProMaster (by Inlogik), SchoolBooking, 4me, Dossier, N2F - Expense reports, Comm100 Live Chat,
SafeConnect, ZenQMS, eLuminate, Dovetale.
For more information about the apps, see SaaS application integration with Azure Active Directory. For more
information about listing your application in the Azure AD app gallery, see List your application in the Azure Active
Directory application gallery.

Native Tableau support is now available in Azure AD Application Proxy


Type: Changed feature
Service category: App Proxy
Product capability: Access Control
With our update from the OpenID Connect to the OAuth 2.0 Code Grant protocol for our pre-authentication
protocol, you no longer have to do any additional configuration to use Tableau with Application Proxy. This
protocol change also helps Application Proxy better support more modern apps by using only HTTP redirects,
which are commonly supported in JavaScript and HTML tags.
For more information about our native support for Tableau, see Azure AD Application Proxy now with native
Tableau support.

New support to add Google as an identity provider for B2B guest users in Azure Active Directory (preview)
Type: New feature
Service category: B2B
Product capability: B2B/B2C
By setting up federation with Google in your organization, you can let invited Gmail users sign in to your shared
apps and resources using their existing Google account, without having to create a personal Microsoft account
(MSA) or an Azure AD account.
This is an opt-in public preview. For more information about Google federation, see Add Google as an identity
provider for B2B guest users.

July 2018
Improvements to Azure Active Directory email notifications
Type: Changed feature
Service category: Other
Product capability: Identity lifecycle management
Azure Active Directory (Azure AD) emails now feature an updated design, as well as changes to the sender email
address and sender display name, when sent from the following services:
Azure AD Access Reviews
Azure AD Connect Health
Azure AD Identity Protection
Azure AD Privileged Identity Management
Enterprise App Expiring Certificate Notifications
Enterprise App Provisioning Service Notifications
The email notifications will be sent from the following email address and display name:
Email address: azure-noreply@microsoft.com
Display name: Microsoft Azure
For an example of some of the new email designs and more information, see Email notifications in Azure AD PIM.

Azure AD Activity Logs are now available through Azure Monitor


Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting
The Azure AD Activity Logs are now available in public preview in Azure Monitor (Azure's platform-wide
monitoring service). Azure Monitor offers you long-term retention and seamless integration, in addition to these
improvements:
Long-term retention by routing your log files to your own Azure storage account.
Seamless SIEM integration, without requiring you to write or maintain custom scripts.
Seamless integration with your own custom solutions, analytics tools, or incident management solutions.
For more information about these new capabilities, see our blog Azure AD activity logs in Azure Monitor
diagnostics is now in public preview and our documentation, Azure Active Directory activity logs in Azure Monitor
(preview).

Conditional access information added to the Azure AD sign-ins report


Type: New feature
Service category: Reporting
Product capability: Identity Security & Protection
This update lets you see which policies are evaluated when a user signs in along with the policy outcome. In
addition, the report now includes the type of client app used by the user, so you can identify legacy protocol traffic.
Report entries can also now be searched for a correlation ID, which can be found in the user-facing error message
and can be used to identify and troubleshoot the matching sign-in request.

View legacy authentications through Sign-ins activity logs


Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting
With the introduction of the Client App field in the Sign-in activity logs, customers can now see which users are
using legacy authentication. Customers can access this information using the Sign-ins MS Graph API or through
the Sign-in activity logs in the Azure AD portal, where you can use the Client App control to filter on legacy
authentication. Check out the documentation for more details.
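The two report changes above (conditional access policies and their outcome, the Client App field, and the correlation ID) can be worked programmatically once the sign-ins have been exported. The following Python is an added example, not code from the Azure AD documentation: it filters a batch of sign-in records for legacy authentication the way the Client App control does in the portal, summarizes which conditional access policies were evaluated and with what result, and looks up the entry behind a user-facing correlation ID. Field names follow the Microsoft Graph `signIn` resource; the records are constructed sample data, and the set of client app values treated as legacy is this example's assumption rather than a list from the page.

```python
"""Triage Azure AD sign-in records: legacy auth, CA outcomes, correlation IDs.

Added example, not code from the Azure AD documentation. Field names follow
the Microsoft Graph signIn resource; the records below are constructed.
"""
import json
from collections import Counter

# Client app values treated as legacy (non-modern) authentication.
# Assumption for this example; adjust to the values seen in your tenant.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync",
    "IMAP4",
    "POP3",
    "SMTP",
    "Authenticated SMTP",
    "Exchange Web Services",
    "MAPI Over HTTP",
    "Other clients",
}

# Constructed sample export (JSON array) in the shape of Graph signIn objects.
SAMPLE_SIGNINS = json.dumps([
    {"id": "1", "correlationId": "aaaa-1",
     "userPrincipalName": "alice@contoso.example",
     "clientAppUsed": "Browser",
     "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require MFA for admins", "result": "success"}],
     "status": {"errorCode": 0}},
    {"id": "2", "correlationId": "aaaa-2",
     "userPrincipalName": "bob@contoso.example",
     "clientAppUsed": "IMAP4",
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block legacy authentication", "result": "failure"}],
     "status": {"errorCode": 53003}},
    {"id": "3", "correlationId": "aaaa-3",
     "userPrincipalName": "carol@contoso.example",
     "clientAppUsed": "Exchange ActiveSync",
     "conditionalAccessStatus": "notApplied",
     "appliedConditionalAccessPolicies": [],
     "status": {"errorCode": 0}},
    {"id": "4", "correlationId": "aaaa-4",
     "userPrincipalName": "dana@contoso.example",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require compliant device", "result": "failure"}],
     "status": {"errorCode": 53000}},
])


def load_signins(raw: str) -> list:
    """Parse an exported batch of sign-in records (a JSON array)."""
    return json.loads(raw)


def legacy_auth_signins(records: list) -> list:
    """Records whose client app indicates legacy authentication; this is the
    programmatic equivalent of filtering the Client App column in the portal."""
    return [r for r in records if r.get("clientAppUsed") in LEGACY_CLIENT_APPS]


def legacy_auth_gaps(records: list) -> list:
    """Legacy-auth sign-ins that succeeded with no conditional access policy
    applied: the gap that a 'block legacy authentication' policy should close."""
    return [r for r in legacy_auth_signins(records)
            if r.get("status", {}).get("errorCode", 0) == 0
            and r.get("conditionalAccessStatus") == "notApplied"]


def policy_outcomes(records: list) -> Counter:
    """Count (policy name, result) pairs over every evaluated CA policy."""
    counts = Counter()
    for r in records:
        for p in r.get("appliedConditionalAccessPolicies", []):
            counts[(p["displayName"], p["result"])] += 1
    return counts


def find_by_correlation_id(records: list, correlation_id: str):
    """Locate the sign-in behind the correlation ID shown in a user-facing error."""
    for r in records:
        if r.get("correlationId") == correlation_id:
            return r
    return None


if __name__ == "__main__":
    recs = load_signins(SAMPLE_SIGNINS)
    for r in legacy_auth_signins(recs):
        print("legacy auth:", r["userPrincipalName"], r["clientAppUsed"])
    for r in legacy_auth_gaps(recs):
        print("succeeded without CA:", r["userPrincipalName"])
    for (name, result), n in sorted(policy_outcomes(recs).items()):
        print(f"{name}: {result} x{n}")
```

The `legacy_auth_gaps` view is the one worth scheduling: a legacy client that signs in successfully with no policy applied is exactly the traffic that a "block legacy authentication" conditional access policy is meant to stop, and the Client App field is what makes that traffic visible.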

New Federated Apps available in Azure AD app gallery - July 2018


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration
In July 2018, we've added these 16 new apps with Federation support to the app gallery:
Innovation Hub, Leapsome, Certain Admin SSO, PSUC Staging, iPass SmartConnect, Screencast-O-Matic,
PowerSchool Unified Classroom, Eli Onboarding, Bomgar Remote Support, Nimblex, Imagineer WebVision,
Insight4GRC, SecureW2 JoinNow Connector, Kanbanize, SmartLPA, Skills Base
For more information about the apps, see SaaS application integration with Azure Active Directory. For more
information about listing your application in the Azure AD app gallery, see List your application in the Azure Active
Directory application gallery.

New user provisioning SaaS app integrations - July 2018


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration
Azure AD allows you to automate the creation, maintenance, and removal of user identities in SaaS applications
such as Dropbox, Salesforce, ServiceNow, and more. For July 2018, we have added user provisioning support for
the following applications in the Azure AD app gallery:
Cisco Spark
Cisco WebEx
Bonusly
For a list of all applications that support user provisioning in the Azure AD gallery, see SaaS application integration
with Azure Active Directory.

Connect Health for Sync - An easier way to fix orphaned and duplicate attribute sync errors
Type: New feature
Service category: AD Connect
Product capability: Monitoring & Reporting
Azure AD Connect Health introduces self-service remediation to help you highlight and fix sync errors. This feature
troubleshoots duplicated attribute sync errors and fixes objects that are orphaned from Azure AD. This diagnosis
has the following benefits:
Narrows down duplicated attribute sync errors, providing specific fixes
Applies a fix for dedicated Azure AD scenarios, resolving errors in a single step
No upgrade or configuration is required to turn on and use this feature
For more information, see Diagnose and remediate duplicated attribute sync errors

Visual updates to the Azure AD and MSA sign-in experiences


Type: Changed feature
Service category: Azure AD
Product capability: User Authentication
We've updated the UI for Microsoft's online services sign-in experience, such as for Office 365 and Azure. This
change makes the screens less cluttered and more straightforward. For more information about this change, see
the Upcoming improvements to the Azure AD sign-in experience blog.

New release of Azure AD Connect - July 2018


Type: Changed feature
Service category: App Provisioning
Product capability: Identity Lifecycle Management
The latest release of Azure AD Connect includes:
Bug fixes and supportability updates
General Availability of the Ping Federate integration
Updates to the latest SQL 2012 client
For more information about this update, see Azure AD Connect: Version release history

Updates to the Terms of Use (ToU) end-user UI


Type: Changed feature
Service category: Terms of Use
Product capability: Governance
We're updating the acceptance string in the ToU end-user UI.
Current text: In order to access [tenantName] resources, you must accept the terms of use.
New text: In order to access [tenantName] resource, you must read the terms of use.
Current text: Choosing to accept means that you agree to all of the above terms of use.
New text: Please click Accept to confirm that you have read and understood the terms of use.

Pass-through Authentication supports legacy protocols and applications


Type: Changed feature
Service category: Authentications (Logins)
Product capability: User Authentication
Pass-through Authentication now supports legacy protocols and apps. The following scenarios, previously listed as
limitations, are now fully supported:
User sign-ins to legacy Office client applications, Office 2010 and Office 2013, without requiring modern
authentication.
Access to calendar sharing and free/busy information in Exchange hybrid environments on Office 2010 only.
User sign-ins to Skype for Business client applications without requiring modern authentication.
User sign-ins to PowerShell version 1.0.
The Apple Device Enrollment Program (Apple DEP), using the iOS Setup Assistant.

Converged security info management for self-service password reset and Multi-Factor Authentication
Type: New feature
Service category: SSPR
Product capability: User Authentication
This new feature lets users manage their security info (for example, phone number, email address, mobile app, and
so on) for self-service password reset (SSPR) and Multi-Factor Authentication (MFA) in a single experience. Users
no longer have to register the same security info for SSPR and MFA in two different experiences. This new
experience also applies to users who have either SSPR or MFA.
If an organization isn't enforcing MFA or SSPR registration, users can register their security info through the My
Apps portal. From there, users can register any methods enabled for MFA or SSPR.
This is an opt-in public preview. Admins can turn on the new experience (if desired) for a selected group of users or
all users in a tenant.

Use the Microsoft Authenticator app to verify your identity when you reset your password
Type: Changed feature
Service category: SSPR
Product capability: User Authentication
This feature lets non-admins verify their identity while resetting a password using a notification or code from
Microsoft Authenticator (or any other authenticator app). After admins turn this self-service password reset
method on, users who have registered a mobile app through aka.ms/mfasetup or aka.ms/setupsecurityinfo can use
their mobile app as a verification method while resetting their password.
Mobile app notification can only be turned on as part of a policy that requires two methods to reset your password.

June 2018
Change notice: Security fix to the delegated authorization flow for apps using Azure AD Activity Logs API
Type: Plan for change
Service category: Reporting
Product capability: Monitoring & Reporting
Due to our stronger security enforcement, we’ve had to make a change to the permissions for apps that use a
delegated authorization flow to access Azure AD Activity Logs APIs. This change will occur by June 26, 2018.
If any of your apps use Azure AD Activity Log APIs, follow these steps to ensure the app doesn’t break after the
change happens.
To update your app permissions
1. Sign in to the Azure portal, select Azure Active Directory, and then select App Registrations.
2. Select your app that uses the Azure AD Activity Logs API, select Settings, select Required permissions, and
then select the Windows Azure Active Directory API.
3. In the Delegated permissions area of the Enable access blade, select the box next to Read directory data,
and then select Save.
4. Select Grant permissions, and then select Yes.

NOTE
You must be a Global administrator to grant permissions to the app.

For more information, see the Grant permissions area of the Prerequisites to access the Azure AD reporting API
article.

Configure TLS settings to connect to Azure AD services for PCI DSS compliance
Type: New feature
Service category: N/A
Product capability: Platform
Transport Layer Security (TLS) is a protocol that provides privacy and data integrity between two communicating
applications and is the most widely deployed security protocol in use today.
The PCI Security Standards Council has determined that early versions of TLS and Secure Sockets Layer (SSL)
must be disabled in favor of newer, more secure protocol versions, with compliance starting on June 30,
2018. This change means that if you connect to Azure AD services and require PCI DSS compliance, you must
disable TLS 1.0. Multiple versions of TLS are available, but TLS 1.2 is the latest version available for Azure Active
Directory services. We highly recommend moving directly to TLS 1.2 for both client/server and browser/server
combinations.
Out-of-date browsers might not support newer TLS versions, such as TLS 1.2. To see which versions of TLS are
supported by your browser, go to the Qualys SSL Labs site and click Test your browser. We recommend that you
upgrade to the latest version of your web browser and preferably enable only TLS 1.2.
To enable TLS 1.2, by browser
Microsoft Edge and Internet Explorer (both are set using Internet Explorer)
1. Open Internet Explorer, select Tools > Internet Options > Advanced.
2. In the Security area, select Use TLS 1.2, and then select OK.
3. Close all browser windows and restart Internet Explorer.
Google Chrome
1. Open Google Chrome, type chrome://settings/ into the address bar, and press Enter.
2. Expand the Advanced options, go to the System area, and select Open proxy settings.
3. In the Internet Properties box, select the Advanced tab, go to the Security area, select Use TLS 1.2,
and then select OK.
4. Close all browser windows and restart Google Chrome.
Mozilla Firefox
1. Open Firefox, type about:config into the address bar, and then press Enter.
2. Search for the term, TLS, and then select the security.tls.version.max entry.
3. Set the value to 3 to force the browser to use up to version TLS 1.2, and then select OK.

NOTE
Firefox version 60.0 supports TLS 1.3, so you can also set the security.tls.version.max value to 4.

4. Close all browser windows and restart Mozilla Firefox.

New Federated Apps available in Azure AD app gallery - June 2018


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration
In June 2018, we've added these 15 new apps with Federation support to the app gallery:
Skytap, Settling music, SAML 1.1 Token enabled LOB App, Supermood, Autotask, Endpoint Backup, Skyhigh
Networks, Smartway2, TonicDM, Moconavi, Zoho One, SharePoint on-premises, ForeSee CX Suite, Vidyard,
ChronicX
For more information about the apps, see SaaS application integration with Azure Active Directory. For more
information about listing your application in the Azure AD app gallery, see List your application in the Azure Active
Directory application gallery.

Azure AD Password Protection is available in public preview


Type: New feature
Service category: Identity Protection
Product capability: User Authentication
Use Azure AD Password Protection to help eliminate easily guessed passwords from your environment.
Eliminating these passwords helps to lower the risk of compromise from a password spray type of attack.
Specifically, Azure AD Password Protection helps you:
Protect your organization's accounts in both Azure AD and Windows Server Active Directory (AD).
Stop your users from using passwords on a list of more than 500 of the most commonly used passwords, and
over 1 million character substitution variations of those passwords.
Administer Azure AD Password Protection from a single location in the Azure AD portal, for both Azure AD
and on-premises Windows Server AD.
For more information about Azure AD Password Protection, see Eliminate bad passwords in your organization.
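The "character substitution variations" point is the part that defeats the usual "P@ssw0rd1!" trick, and it is worth seeing how such a check is built. The Python below is an added example illustrating that kind of check; it is not Microsoft's implementation, and the banned words, the substitution map and the five-point acceptance threshold are this example's assumptions. The candidate is lowercased, common substitutions are undone, banned words are matched against the normalized string, and a score is computed so that a banned word plus a little decoration is still rejected.

```python
"""Banned-password check with substitution normalization.

Added example illustrating the kind of check Azure AD Password Protection
performs; it is not Microsoft's implementation or its list. The banned
words, the substitution map, and the five-point acceptance threshold are
this example's assumptions.
"""

# Constructed stand-in for the global banned list (the real one has 500+ entries).
BANNED_BASE_WORDS = {"password", "contoso", "welcome", "letmein", "qwerty", "summer"}

# Common character substitutions undone before matching, so that
# "P@ssw0rd" is recognised as a variant of "password".
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
    "1": "i", "!": "i", "3": "e", "7": "t", "|": "l",
})


def normalize(password: str) -> str:
    """Lowercase the candidate and undo the substitutions above."""
    return password.lower().translate(SUBSTITUTIONS)


def evaluate(password: str, threshold: int = 5) -> dict:
    """Score a candidate password.

    Each banned word found in the normalized candidate counts as one point
    and is removed; each distinct remaining character counts as one point.
    The candidate is accepted only if it reaches the threshold, so a banned
    word plus a couple of characters of decoration is still rejected.
    """
    normalized = normalize(password)
    remaining = normalized
    hits = []
    # Longest words first so a longer banned word is matched before a shorter
    # one that it contains.
    for word in sorted(BANNED_BASE_WORDS, key=lambda w: (-len(w), w)):
        if word in remaining:
            hits.append(word)
            remaining = remaining.replace(word, "")
    points = len(hits) + len(set(remaining))
    return {
        "normalized": normalized,
        "banned_hits": hits,
        "points": points,
        "accepted": points >= threshold,
    }


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "Contoso1!", "Summer18!", "Correct-Horse-Battery"):
        result = evaluate(candidate)
        verdict = "accepted" if result["accepted"] else "rejected"
        print(f"{candidate!r}: {verdict} ({result['points']} points, hits={result['banned_hits']})")
```

Note that the company name is on the list: tenant-specific terms are the first thing a password spray tries, which is why the feature lets you administer a custom list alongside the global one.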

New "all guests" conditional access policy template created during Terms of Use (ToU) creation
Type: New feature
Service category: Terms of Use
Product capability: Governance
During the creation of your Terms of Use (ToU), a new conditional access policy template is also created for "all
guests" and "all apps". This new policy template applies the newly created ToU, streamlining the creation and
enforcement process for guests.
For more information, see Azure Active Directory Terms of use feature.

New "custom" conditional access policy template created during Terms of Use (ToU) creation
Type: New feature
Service category: Terms of Use
Product capability: Governance
During the creation of your Terms of Use (ToU), a new "custom" conditional access policy template is also created.
This new policy template lets you create the ToU and then immediately go to the conditional access policy creation
blade, without needing to manually navigate through the portal.
For more information, see Azure Active Directory Terms of use feature.

New and comprehensive guidance about deploying Azure Multi-Factor Authentication


Type: New feature
Service category: Other
Product capability: Identity Security & Protection
We've released new step-by-step guidance about how to deploy Azure Multi-Factor Authentication (MFA) in your
organization.
To view the MFA deployment guide, go to the Identity Deployment Guides repo on GitHub. To provide feedback
about the deployment guides, use the Deployment Plan Feedback form. If you have any questions about the
deployment guides, contact us at IDGitDeploy.

Azure AD delegated app management roles are in public preview
Type: New feature
Service category: Enterprise Apps
Product capability: Access Control
Admins can now delegate app management tasks without assigning the Global Administrator role. The new roles
and capabilities are:
New standard Azure AD admin roles:
        Application Administrator. Grants the ability to manage all aspects of all apps, including
        registration, SSO settings, app assignments and licensing, App proxy settings, and consent (except to
        Azure AD resources).
        Cloud Application Administrator. Grants all of the Application Administrator abilities, except for
        App proxy, because it doesn't provide on-premises access.
        Application Developer. Grants the ability to create app registrations, even if the allow users to
        register apps option is turned off.
    Ownership (set up per app registration and per enterprise app, similar to the group ownership
    process):
        App Registration Owner. Grants the ability to manage all aspects of an owned app registration,
        including the app manifest and adding additional owners.
        Enterprise App Owner. Grants the ability to manage many aspects of owned enterprise apps,
        including SSO settings, app assignments, and consent (except to Azure AD resources).
For more information about public preview, see the Azure AD delegated application management roles are in
public preview! blog. For more information about roles and permissions, see Assigning administrator roles in
Azure Active Directory.

May 2018
ExpressRoute support changes
Type: Plan for change
Service category: Authentications (Logins)
Product capability: Platform
Software as a Service offerings, like Azure Active Directory (Azure AD), are designed to work best by going directly
through the Internet, without requiring ExpressRoute or any other private VPN tunnels. Because of this, on August
1, 2018, we will stop supporting ExpressRoute for Azure AD services using Azure public peering and Azure
communities in Microsoft peering. Any services impacted by this change might notice Azure AD traffic gradually
shifting from ExpressRoute to the Internet.
While we're changing our support, we also know there are still situations where you might need to use a dedicated
set of circuits for your authentication traffic. Because of this, Azure AD will continue to support per-tenant IP range
restrictions using ExpressRoute and services already on Microsoft peering with the "Other Office 365 Online
services" community. If your services are impacted, but you require ExpressRoute, you must do the following:
If you're on Azure public peering. Move to Microsoft peering and sign up for the Other Office 365
Online services (12076:5100) community. For more info about how to move from Azure public peering to
Microsoft peering, see the Move a public peering to Microsoft peering article.
If you're on Microsoft peering. Sign up for the Other Office 365 Online service (12076:5100)
community. For more info about routing requirements, see the Support for BGP communities section of the
ExpressRoute routing requirements article.
If you must continue to use dedicated circuits, you'll need to talk to your Microsoft Account team about how to get
authorization to use the Other Office 365 Online service (12076:5100) community. The MS Office-managed
review board will verify whether you need those circuits and make sure you understand the technical implications
of keeping them. Unauthorized subscriptions trying to create route filters for Office 365 will receive an error
message.

Microsoft Graph APIs for administrative scenarios for TOU


Type: New feature
Service category: Terms of Use
Product capability: Developer Experience
We've added Microsoft Graph APIs for administrative operations on Azure AD Terms of Use. You can now create,
update, and delete the Terms of Use object through these APIs.

Add Azure AD multi-tenant endpoint as an identity provider in Azure AD B2C


Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C
Using custom policies, you can now add the Azure AD common endpoint as an identity provider in Azure AD B2C.
This allows you to have a single point of entry for all Azure AD users that are signing into your applications. For
more information, see Azure Active Directory B2C: Allow users to sign in to a multi-tenant Azure AD identity
provider using custom policies.

Use Internal URLs to access apps from anywhere with our My Apps Sign-in Extension and the Azure AD
Application Proxy
Type: New feature
Service category: My Apps
Product capability: SSO
Users can now access applications through internal URLs even when outside your corporate network by using the
My Apps Secure Sign-in Extension for Azure AD. This works with any application that you have published using
Azure AD Application Proxy, on any browser that also has the Access Panel browser extension installed. The URL
redirection functionality is automatically enabled once a user signs in to the extension. The extension is available for
download on Edge, Chrome, and Firefox.

Azure Active Directory - Data in Europe for Europe customers


Type: New feature
Service category: Other
Product capability: GoLocal
Customers in Europe require their data to stay in Europe and not be replicated outside of European datacenters, to
meet privacy requirements and European laws. This article provides specific details on what identity information is
stored within Europe, and also provides details on information that is stored outside European datacenters.

New user provisioning SaaS app integrations - May 2018


Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration
Azure AD allows you to automate the creation, maintenance, and removal of user identities in SaaS applications
such as Dropbox, Salesforce, ServiceNow, and more. For May 2018, we have added user provisioning support for
the following applications in the Azure AD app gallery:
BlueJeans
Cornerstone OnDemand
Zendesk
For a list of all applications that support user provisioning in the Azure AD gallery, see https://aka.ms/appstutorial.

Azure AD access reviews of groups and app access now provides recurring reviews
Type: New feature
Service category: Access Reviews
Product capability: Governance
Access review of groups and apps is now generally available as part of Azure AD Premium P2. Administrators will
be able to configure access reviews of group memberships and application assignments to automatically recur at
regular intervals, such as monthly or quarterly.

Azure AD Activity logs (sign-ins and audit) are now available through MS Graph
Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting
Azure AD Activity logs, which include Sign-ins and Audit logs, are now available through MS Graph. We have
exposed two endpoints through MS Graph to access these logs. Check out our documentation on programmatic
access to Azure AD Reporting APIs to get started.

Improvements to the B2B redemption experience and leave an org


Type: New feature
Service category: B2B
Product capability: B2B/B2C
Just in time redemption: Once you share a resource with a guest user using the B2B API, you don't need to send
out a special invitation email. In most cases, the guest user can access the resource and is taken through the
redemption experience just in time. No more impact due to missed emails. No more asking your guest users "Did
you click on that redemption link the system sent you?". This means that once SharePoint Online (SPO) uses the
invitation manager, cloud attachments can have the same canonical URL for all users, internal and external, in any
state of redemption.
Modern redemption experience: No more split-screen redemption landing page. Users see a modern
consent experience with the inviting organization's privacy statement, just like they do for third-party apps.
Guest users can leave the org: Once a user's relationship with an org is over, they can self-serve leaving the
organization. No more calling the inviting org's admin to "be removed", no more raising support tickets.

New Federated Apps available in Azure AD app gallery - May 2018


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration
In May 2018, we've added these 18 new apps with Federation support to our app gallery:
AwardSpring, Infogix Data3Sixty Govern, Yodeck, Jamf Pro, KnowledgeOwl, Envi MMIS, LaunchDarkly, Adobe
Captivate Prime, Montage Online, まなびポケット, OpenReel, Arc Publishing - SSO, PlanGrid, iWellnessNow,
Proxyclick, Riskware, Flock, Reviewsnap
For more information about the apps, see SaaS application integration with Azure Active Directory.
For more information about listing your application in the Azure AD app gallery, see List your application in the
Azure Active Directory application gallery.

New step-by-step deployment guides for Azure Active Directory


Type: New feature
Service category: Other
Product capability: Directory
We've released new, step-by-step guidance about how to deploy Azure Active Directory (Azure AD), including
self-service password reset (SSPR), single sign-on (SSO), conditional access (CA), App proxy, user provisioning,
Active Directory Federation Services (AD FS) to Pass-through Authentication (PTA), and AD FS to Password hash
sync (PHS).
To view the deployment guides, go to the Identity Deployment Guides repo on GitHub. To provide feedback about
the deployment guides, use the Deployment Plan Feedback form. If you have any questions about the deployment
guides, contact us at IDGitDeploy.

Enterprise Applications Search - Load More Apps


Type: New feature
Service category: Enterprise Apps
Product capability: SSO
Having trouble finding your applications or service principals? We've added the ability to load more applications in
the Enterprise applications > All applications list. By default, we show 20 applications. You can now click Load more
to view additional applications.

New release of Azure AD Connect - May 2018
Type: Changed feature
Service category: AD Connect
Product capability: Identity Lifecycle Management
The May release of Azure AD Connect contains a public preview of the integration with PingFederate, important
security updates, many bug fixes, and great new troubleshooting tools. You can find the release notes here.

Azure AD access reviews: auto-apply


Type: Changed feature
Service category: Access Reviews
Product capability: Governance
Access reviews of groups and apps are now generally available as part of Azure AD Premium P2. An administrator
can configure the review to automatically apply the reviewers' decisions to that group or app when the access
review completes. The administrator can also specify what happens to a user's access if reviewers didn't respond:
remove access, keep access, or apply the system recommendations.

ID tokens can no longer be returned using the query response_mode for new apps.
Type: Changed feature
Service category: Authentications (Logins)
Product capability: User Authentication
Apps created on or after April 25, 2018 can no longer request an id_token using the query response_mode. This
brings Azure AD in line with the OpenID Connect specifications and helps reduce your app's attack surface: a token
returned in the query string ends up in web server logs, browser history, and Referer headers, whereas the
fragment and form_post modes keep it out of those places. Apps created before April 25, 2018 are not blocked from
using the query response_mode with a response_type of id_token. The error returned when requesting an id_token
from Azure AD this way is AADSTS70007: 'query' is not a supported value of 'response_mode' when requesting a
token.
The fragment and form_post response_modes continue to work. When creating new application objects (for
example, for App Proxy usage), make sure the app uses one of these response_modes before it is created.
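The check an app should make before it builds its authorize request is small but easy to get wrong when response_type is a combination such as "code id_token". The Python below is an added example, not Azure AD or MSAL code: it refuses to put a token-bearing response into the query string, assembles the authorize URL against the real Azure AD v2.0 endpoint shape with placeholder tenant, client ID and redirect URI, and reads the response back from the fragment or query as the chosen mode requires. It goes slightly beyond the page's rule in also rejecting query mode for the plain "token" response type, which the OAuth implicit flow treats the same way.

```python
"""Guard an OIDC authorization request against returning tokens in the
query string, matching the Azure AD behaviour described above.

Added example, not Azure AD or MSAL code. The /authorize endpoint shape
is the real Azure AD v2.0 one; the tenant, client ID and redirect URI
are placeholders. This check also rejects query mode for the plain
'token' response type, which is stricter than the id_token-only rule
the page describes.
"""
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

# Response types that place a token (not just a code) in the redirect.
TOKEN_BEARING_TYPES = {"id_token", "token"}
SAFE_MODES_FOR_TOKENS = {"fragment", "form_post"}


class ResponseModeError(ValueError):
    """Raised when a token would be returned in the URL query string."""


def is_allowed(response_type: str, response_mode: str) -> bool:
    """True unless response_type contains a token and response_mode is 'query'.

    Tokens in the query string end up in web server logs, browser history,
    and Referer headers; the fragment never leaves the browser and form_post
    is delivered in a POST body, which is why only those modes are allowed.
    """
    types = set(response_type.split())
    if types & TOKEN_BEARING_TYPES:
        return response_mode in SAFE_MODES_FOR_TOKENS
    return response_mode in {"query", "fragment", "form_post"}


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        response_type: str, response_mode: str,
                        scope: str, state: str, nonce: str) -> str:
    """Assemble the authorize URL, refusing the combination Azure AD now rejects."""
    if not is_allowed(response_type, response_mode):
        # Same condition that Azure AD reports as AADSTS70007 for id_token.
        raise ResponseModeError(
            f"'{response_mode}' is not a supported value of 'response_mode' "
            f"when requesting a token (response_type={response_type!r})")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": response_type,
        "response_mode": response_mode,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZE_ENDPOINT.format(tenant=tenant) + "?" + urlencode(params)


def parse_authorization_response(redirect_url: str) -> dict:
    """Read the response where the mode put it: fragment first, else query."""
    parts = urlparse(redirect_url)
    source = parts.fragment if parts.fragment else parts.query
    return {k: v[0] for k, v in parse_qs(source).items()}


if __name__ == "__main__":
    url = build_authorize_url("contoso.example", "00000000-0000-0000-0000-000000000000",
                              "https://app.contoso.example/callback", "code id_token",
                              "form_post", "openid profile", "state-123", "nonce-456")
    print(url)
    try:
        build_authorize_url("contoso.example", "00000000-0000-0000-0000-000000000000",
                            "https://app.contoso.example/callback", "id_token",
                            "query", "openid", "state-123", "nonce-456")
    except ResponseModeError as err:
        print("rejected:", err)
```

Failing early in the client gives a clearer error than the AADSTS70007 response, and it means a pre-April-2018 app that still relies on query mode is caught during migration rather than in production.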

April 2018
Azure AD B2C access tokens are GA
Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C
You can now access Web APIs secured by Azure AD B2C using access tokens. The feature is moving from public
preview to GA. The UI experience to configure Azure AD B2C applications and web APIs has been improved, and
other minor improvements were made.
For more information, see Azure AD B2C: Requesting access tokens.

Test single sign-on configuration for SAML-based applications


Type: New feature
Service category: Enterprise Apps
Product capability: SSO
When configuring SAML-based SSO applications, you can test the integration on the configuration page. If
you encounter an error during sign-in, you can provide the error in the testing experience and Azure AD provides
you with resolution steps to solve the specific issue.
For more information, see:
Configuring single sign-on to applications that are not in the Azure Active Directory application gallery
How to debug SAML -based single sign-on to applications in Azure Active Directory

Azure AD Terms of Use now has per user reporting


Type: New feature
Service category: Terms of Use
Product capability: Compliance
Administrators can now select a given ToU and see all the users that have consented to that ToU and the
date/time at which each consent took place.
For more information, see the Azure AD terms of use feature.

Azure AD Connect Health: Risky IP for AD FS extranet lockout protection


Type: New feature
Service category: Other
Product capability: Monitoring & Reporting
Connect Health now supports the ability to detect IP addresses that exceed a threshold of failed username/password
(U/P) sign-ins on an hourly or daily basis. The capabilities provided by this feature are:
A comprehensive report showing each IP address and the number of failed sign-ins it generated on an hourly/daily
basis, with a customizable threshold.
Email-based alerts when a specific IP address has exceeded the threshold of failed U/P sign-ins on an
hourly/daily basis.
A download option for detailed analysis of the data.
For more information, see Risky IP Report.
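The hourly and daily thresholds matter separately: a password spray that paces itself stays under any hourly limit, and only the daily bucket catches it. The Python below is an added example of that detection logic, not Connect Health code; the log format and the AD FS-style events are constructed, and the thresholds are parameters so the sample stays small.

```python
"""Flag source IPs whose failed username/password sign-ins exceed an
hourly or daily threshold, the kind of detection described for the
Connect Health Risky IP report.

Added example, not Connect Health code. The log format and the events
below are constructed; thresholds are parameters.
"""
from collections import Counter
from datetime import datetime

# Constructed AD FS-style audit excerpt: timestamp, client IP, user, result.
SAMPLE_EVENTS = """\
2018-04-10T09:01:12Z 203.0.113.7 alice failure
2018-04-10T09:02:40Z 203.0.113.7 bob failure
2018-04-10T09:03:05Z 203.0.113.7 carol failure
2018-04-10T09:05:51Z 203.0.113.7 dana failure
2018-04-10T10:15:00Z 203.0.113.7 alice success
2018-04-10T08:10:00Z 198.51.100.22 svc-backup failure
2018-04-10T08:40:00Z 198.51.100.22 svc-backup failure
2018-04-10T11:10:00Z 198.51.100.22 svc-backup failure
2018-04-10T11:40:00Z 198.51.100.22 svc-backup failure
2018-04-10T14:10:00Z 198.51.100.22 svc-backup failure
2018-04-10T14:40:00Z 198.51.100.22 svc-backup failure
2018-04-10T12:00:00Z 192.0.2.5 erin failure
2018-04-10T12:00:30Z 192.0.2.5 erin success
"""


def parse_events(text: str) -> list:
    """Parse lines of 'timestamp ip user result' into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def failed_counts(events: list, bucket: str) -> Counter:
    """Count failures per (ip, bucket start); bucket is 'hour' or 'day'."""
    if bucket not in ("hour", "day"):
        raise ValueError("bucket must be 'hour' or 'day'")
    counts = Counter()
    for ts, ip, _user, result in events:
        if result != "failure":
            continue
        start = ts.replace(minute=0, second=0, microsecond=0)
        if bucket == "day":
            start = start.replace(hour=0)
        counts[(ip, start)] += 1
    return counts


def risky_ips(events: list, hourly_threshold: int, daily_threshold: int) -> dict:
    """Return {ip: {'hourly': n, 'daily': n}} for IPs exceeding either threshold.

    An IP that spreads its attempts across hours stays under the hourly
    limit, which is why the daily bucket is checked as well.
    """
    flagged = {}
    for (ip, _start), n in failed_counts(events, "hour").items():
        if n > hourly_threshold:
            entry = flagged.setdefault(ip, {})
            entry["hourly"] = max(n, entry.get("hourly", 0))
    for (ip, _start), n in failed_counts(events, "day").items():
        if n > daily_threshold:
            entry = flagged.setdefault(ip, {})
            entry["daily"] = max(n, entry.get("daily", 0))
    return flagged


if __name__ == "__main__":
    for ip, detail in sorted(risky_ips(parse_events(SAMPLE_EVENTS), 3, 5).items()):
        print(ip, detail)
```

With thresholds of 3 per hour and 5 per day, 203.0.113.7 is caught by the hourly bucket and 198.51.100.22, which never exceeds two failures in any hour, is caught only by the daily one; 192.0.2.5, a single mistyped password followed by success, is not reported.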

Easy app config with metadata file or URL


Type: New feature
Service category: Enterprise Apps
Product capability: SSO
On the Enterprise applications page, administrators can upload a SAML metadata file to configure SAML-based
sign-on for Azure AD gallery and non-gallery applications.
Additionally, you can use the Azure AD application federation metadata URL to configure SSO with the targeted
application.
For more information, see Configuring single sign-on to applications that are not in the Azure Active Directory
application gallery.

Azure AD Terms of use now generally available


Type: New feature
Service category: Terms of Use
Product capability: Compliance
Azure AD Terms of Use have moved from public preview to generally available.
For more information, see the Azure AD terms of use feature.

Allow or block invitations to B2B users from specific organizations


Type: New feature
Service category: B2B
Product capability: B2B/B2C
You can now specify which partner organizations you want to share and collaborate with in Azure AD B2B
Collaboration. To do this, you can create an allow list or a deny list of specific domains. When a domain is blocked
using these capabilities, employees can no longer send invitations to people in that domain.
This helps you to control access to your resources, while enabling a smooth experience for approved users.
This B2B Collaboration feature is available for all Azure Active Directory customers and can be used in conjunction
with Azure AD Premium features like conditional access and identity protection for more granular control of when
and how external business users sign in and gain access.
For more information, see Allow or block invitations to B2B users from specific organizations.

New federated apps available in Azure AD app gallery


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration
In April 2018, we've added these 13 new apps with Federation support to our app gallery:
Criterion HCM, FiscalNote, Secret Server (On-Premises), Dynamic Signal, mindWireless, OrgChart Now, Ziflow,
AppNeta Performance Monitor, Elium, Fluxx Labs, Cisco Cloud, Shelf, SafetyNet
For more information about the apps, see SaaS application integration with Azure Active Directory.
For more information about listing your application in the Azure AD app gallery, see List your application in the
Azure Active Directory application gallery.

Grant B2B users in Azure AD access to your on-premises applications (public preview)
Type: New feature
Service category: B2B
Product capability: B2B/B2C
As an organization that uses Azure Active Directory (Azure AD) B2B collaboration capabilities to invite guest users
from partner organizations to your Azure AD, you can now provide these B2B users access to on-premises apps.
These on-premises apps can use SAML-based authentication or Integrated Windows Authentication (IWA) with
Kerberos constrained delegation (KCD).
For more information, see Grant B2B users in Azure AD access to your on-premises applications.

Get SSO integration tutorials from the Azure Marketplace


Type: Changed feature
Service category: Other
Product capability: 3rd Party Integration
If an application that is listed in the Azure marketplace supports SAML based single sign-on, clicking Get it now
provides you with the integration tutorial associated with that application.

Faster performance of Azure AD automatic user provisioning to SaaS applications


Type: Changed feature
Service category: App Provisioning
Product capability: 3rd Party Integration
Previously, customers using the Azure Active Directory user provisioning connectors for SaaS applications (for
example Salesforce, ServiceNow, and Box) could experience slow performance if their Azure AD tenants contained
over 100,000 combined users and groups, and they were using user and group assignments to determine which
users should be provisioned.
On April 2, 2018, significant performance enhancements were deployed to the Azure AD provisioning service that
greatly reduce the amount of time needed to perform initial synchronizations between Azure Active Directory and
target SaaS applications.
As a result, many customers that had initial synchronizations to apps that took many days or never completed, are
now completing within a matter of minutes or hours.
For more information, see What happens during provisioning?

Self-service password reset from Windows 10 lock screen for hybrid Azure AD joined machines
Type: Changed feature
Service category: Self Service Password Reset
Product capability: User Authentication
We have updated the Windows 10 SSPR feature to include support for machines that are hybrid Azure AD joined.
This feature, available in Windows 10 RS4, allows users to reset their password from the lock screen of a
Windows 10 machine. Users who are enabled and registered for self-service password reset can use this feature.
For more information, see Azure AD password reset from the login screen.

March 2018
Certificate expire notification
Type: Fixed
Service category: Enterprise Apps
Product capability: SSO
Azure AD sends a notification when a certificate for a gallery or non-gallery application is about to expire.
Some users did not receive notifications for enterprise applications configured for SAML-based single sign-on.
This issue was resolved. Azure AD sends notifications for certificates expiring in 7, 30, and 60 days. You can
see this event in the audit logs.
For more information, see:
Manage Certificates for federated single sign-on in Azure Active Directory
Audit activity reports in the Azure Active Directory portal

Twitter and GitHub identity providers in Azure AD B2C


Type: New feature
Service category: B2C - Consumer Identity Management
Product capability: B2B/B2C
You can now add Twitter or GitHub as an identity provider in Azure AD B2C. Twitter is moving from public preview
to GA. GitHub is being released in public preview.
For more information, see What is Azure AD B2B collaboration?.

Restrict browser access using Intune Managed Browser with Azure AD application-based conditional access for
iOS and Android
Type: New feature
Service category: Conditional Access
Product capability: Identity Security & Protection
Now in public preview!
Intune Managed Browser SSO: Your employees can use single sign-on across native clients (like Microsoft
Outlook) and the Intune Managed Browser for all Azure AD-connected apps.
Intune Managed Browser Conditional Access Support: You can now require employees to use the Intune
Managed browser using application-based conditional access policies.
Read more about this in our blog post.
For more information, see:
Setup application-based conditional access
Configure managed browser policies

App Proxy Cmdlets in Powershell GA Module


Type: New feature
Service category: App Proxy
Product capability: Access Control
Support for Application Proxy cmdlets is now in the PowerShell GA module. This does require you to stay updated
on PowerShell modules: if you fall more than a year behind, some cmdlets may stop working.
For more information, see AzureAD.

Office 365 native clients are supported by Seamless SSO using a non-interactive protocol
Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication
Users of Office 365 native clients (version 16.0.8730.xxxx and above) get a silent sign-on experience using
Seamless SSO. This support is provided by the addition of a non-interactive protocol (WS-Trust) to Azure AD.
For more information, see How does sign-in on a native client with Seamless SSO work?

Users get a silent sign-on experience, with Seamless SSO, if an application sends sign-in requests to Azure AD's
tenant endpoints
Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication
Users get a silent sign-on experience, with Seamless SSO, if an application (for example,
https://contoso.sharepoint.com ) sends sign-in requests to Azure AD's tenant endpoints - that is,
https://login.microsoftonline.com/contoso.com/<..> or https://login.microsoftonline.com/<tenant_ID>/<..> -
instead of Azure AD's common endpoint ( https://login.microsoftonline.com/common/<...> ).
For more information, see Azure Active Directory Seamless Single Sign-On.

Need to add only one Azure AD URL, instead of two URLs previously, to users' Intranet zone settings to roll out
Seamless SSO
Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication
To roll out Seamless SSO to your users, you need to add only one Azure AD URL to the users' Intranet zone
settings by using group policy in Active Directory: https://autologon.microsoftazuread-sso.com . Previously,
customers were required to add two URLs.
For more information, see Azure Active Directory Seamless Single Sign-On.
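
The following PowerShell is an added example, not code from the Seamless SSO documentation. It writes the per-user registry equivalent of the Site to Zone Assignment List group policy that the note above describes, adding only https://autologon.microsoftazuread-sso.com to the Local intranet zone (zone 1), and then checks that the entry is present. The ZoneMap key layout and the zone number are assumptions based on how Windows security zones are stored; the group policy route remains the right one for a domain-wide rollout.

```powershell
# Added example; not from the Seamless SSO docs. Per-user registry equivalent of the
# Site to Zone Assignment List policy. Assumes the ZoneMap\Domains key layout used by
# Windows security zones, where zone 1 is "Local intranet".
$zoneMapDomains    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ssoDomain         = 'microsoftazuread-sso.com'
$ssoHostLabel      = 'autologon'
$LocalIntranetZone = 1

function Get-SeamlessSsoZoneKey {
    # Domain key, then one subkey per host label: ...\Domains\microsoftazuread-sso.com\autologon
    Join-Path (Join-Path $zoneMapDomains $ssoDomain) $ssoHostLabel
}

function Add-SeamlessSsoIntranetEntry {
    # Scope the entry to exactly https://autologon.microsoftazuread-sso.com.
    # Intranet-zone hosts receive the signed-in user's Windows credentials
    # automatically, so a broader entry (the whole domain, or '*') widens
    # where a Kerberos ticket or NTLM response would be sent.
    $key = Get-SeamlessSsoZoneKey
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'https' -PropertyType DWord `
        -Value $LocalIntranetZone -Force | Out-Null
}

function Test-SeamlessSsoIntranetEntry {
    # Returns $true only when the https scheme for that host maps to zone 1
    $key   = Get-SeamlessSsoZoneKey
    $entry = Get-ItemProperty -Path $key -Name 'https' -ErrorAction SilentlyContinue
    return ($null -ne $entry) -and ($entry.https -eq $LocalIntranetZone)
}

Add-SeamlessSsoIntranetEntry
if (-not (Test-SeamlessSsoIntranetEntry)) {
    throw 'Intranet zone entry for Seamless SSO is missing'
}
```

Two caveats for anyone testing this on a single machine: if the "Security Zones: Use only machine settings" policy is in effect, the same entry has to be written under HKLM rather than HKCU, and when the Site to Zone Assignment List policy is applied it takes precedence over these per-user entries. Do not be tempted to add the old second URL as well; the note above is explicit that only the autologon URL is needed now.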

New Federated Apps available in Azure AD app gallery


Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration
In March 2018, we've added these 15 new apps with Federation support to our app gallery:
Boxcryptor, CylancePROTECT, Wrike, SignalFx, Assistant by FirstAgenda, YardiOne, Vtiger CRM, inwink,
Amplitude, Spacio, ContractWorks, Bersin, Mercell, Trisotech Digital Enterprise Server, Qumu Cloud.
For more information about the apps, see SaaS application integration with Azure Active Directory.
For more information about listing your application in the Azure AD app gallery, see List your application in the
Azure Active Directory application gallery.

PIM for Azure Resources is generally available


Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management
If you are using Azure AD Privileged Identity Management for directory roles, you can now use PIM's time-bound
access and assignment capabilities for Azure Resource roles such as Subscriptions, Resource Groups, Virtual
Machines, and any other resource supported by Azure Resource Manager. Enforce Multi-Factor Authentication
when activating roles Just-In-Time, and schedule activations in coordination with approved change windows. In
addition, this release adds enhancements not available during public preview including an updated UI, approval
workflows, and the ability to extend roles expiring soon and renew expired roles.
For more information, see PIM for Azure resources (Preview)

Adding Optional Claims to your apps tokens (public preview)


Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication
Your Azure AD app can now request custom or optional claims in JWTs or SAML tokens. These are claims about
the user or tenant that are not included by default in the token, due to size or applicability constraints. This is
currently in public preview for Azure AD apps on the v1.0 and v2.0 endpoints. See the documentation for
information on what claims can be added and how to edit your application manifest to request them.
For more information, see Optional claims in Azure AD.

Azure AD supports PKCE for more secure OAuth flows


Type: New feature
Service category: Authentications (Logins)
Product capability: User Authentication
Azure AD docs have been updated to note support for PKCE, which allows for more secure communication during
the OAuth 2.0 Authorization Code grant flow. Both the S256 and the plain code_challenge methods are supported on
the v1.0 and v2.0 endpoints.
For more information, see Request an authorization code.
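
The following PowerShell is an added example, not code from the Azure AD documentation. It generates a PKCE code_verifier and code_challenge, builds a v2.0 authorize request, and shows the check the token endpoint performs when the code is redeemed, which is what makes an intercepted authorization code useless to anyone who does not also hold the verifier. The tenant, client ID and redirect URI are placeholders; the self-check uses the S256 test vector from RFC 7636 Appendix B.

```powershell
# Added example; not from the Azure AD docs. Tenant, client ID and redirect URI are placeholders.

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # RFC 7636 requires base64url encoding with the '=' padding removed
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-PkceVerifier {
    # 32 random bytes encode to a 43-character verifier (the allowed range is 43..128)
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    ConvertTo-Base64Url -Bytes $bytes
}

function Get-PkceChallenge {
    param(
        [Parameter(Mandatory)][string]$Verifier,
        [ValidateSet('S256', 'plain')][string]$Method = 'S256'
    )
    if ($Method -eq 'plain') {
        # 'plain' is accepted, but the challenge IS the verifier, so anyone who sees
        # the authorize request already holds what is needed to redeem the code.
        return $Verifier
    }
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $digest = $sha256.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($Verifier))
    $sha256.Dispose()
    ConvertTo-Base64Url -Bytes $digest
}

function Test-PkceVerifier {
    # The check the token endpoint performs: recompute the challenge from the
    # code_verifier sent with the code and compare it with the one stored for the code.
    param([string]$Verifier, [string]$StoredChallenge, [string]$Method = 'S256')
    (Get-PkceChallenge -Verifier $Verifier -Method $Method) -ceq $StoredChallenge
}

# Self-check against the RFC 7636 Appendix B vector
$rfcVerifier  = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'
$rfcChallenge = 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM'
if ((Get-PkceChallenge -Verifier $rfcVerifier) -cne $rfcChallenge) {
    throw 'S256 challenge computation is wrong'
}

$tenant      = 'contoso.onmicrosoft.com'               # placeholder
$clientId    = '00000000-0000-0000-0000-000000000000'  # placeholder
$redirectUri = 'http://localhost:8400/'                # placeholder

$verifier  = New-PkceVerifier
$challenge = Get-PkceChallenge -Verifier $verifier -Method 'S256'
$state     = [guid]::NewGuid().ToString('N')

# Step 1: the authorize request carries only the challenge; the verifier never leaves the client
$authorizeUrl = "https://login.microsoftonline.com/$tenant/oauth2/v2.0/authorize" +
    "?client_id=$clientId&response_type=code&scope=openid%20profile" +
    "&redirect_uri=$([uri]::EscapeDataString($redirectUri))" +
    "&code_challenge=$challenge&code_challenge_method=S256&state=$state"

# Step 2: after the redirect, the verifier goes in the token request body, not in a URL
$tokenBody = @{
    client_id     = $clientId
    grant_type    = 'authorization_code'
    code          = '<authorization code from the redirect>'
    redirect_uri  = $redirectUri
    code_verifier = $verifier
    scope         = 'openid profile'
}
# Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenant/oauth2/v2.0/token" -Body $tokenBody

# A stolen code paired with any other verifier fails the server-side comparison
Test-PkceVerifier -Verifier $verifier -StoredChallenge $challenge
Test-PkceVerifier -Verifier (New-PkceVerifier) -StoredChallenge $challenge
```

The last two calls return True and False respectively. Prefer S256 on every client that can compute a SHA-256 hash; the plain method only guards against a code being replayed by a party that saw the redirect but not the original authorize request, which is a much weaker guarantee.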

Support for provisioning all user attribute values available in the Workday Get_Workers API
Type: New feature
Service category: App Provisioning
Product capability: 3rd Party Integration
The public preview of inbound provisioning from Workday to Active Directory and Azure AD now supports the
ability to extract and provision all attribute values available in the Workday Get_Workers API. This adds
support for hundreds of additional standard and custom attributes beyond the ones shipped with the initial
version of the Workday inbound provisioning connector.
For more information, see: Customizing the list of Workday user attributes

Changing group membership from dynamic to static, and vice versa


Type: New feature
Service category: Group Management
Product capability: Collaboration
It is possible to change how membership is managed in a group. This is useful when you want to keep the same
group name and ID in the system, so any existing references to the group are still valid; creating a new group
would require updating those references. We've updated the Azure AD Admin center to support this functionality.
Now, customers can convert existing groups from dynamic membership to assigned membership and vice-versa.
The existing PowerShell cmdlets are also still available.
For more information, see Changing dynamic membership to static and vice-versa
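
The following PowerShell is an added example, not code from the linked article, showing the conversion in both directions with the existing AzureAD module cmdlets while the group's object ID stays the same. It assumes the AzureAD module is installed and Connect-AzureAD has already been run; the group IDs and the membership rule are placeholders.

```powershell
# Added example; not from the Azure AD docs. Assumes the AzureAD PowerShell module is
# installed and Connect-AzureAD has been run. Group IDs and the rule are placeholders.

function ConvertTo-AssignedGroup {
    # Dynamic -> assigned. The object ID and display name are untouched, so every
    # existing reference (app role assignment, license group, CA policy) stays valid.
    param([Parameter(Mandatory)][string]$GroupId)
    $group = Get-AzureADMSGroup -Id $GroupId
    if ($group.GroupTypes -notcontains 'DynamicMembership') {
        throw "Group $GroupId already uses assigned membership"
    }
    # Keep any other type (for example 'Unified' on Office 365 groups); drop only DynamicMembership
    $types = @($group.GroupTypes | Where-Object { $_ -ne 'DynamicMembership' })
    # Pause rule processing so the members present right now remain as assigned members
    Set-AzureADMSGroup -Id $GroupId -GroupTypes $types -MembershipRuleProcessingState 'Paused'
}

function ConvertTo-DynamicGroup {
    # Assigned -> dynamic. Once the rule is evaluated, members who do not match it are
    # removed, so review the rule first if the group gates access to anything.
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][string]$MembershipRule
    )
    $group = Get-AzureADMSGroup -Id $GroupId
    if ($group.GroupTypes -contains 'DynamicMembership') {
        throw "Group $GroupId is already dynamic"
    }
    $types = @($group.GroupTypes) + 'DynamicMembership'
    Set-AzureADMSGroup -Id $GroupId -GroupTypes $types `
        -MembershipRule $MembershipRule -MembershipRuleProcessingState 'On'
}

function Test-GroupMembershipType {
    # Returns 'Dynamic' or 'Assigned' so a conversion can be verified after the fact
    param([Parameter(Mandatory)][string]$GroupId)
    $group = Get-AzureADMSGroup -Id $GroupId
    if ($group.GroupTypes -contains 'DynamicMembership') { 'Dynamic' } else { 'Assigned' }
}

# Usage with placeholder IDs
ConvertTo-AssignedGroup -GroupId '11111111-1111-1111-1111-111111111111'
ConvertTo-DynamicGroup  -GroupId '22222222-2222-2222-2222-222222222222' `
    -MembershipRule '(user.department -eq "Finance")'
Test-GroupMembershipType -GroupId '11111111-1111-1111-1111-111111111111'
```

Converting to assigned is the safe direction: membership is frozen at whatever the rule last produced. Converting to dynamic changes who is in the group, so treat it as an access change and check the rule's output before flipping a group that is referenced by a conditional access policy or an app assignment.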

Improved sign-out behavior with Seamless SSO


Type: Changed feature
Service category: Authentications (Logins)
Product capability: User Authentication
Previously, even if users explicitly signed out of an application secured by Azure AD, they would be automatically
signed back in using Seamless SSO if they were trying to access an Azure AD application again within their
corpnet from their domain joined devices. With this change, sign out is supported. This allows users to choose the
same or different Azure AD account to sign back in with, instead of being automatically signed in using Seamless
SSO.
For more information, see Azure Active Directory Seamless Single Sign-On

Application Proxy Connector Version 1.5.402.0 Released


Type: Changed feature
Service category: App Proxy
Product capability: Identity Security & Protection
This connector version is gradually being rolled out through November. This new connector version includes the
following changes:
The connector now sets domain-level cookies instead of subdomain-level cookies. This ensures a smoother SSO
experience and avoids redundant authentication prompts.
Support for chunked encoding requests
Improved connector health monitoring
Several bug fixes and stability improvements
For more information, see Understand Azure AD Application Proxy connectors.

February 2018
Improved navigation for managing users and groups
Type: Plan for change
Service category: Directory Management
Product capability: Directory
The navigation experience for managing users and groups has been streamlined. You can now navigate from the
directory overview directly to the list of all users, with easier access to the list of deleted users. You can also
navigate from the directory overview directly to the list of all groups, with easier access to group management
settings. And also from the directory overview page, you can search for a user, group, enterprise application, or app
registration.

Availability of sign-ins and audit reports in Microsoft Azure operated by 21Vianet (Azure China 21Vianet)
Type: New feature
Service category: Azure Stack
Product capability: Monitoring & Reporting
Azure AD Activity log reports are now available in Microsoft Azure operated by 21Vianet (Azure China 21Vianet)
instances. The following logs are included:
Sign-ins activity logs - Includes all the sign-ins logs associated with your tenant.
Self service Password Audit Logs - Includes all the SSPR audit logs.
Directory Management Audit logs - Includes all the directory management-related audit logs like User
management, App Management, and others.
With these logs, you can gain insights into how your environment is doing. The provided data enables you to:
Determine how your apps and services are utilized by your users.
Troubleshoot issues preventing your users from getting their work done.
For more information about how to use these reports, see Azure Active Directory reporting.

Use "Report Reader" role (non-admin role) to view Azure AD Activity Reports
Type: New feature
Service category: Reporting
Product capability: Monitoring & Reporting
In response to customer feedback asking for non-admin roles to have access to Azure AD activity logs, we have
enabled users in the "Report Reader" role to access sign-in and audit activity in the Azure portal as well as
through our Graph APIs.
For more information about how to use these reports, see Azure Active Directory reporting.

EmployeeID claim available as user attribute and user identifier


Type: New feature
Service category: Enterprise Apps
Product capability: SSO
You can configure EmployeeID as the User identifier and User attribute for member users and B2B guests in
SAML-based sign-on applications from the Enterprise application UI.
For more information, see Customizing claims issued in the SAML token for enterprise applications in Azure
Active Directory.

Simplified Application Management using Wildcards in Azure AD Application Proxy


Type: New feature
Service category: App Proxy
Product capability: User Authentication
To make application deployment easier and reduce your administrative overhead, we now support the ability to
publish applications using wildcards. To publish a wildcard application, you can follow the standard application
publishing flow, but use a wildcard in the internal and external URLs.
For more information, see Wildcard applications in the Azure Active Directory application proxy

New cmdlets to support configuration of Application Proxy


Type: New feature
Service category: App Proxy
Product capability: Platform
The latest release of the AzureAD PowerShell Preview module contains new cmdlets that allow customers to
configure Application Proxy Applications using PowerShell.
The new cmdlets are:
Get-AzureADApplicationProxyApplication
Get-AzureADApplicationProxyApplicationConnectorGroup
Get-AzureADApplicationProxyConnector
Get-AzureADApplicationProxyConnectorGroup
Get-AzureADApplicationProxyConnectorGroupMembers
Get-AzureADApplicationProxyConnectorMemberOf
New-AzureADApplicationProxyApplication
New-AzureADApplicationProxyConnectorGroup
Remove-AzureADApplicationProxyApplication
Remove-AzureADApplicationProxyApplicationConnectorGroup
Remove-AzureADApplicationProxyConnectorGroup
Set-AzureADApplicationProxyApplication
Set-AzureADApplicationProxyApplicationConnectorGroup
Set-AzureADApplicationProxyApplicationCustomDomainCertificate
Set-AzureADApplicationProxyApplicationSingleSignOn
Set-AzureADApplicationProxyConnector
Set-AzureADApplicationProxyConnectorGroup
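
As an added example (not from the cmdlet documentation), the following PowerShell publishes an internal application through Application Proxy with the cmdlets listed above, then re-reads the result to confirm Azure AD pre-authentication is in force. It assumes the AzureAD or AzureADPreview module is installed and Connect-AzureAD has been run, and that the module version exposes the cookie flags; the display name, URLs, connector group name and Kerberos SPN are placeholders.

```powershell
# Added example; not from the cmdlet docs. Assumes Connect-AzureAD has been run.
# Display name, URLs, connector group name and SPN are placeholders.
$displayName        = 'Expense Portal'
$connectorGroupName = 'Default'

$connectorGroup = Get-AzureADApplicationProxyConnectorGroup |
    Where-Object { $_.Name -eq $connectorGroupName }
if (-not $connectorGroup) { throw "Connector group '$connectorGroupName' not found" }

# Publish with Azure AD pre-authentication so conditional access and MFA are enforced
# before any request reaches the connector. Passthru would let unauthenticated traffic
# through to the back end; only choose it deliberately.
New-AzureADApplicationProxyApplication `
    -DisplayName $displayName `
    -ExternalUrl 'https://expenses-contoso.msappproxy.net/' `
    -InternalUrl 'https://expenses.corp.contoso.com/' `
    -ExternalAuthenticationType AadPreAuthentication `
    -ConnectorGroupId $connectorGroup.Id `
    -IsTranslateHostHeaderEnabled $true `
    -IsHttpOnlyCookieEnabled $true `
    -IsSecureCookieEnabled $true | Out-Null

# The App Proxy cmdlets take the application object's ObjectId, so look it up by name
$appObjectId = (Get-AzureADApplication -Filter "displayName eq '$displayName'").ObjectId

# Kerberos constrained delegation for SSO to an IWA back end. The connector server's
# computer account must be allowed to delegate to this SPN in Active Directory.
Set-AzureADApplicationProxyApplicationSingleSignOn -ObjectId $appObjectId `
    -SingleSignOnMode OnPremisesKerberos `
    -KerberosInternalApplicationServicePrincipalName 'HTTP/expenses.corp.contoso.com' `
    -KerberosDelegatedLoginIdentity OnPremisesUserPrincipalName

function Test-AppProxyPreAuth {
    # Re-read the published app and report whether Azure AD pre-authentication is on
    param([Parameter(Mandatory)][string]$ObjectId)
    $published = Get-AzureADApplicationProxyApplication -ObjectId $ObjectId
    return $published.ExternalAuthenticationType -eq 'AadPreAuthentication'
}

if (-not (Test-AppProxyPreAuth -ObjectId $appObjectId)) {
    throw 'Application was published without Azure AD pre-authentication'
}
```

Running Test-AppProxyPreAuth across every app returned by Get-AzureADApplicationProxyApplication is a cheap periodic check for apps that were switched to Passthru, since that setting removes conditional access from the path to the internal server.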

New cmdlets to support configuration of groups


Type: New feature
Service category: App Proxy
Product capability: Platform
The latest release of the AzureAD PowerShell module contains cmdlets to manage groups in Azure AD. These
cmdlets were previously available in the AzureADPreview module and are now added to the AzureAD module.
The group cmdlets that are now released for general availability are:
Get-AzureADMSGroup
New-AzureADMSGroup
Remove-AzureADMSGroup
Set-AzureADMSGroup
Get-AzureADMSGroupLifecyclePolicy
New-AzureADMSGroupLifecyclePolicy
Remove-AzureADMSGroupLifecyclePolicy
Add-AzureADMSLifecyclePolicyGroup
Remove-AzureADMSLifecyclePolicyGroup
Reset-AzureADMSLifeCycleGroup
Get-AzureADMSLifecyclePolicyGroup

A new release of Azure AD Connect is available


Type: New feature
Service category: AD Sync
Product capability: Platform
Azure AD Connect is the preferred tool to synchronize data between Azure AD and on premises data sources,
including Windows Server Active Directory and LDAP.

IMPORTANT
This build introduces schema and sync rule changes. The Azure AD Connect Synchronization Service triggers Full Import
and Full Synchronization steps after an upgrade. For information on how to change this behavior, see How to defer full
synchronization after upgrade.

This release has the following updates and changes:


Fixed issues
Fix timing window on background tasks for Partition Filtering page when switching to next page.
Fixed a bug that caused Access violation during the ConfigDB custom action.
Fixed a bug to recover from sql connection timeout.
Fixed a bug where certificates with SAN wildcards fail pre-req check.
Fixed a bug that causes miiserver.exe crash during AAD connector export.
Fixed a bug where running the Azure AD Connect wizard to change configuration caused a bad password attempt
to be logged on the domain controller.
New features and improvements
Application telemetry - Administrators can switch this class of data on/off.
Azure AD Health data - Administrators must visit the health portal to control their health settings. Once the
service policy has been changed, the agents will read and enforce it.
Added device writeback configuration actions and a progress bar for page initialization.
Improved general diagnostics with an HTML report and full data collection in a ZIP file (text / HTML report).
Improved reliability of auto upgrade and added additional telemetry to ensure the health of the server can
be determined.
Restrict permissions available to privileged accounts on AD Connector account. For new installations, the
wizard restricts the permissions that privileged accounts have on the MSOL account after creating the
MSOL account. The changes affect express installations and custom installations with Auto-Create account.
Changed the installer to not require SA privilege on clean install of AADConnect.
New utility to troubleshoot synchronization issues for a specific object. Currently, the utility checks for the
following things:
UserPrincipalName mismatch between synchronized user object and the user account in Azure AD
Tenant.
If the object is filtered from synchronization due to domain filtering
If the object is filtered from synchronization due to organizational unit (OU) filtering
New utility to synchronize the current password hash stored in the on-premises Active Directory for a
specific user account. The utility does not require a password change.

Applications supporting Intune App Protection policies added for use with Azure AD application-based
conditional access
Type: Changed feature
Service category: Conditional Access
Product capability: Identity Security & Protection
We have added more applications that support application-based conditional access. Now, you can get access to
Office 365 and other Azure AD-connected cloud apps using these approved client apps.
The following applications will be added by the end of February:
Microsoft Power BI
Microsoft Launcher
Microsoft Invoicing
For more information, see:
Approved client app requirement
Azure AD app-based conditional access

Terms of Use update to mobile experience


Type: Changed feature
Service category: Terms of Use
Product capability: Compliance
When the terms of use are displayed, you can now click Having trouble viewing? Click here. Clicking this link
opens the terms of use natively on your device. Regardless of the font size in the document or the screen size of
device, you can zoom and read the document as needed.

January 2018
New Federated Apps available in Azure AD app gallery
Type: New feature
Service category: Enterprise Apps
Product capability: 3rd Party Integration
In January 2018, the following new apps with federation support were added in the app gallery:
IBM OpenPages, OneTrust Privacy Management Software, Dealpath, IriusRisk Federated Directory, and Fidelity
NetBenefits.
For more information about the apps, see SaaS application integration with Azure Active Directory.
For more information about listing your application in the Azure AD app gallery, see List your application in the
Azure Active Directory application gallery.

Sign in with additional risk detected


Type: New feature
Service category: Identity Protection
Product capability: Identity Security & Protection
The insight you get for a detected risk event is tied to your Azure AD subscription. With the Azure AD Premium P2
edition, you get the most detailed information about all underlying detections.
With the Azure AD Premium P1 edition, detections that are not covered by your license appear as the risk event
Sign-in with additional risk detected.
For more information, see Azure Active Directory risk events.

Hide Office 365 applications from end user's access panels


Type: New feature
Service category: My Apps
Product capability: SSO
You can now better manage how Office 365 applications show up on your user's access panels through a new user
setting. This option is helpful for reducing the number of apps in a user's access panels if you prefer to only show
Office apps in the Office portal. The setting is located in the User Settings and is labeled, Users can only see
Office 365 apps in the Office 365 portal.
For more information, see Hide an application from user's experience in Azure Active Directory.

Seamless sign into apps enabled for Password SSO directly from app's URL
Type: New feature
Service category: My Apps
Product capability: SSO
The My Apps browser extension is now available via a convenient tool that gives you the My Apps single sign-on
capability as a shortcut in your browser. After installing it, users will see a waffle icon in their browser that provides
them quick access to apps. Users can now take advantage of:
The ability to directly sign in to password-SSO based apps from the app’s sign-in page
Launch any app using the quick search feature
Shortcuts to recently used apps from the extension
The extension is available for Edge, Chrome, and Firefox.
For more information, see My Apps Secure Sign-in Extension.

Azure AD administration experience in Azure Classic Portal has been retired


Type: Deprecated
Service category: Azure AD
Product capability: Directory
As of January 8, 2018, the Azure AD administration experience in the Azure classic portal has been retired. This
took place in conjunction with the retirement of the Azure classic portal itself. In the future, you should use the
Azure AD admin center for all your portal-based administration of Azure AD.

The PhoneFactor web portal has been retired


Type: Deprecated
Service category: Azure AD
Product capability: Directory
As of January 8, 2018, the PhoneFactor web portal has been retired. This portal was used for the administration of
MFA server, but those functions have been moved into the Azure portal at portal.azure.com.
The MFA configuration is located at: Azure Active Directory > MFA Server

Deprecate Azure AD reports


Type: Deprecated
Service category: Reporting
Product capability: Identity Lifecycle Management
With the general availability of the new Azure Active Directory Administration console and new APIs now available
for both activity and security reports, the report APIs under "/reports" endpoint have been retired as of end of
December 31, 2017.
What's available?
As part of the transition to the new admin console, we have made two new APIs available for retrieving Azure AD
activity logs. The new set of APIs provides richer filtering and sorting functionality in addition to richer
audit and sign-in activity data. The data previously available through the security reports can now be accessed through
the Identity Protection risk events API in Microsoft Graph.
For more information, see:
Get started with the Azure Active Directory reporting API
Get started with Azure Active Directory Identity Protection and Microsoft Graph

December 2017
Terms of use in the Access Panel
Type: New feature
Service category: Terms of use
Product capability: Compliance
You now can go to the Access Panel and view the terms of use that you previously accepted.
Follow these steps:
1. Go to the MyApps portal, and sign in.
2. In the upper-right corner, select your name, and then select Profile from the list.
3. On your Profile, select Review terms of use.
4. Now you can review the terms of use you accepted.
For more information, see the Azure AD terms of use feature (preview).

New Azure AD sign-in experience


Type: New feature
Service category: Azure AD
Product capability: User authentication
The Azure AD and Microsoft account identity system UIs were redesigned so that they have a consistent look and
feel. In addition, the Azure AD sign-in page collects the user name first, followed by the credential on a second
screen.
For more information, see The new Azure AD sign-in experience is now in public preview.

Fewer sign-in prompts: A new "keep me signed in" experience for Azure AD sign-in
Type: New feature
Service category: Azure AD
Product capability: User authentication
The Keep me signed in check box on the Azure AD sign-in page was replaced with a new prompt that shows up
after you successfully authenticate.
If you respond Yes to this prompt, the service gives you a persistent refresh token. This behavior is the same as
when you selected the Keep me signed in check box in the old experience. For federated tenants, this prompt
shows after you successfully authenticate with the federated service.
For more information, see Fewer sign-in prompts: The new "keep me signed in" experience for Azure AD is in
preview.

Add configuration to require the terms of use to be expanded prior to accepting


Type: New feature
Service category: Terms of use
Product capability: Compliance
An option for administrators requires their users to expand the terms of use prior to accepting the terms.
Select either On or Off to require users to expand the terms of use. The On setting requires users to view the
terms of use prior to accepting them.
For more information, see the Azure AD terms of use feature (preview).

Scoped activation for eligible role assignments


Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management
You can use scoped activation to activate eligible Azure resource role assignments with less autonomy than the
original assignment defaults. An example is if you're assigned as the owner of a subscription in your tenant. With
scoped activation, you can activate the owner role for up to five resources contained within the subscription (such
as resource groups and virtual machines). Scoping your activation might reduce the possibility of executing
unwanted changes to critical Azure resources.
For more information, see What is Azure AD Privileged Identity Management?.

New federated apps in the Azure AD app gallery


Type: New feature
Service category: Enterprise apps
Product capability: 3rd Party Integration
In December 2017, we've added these new apps with Federation support to our app gallery:
Accredible, Adobe Experience Manager, EFI Digital StoreFront, Communifire CybSafe, FactSet, IMAGE WORKS,
MOBI, MobileIron Azure AD integration, Reflektive, SAML SSO for Bamboo by resolution GmbH, SAML SSO for
Bitbucket by resolution GmbH, Vodeclic, WebHR, Zenegy Azure AD Integration.
For more information about the apps, see SaaS application integration with Azure Active Directory.
For more information about listing your application in the Azure AD app gallery, see List your application in the
Azure Active Directory application gallery.

Approval workflows for Azure AD directory roles


Type: Changed feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management
Approval workflow for Azure AD directory roles is generally available.
With approval workflow, privileged-role administrators can require eligible-role members to request role activation
before they can use the privileged role. Multiple users and groups can be delegated approval responsibilities.
Eligible role members receive notifications when approval is finished and their role is active.

Pass-through authentication: Skype for Business support


Type: Changed feature
Service category: Authentications (Logins)
Product capability: User authentication
Pass-through authentication now supports user sign-ins to Skype for Business client applications that support
modern authentication, which includes online and hybrid topologies.
For more information, see Skype for Business topologies supported with modern authentication.

Updates to Azure AD Privileged Identity Management for Azure RBAC (preview)


Type: Changed feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management
With the public preview refresh of Azure AD Privileged Identity Management (PIM) for Azure Role-Based Access
Control (RBAC), you can now:
Use Just Enough Administration.
Require approval to activate resource roles.
Schedule a future activation of a role that requires approval for both Azure AD and Azure RBAC roles.
For more information, see Privileged Identity Management for Azure resources (preview).

November 2017
Access Control service retirement
Type: Plan for change
Service category: Access Control service
Product capability: Access Control service
Azure Active Directory Access Control (also known as the Access Control service) will be retired in late 2018. More
information that includes a detailed schedule and high-level migration guidance will be provided in the next few
weeks. You can leave comments on this page with any questions about the Access Control service, and a team
member will answer them.

Restrict browser access to the Intune Managed Browser


Type: Plan for change
Service category: Conditional access
Product capability: Identity security and protection
You can restrict browser access to Office 365 and other Azure AD-connected cloud apps by using the Intune
Managed Browser as an approved app.
You now can configure the following condition for application-based conditional access:
Client apps: Browser
What is the effect of the change?
Today, access is blocked when you use this condition. When the preview is available, all access will require the use
of the managed browser application.
Look for this capability and more information in upcoming blogs and release notes.
For more information, see Conditional access in Azure AD.

New approved client apps for Azure AD app-based conditional access


Type: Plan for change
Service category: Conditional access
Product capability: Identity security and protection
The following apps are on the list of approved client apps:
Microsoft Kaizala
Microsoft StaffHub
For more information, see:
Approved client app requirement
Azure AD app-based conditional access

Terms-of-use support for multiple languages


Type: New feature
Service category: Terms of use
Product capability: Compliance
Administrators now can create new terms of use that contain multiple PDF documents. You can tag these PDF
documents with a corresponding language. Users are shown the PDF with the matching language based on their
preferences. If there is no match, the default language is shown.

Real-time password writeback client status


Type: New feature
Service category: Self-service password reset
Product capability: User authentication
You now can review the status of your on-premises password writeback client. This option is available in the
On-premises integration section of the Password reset page.
If there are issues with your connection to your on-premises writeback client, you see an error message that
provides you with:
Information on why you can't connect to your on-premises writeback client.
A link to documentation that assists you in resolving the issue.
For more information, see on-premises integration.

Azure AD app-based conditional access


Type: New feature
Service category: Azure AD
Product capability: Identity security and protection
You now can restrict access to Office 365 and other Azure AD-connected cloud apps to approved client apps that
support Intune app protection policies by using Azure AD app-based conditional access. Intune app protection
policies are used to configure and protect company data on these client applications.
By combining app-based with device-based conditional access policies, you have the flexibility to protect data for
personal and company devices.
The following conditions and controls are now available for use with app-based conditional access:
Supported platform condition
iOS
Android
Client apps condition
Mobile apps and desktop clients
Access control
Require approved client app
For more information, see Azure AD app-based conditional access.

Manage Azure AD devices in the Azure Portal


Type: New feature
Service category: Device registration and management
Product capability: Identity security and protection
You now can find all your devices connected to Azure AD and the device-related activities in one place. There is a
new administration experience to manage all your device identities and settings in the Azure portal. In this release,
you can:
View all your devices that are available for conditional access in Azure AD.
View properties, which include your hybrid Azure AD-joined devices.
Find BitLocker keys for your Azure AD-joined devices, manage your device with Intune, and more.
Manage Azure AD device-related settings.
For more information, see Manage devices by using the Azure portal.

Support for macOS as a device platform for Azure AD conditional access


Type: New feature
Service category: Conditional access
Product capability: Identity security and protection
You now can include (or exclude) macOS as a device platform condition in your Azure AD conditional access policy.
With the addition of macOS to the supported device platforms, you can:
Enroll and manage macOS devices by using Intune. Similar to other platforms like iOS and Android, a
company portal application is available for macOS to do unified enrollments. You can use the new company
portal app for macOS to enroll a device with Intune and register it with Azure AD.
Ensure macOS devices adhere to your organization's compliance policies defined in Intune. In Intune
on the Azure portal, you now can set up compliance policies for macOS devices.
Restrict access to applications in Azure AD to only compliant macOS devices. Conditional access policy
authoring has macOS as a separate device platform option. Now you can author macOS-specific conditional
access policies for the targeted application set in Azure.
For more information, see:
Create a device compliance policy for macOS devices with Intune
Conditional access in Azure AD

Network Policy Server extension for Azure Multi-Factor Authentication
Type: New feature
Service category: Multi-factor authentication
Product capability: User authentication
The Network Policy Server extension for Azure Multi-Factor Authentication adds cloud-based Multi-Factor
Authentication capabilities to your authentication infrastructure by using your existing servers. With the Network
Policy Server extension, you can add phone call, text message, or phone app verification to your existing
authentication flow. You don't have to install, configure, and maintain new servers.
This extension was created for organizations that want to protect virtual private network connections without
deploying the Azure Multi-Factor Authentication Server. The Network Policy Server extension acts as an adapter
between RADIUS and cloud-based Azure Multi-Factor Authentication to provide a second factor of authentication
for federated or synced users.
For more information, see Integrate your existing Network Policy Server infrastructure with Azure Multi-Factor
Authentication.

Restore or permanently remove deleted users


Type: New feature
Service category: User management
Product capability: Directory
In the Azure AD admin center, you can now:
Restore a deleted user.
Permanently delete a user.
To try it out:
1. In the Azure AD admin center, select All users in the Manage section.
2. From the Show list, select Recently deleted users.
3. Select one or more recently deleted users, and then either restore them or permanently delete them.

New approved client apps for Azure AD app-based conditional access


Type: Changed feature
Service category: Conditional access
Product capability: Identity security and protection
The following apps were added to the list of approved client apps:
Microsoft Planner
Azure Information Protection
For more information, see:
Approved client app requirement
Azure AD app-based conditional access

Use "OR" between controls in a conditional access policy


Type: Changed feature
Service category: Conditional access
Product capability: Identity security and protection
You now can use "OR" (require one of the selected controls) for conditional access controls. You can use this
feature to create policies with "OR" between access controls. For example, you can use this feature to create a
policy that requires a user to sign in by using Multi-Factor Authentication "OR" to be on a compliant device.
For more information, see Controls in Azure AD conditional access.

Aggregation of real-time risk events


Type: Changed feature
Service category: Identity protection
Product capability: Identity security and protection
In Azure AD Identity Protection, all real-time risk events that originated from the same IP address on a given day
are now aggregated for each risk event type. This change limits the volume of risk events shown without any
change in user security.
The underlying real-time detection works each time the user signs in. If you have a sign-in risk security policy set
up to Multi-Factor Authentication or block access, it is still triggered during each risky sign-in.

October 2017
Deprecate Azure AD reports
Type: Plan for change
Service category: Reporting
Product capability: Identity Lifecycle Management
The Azure portal provides you with:
A new Azure AD administration console.
New APIs for activity and security reports.
Due to these new capabilities, the report APIs under the /reports endpoint were retired on December 10, 2017.

Automatic sign-in field detection


Type: Fixed
Service category: My Apps
Product capability: Single sign-on
Azure AD supports automatic sign-in field detection for applications that render an HTML user name and
password field. These steps are documented in How to automatically capture sign-in fields for an application. You
can find this capability by adding a Non-Gallery application on the Enterprise Applications page in the Azure
portal. Additionally, you can configure the Single Sign-on mode on this new application to Password-based
Single Sign-on, enter a web URL, and then save the page.
Due to a service issue, this functionality was temporarily disabled. The issue was resolved, and the automatic
sign-in field detection is available again.

New Multi-Factor Authentication features


Type: New feature
Service category: Multi-factor authentication
Product capability: Identity security and protection
Multi-factor authentication (MFA) is an essential part of protecting your organization. To make credentials more
adaptive and the experience more seamless, the following features were added:
Multi-factor challenge results are directly integrated into the Azure AD sign-in report, which includes
programmatic access to MFA results.
The MFA configuration is more deeply integrated into the Azure AD configuration experience in the Azure
portal.
With this public preview, MFA management and reporting are an integrated part of the core Azure AD
configuration experience. Now you can manage the MFA management portal functionality within the Azure AD
experience.
For more information, see Reference for MFA reporting in the Azure portal.

Terms of use
Type: New feature
Service category: Terms of use
Product capability: Compliance
You can use Azure AD terms of use to present information such as relevant disclaimers for legal or compliance
requirements to users.
You can use Azure AD terms of use in the following scenarios:
General terms of use for all users in your organization
Specific terms of use based on a user's attributes (for example, doctors vs. nurses or domestic vs. international
employees, done by dynamic groups)
Specific terms of use for accessing high-impact business apps, like Salesforce
For more information, see Azure AD terms of use.

Enhancements to Privileged Identity Management


Type: New feature
Service category: Privileged Identity Management
Product capability: Privileged Identity Management
With Azure AD Privileged Identity Management, you can manage, control, and monitor access to Azure resources
(preview) within your organization to:
Subscriptions
Resource groups
Virtual machines
All resources within the Azure portal that use the Azure RBAC functionality can take advantage of all the security
and lifecycle management capabilities that Azure AD Privileged Identity Management has to offer.
For more information, see Privileged Identity Management for Azure resources.

Access reviews
Type: New feature
Service category: Access reviews
Product capability: Compliance
Organizations can use access reviews (preview) to efficiently manage group memberships and access to enterprise
applications:
You can recertify guest user access by using access reviews of their access to applications and memberships of
groups. Reviewers can efficiently decide whether to allow guests continued access based on the insights
provided by the access reviews.
You can recertify employee access to applications and group memberships with access reviews.
You can collect the access review controls into programs relevant for your organization to track reviews for
compliance or risk-sensitive applications.
For more information, see Azure AD access reviews.

Hide third-party applications from My Apps and the Office 365 app launcher
Type: New feature
Service category: My Apps
Product capability: Single sign-on
You now can better manage apps that show up on your users' portals through a new hide app property. You can
hide apps to help in cases where app tiles show up for back-end services or duplicate tiles and clutter users' app
launchers. The toggle is in the Properties section of the third-party app and is labeled Visible to user? You also
can hide an app programmatically through PowerShell.
For more information, see Hide a third-party application from a user's experience in Azure AD.
What's available?
As part of the transition to the new admin console, two new APIs for retrieving Azure AD activity logs are available.
The new set of APIs provides richer filtering and sorting functionality in addition to providing richer audit and
sign-in activities. The data previously available through the security reports now can be accessed through the Identity
Protection Risk Events API in Microsoft Graph.

September 2017
Hotfix for Identity Manager
Type: Changed feature
Service category: Identity Manager
Product capability: Identity lifecycle management
A hotfix roll-up package (build 4.4.1642.0) is available as of September 25, 2017, for Identity Manager 2016
Service Pack 1. This roll-up package:
Resolves issues and adds improvements.
Is a cumulative update that replaces all Identity Manager 2016 Service Pack 1 updates up to build 4.4.1459.0 for
Identity Manager 2016.
Requires you to have Identity Manager 2016 build 4.4.1302.0.
For more information, see Hotfix rollup package (build 4.4.1642.0) is available for Identity Manager 2016 Service
Pack 1.
Azure Data Catalog terminology
8/27/2018 • 4 minutes to read

Catalog
The Azure Data Catalog is a cloud-based metadata repository in which data sources and data assets can be
registered. The catalog serves as a central storage location for structural metadata extracted from data sources and
for descriptive metadata added by users.

Data source
A data source is a system or container that manages data assets. Examples include SQL Server databases, Oracle
databases, SQL Server Analysis Services databases (tabular or multidimensional) and SQL Server Reporting
Services servers.

Data asset
Data assets are objects contained within data sources that can be registered with the catalog. Examples include
SQL Server tables and views, Oracle tables and views, SQL Server Analysis Services measures, dimensions and
KPIs, and SQL Server Reporting Services reports.

Data asset location


The catalog stores the location of a data source or data asset, which can be used to connect to the source using a
client application. The format and details of the location vary based on the data source type. For example, a SQL
Server table can be identified by its four-part name – server name, database name, schema name, object name –
while a SQL Server Reporting Services Report can be identified by its URL.

Structural metadata
Structural metadata is the metadata extracted from a data source that describes the structure of a data asset. This
includes the asset's location, its object name and type, and additional type-specific characteristics. For example, the
structural metadata for tables and views includes the names and data types for the object’s columns.

Descriptive metadata
Descriptive metadata is metadata that describes the purpose or intent of a data asset. Typically, descriptive
metadata is added by catalog users using the Azure Data Catalog portal, but it can also be extracted from the data
source during registration. For example, the Azure Data Catalog registration tool will extract descriptions from the
Description property in SQL Server Analysis Services and SQL Server Reporting Services, and from the
ms_description extended property in SQL Server databases, if these properties have been populated with values.
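The following T-SQL is an added example, not part of the Azure Data Catalog documentation, showing how the ms_description (MS_Description) extended property mentioned above is populated on a table and a column, and how to query back exactly what the registration tool would extract. The schema, table and description text are constructed for the example; note that whatever is written here becomes visible to every catalog user who can discover the asset, so descriptions should not carry secrets or internal connection details.

```sql
-- Added example (not from the Azure Data Catalog docs): populate the
-- MS_Description extended property so the Data Catalog registration tool
-- can pick the text up as descriptive metadata during registration.
-- Schema, table and descriptions below are constructed for this example.

CREATE TABLE dbo.CustomerOrder (
    OrderId     INT           NOT NULL PRIMARY KEY,
    CustomerId  INT           NOT NULL,
    OrderedOn   DATETIME2(0)  NOT NULL,
    TotalAmount DECIMAL(12,2) NOT NULL
);

-- Table-level description (level2 omitted => applies to the table itself)
EXEC sys.sp_addextendedproperty
    @name  = N'MS_Description',
    @value = N'One row per customer order. Owned by the Sales data team.',
    @level0type = N'SCHEMA', @level0name = N'dbo',
    @level1type = N'TABLE',  @level1name = N'CustomerOrder';

-- Column-level description (level2 = COLUMN)
EXEC sys.sp_addextendedproperty
    @name  = N'MS_Description',
    @value = N'Surrogate key for the order; not the customer-facing order number.',
    @level0type = N'SCHEMA', @level0name = N'dbo',
    @level1type = N'TABLE',  @level1name = N'CustomerOrder',
    @level2type = N'COLUMN', @level2name = N'OrderId';

-- sp_addextendedproperty fails if the property already exists;
-- use sp_updateextendedproperty to change an existing description.
EXEC sys.sp_updateextendedproperty
    @name  = N'MS_Description',
    @value = N'One row per customer order. Owned by the Sales data team; refreshed nightly.',
    @level0type = N'SCHEMA', @level0name = N'dbo',
    @level1type = N'TABLE',  @level1name = N'CustomerOrder';

-- Verify what the registration tool would see: every MS_Description on
-- user tables and their columns. minor_id = 0 is the table-level entry.
SELECT
    s.name AS schema_name,
    t.name AS table_name,
    c.name AS column_name,                       -- NULL for the table-level row
    CAST(ep.value AS NVARCHAR(4000)) AS description
FROM sys.tables AS t
JOIN sys.schemas AS s
    ON s.schema_id = t.schema_id
JOIN sys.extended_properties AS ep
    ON ep.major_id = t.object_id
   AND ep.class = 1                              -- class 1 = object or column
   AND ep.name  = N'MS_Description'
LEFT JOIN sys.columns AS c
    ON c.object_id = ep.major_id
   AND c.column_id = ep.minor_id
   AND ep.minor_id <> 0
ORDER BY s.name, t.name, ep.minor_id;
```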

Request access
A data asset's descriptive metadata can include information on how to request access to the data asset or data
source. This information is presented with the data asset location, and can include one or more of the following
options:
The email address of the user or team responsible for granting access to the data source.
The URL of the documented process that users must follow to gain access to the data source.
The URL of an identity and access management tool (such as Microsoft Identity Manager) that can be used to
gain access to the data source.
A free-text entry that describes how users can gain access to the data source.

Preview
A preview in Azure Data Catalog is a snapshot of up to 20 records that can be extracted from the data source
during registration, and stored in the catalog with the data asset metadata. The preview can help users who
discover a data asset better understand its function and purpose. In other words, seeing sample data can be more
valuable than seeing just the column names and data types. Previews are only supported for tables and views, and
must be explicitly selected by the user during registration.

Data Profile
A data profile in Azure Data Catalog is a snapshot of table-level and column-level metadata about a registered data
asset that can be extracted from the data source during registration, and stored in the catalog with the data asset
metadata. The data profile can help users who discover a data asset better understand its function and purpose.
Similar to previews, data profiles must be explicitly selected by the user during registration.

NOTE
Extracting a data profile can be a costly operation for large tables and views, and may significantly increase the time required
to register a data source.

User perspective
In Azure Data Catalog, any user can provide descriptive metadata for a registered data asset. Each user has a
distinct perspective on the data and its use. For example, the administrator responsible for a server may provide
the details of its service level agreement (SLA) or backup windows; a data steward may provide links to
documentation for the business processes the data supports; and an analyst may provide a description in the terms
that are most relevant to other analysts, and which can be most valuable to those users who need to discover and
understand the data.
Each of these perspectives is inherently valuable, and with Azure Data Catalog each user can provide the
information that is meaningful to them, while all users can use that information to understand the data and its
purpose.

Expert
An expert is a user who has been identified as having an informed “expert” perspective for a data asset. Any user
can add themselves or another user as an expert for an asset. Being listed as an expert does not convey any
additional privileges in Azure Data Catalog; it allows users to easily locate those perspectives that are most likely to
be useful when reviewing an asset’s descriptive metadata.

Owner
An owner is a user who has additional privileges for managing a data asset in Azure Data Catalog. Users can take
ownership of registered data assets, and owners can add other users as co-owners. For more information, see How
to manage data assets.

NOTE
Ownership and management are available only in the Standard Edition of Azure Data Catalog.

Registration
Registration is the act of extracting data asset metadata from a data source and copying it to the Azure Data
Catalog service. Data assets that have been registered can then be annotated and discovered.

See also
What is Azure Data Catalog? - This article provides an overview of the Azure Data Catalog service, the value it
provides, and the scenarios it supports.
Get started with Azure Data Catalog - This article provides an end-to-end tutorial that shows you how to use
Azure Data Catalog for data source discovery.
