SQL Chick


How to Create a Demo/Test Environment for Azure Data Catalog

Azure Data Catalog is a Software as a Service (SaaS) offering in Azure, part of the Cortana Intelligence Suite, for registering metadata about data sources. Check this post for an overview of Azure Data Catalog key features. (I'm a big fan of what Azure Data Catalog is trying to accomplish.)

There are a couple of particulars about Azure Data Catalog which make it a bit more difficult to set up a Demo/Test/Learning type of environment, including:

  • You are required to sign into Azure Data Catalog with an organizational account. Signing in with a Microsoft account (formerly known as a Live account) won't work for Azure Data Catalog authentication, even if that's what you normally use for Azure.
  • One Azure Data Catalog may be created per organization. Note this is *not* per Azure subscription - if your account has access to multiple subscriptions, it's still one catalog per organization.

These restrictions are because the intention is for Azure Data Catalog to be an enterprise-wide sole system of registry for enterprise data sources.

Summary: Creating a Demo/Test Environment for Azure Data Catalog

Because of the above two restrictions, we need to create a Demo/Test/Learning sort of environment in a particular way. For the remainder of this post, the objective is to create a Data Catalog outside of your normal organizational Azure environment - i.e., one associated with an MSDN subscription, for instance.

With some very helpful advice from Matthew Roche (from the Azure Data Catalog product team at Microsoft), the best method currently to create a Data Catalog test environment is as follows:

  1. Sign into the Azure portal with a Microsoft account (not with your organizational account). You should be the administrator of this subscription. For instance, my subscription is associated with my MSDN.
  2. In your Azure Active Directory (AAD), create a new AAD account. This cannot be associated with a Microsoft account; it needs to be a native AAD account. A native AAD account is recognized by the Data Catalog service as an organizational account.
  3. Allow this new AAD account to be co-administrator of the subscription. This will permit the AAD account to provision the new Azure Data Catalog service.
  4. Go to the Azure Data Catalog portal at www.azuredatacatalog.com and sign in with the new AAD account. Provision a new Azure Data Catalog from here. You will continue to do all of the work in Azure Data Catalog with this separate AAD ID (and additional AAD IDs if desired).

The objective of this is to leave the Azure Data Catalog in your 'real' organizational Azure subscription free of test or temporary data sources - i.e., you wouldn't want users in your environment to discover something like an AdventureWorks sample database in the catalog. (Loophole: if you are paying for the standard version of Azure Data Catalog, rather than the free version, you do get security capabilities and could restrict a data source to just yourself so others can't find it.)

Sidenote: One additional important thing to be aware of with Azure Data Catalog is that a data source may be registered in the catalog only once. This is to prevent duplicates which could be really confusing to users of the system.

Below are further details about how to make this approach work.

Details: Creating a Demo/Test Environment for Azure Data Catalog

Step 1: Sign into Azure portal for which you are an administrator.

First, sign into the Azure portal with your Microsoft account (such as user@outlook.com). As of the time of this writing (April 2016), Azure Active Directory is still managed in the old portal not in the new portal yet. The old portal can be found at https://manage.windowsazure.com/

For our demo/test purposes, this should not be your organizational account (such as user@companyname.com). And of course, you need administrative privileges for the Azure subscription.

Step 2: Create a Native Azure Active Directory Account.

Go to the Active Directory menu, then select your default directory:

On the Users page, select Add User at the bottom:

Create a new user with the name you prefer:

Be sure to jot down the temporary password assigned by Azure.

At this point, you should see your new user on the AAD Users page. The key to making this all work is that the account is sourced from 'Microsoft Azure Active Directory' and is *not* a Microsoft Account. (An account sourced from your organization's Active Directory works too...but we're trying to create a demo outside of the organizational Azure tenant.)

Next let's reset that temporary password now. 

Open up an InPrivate or Incognito browser window and go to https://login.microsoftonline.com/. By using InPrivate or Incognito, the login screen will reliably accept any type of account (otherwise it makes assumptions based on the type of account you're logged onto your machine with currently). You'll want to either use a different browser, or close the Azure portal, before this step so that it doesn't sign you in with the account you're logged into Azure with.

Sign in with the new AAD account we just created. When prompted, put in the current temporary password and reset to a new password. Close this browser window when finished resetting the password.

Step 3: Provide Co-Administrator Permissions to the New AAD Account.

Back in the Azure portal (we're still using the old portal at https://manage.windowsazure.com/ since this functionality isn't yet exposed in the new portal), sign in with your Microsoft account again (just like step 1). Go to the Settings menu, then the Administrators page, then click Add:

Input the e-mail address of your new AAD user. You'll see a green check when it's validated.

At this point you should see your native AAD account listed on the Administrators page. Now we know that account has permission to create the Azure Data Catalog service. (I can be more liberal with this sort of setting because the Azure tenant I'm working in only contains demo data, not any real data.)

Go ahead and close the Azure browser window as we are finished with the Azure portal.

Step 4: Provision a New Azure Data Catalog from the Data Catalog Portal.

Now it's time to provision the Azure Data Catalog using our AAD account.

Launch a new browser window using InPrivate or Incognito (this will ensure you'll be able to seamlessly sign in with your AAD account) and go to the Azure Data Catalog portal at https://azuredatacatalog.com. When prompted, sign in with your AAD account. 

If everything with the AAD account is set up correctly, you should see a page which prompts you to create a new Azure Data Catalog:

Tip: Remember you can only have one catalog per organization, so be sure to give it a pretty broad name.

You can go ahead and add any other users and administrators for the Catalog as appropriate, provided they are not personal Microsoft accounts. 
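The same two pieces of setup (Step 2, the native AAD account, and Step 3, the subscription rights) can be scripted rather than clicked through the classic portal. The following is an added example, not code from the original post; it assumes the AzureAD and Az PowerShell modules are installed, and the tenant domain, user name, password and subscription ID are placeholders to replace. The post's classic "Co-administrator" setting has no direct cmdlet here, so the script assigns the ARM RBAC equivalent, Owner at subscription scope.

```powershell
# Added example (not from the original post): create the native AAD demo
# account (Step 2) and grant it rights on the subscription (Step 3).
# Assumes the AzureAD and Az modules; all identifiers below are placeholders.

$TenantDomain   = "contoso.onmicrosoft.com"                  # placeholder: your AAD tenant domain
$Upn            = "adcdemo@$TenantDomain"                    # placeholder: the new native AAD user
$SubscriptionId = "00000000-0000-0000-0000-000000000000"     # placeholder: the demo subscription

# --- Step 2: native (cloud-only) AAD user, not a Microsoft account ---
Connect-AzureAD -TenantDomain $TenantDomain

$pwProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$pwProfile.Password = "Temp-Pa55word-replace-me!"     # placeholder temporary password
$pwProfile.ForceChangePasswordNextLogin = $true       # same as the post's "reset the temporary password" step

$user = New-AzureADUser -DisplayName "ADC Demo Admin" `
                        -UserPrincipalName $Upn `
                        -MailNickName "adcdemo" `
                        -AccountEnabled $true `
                        -PasswordProfile $pwProfile

# Confirm the account is sourced from AAD itself: a native user is a
# Member in the tenant's own domain and is not directory-synced.
Get-AzureADUser -ObjectId $user.ObjectId |
    Select-Object UserPrincipalName, UserType, DirSyncEnabled

# --- Step 3: rights to provision the catalog ---
# Co-administrator is a classic role; Owner at subscription scope is the
# ARM RBAC equivalent, so that is what we assign to the demo account.
Connect-AzAccount -Subscription $SubscriptionId
New-AzRoleAssignment -SignInName $Upn `
                     -RoleDefinitionName "Owner" `
                     -Scope "/subscriptions/$SubscriptionId"

# Verify exactly what the demo account can now do, and where.
Get-AzRoleAssignment -SignInName $Upn -Scope "/subscriptions/$SubscriptionId" |
    Select-Object RoleDefinitionName, Scope
```

Owner on a subscription is a broad grant, so keep the assignment scoped to the subscription that holds only demo data, as the post does. If the role assignment fails immediately after the user is created because the principal is not found yet, wait a minute for the new account to replicate and run the assignment again.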

Troubleshooting Access to Azure Data Catalog

This account does not have permission to access Azure Data Catalog

When signing into the Azure Data Catalog portal, the message "This account does not have permission to access Azure Data Catalog" is generated when you have signed in with an appropriate kind of account, and a catalog already exists somewhere, but your account doesn't have permission to access it. 

To figure out more info about the existing data catalog, first check if you see any catalogs in the new Azure portal at https://portal.azure.com/. If no catalogs are listed, this means the catalog resides in a subscription which you don't have permission to see in the Azure portal. Since there's one catalog per organization, if there's a subscription you cannot see, it's possible that's where the catalog is.

To get more information try to create a new catalog. You'll see a message "Only one Azure Data Catalog is supported per organization. A Catalog has already been created for your organization. You cannot add additional catalogs." Click the link under that message to "Access existing Azure Data Catalog." 

Under User, you should be able to see the name of the catalog which may give you a hint as to which subscription it resides in. In any case, you need to talk to your Azure service administrator if this happens to determine if the catalog that is set up is really what/where you want it to be.
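The portal check above can be done for every subscription your sign-in can see at once. This is an added example, not part of the original post; it assumes the Az PowerShell module, and that "Microsoft.DataCatalog/catalogs" is the ARM resource type for Azure Data Catalog.

```powershell
# Added example (not from the original post): look for an existing Azure
# Data Catalog in every subscription visible to this sign-in. Assumes the
# Az module; the resource type name is an assumption.

Connect-AzAccount

$found = foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    Get-AzResource -ResourceType "Microsoft.DataCatalog/catalogs" |
        ForEach-Object {
            [pscustomobject]@{
                Subscription  = $sub.Name
                ResourceGroup = $_.ResourceGroupName
                Catalog       = $_.Name
                Location      = $_.Location
            }
        }
}

if ($found) {
    $found | Format-Table -AutoSize
} else {
    # Nothing visible: since there is one catalog per organization, the
    # existing catalog lives in a subscription this account cannot see.
    "No Azure Data Catalog is visible from this sign-in; ask your Azure service administrator which subscription holds it."
}
```

An empty result here is the scripted form of the situation the post describes: the catalog exists, but in a subscription outside your visibility, so the conversation with the service administrator is still the next step.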

You've logged in using a personal Microsoft account

When signing into the Azure Data Catalog portal, the message "You've logged in using a personal Microsoft account" is generated when you're not using an organizational account recognized by the Data Catalog service. Here's where you want to refer to the instructions above in this post to create a native Azure Active Directory (AAD) account to use for logging into Azure Data Catalog.
