
Commit acbd91e

committed Jan 31, 2020
added adx sharing
1 parent 99adc4b commit acbd91e

8 files changed, +192 -125 lines changed
 

‎articles/data-share/concepts-roles-permissions.md

Lines changed: 42 additions & 31 deletions
@@ -1,6 +1,6 @@
11
---
22
title: Roles and requirements for Azure Data Share
3-
description: Learn about the access control roles and requirements for data providers and data consumers to share data in Azure Data Share.
3+
description: Learn about the permissions required to share and receive data using Azure Data Share.
44
author: joannapea
55
ms.author: joanpo
66
ms.service: data-share
@@ -10,72 +10,83 @@ ms.date: 07/10/2019
1010

1111
# Roles and requirements for Azure Data Share
1212

13-
This article describes the roles required to share data using Azure Data Share, as well as to accept and receive data using Azure Data Share.
13+
This article describes roles and permissions required to share and receive data using Azure Data Share service.
1414

1515
## Roles and requirements
1616

17-
Azure Data Share uses Managed Identities for Azure Services (previously known as MSIs) to authenticate to underlying storage accounts in order to be able to read data to be shared by a data provider, as well as receive data shared as a data consumer. As a result, there is no exchange of credentials between the data provider and the data consumer.
17+
With Azure Data Share service, you can share data without exchanging credentials between data provider and consumer. Azure Data Share service uses Managed Identities (previously known as MSIs) to authenticate to Azure data store.
1818

19-
The Managed Service Identity needs to be granted access to the underlying storage account or SQL database. The Azure Data Share service uses the Azure Data Share resource's Managed Service Identity to read and write data. The user of Azure Data Share needs the ability to create a role assignment for the Managed Service Identity to the storage account or SQL database that they are sharing data from/to.
19+
Azure Data Share resource's managed identity needs to be granted access to Azure data store. Azure Data Share service then uses this managed identity to read and write data for snapshot-based sharing, and to establish symbolic link for in-place sharing.
2020

21-
In the case of storage, Permission to create role assignments exists in the **owner** role, User Access Administrator role, or a custom role with Microsoft.Authorization/role assignments/write permission assigned.
21+
To share or receive data from an Azure data store, user needs at least the following permissions. Additional permissions are required for SQL-based sharing.
22+
* Permission to write to the Azure data store. Typically, this permission exists in the **Contributor** role.
23+
* Permission to create role assignment in the Azure data store. Typically, permission to create role assignments exists in the **Owner** role, User Access Administrator role, or a custom role with Microsoft.Authorization/role assignments/write permission assigned. This permission is not required if the data share resource's managed identity is already granted access to the Azure data store. See table below for required role.
2224

23-
If you are not an owner of the storage account in question, and you are unable to create a role assignment for the Azure Data Share resource's Managed Identity yourself, you can request an Azure Administrator to create a role assignment on your behalf.
24-
25-
Below is a summary of the roles assigned to Data Share resource-Managed Identity:
25+
Below is a summary of the roles assigned to Data Share resource's managed identity:
2626

2727
| | | |
2828
|---|---|---|
29-
|**Storage Type**|**Data Provider Store**|**Data Consumer Target Store**|
29+
|**Data Store Type**|**Data Provider Source Data Store**|**Data Consumer Target Data Store**|
3030
|Azure Blob Storage| Storage Blob Data Reader | Storage Blob Data Contributor
3131
|Azure Data Lake Gen1 | Owner | Not Supported
3232
|Azure Data Lake Gen2 | Storage Blob Data Reader | Storage Blob Data Contributor
33-
|Azure SQL | dbo | dbo
33+
|Azure SQL Server | SQL DB Contributor | SQL DB Contributor
34+
|Azure Data Explorer Cluster | Contributor | Contributor
3435
|
3536

36-
### Data providers
37-
To add a dataset to an Azure Data Share, the data providers data share resource-managed identity needs to be added to the Storage Blob Data Reader role. This is done automatically by the Azure Data Share service if the user is adding datasets via Azure and is an owner of the storage account, or is a member of a custom role that has the Microsoft.Authorization/role assignments/write permission assigned.
37+
For SQL-based sharing, a SQL user needs to be created from an external provider in the SQL database with the same name as the Azure Data Share resource. Below is a summary of the permission required by the SQL user.
38+
39+
| | | |
40+
|---|---|---|
41+
|**SQL Database Type**|**Data Provider SQL User Permission**|**Data Consumer SQL User Permission**|
42+
|Azure SQL Database | db_datareader | db_datareader, db_datawriter, db_ddladmin
43+
|Azure Synapse Analytics (formerly SQL DW) | db_datareader | db_datareader, db_datawriter, db_ddladmin
44+
|
45+
46+
47+
### Data provider
48+
To add a dataset in Azure Data Share, provider data share resource's managed identity needs to be granted access to the source Azure data store. For example, in the case of storage account, the data share resource's managed identity is granted the Storage Blob Data Reader role.
3849

39-
Alternatively, the user can have an Azure Administrator add the data share resource-managed identity to the Storage Blob Data Reader role manually. Creating this role assignment manually by the Administrator will void having to be an owner of the Storage account or have a custom role assignment. This applies to data being shared from Azure Storage or Azure Data Lake Gen2.
50+
This is done automatically by the Azure Data Share service when user is adding dataset via Azure portal and the user has the proper permission. For example, user is an owner of the Azure data store, or is a member of a custom role that has the Microsoft.Authorization/role assignments/write permission assigned.
4051

41-
If sharing data from Azure Data Lake Gen1, the role assignment must be made to the Owner role.
52+
Alternatively, user can have owner of the Azure data store add the data share resource's managed identity to the Azure data store manually. This action only needs to be performed once per data share resource.
4253

43-
To create a role assignment for the Data Share resource's Managed Identity, follow the below steps:
54+
To create a role assignment for the data share resource's managed identity, follow the below steps:
4455

45-
1. Navigate to the Storage account.
56+
1. Navigate to the Azure data store.
4657
1. Select **Access Control (IAM)**.
4758
1. Select **Add a role assignment**.
48-
1. Under *Role*, select *Storage Blob Data Reader*.
49-
1. Under *Select*, type in the name of your Azure Data Share account.
59+
1. Under *Role*, select the role in the role assignment table above (for example, for storage account, select *Storage Blob Data Reader*).
60+
1. Under *Select*, type in the name of your Azure Data Share resource.
5061
1. Click *Save*.
5162

52-
For SQL-based sources, a user needs to be created from an external provider in the SQL database that data is being shared from with the same name as the Azure Data Share account. A sample script along with other prerequisites for SQL-based sharing can be found in the [share your data](share-your-data.md) tutorial.
63+
For SQL-based sources, in addition to the above steps, a SQL user needs to be created from an external provider in the SQL database with the same name as the Azure Data Share resource. This user needs to be granted db_owner permission. A sample script along with other prerequisites for SQL-based sharing can be found in the [share your data](share-your-data.md) tutorial.
5364

54-
### Data consumers
55-
To receive data, the data consumers data share resource-managed identity needs to be added to the Storage Blob Data Contributor role and/or dbo role of a SQL database if receiving data into a SQL database.
65+
### Data consumer
66+
To receive data, consumer data share resource's managed identity needs to be granted access to the target Azure data store. For example, in the case of storage account, the data share resource's managed identity is granted the Storage Blob Data Contributor role.
5667

57-
In the case of storage, this is done automatically by the Azure Data Share service if the user is adding datasets via Azure and is an owner of the storage account, or is a member of a custom role which has the Microsoft.Authorization/role assignments/write permission assigned.
68+
This is done automatically by the Azure Data Share service if the user specifies a target data store via Azure portal and the user has proper permission. For example, user is an owner of the Azure data store, or is a member of a custom role which has the Microsoft.Authorization/role assignments/write permission assigned.
5869

59-
Alternatively, the user can have an Azure Administrator add the data share resource-managed identity to the Storage Blob Data Contributor role manually. Creating this role assignment manually by the Administrator will void having to be an owner of the Storage account or have a custom role assignment. Note that this applies to data being shared to Azure Storage or Azure Data Lake Gen2. Receiving data to Azure Data Lake Gen1 is not supported.
70+
Alternatively, user can have owner of the Azure data store add the data share resource's managed identity to the Azure data store manually. This action only needs to be performed once per data share resource.
6071

61-
To create a role assignment for the Data Share resource's Managed Identity manually, follow the below steps:
72+
To create a role assignment for the data share resource's managed identity manually, follow the below steps:
6273

63-
1. Navigate to the Storage account.
74+
1. Navigate to the Azure data store.
6475
1. Select **Access Control (IAM)**.
6576
1. Select **Add a role assignment**.
66-
1. Under *Role*, select *Storage Blob Data Contributor*.
67-
1. Under *Select*, type in the name of your Azure Data Share account.
77+
1. Under *Role*, select the role in the role assignment table above (for example, for storage account, select *Storage Blob Data Reader*).
78+
1. Under *Select*, type in the name of your Azure Data Share resource.
6879
1. Click *Save*.
6980

70-
If you are sharing data using our REST APIs, you will need to create these role assignments manually by adding the data share account in to the appropriate roles.
81+
For SQL-based target, in addition to the above steps, a SQL user needs to be created from an external provider in the SQL database with the same name as the Azure Data Share resource. This user needs to be granted db_owner permission. A sample script along with other prerequisites for SQL-based sharing can be found in the [accept and receive data](subscribe-to-data-share.md) tutorial.
7182

72-
If you are receiving data into a SQL-based source, ensure that a new user is created from an external provider with the same name as your Azure Data Share account. See prerequisites in [accept and receive data](subscribe-to-data-share.md) tutorial.
83+
If you are sharing data using REST APIs, you need to create these role assignments manually.
7384

74-
To learn more about how to add a role assignment, refer to [this documentation,](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal#add-a-role-assignment) which outlines how to add a role assignment to an Azure resource.
85+
To learn more about how to add a role assignment, refer to [this documentation,](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal#add-a-role-assignment).
7586

7687
## Resource provider registration
7788

78-
When accepting an Azure Data Share invitation, you will need to manually register the Microsoft.DataShare resource provider in to your subscription. Follow these steps to register the Microsoft.DataShare resource provider into your Azure Subscription.
89+
To view Azure Data Share invitation for the first time in your Azure tenant, you may need to manually register the Microsoft.DataShare resource provider into your Azure subscription. Follow these steps to register the Microsoft.DataShare resource provider into your Azure Subscription.
7990

8091
1. In the Azure portal, navigate to **Subscriptions**.
8192
1. Select the subscription that you're using for Azure Data Share.
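
Review bot: The SQL paragraphs added at new lines 63 and 81 say the SQL user "needs to be granted db_owner permission", which contradicts the SQL permission table added at new lines 39-44 of this same hunk (db_datareader for the provider; db_datareader, db_datawriter, db_ddladmin for the consumer). Suggest dropping the db_owner sentences and pointing to the table, so readers grant only the narrower roles. Separately, the consumer steps at new line 77 still give *Storage Blob Data Reader* as the storage example, while the role table and the consumer paragraph at new line 66 call for Storage Blob Data Contributor on the target store. The link text at new line 85 also keeps a trailing comma inside the brackets ("[this documentation,]").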

‎articles/data-share/data-share-troubleshoot.md

Lines changed: 45 additions & 26 deletions
@@ -19,53 +19,72 @@ In some cases, when a new user clicks **Accept Invitation** from the e-mail invi
1919

2020
![No invitations](media/no-invites.png)
2121

22-
The above error is a known issue with the service and is currently being addressed. As a workaround, follow the below steps.
22+
This could be due to the following reasons:
2323

24-
1. In the Azure portal, navigate to **Subscriptions**
25-
1. Select the subscription that you're using for Azure Data Share
26-
1. Click on **Resource Providers**
27-
1. Search for Microsoft.DataShare
28-
1. Click **Register**
24+
**1. Azure Data Share service is not registered as a resource provider of any Azure subscription in the Azure tenant.** You will experience this issue if there is no Data Share resource in your Azure tenant. When you create an Azure Data Share resource, it automatically registers the resource provider in your Azure subscription. You can also manually register the Data Share service following these steps. You'll need to have the Azure Contributor role to complete these steps.
25+
26+
* In the Azure portal, navigate to **Subscriptions**
27+
* Select the subscription you want to use to create Azure Data Share resource
28+
* Click on **Resource Providers**
29+
* Search for **Microsoft.DataShare**
30+
* Click **Register**
2931

3032
You'll need to have the [Azure Contributor RBAC role](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#contributor) to complete these steps.
3133

32-
If you still are unable to see a data share invitation, contact your data provider and ensure that they have sent the invitation to your Azure login e-mail address and *not* your e-mail alias.
34+
**2. Invitation is sent to your email alias instead of your Azure login email.** If you have registered the Azure Data Share service or have already created a Data Share resource in the Azure tenant, but still cannot see the invitation, it maybe because the provider has entered your email alias as recipient instead of your Azure login email address. Contact your data provider and ensure that they have sent the invitation to your Azure login e-mail address and not your e-mail alias.
35+
36+
**3. Invitation has already been accepted.** The link in the email takes you to the Data Share Invitation page in Azure Portal, which only lists pending invitations. If you have already accepted the invitation, it will no longer show up in the Data Share Invitation page. Proceed to your Data Share resource which you used to accept the invitation into to view received shares and configure your target Azure Data Explorer cluster setting.
37+
38+
## Error when creating or receiving a new share
3339

34-
> [!IMPORTANT]
35-
> If you have already accepted an Azure Data Share invitation and exited the service prior to configuring storage, follow the instructions detailed in the [configure a dataset mapping](how-to-configure-mapping.md) how-to guide to learn how to finish configuring your received data share and start receiving data.
40+
"Failed to add datasets"
3641

37-
## Error when creating or receiving a new Data Share
42+
"Failed to map datasets"
3843

39-
"Error: Operation returned an invalid status code 'BadRequest'"
44+
"Unable to grant Data Share resource x access to y"
4045

41-
"Error: AuthorizationFailed"
46+
"You do not have proper permissions to x"
4247

43-
"Error: role assignment to storage account"
48+
"We could not add write permissions for Azure Data Share account to one or more of your selected resources"
4449

45-
![Privilege error](media/error-write-privilege.png)
50+
If you receive any of the above errors when creating a new share or mapping datasets, it could be due to insufficient permissions to the Azure data store. See [Roles and requirements](concepts-roles-permissions.md) for required permissions.
4651

47-
If you receive any of the above errors when creating a new data share or receiving a new data share, it is because there are insufficient permissions to the storage account. The permission required is *Microsoft.Authorization/role assignments/write*, which exists in the storage owner role or can be assigned to a custom role. Even if you created the Storage account, it does NOT automatically make you the owner of the storage account. Follow these steps to grant yourself owner of the storage account. Alternatively, a custom role can be created with this permission that you can add yourself in to.
52+
You need write permission to share or receive data from an Azure data store, which typically exists in the Contributor role.
4853

49-
1. Navigate to Storage account in Azure portal
50-
1. Select **Access control (IAM)**
51-
1. Click **Add**
52-
1. Add yourself in as owner.
54+
If this is the first time you are sharing or receiving data from the Azure data store, you also need *Microsoft.Authorization/role assignments/write* permission, which typically exists in the Owner role. Even if you created the Azure data store resource, it does NOT automatically make you the owner of the resource. With proper permission, Azure Data Share service automatically grants the data share resource's managed identity access to the data store. This process could take a few minutes to take effect. If you experience failure due to this delay, try again in a few minutes.
55+
56+
SQL-based sharing requires additional permissions. See Troubleshooting SQL-based sharing for details.
5357

5458
## Troubleshooting SQL-based sharing
5559

56-
"Error: x datasets were not added because you do not have the required permissions to share."
60+
"User x does not exist in SQL database"
5761

58-
If you receive this error when adding a dataset from a SQL-based source, it may be because you did not create a user for the Azure Data Share MSI on your SQL Server. To resolve this issue, run the following script:
62+
If you receive this error when adding a dataset from a SQL-based source, it may be because you did not create a user for the Azure Data Share managed identity on your SQL Server. To resolve this issue, run the following script:
5963

6064
```sql
61-
create user <share_acct_name> from external provider;
62-
exec sp_addrolemember db_owner, <share_acct_name>;
65+
create user "<share_acct_name>" from external provider;
66+
exec sp_addrolemember db_datareader, "<share_acct_name>";
6367
```
64-
Note that the *<share_acc_name>* is the name of your Data Share Account. If you have not created a Data Share account as yet, you can come back to this pre-requisite later.
68+
If you receive this error when mapping dataset to a SQL-based target, it may be because you did not create a user for the Azure Data Share managed identity on your SQL Server. To resolve this issue, run the following script:
6569

66-
Ensure that you have followed all prerequisites listed in [Share your data](share-your-data.md) tutorial.
70+
```sql
71+
create user "<share_acc_name>" from external provider;
72+
exec sp_addrolemember db_datareader, "<share_acc_name>";
73+
exec sp_addrolemember db_datawriter, "<share_acc_name>";
74+
exec sp_addrolemember db_ddladmin, "<share_acc_name>";
75+
```
76+
Note that the *<share_acc_name>* is the name of your Data Share resource.
77+
78+
Ensure that you have followed all prerequisites listed in [Share your data](share-your-data.md) and [accept and receive data](subscribe-to-data-share.md) tutorial.
79+
80+
## Snapshot failed
81+
Snapshot could fail due to a variety of reasons. You can find detailed error message by clicking on the start time of the snapshot and then the status of each dataset.
82+
83+
If the error message is related to permission, verify Data Share service has the required permission. See [Roles and requirements](concepts-roles-permissions.md) for details. If this is the first time you are taking a snapshot, it could take a few minutes for Data Share resource to be granted access to the Azure data store. Wait for a few minutes and try again.
6784

6885
## Next steps
6986

70-
To learn how to start sharing data, continue to the [share your data](share-your-data.md) tutorial.
87+
To learn how to start sharing data, continue to the [share your data](share-your-data.md) tutorial.
88+
89+
To learn how to receive data, continue to the [accept and receive data](subscribe-to-data-share.md) tutorial.
7190
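
Review bot: The two added SQL scripts use different placeholders, `<share_acct_name>` at new lines 65-66 and `<share_acc_name>` at new lines 71-74, and the note at new line 76 explains only `<share_acc_name>`. Suggest one spelling throughout so the note covers both scripts. Also, new line 24 ends with "You'll need to have the Azure Contributor role to complete these steps." while the unchanged line 32 after the list already says the same with the RBAC link, so one of the two can go. New line 34 has "it maybe because", which should read "it may be because", and "See Troubleshooting SQL-based sharing for details" at new line 56 would be easier to follow as a link to that section.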

‎articles/data-share/how-to-configure-mapping.md

Lines changed: 3 additions & 3 deletions
@@ -9,7 +9,7 @@ ms.date: 07/10/2019
99
---
1010
# How to configure a dataset mapping for a received share in Azure Data Share
1111

12-
This article explains how to configure a dataset mapping for a Received Share using Azure Data Share. You'll want to do this if you accepted a data share invitation but opted to "Accept and configure later". You may want to configure a dataset mapping if you need to change the destination for data being shared with you, or if you want to receive data into a SQL Server.
12+
This article explains how to configure a dataset mapping for a Received Share using Azure Data Share. You'll want to do this if you accepted a data share invitation but opted to "Accept and configure later", or if data is shared in-place. You may want to configure a dataset mapping if you need to change the destination for data being shared with you, or if you want to receive data into a SQL Server.
1313

1414
## Navigate to a received data share
1515

@@ -21,9 +21,9 @@ Check the box next to the dataset you'd like to assign a destination to. Select
2121

2222
![Map to target](./media/dataset-map-target.png "Map to target")
2323

24-
## Select a new destination store
24+
## Select a new target store
2525

26-
Select a target data type that you'd like the data to land in. Note that any data that already exists in any previously mapped storage accounts will not be automatically moved to the new destination.
26+
Select a target data type that you'd like the data to land in. For snapshot-based sharing, any data that already exists in any previously mapped storage accounts will not be automatically moved to the new target store. For in-place sharing, select a data store in the Location specified. The Location is the Azure data center where data provider's source data store is located at.
2727

2828
![Target storage account](./media/dataset-map-target-sql.png "Target storage")
2929
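
Review bot: Renaming the heading at new line 24 from "Select a new destination store" to "Select a new target store" changes the section anchor derived from it, so any link that targets the old section needs checking. In new line 26 the snapshot sentence still refers to "previously mapped storage accounts" while the rest of the change speaks of data stores, and "where data provider's source data store is located at" reads better as "where the data provider's source data store is located".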


‎articles/data-share/overview.md

Lines changed: 10 additions & 8 deletions
@@ -31,7 +31,7 @@ Another use case for Azure Data Share is establishing a data consortium. For exa
3131

3232
## How it works
3333

34-
Azure Data Share currently offers snapshot-based sharing and in-place sharing (in limited preview).
34+
Azure Data Share currently offers snapshot-based sharing and in-place sharing.
3535

3636
In snapshot-based sharing, data moves from the data provider's Azure subscription and lands in the data consumer's Azure subscription. As a data provider, you provision a data share and invite recipients to the data share. Data consumers receive an invitation to your data share via e-mail. Once a data consumer accepts the invitation, they can trigger a full snapshot of the data shared with them. This data is received into the data consumers storage account. Data consumers can receive regular, incremental updates to the data shared with them so that they always have the latest version of the data.
3737

@@ -41,7 +41,7 @@ Data providers can offer their data consumers incremental updates to the data sh
4141

4242
When a data consumer accepts a data share, they are able to receive the data in a data store of their choice. For example, if the data provider shares data using Azure Blob Storage, the data consumer can receive this data in Azure Data Lake Store. Similarly, if the data provider shares data from an Azure SQL Data Warehouse, the data consumer can choose whether they want to receive the data into an Azure Data Lake Store, an Azure SQL Database or an Azure SQL Data Warehouse. In the case of sharing from SQL-based sources, the data consumer can also choose whether they receive data in parquet or csv.
4343

44-
In-place sharing is currently in limited preview for Azure Data Explorer. Data providers are able to share data where it resides, with no data movement via a symbolic link. Sign up for the limited preview of Azure Data Explorer in-place sharing [here](https://aka.ms/azuredatasharepreviewsignup).
44+
With in-place sharing, data providers can share data where it resides without copying the data. After sharing relationship is established through the invitation flow, a symbolic link is created between the data provider's source data store and the data consumer's target data store. Data consumer can read and query the data in real time using its own data store. Changes to the source data store is available to the data consumer immediately. In-place sharing is currently in preview for Azure Data Explorer.
4545

4646
## Key capabilities
4747
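
Review bot: New line 44 says changes to the source are available to the consumer immediately, but nothing in the paragraph says how a provider ends that access once the symbolic link exists; if revocation is documented elsewhere, a link here would help. Wording in the same line: "Changes to the source data store is available" should be "are available", and "After sharing relationship is established" needs an article.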

@@ -51,6 +51,8 @@ Azure Data Share enables data providers to:
5151

5252
* Keep track of who you have shared your data with
5353

54+
* Choice of snapshot or in-place sharing
55+
5456
* How frequently your data consumers are receiving updates to your data
5557

5658
* Allow your customers to pull the latest version of your data as needed, or allow them to automatically receive incremental changes to your data at an interval defined by you
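
Review bot: The bullet added at new line 54, "Choice of snapshot or in-place sharing", does not read as a continuation of "Azure Data Share enables data providers to:", and it is inserted between "Keep track of who you have shared your data with" and "How frequently your data consumers are receiving updates to your data", which appear to belong together. Suggest a verb-led bullet such as "Choose between snapshot and in-place sharing", placed before or after that pair.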
@@ -63,13 +65,13 @@ Azure Data Share enables data consumers to:
6365

6466
* Accept or reject an Azure Data Share invitation
6567

66-
* Trigger a full or incremental snapshot of a Data Share that an organization has shared with you
68+
* Accept data shared with you into a [supported data store](supported-data-stores.md).
6769

68-
* Subscribe to a Data Share to receive the latest copy of the data through incremental snapshot copy
70+
* Trigger a full or incremental snapshot of a Data Share that an organization has shared with you
6971

70-
* Accept data shared with you into a [supported data store](supported-data-stores.md).
72+
* Subscribe to a data share to receive the latest copy of the data through incremental snapshot
7173

72-
All key capabilities listed above are supported through the Azure or via REST APIs. For more details on using Azure Data Share through REST APIs, check out our reference documentation.
74+
All key capabilities listed above are supported through the Azure portal or via REST APIs. For more details on using Azure Data Share through REST APIs, check out our reference documentation.
7375

7476
## Security
7577

@@ -82,9 +84,9 @@ Azure Data Share leverages Managed Identities for Azure Resources (previously kn
8284

8385
## Supported regions
8486

85-
For a list of Azure regions that make Azure Data Share available, please refer to the [products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=data-share/) page and search for Azure Data Share.
87+
For a list of Azure regions that make Azure Data Share available, please refer to the [products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=data-share) page and search for Azure Data Share.
8688

87-
Azure Data Share does not store any data itself. The data is stored in the underlying data store that is being shared. For example, if a data producer stores their data in an Azure Data Lake Store account located in West US, that is where the data is stored. If they are sharing data with an Azure Storage account located in West Europe, the data is transferred directly to the Azure Storage account located in West Europe.
89+
Azure Data Share does not store a copy of the data itself. The data is stored in the underlying data store that is being shared. For example, if a data producer stores their data in an Azure Data Lake Store account located in West US, that is where the data is stored. If they are sharing data with an Azure Storage account located in West Europe via snapshot, typically the data is transferred directly to the Azure Storage account located in West Europe.
8890

8991
The Azure Data Share service does not have to be available in your region to leverage the service. For example, if you have data stored in an Azure Storage account located in a region where Azure Data Share is not yet available, you can still leverage the service to share your data.
9092
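
Review bot: In new line 89, "typically the data is transferred directly" weakens the previous statement without saying when the transfer is not direct, which matters to readers checking data residency. Either state the exception or drop "typically". The paragraph also now covers only the snapshot case; a sentence on where data resides for in-place sharing would fit here.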

‎articles/data-share/share-your-data.md

Lines changed: 23 additions & 14 deletions
@@ -16,7 +16,7 @@ In this tutorial, you'll learn how to:
1616
> [!div class="checklist"]
1717
> * Create a Data Share.
1818
> * Add datasets to your Data Share.
19-
> * Enable a synchronization schedule for your Data Share.
19+
> * Enable a snapshot schedule for your Data Share.
2020
> * Add recipients to your Data Share.
2121
2222
## Prerequisites
@@ -27,27 +27,36 @@ In this tutorial, you'll learn how to:
2727
### Share from a storage account:
2828

2929
* An Azure Storage account: If you don't already have one, you can create an [Azure Storage account](https://docs.microsoft.com/azure/storage/common/storage-quickstart-create-account)
30-
* Permission to add role assignment to the storage account, which is present in the *Microsoft.Authorization/role assignments/write* permission. This permission exists in the owner role.
30+
* Permission to write to the storage account, which is present in *Microsoft.Storage/storageAccounts/write*. This permission exists in the Contributor role.
31+
* Permission to add role assignment to the storage account, which is present in *Microsoft.Authorization/role assignments/write*. This permission exists in the Owner role.
32+
3133

3234
### Share from a SQL-based source:
3335

34-
* An Azure SQL Database or Azure SQL Data Warehouse with tables and views that you want to share.
36+
* An Azure SQL Database or Azure Synapse Analytics (formerly Azure SQL Data Warehouse) with tables and views that you want to share.
37+
* Permission to write to the databases on SQL server, which is present in *Microsoft.Sql/servers/databases/write*. This permission exists in the Contributor role.
3538
* Permission for the data share to access the data warehouse. This can be done through the following steps:
3639
1. Set yourself as the Azure Active Directory Admin for the server.
3740
1. Connect to the Azure SQL Database/Data Warehouse using Azure Active Directory.
38-
1. Use Query Editor (preview) to execute the following script to add the Data Share MSI as a db_owner. You must connect using Active Directory and not SQL Server authentication.
41+
1. Use Query Editor (preview) to execute the following script to add the Data Share resource Managed Identity as a db_datareader. You must connect using Active Directory and not SQL Server authentication.
3942

4043
```sql
41-
create user <share_acct_name> from external provider;
42-
exec sp_addrolemember db_owner, <share_acct_name>;
44+
create user "<share_acct_name>" from external provider;
45+
exec sp_addrolemember db_datareader, "<share_acct_name>";
4346
```
44-
Note that the *<share_acc_name>* is the name of your Data Share Account. If you have not created a Data Share account as yet, you can come back to this pre-requisite later.
47+
Note that the *<share_acc_name>* is the name of your Data Share resource. If you have not created a Data Share resource as yet, you can come back to this pre-requisite later.
48+
49+
* An [Azure SQL Database User with 'db_datareader' access](https://docs.microsoft.com/azure/sql-database/sql-database-manage-logins#non-administrator-users) to navigate and select the tables and/or views you wish to share.
4550

46-
* An [Azure SQL Database User with `db_owner` access](https://docs.microsoft.com/azure/sql-database/sql-database-manage-logins#non-administrator-users) to navigate and select the tables and/or views you wish to share.
51+
* Client IP SQL Server Firewall access. This can be done through the following steps:
52+
1. In SQL server in Azure portal, navigate to *Firewalls and virtual networks*
53+
1. Click the **on** toggle to allow access to Azure Services.
54+
1. Click **+Add client IP** and click **Save**. Client IP address is subject to change. You can also add an IP range.
4755

48-
* Client IP SQL Server Firewall access: This can be done through the following steps:
49-
1. Navigate to *Firewalls and Virtual Networks*
50-
1. Click the **on** toggle to allow access to Azure Services.
56+
### Share from Azure Data Explorer
57+
* An Azure Data Explorer cluster with databases you want to share.
58+
* Permission to write to Azure Data Explorer cluster, which is present in *Microsoft.Kusto/clusters/write*. This permission exists in the Contributor role.
59+
* Permission to add role assignment to the Azure Data Explorer cluster, which is present in *Microsoft.Authorization/role assignments/write*. This permission exists in the Owner role.
5160

5261
## Sign in to the Azure portal
5362

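Review bot: The placeholder name differs between the script and its explanation: the added `create user` and `sp_addrolemember` lines use `<share_acct_name>`, while the note right after the code fence says `<share_acc_name>`. Use one spelling in both places so readers know which token to substitute. The permission in the storage and Data Explorer bullets is written as *Microsoft.Authorization/role assignments/write* with a space, while the other permission names added in this hunk (*Microsoft.Storage/storageAccounts/write*, *Microsoft.Kusto/clusters/write*) have none; it looks like a typo for `roleAssignments`, and readers will copy this string. The move from db_owner to db_datareader for the managed identity is a good least-privilege change and needs no further edit.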
@@ -87,7 +96,7 @@ Create an Azure Data Share resource in an Azure resource group.
8796

8897
1. Select **Create**.
8998

90-
1. Fill out the details for your Data Share. Specify a name, description of share contents, and terms of use (optional).
99+
1. Fill out the details for your Data Share. Specify a name, share type, description of share contents, and terms of use (optional).
91100

92101
![EnterShareDetails](./media/enter-share-details.png "Enter Share details")
93102

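Review bot: The added "share type" field in the details step is listed without saying what the choices are. The dataset step later in this file names them as snapshot or in-place; naming them here too would let the reader pick before reaching that step.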
@@ -97,7 +106,7 @@ Create an Azure Data Share resource in an Azure resource group.
97106

98107
![Datasets](./media/datasets.png "Datasets")
99108

100-
1. Select the dataset type that you would like to add. If sharing from an Azure SQL Database or Azure SQL Datawarehouse, you will be prompted for some SQL credentials. Authenticate using the user you created as part of the prerequisites.
109+
1. Select the dataset type that you would like to add. You will see a different list of dataset types depending on the share type (snapshot or in-place) you have selected in the previous step. If sharing from an Azure SQL Database or Azure SQL Data Warehouse, you will be prompted for some SQL credentials. Authenticate using the user you created as part of the prerequisites.
101110

102111
![AddDatasets](./media/add-datasets.png "Add Datasets")
103112

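Review bot: Product naming is inconsistent in the added sentence: it says "Azure SQL Data Warehouse", while the prerequisites earlier in this same file were changed to "Azure Synapse Analytics (formerly Azure SQL Data Warehouse)". Use the new name here as well so the tutorial reads the same from top to bottom.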
@@ -111,7 +120,7 @@ Create an Azure Data Share resource in an Azure resource group.
111120

112121
1. Select **Continue**
113122

114-
1. If you'd like your data consumer to be able to get incremental updates of your data, enable the snapshot schedule.
123+
1. If you have selected snapshot share type, you can configure snapshot schedule to provide updates of your data to your data consumer.
115124

116125
![EnableSnapshots](./media/enable-snapshots.png "Enable snapshots")
117126

‎articles/data-share/subscribe-to-data-share.md

Lines changed: 49 additions & 36 deletions
@@ -28,94 +28,107 @@ Ensure that all pre-requisites are complete before accepting a data share invita
2828
### Receive data into a storage account:
2929

3030
* An Azure Storage account: If you don't already have one, you can create an [Azure Storage account](https://docs.microsoft.com/azure/storage/common/storage-quickstart-create-account).
31-
* Permission to add role assignment to the storage account, which is present in the *Microsoft.Authorization/role assignments/write* permission. This permission exists in the owner role.
31+
* Permission to write to the storage account, which is present in *Microsoft.Storage/storageAccounts/write*. This permission exists in the Contributor role.
32+
* Permission to add role assignment to the storage account, which is present in *Microsoft.Authorization/role assignments/write*. This permission exists in the Owner role.
3233
* Resource Provider registration for Microsoft.DataShare. See the [Azure Resource Providers](https://docs.microsoft.com/azure/azure-resource-manager/resource-manager-supported-services) documentation for information on how to do this.
3334

3435
> [!IMPORTANT]
3536
> To accept and receive an Azure Data Share, you must first register the Microsoft.DataShare resource provider and you must be an owner of the storage account that you accept data into. Follow the instructions documented in [Troubleshoot Azure Data Share](data-share-troubleshoot.md) to register the data share resource provider as well as add yourself as an owner of the storage account.
3637
3738
### Receive data into a SQL-based source:
3839

39-
* Permission for the data share MSI to access the Azure SQL Database or Azure SQL Data Warehouse. This can be done through the following steps:
40+
* Permission to write to databases on the SQL server, which is present in *Microsoft.Sql/servers/databases/write*. This permission exists in the Contributor role.
41+
* Permission for the data share resource's managed identity to access the Azure SQL Database or Azure SQL Data Warehouse. This can be done through the following steps:
4042
1. Set yourself as the Azure Active Directory Admin for the server.
4143
1. Connect to the Azure SQL Database/Data Warehouse using Azure Active Directory.
42-
1. Use Query Editor (preview) to execute the following script to add the Data Share MSI as a db_owner. You must connect using Active Directory and not SQL Server authentication.
44+
1. Use Query Editor (preview) to execute the following script to add the Data Share Managed Identity as a db_owner. You must connect using Active Directory and not SQL Server authentication.
4345

4446
```sql
45-
create user <share_acct_name> from external provider;
46-
exec sp_addrolemember db_owner, <share_acct_name>;
47+
create user "<share_acc_name>" from external provider;
48+
exec sp_addrolemember db_datareader, "<share_acc_name>";
49+
exec sp_addrolemember db_datawriter, "<share_acc_name>";
50+
exec sp_addrolemember db_ddladmin, "<share_acc_name>";
4751
```
48-
Note that the *<share_acc_name>* is the name of your Data Share Account. If you have not created a Data Share account as yet, you can come back to this pre-requisite later.
52+
Note that the *<share_acc_name>* is the name of your Data Share resource. If you have not created a Data Share resource as yet, you can come back to this pre-requisite later.
4953

50-
* Client IP SQL Server Firewall access: This can be done through the following steps:
51-
1. Navigate to *Firewalls and Virtual Networks*
52-
1. Click the **on** toggle to allow access to Azure Services.
54+
* Client IP SQL Server Firewall access. This can be done through the following steps:
55+
1. In SQL server in Azure portal, navigate to *Firewalls and virtual networks*
56+
1. Click the **on** toggle to allow access to Azure Services.
57+
1. Click **+Add client IP** and click **Save**. Client IP address is subject to change. This process might need to be repeated the next time you are sharing SQL data from Azure portal. You can also add an IP range.
5358

54-
Once these pre-requisites are complete, you are ready to receive data into your SQL Server.
59+
60+
### Receive data into an Azure Data Explorer cluster:
61+
62+
* An Azure Data Explorer cluster in the same Azure data center as the data provider's Data Explorer cluster: If you don't already have one, you can create an [Azure Data Explorer cluster](https://docs.microsoft.com/azure/data-explorer/create-cluster-database-portal). If you don't know the Azure data center of the data provider's cluster, you can create the cluster later in the process.
63+
* Permission to write to the Azure Data Explorer cluster, which is present in *Microsoft.Kusto/clusters/write*. This permission exists in the Contributor role.
64+
* Permission to add role assignment to the Azure Data Explorer cluster, which is present in *Microsoft.Authorization/role assignments/write*. This permission exists in the Owner role.
5565

5666
## Sign in to the Azure portal
5767

5868
Sign in to the [Azure portal](https://portal.azure.com/).
5969

6070
## Open invitation
6171

62-
Check your inbox for an invitation from your data provider. The invitation is from Microsoft Azure, titled **Azure Data Share invitation from <yourdataprovider@domain.com>**. Take note of the share name to ensure you're accepting the correct share if there are multiple invitations.
72+
1. Check your inbox for an invitation from your data provider. The invitation is from Microsoft Azure, titled **Azure Data Share invitation from <yourdataprovider@domain.com>**. Take note of the share name to ensure you're accepting the correct share if there are multiple invitations.
6373

64-
Select on **View invitation** to see your invitation in Azure. This takes you to your Received Shares view.
74+
1. Select on **View invitation** to see your invitation in Azure. This takes you to your Received Shares view.
6575

66-
![Invitations](./media/invitations.png "List of invitations")
76+
![Invitations](./media/invitations.png "List of invitations")
6777

6878
Select the share you would like to view.
6979

7080
## Accept invitation
71-
Make sure all fields are reviewed, including the **Terms of Use**. If you agree to the terms of use, you'll be required to check the box to indicate you agree.
81+
1. Make sure all fields are reviewed, including the **Terms of Use**. If you agree to the terms of use, you'll be required to check the box to indicate you agree.
82+
83+
![Terms of use](./media/terms-of-use.png "Terms of use")
7284

73-
![Terms of use](./media/terms-of-use.png "Terms of use")
85+
1. Under *Target Data Share Account*, select the Subscription and Resource Group that you'll be deploying your Data Share into.
7486

75-
Under *Target Data Share Account*, select the Subscription and Resource Group that you'll be deploying your Data Share into.
87+
For the **Data Share Account** field, select **Create new** if you don't have an existing Data Share account. Otherwise, select an existing Data Share account that you'd like to accept your data share into.
7688

77-
For the **Data Share Account** field, select **Create new** if you don't have an existing Data Share account. Otherwise, select an existing Data Share account that you'd like to accept your data share into.
89+
For the **Received Share Name** field, you may leave the default specified by the data provide, or specify a new name for the received share.
7890

79-
For the *Received Share Name* field, you may leave the default specified by the Data Provide, or specify a new name for the received share.
91+
![Target data share account](./media/target-data-share.png "Target data share account")
8092

81-
![Target data share account](./media/target-data-share.png "Target data share account")
93+
1. Once you've agreed to the terms of use and specified a location for your share, Select on *Accept and Configure*. A share subscription will be created.
8294

83-
Once you've agreed to the terms of use and specified a location for your share, Select on *Accept and Configure*. If you chose this option, a share subscription will be created and the next screen will ask you to select a target storage account for your data to be copied into.
95+
For snapshot-based sharing, the next screen will ask you to select a target storage account for your data to be copied into.
8496

85-
![Accept options](./media/accept-options.png "Accept options")
97+
![Accept options](./media/accept-options.png "Accept options")
8698

87-
If you prefer to accept the invitation now but configure your storage at a later time, Select *Accept and Configure later*. This option allows you to configure your target storage account later. To continue configuring your storage later, see [how to configure your storage account](how-to-configure-mapping.md) page for detailed steps on how to resume your data share configuration.
99+
If you prefer to accept the invitation now but configure your target data store at a later time, Select *Accept and Configure later*. To continue configuring your storage later, see [configure dataset mappings](how-to-configure-mapping.md) page for detailed steps on how to resume your data share configuration.
88100

89-
If you don't want to accept the invitation, Select *Reject*.
101+
For in-place sharing, see [configure dataset mappings](how-to-configure-mapping.md) page for detailed steps on how to resume your data share configuration.
102+
103+
If you don't want to accept the invitation, Select *Reject*.
90104

91105
## Configure storage
92-
Under *Target Storage Settings*, select the Subscription, Resource group, and storage account that you'd like to receive your data into.
106+
1. Under *Target Storage Settings*, select the Subscription, Resource group, and storage account that you'd like to receive your data into.
93107

94-
![Target storage settings](./media/target-storage-settings.png "Target storage")
108+
![Target storage settings](./media/target-storage-settings.png "Target storage")
95109

96-
To receive regular refreshes of your data, make sure you enable the snapshot settings. Note that you will only see a snapshot setting schedule if your data provider has included it in the data share.
110+
1. To receive regular update of your data, make sure you enable the snapshot settings. Note that you will only see a snapshot setting schedule if your data provider has included it in the data share.
97111

98-
![Snapshot settings](./media/snapshot-settings.png "Snapshot settings")
112+
![Snapshot settings](./media/snapshot-settings.png "Snapshot settings")
99113

100-
Select *Save*.
114+
1. Select *Save*.
101115

102116
> [!IMPORTANT]
103-
> If you are receiving SQL-based data and would like to receive that data into a SQL-based source, visit our [configure a dataset mapping](how-to-configure-mapping.md) how-to guide to learn how to configure a SQL Server as the destination for your dataset.
117+
> If you are receiving SQL-based data and would like to receive that data into a SQL-based source, visit [configure a dataset mapping](how-to-configure-mapping.md) how-to guide to learn how to configure a SQL Server as the destination for your dataset.
104118
105119
## Trigger a snapshot
120+
These steps only apply to snapshot-based sharing.
106121

107-
You can trigger a snapshot in the Received Shares -> Details tab by selecting **Trigger snapshot**. Here, you can trigger a full or incremental snapshot of your data. If it is your first time receiving data from your data provider, select full copy.
108-
109-
![Trigger snapshot](./media/trigger-snapshot.png "Trigger snapshot")
122+
1. You can trigger a snapshot in the Received Shares -> Details tab by selecting **Trigger snapshot**. Here, you can trigger a full or incremental snapshot of your data. If it is your first time receiving data from your data provider, select full copy.
110123

111-
When the last run status is *successful*, open the storage account to view the received data.
124+
![Trigger snapshot](./media/trigger-snapshot.png "Trigger snapshot")
112125

113-
To check which storage account you used, Select on **Datasets**.
126+
1. When the last run status is *successful*, go to target data store to view the received data. Select **Datasets**, and click on the link in the Target Path.
114127

115-
![Consumer datasets](./media/consumer-datasets.png "Consumer dataset mapping")
128+
![Consumer datasets](./media/consumer-datasets.png "Consumer dataset mapping")
116129

117130
## View history
118131
To view a history of your snapshots, navigate to Received Shares -> History. Here you'll find a history of all snapshots that were generated for the past 60 days.
119132

120133
## Next steps
121-
In this tutorial, you learnt how to accept and receive an Azure Data Share. To learn more about Azure Data Share concepts, continue to [Concepts: Azure Data Share Terminology](terminology.md).
134+
In this tutorial, you learned how to accept and receive an Azure Data Share. To learn more about Azure Data Share concepts, continue to [Concepts: Azure Data Share Terminology](terminology.md).
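Review bot: The added step text and the script disagree on the role being granted: the step says to add the Data Share Managed Identity "as a db_owner", but the script below it now grants db_datareader, db_datawriter and db_ddladmin. Update the sentence to name those three roles, otherwise a reader who follows the prose rather than the script will grant db_owner. Smaller points in the same hunk: "specified by the data provide" should read "data provider", "Select on *Accept and Configure*" should drop "on" and the capital, "regular update" should be "regular updates", and *Microsoft.Authorization/role assignments/write* has a space that the other permission names in this file do not.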

‎articles/data-share/supported-data-stores.md

Lines changed: 20 additions & 7 deletions
@@ -24,21 +24,34 @@ The below table details the supported data sources for Azure Data Share.
2424
| Azure Data Lake Storage Gen2 |||
2525
| Azure SQL Database |Public Preview | |
2626
| Azure Synapse Analytics (formerly Azure SQL DW) |Public Preview | |
27-
| Azure Data Explorer | |[Limited preview](https://aka.ms/azuredatasharepreviewsignup) |
27+
| Azure Data Explorer | |Public Preview |
2828

2929
## Data store support matrix
3030

3131
Azure Data Share offers data consumers flexibility when deciding on a data store to accept data in to. For example, data being shared from Azure SQL Database can be received into Azure Data Lake Store Gen2, Azure SQL Database or Azure Synapse Analytics. Customers can choose which format to receive data in when configuring a received data share.
3232

3333
The below table details different combinations and choices that data consumers have when accepting and configuring their data share. For more information on how to configure dataset mappings, see [how to configure dataset mappings](how-to-configure-mapping.md).
3434

35-
| | Azure Blob Storage | Azure SQL Data Lake Gen1 | Azure SQL Data Lake Gen2 | Azure SQL Database | Azure Synapse Analytics
35+
| | Azure Blob Storage | Azure Data Lake Storage Gen1 | Azure Data Lake Storage Gen2 | Azure SQL Database | Azure Synapse Analytics
3636
|:--- |:--- |:--- |:--- |:--- |:--- |
37-
| Azure Blob storage ||||
38-
| Azure Data Lake Storage Gen1 || ||
39-
| Azure Data Lake Storage Gen2 || ||
40-
| Azure SQL Database || ||||
41-
| Azure Synapse Analytics || ||||
37+
| Azure Blob storage ||||
38+
| Azure Data Lake Storage Gen1 || ||
39+
| Azure Data Lake Storage Gen2 || ||
40+
| Azure SQL Database || ||||
41+
| Azure Synapse Analytics (formerly Azure SQL DW) || ||||
42+
43+
## Share from a storage account
44+
Azure Data Share supports sharing of files, folders and file systems from Azure Data Lake Gen1 and Azure Data Lake Gen2. It also supports sharing of blobs, folders and containers from Azure Blob Storage. When folders are shared in snapshot-based sharing, data consumer can can choose to make a full copy of the share data, or leverage incremental snapshot capability to copy only new or updated files. Existing files with the same name will be overwritten.
45+
46+
## Share from a SQL-based source
47+
Azure Data Share supports sharing of tables or views from Azure SQL Database and Azure Synapse Analytics (formerly Azure SQL DW). Data consumer can choose to accept the data into Azure Data Lake Storage Gen2 or Azure Blob Storage as csv or parquet file. Full snapshot overwrites the content of the target file. Alternatively, data consumer can accept the data into a SQL table. If the target SQL table is not available on the data consumer side, Azure Data Share creates the SQL table with the source schema. Full snapshot appends content of the source table to the target SQL table. Incremental snapshot is currently not supported.
48+
49+
## Share from Azure Data Explorer
50+
Azure Data Share supports the ability to share databases in-place from Azure Data Explorer clusters. Data provider can share at the database or cluster level. When shared at database level, data consumer will only be able to access the specific database(s) shared by the data provider. When shared at cluster level, data consumer can access all the databases from the provider's cluster, including any future databases created by the data provider.
51+
52+
To access shared databases, data consumer needs to have its own Azure Data Explorer cluster. Data consumer's Azure Data Explorer cluster needs to locate in the same Azure data center as the data provider's Azure Data Explorer cluster. When sharing relationship is established, Azure Data Share creates a symbolic link between the provider and consumer's Azure Data Explorer clusters.
53+
54+
Azure Data Explorer supports two modes of data ingestion: batch and streaming. Data received from batch in the shared database will appear between a few seconds to a few minutes on the data consumer side. Data received from streaming could take up to 24 hours to appear on the data consumer side.
4255

4356
## Next steps
4457

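Review bot: The cluster-level sharing sentence in the added Azure Data Explorer section says the consumer can access every database on the provider's cluster, "including any future databases created by the data provider", which is a broad grant to mention only in passing. Put it in a note block and point readers to database-level sharing when they mean to share specific databases. Also in this hunk: "data consumer can can choose" repeats a word, "needs to locate in the same Azure data center" should be "needs to be located in", and the SQL section says a full snapshot appends to the target table while the file case overwrites, so it is worth stating whether repeated full snapshots into the same table duplicate rows.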