A quick post about a problem I encountered after deploying an Azure Traffic Manager with three endpoints consisting of three websites running in Azure App Services. Initially, everything worked smoothly, but a few days after deployment, I started encountering an error.
When accessing the traffic manager url, I received the message below.
Message: 404 Web Site not found. You may be seeing this error due to one of the reasons listed below: – Custom domain has not been configured inside Azure. – Client cache is still pointing the domain to the old IP address. Clear the cache by running the command ipconfig/flushdns.
Traffic manager also showed a monitor status of Degraded as shown in the image below
However, I was able to access each app service url directly without an issue and the web page would load successfully. The above error only appeared when accessing the traffic manager url.
Resolution I was originally using standard app service plans which support custom domains. My Azure App Service Plan had the traffic manager domain configured as shown in the image below.
When investigating, I found that the error was due to my app service plans being downgraded to the shared tier, which does not allow the use of custom domains.
Upgrading to a plan which allows custom domains resolved the issue.
Join us for the AI (Artificial Intelligence) Skills Fest event happening today, April 8th 2025, where Microsoft aim to set a new Guinness World Record™ for the number of people trained on AI in a 24 hour period!
Why You Should Join
Around the Clock Learning: Participate at any time that suits you with learning opportunities available 24/7.
Earn a Badge: Participants will earn a badge to showcase their achievement and be part of history. Available today only (8th April 2025).
50 Days of Discovery: Continue your AI skilling journey after the 8th of April 2025 with 50 days of discovery and learning.
Free Registration: Yes, you read that right! Register for FREE and be part of this groundbreaking event.
How to Participate in the Guinness World Record™ attempt
Explore sessions: Click Explore event located towards the top of the page (as shown in the image below), or click the following link, AI Skills Fest Events
Take part in 1 or more 45 minute sessions TODAY Tuesday 8th April.
4. Confirm Your Participation: Scan the QR code at the end of the session to contribute towards the global Microsoft effort and become a Guinness World Record™ holder yourself! The presenter will display a QR code for you to scan at the end of the session.
5. Claim Your Badge: Don’t forget to claim your badge! 🥳
6. Share your success: Post your milestone with hashtag #AISkillsFest
What happens after the 8th April 2025?
Continue Learning with 50 days of FREE AI learning!
Join the Microsoft AI Skills Challenge and WIN a FREE exam voucher and cash prizes. This is a 50 day gamified learning to sharpen your AI skills and compete globally. Learn more and get started at https://aka.ms/aiskillfest/challengeofficialrules. The page includes a list of FAQ’s.
Spread the Word
Help us make history by sharing this event with your friends, colleagues, and followers. Together, we can achieve something truly remarkable.
In this post, I explore Microsoft Purview roles and scopes.
As we know from the previous posts, Microsoft Purview offers a robust data governance and compliance solution, enabling organisations to manage sensitive information across multiple platforms. Given the highly sensitive nature of the data within Microsoft Purview, it is crucial to restrict access to authorised individuals only. To ensure that access is granted to the right individuals, Microsoft Purview leverages Role Based Access Control (RBAC), which allows for more precise control over who can access specific solutions and datasets.
Please note that holding a Compliance Admin or even a Global Admin role may not grant access to highly confidential data. Additional roles may need to be assigned to manage specific areas within Microsoft Purview. Furthermore, granting highly privileged roles to admins does not follow best practices and the principle of least privilege. We should always assign just enough permissions for the admin to perform their duties.
Let’s explore roles and scopes further.
Access purview.microsoft.com, click Settings, and click to expand Roles and scopes from the left pane.
2. The first two options available under Roles and scopes are Microsoft Entra ID and Role groups.
Microsoft Entra ID roles, visible within Entra ID at entra.microsoft.com, include over 100 built in roles that serve various administrative functions. In the Microsoft Purview Portal, however, only 9 specific Entra ID roles are listed, each capable of performing tasks related to compliance and governance in Microsoft Purview. These roles, when assigned or if already assigned to users, grant them permissions to access and perform specific tasks within Microsoft Purview. Therefore, if you’re assigned one of these roles via Entra ID, you will have certain permissions inside Microsoft Purview depending on the role assigned. However, this does not mean you have full control to Microsoft Purview, as additional Purview roles need to be assigned to perform specific tasks.
For example, to view Role Groups (under the option Entra ID) in the Purview portal, users need to have the Global Administrator role assigned. If you’re already a Global Admin, you’ll automatically have access to view and manage users within Role Groups in Microsoft Purview.
However, assigning such a powerful role (Global Administrator) might not always be ideal, as it provides extensive permissions beyond just viewing Role Groups in Entra ID. To address this, there is a more targeted Microsoft Purview role available under Role Groups, the Role Management role. This role enables users to view, create, and modify Role Groups and much more inside Microsoft Purview without granting the broad permissions associated with a Global Admin, which has significant control over your environment.
But what is the purpose of Role Groups? Role groups in Microsoft Purview are specific to data governance and compliance tasks within Purview itself. These groups allow you to manage user permissions for accessing and performing tasks in Purview, like working with policies or data classifications. Essentially, Entra ID roles control broader administrative access, while the 65 built in Role Groups target Purview specific permissions. Apart from the one Entra ID role (Global Administrator), the remaining 8 Entra ID roles can also be located inside Role Groups.
Why is it called a Role Group? Because it’s a group of roles. Let’s take Organization Management as an example.
3. If I click on the Organization Management role group, I see a number of roles included as part of this role group.
The image above displays a list of roles in the Organization Management group.
4. Click Edit to add members to this group.
5. From here, we can add members to this role group and click next to complete.
6. But what if one of the role groups was ideal for you, but you wanted to remove some roles or slightly tweak the role group to fulfil your requirements? You can clone the role by clicking “Copy” and configure it as needed.
7. Give the role group a suitable name and click Copy.
8. Locate the custom role group you created from the list, open it, and click Edit. You can then remove any unwanted roles as needed.
9. What if you wanted to create a role group and add the required roles from scratch? Click Role groups located under Roles and scopes, and click + Create role group as shown in the images below.
Important note: It’s crucial to assign the right permissions following the principle of least privilege, ensuring that users managing Purview have only the permissions necessary to perform their job functions. Over provisioning permissions can increase the attack surface and lead to excessive control in the event the account is compromised by a bad actor.
Finally, we come to Adaptive scopes.
Adaptive Scopes
What are Adaptive Scopes?
When you create retention and communication compliance policies (more on these policies later) in Microsoft Purview, you can add an adaptive scope for your policy. But, what’s the benefit? An adaptive scope allows you to create policies that automatically adjust to include or exclude data based on a specific criteria. This helps ensure that the right policies are applied to the right data without needing constant manual updates. For, example, you want to create a retention policy that ensures all documents related to financial transactions are retained for 7 years, regardless of where the data is stored. You can create and assign an adaptive scope based on queries, such as if the user’s country is the US. The retention policy will retain data for the specified number of years in the US only. If the requirement for retention in the UK is different, you could create a retention policy to retain data for 10 years and assign the adaptive scope including a query based on UK users. An adaptive scope reduces the management overhead.
Adaptive scopes are similar to dynamic groups in Entra ID but offer more and work with specific Purview policies, which will be covered later. To summarise, an adaptive scope is a scope that is dynamically filled based on a query you configure.
Adaptive scopes can also be applied to SharePoint site names and URL’s, OneDrive, Teams messages and more. See image below for a list. Source: Adaptive scopes | Microsoft Learn
Let’s go through the steps
Navigate to the Microsoft Purview portal and click on Adaptive scopes.
2. Click on Create scope to start creating a new adaptive scope
3. Enter a name for your adaptive scope. For example, you want to create an adaptive scope for your finance team. You can later create a retention policy to store data for the finance team for 7 years and assign this adaptive scope to the policy. Microsoft Purview will look for individuals in the finance team with a specific attribute, which we will configure shortly.
Click Next to proceed
4. The next page allows you to assign an admin unit you may have created in Entra ID. You don’t have to select admin units and could click Next to move to the next page, but it’s worth knowing why you would want to use an admin unit.
Explanation of Admin Units Admin units provide the ability to assign admins to one or more administrative units, with the result that these now restricted admins can manage only the users in their assigned administrative units. For example, a university may have thousands of student user accounts located in Entra ID. You need to split support responsibility amongst three IT teams. IT Team A are responsible for taking support calls from the Law students. IT Team A have the needed permissions to manage Law student user accounts. Team B will only manage Medicine students and Team C will only manage Engineering students. Admin units allow us to split responsibility between the IT teams.
This boundary of management flows into Microsoft Purview for supported solutions to ensure that restricted admins can manage only the users they have been assigned to manage.
For example, let’s take IT team A who manage and support Law students. IT team A only have the permissions to manage Law student user accounts. We create a new adaptive scope for Law students and select the administrative unitnamed Law Students. Then, because we want the adaptive scope to include only Law students, we use the department attribute to specify Department = Faculty of Law. If we misconfigure this attribute and instead specify, Department = Faculty of Art, but the users with that value aren’t included in the Law studentsadministrative unit, the scope won’t contain any users. The target users can be Law students only. You can learn more about administrative units at the following Microsoft Learn link, Administrative units in Microsoft Entra ID – Microsoft Entra ID | Microsoft Learn.
In this demo, I won’t be assigning an admin unit. Click Next
5. On the scope type page, we can select the scope. Here we can scope the adaptive scope to users, SharePoint sites or Microsoft 365 groups.
6. I’ll select SharePoint sites and click Next.
7. This is where we can build a query. For example, these attributes can be used in our policy to apply a retention policy of 7 years if the SharePoint URL or name starts with “finance”.
8. Here is an example query
Query: Site URL starts with finance
and here is my SharePoint page starting with finance in the URL.
You can also add additional queries if required
You can also add custom attributes if needed
You can also use a different condition if you don’t wish to use “starts with”
9. Now, when I apply the adaptive scope to a policy, it will only apply the policy to SharePoint sites starting with Finance.
We can also create an adaptive scope for users, SharePoint site or Microsoft 365 Groups. Images below.
User attributes available for users
Microsoft 365 Groups
Attributes available for Microsoft 365 Group
That’s it for roles and scopes.
I hope this post was useful.
Stay tuned for further blog posts where we explore the different solutions available in Microsoft Purview.
In this short post, I will cover how to access Azure Cloud Shell locally from your Windows device. This will allow you to run Cloud Shell commands locally instead of using the Cloud Shell in the Azure portal.
Download Windows Terminal from the Windows store if not already installed on your device.
Note: The Azure Cloud Shell is integrated into Windows Terminal and can be downloaded and installed on your laptop. Windows Terminal is available in all versions of Windows 11 and versions of Windows 10 22H2 after the installation of the May 23, 2023 update, KB5026435.
If you don’t have access to the Microsoft Store or Windows Terminal is not already installed on your device, the builds are published on the GitHub releases page. However, if you download from GitHub, Windows Terminal will not automatically update with new versions. You will have to update it yourself when there is a new release.
Search for and launch PowerShell from your start menu
3. Click the arrow next to the + tab and click Azure Cloud Shell, as shown in the image below.
Welcome to part 2 of this Microsoft Purview blog post series. If you missed part 1, please do check it out at the following link, Introduction to Microsoft Purview – Part 1 – Cloud Build. In this post, we will explore the Microsoft Purview portal, exploring its features and functionalities. By the end of this article, you will have an understanding of how to navigate the Microsoft Purview portal.
Now that you have a basic understanding of what Microsoft Purview offers, let’s familiarise ourselves with the Microsoft Purview portal.
If you have recently accessed the compliance portal, you may be aware that the legacy portal has been deprecated and is gradually being retired. Accessing the legacy portal at compliance.microsoft.com will remind you that the old portal has been retired, and you’ll be redirected to the new portal, as shown in the image below.
The new Microsoft Purview portal The new Purview portal offers a single pane of glass view as it brings together data governance, data security, and compliance solutions to help you quickly discover and protect data stored across platforms and apps including Microsoft 365, Microsoft Azure, Amazon Web Services, and more.
The new portal is designed to make securing and governing your data easy and efficient. It has a refreshed design that provides a consistent look and feel and simplified navigation into Microsoft Purview solutions.
The Microsoft Purview portal provides access to data governance, data security, and risk and compliance solutions all from the one place. I briefly covered these three pillars in the first part of this blog series, so please do check it out.
Throughout this series, I’ll be accessing the new Microsoft Purview portal via purview.microsoft.com
Let’s get started and familiarise ourselves with the new portal before we dive into the various Microsoft Purview offerings in further posts.
A Welcome to the new Microsoft Purview portal window appears. The new Microsoft Purview portal will gradually become the default portal over time.
3. I commence by clicking the check box, I agree to the terms of data flow disclosure and privacy statements, and then click get started.
4. I am redirected to the new Microsoft Purview portal
5. Towards the top, there is an automated rotating slider which includes different messages. The first message informs me that Purview supports platforms such as Microsoft 365, Microsoft Azure, Microsoft Fabric and more.
6. As I scroll down the page, I see a few of the popular solutions listed including Data Catalog, Information Protection, Data Loss Prevention, Insider Risk Management and I can click view all solutions to view more. I’ll cover some of these solutions in further posts in this blog series.
7. Below solutions, I see featured insights. The stats below show Microsoft 365 as a top platform. These insights also show which platforms store the most data, in my case I only have Microsoft 365 in my demo environment. This currently includes data in Microsoft 365 such as unstructured data like documents, emails, and other content.
8. Towards the right in the image above, I see Top 3 sensitive info types by platform. This is based on sensitive information detected in my demo content. Microsoft Purview has automatically located this data in my Microsoft 365 platform and listed it in the portal. I’ll cover sensitive info types in a later blog post as part of this series.
9. As I scroll down, I get to compliance posture status. It’s empty at the moment as I have only started to use Microsoft Purview in this demo environment. This score measures your progress in completing recommended improvement actions. Your score can help you understand your current compliance posture and it can also help you prioritise actions based on their potential to reduce risk.
10. Further down we have the trials and recommendations area from where you can view the different products and give them a trial to improve your experience. Click view all trials and recommendations to access more.
11. Finally, towards the bottom of the page we have Knowledge Center where you can learn more about Purview via free videos and Microsoft Learn content. Click the link Go to Knowledge Center to view more useful content.
12. Let’s continue to explore the portal for now. We’ll revisit the configuration options and features in later posts.
13. I’ll start with clicking settings located in the left pane.
14. The account overview page shows a free version of Microsoft Purview as shown in the image below. The free version is an automatically available instance, ready for your users without needing to set it up. It allows your organisation to try Microsoft Purview’s basic capabilities and begin your governance journey.
I already have access to Microsoft 365 E5 licenses so I should be able to continue with this blog series but let’s see how we get on as we make progress. Microsoft 365 E5 is an enterprise level cloud based license that combines best in class productivity apps with advanced security, compliance, and analytical capabilities. For more information on what features are included in Microsoft 365 E5, visit the following Microsoft Learn link, Microsoft 365 E5 | Advanced Security 365 | Microsoft.
15. Clicking the upgrade account button allows me to upgrade to the enterprise version. I won’t be upgrading just yet.
16. You’ll also see the option to upgrade to the enterprise version via an icon on the overview page as shown in the image below.
17. Back to the Purview portal, I see several options in the left pane including roles and scopes, data connectors and more. I’ll cover roles and scopes in the next post.
18. Under solution settings, a list of the different Purview solutions are visible.
19. To view all available solutions go back to the home page and click Solutions from the left pane.
I will cover most of the above solutions in later posts.
For now, please explore to get yourself familiar with the Microsoft Purview portal.
![Microsoftaiskillsfestgwrattemptbadge[full]](https://cloudbuild.co.uk/wp-content/uploads/2025/04/MicrosoftAISkillsFestGWRAttemptBadgefull.png)
