description: Dynamic data masking (DDM) limits sensitive data exposure by masking it to nonprivileged users for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics.
@@ -23,27 +23,30 @@ Azure SQL Database, SQL database in Microsoft Fabric, Azure SQL Managed Instance
23
23
24
24
Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal effect on the application layer. It's a policy-based security feature that hides the sensitive data in the result set of a query over designated database fields, while the data in the database isn't changed.
25
25
26
-
For example, a service representative at a call center might identify a caller by confirming several characters of their email address, but the complete email address shouldn't be revealed to the service representative. A masking rule can be defined that masks all the email address in the result set of any query. As another example, an appropriate data mask can be defined to protect personal data, so that a developer can query production environments for troubleshooting purposes without violating compliance regulations.
26
+
For example, a service representative at a call center might identify a caller by confirming several characters of their email address, but the complete email address shouldn't be revealed to the service representative. A masking rule can be defined that masks the entire email address in the result set of any query. As another example, an appropriate data mask can be defined to protect personal data, so that a developer can query production environments for troubleshooting purposes without violating compliance regulations.
27
27
28
28
## Dynamic data masking basics
29
29
30
-
For Azure SQL Database, you set up a dynamic data masking policy in the Azure portal by selecting the **Dynamic Data Masking** pane under **Security** in your SQL Database configuration pane.
30
+
For Azure SQL Database, you set up a dynamic data masking policy in the Azure portal by selecting the **Dynamic Data Masking** pane under **Security** in your SQL Database configuration pane.
31
31
32
-
This feature can't be set using the Azure portal for SQL Managed Instance or SQL database in Fabric. Instead, use T-SQL, as in the [Dynamic Data Masking example in this article](#granular-permission-example). For more information, see [Dynamic Data Masking](/sql/relational-databases/security/dynamic-data-masking).
32
+
This feature can't be set using the Azure portal for SQL Managed Instance or SQL database in Fabric. Instead, use Transact-SQL (T-SQL), as in the [Granular permission example](#granular-permission-example) in this article. For more information, see [Dynamic data masking](/sql/relational-databases/security/dynamic-data-masking).
33
33
34
34
### Dynamic data masking policy
35
35
36
-
-**SQL users excluded from masking:** A set of SQL users, which can include identities from Microsoft Entra ID ([formerly Azure Active Directory](/entra/fundamentals/new-name)), that get unmasked data in the SQL query results. Users with administrative rights like server admin, Microsoft Entra admin, and db_owner role can view the original data without any mask. (Note: It also applies to sysadmin role in SQL Server)
36
+
-**SQL users excluded from masking:** A set of SQL users, which can include identities from Microsoft Entra ID, that get unmasked data in the SQL query results. Users with administrative rights like server admin, Microsoft Entra admin, and db_owner role can view the original data without any mask. (Note: It also applies to sysadmin role in SQL Server)
37
+
37
38
-**Masking rules:** A set of rules that define the designated fields to be masked and the masking function that is used. The designated fields can be defined using a database schema name, table name, and column name.
39
+
38
40
-**Masking functions:** A set of methods that control the exposure of data for different scenarios.
39
41
40
-
| Masking function | Masking logic |
41
-
| --- | --- |
42
-
|**Default**|**Full masking according to the data types of the designated fields**<br /><br />* Use `XXXX` (or fewer) if the size of the field is fewer than 4 characters for string data types (**nchar**, **ntext**, **nvarchar**).<br />* Use a zero value for numeric data types (**bigint**, **bit**, **decimal**, **int**, **money**, **numeric**, **smallint**, **smallmoney**, **tinyint**, **float**, **real**).<br />* Use `1900-01-01` for date/time data types (**date**, **datetime2**, **datetime**, **datetimeoffset**, **smalldatetime**, **time**).<br />* For **sql_variant**, the default value of the current type is used.<br />* For XML, the document `<masked />` is used.<br />* Use an empty value for special data types (**timestamp**, **table**, **HierarchyID**, **uniqueidentifier**, **binary**, **image**, **varbinary**, and spatial types). |
43
-
|**Credit card**|**Masking method, which exposes the last four digits of the designated fields** and adds a constant string as a prefix in the form of a credit card.<br /><br />`XXXX-XXXX-XXXX-1234`|
44
-
|**Email**|**Masking method, which exposes the first letter and replaces the domain with XXX.com** using a constant string prefix in the form of an email address.<br /><br />`aXX@XXXX.com`|
45
-
|**Random number**|**Masking method, which generates a random number** according to the selected boundaries and actual data types. If the designated boundaries are equal, then the masking function is a constant number.<br /><br /> :::image type="content" source="media/dynamic-data-masking-overview/random-number.png" alt-text="Screenshot that shows the masking method for generating a random number."::: |
46
-
|**Custom text**|**Masking method, which exposes the first and last characters** and adds a custom padding string in the middle. If the original string is shorter than the exposed prefix and suffix, only the padding string is used.<br /><br />`prefix[padding]suffix`<br /> :::image type="content" source="media/dynamic-data-masking-overview/custom-text.png" alt-text="Screenshot of the navigation pane."::: |
42
+
| Masking function | Masking logic |
43
+
| --- | --- |
44
+
|**Default**|**Full masking according to the data types of the designated fields**<br /><br />*Use `XXXX` (or fewer) if the size of the field is fewer than 4 characters for string data types (**nchar**, **ntext**, **nvarchar**).<br />* Use a zero value for numeric data types (**bigint**, **bit**, **decimal**, **int**, **money**, **numeric**, **smallint**, **smallmoney**, **tinyint**, **float**, **real**).<br />*Use `1900-01-01` for date/time data types (**date**, **datetime2**, **datetime**, **datetimeoffset**, **smalldatetime**, **time**).<br />* For **sql_variant**, the default value of the current type is used.<br />*For XML, the document `<masked />` is used.<br />* Use an empty value for special data types (**timestamp**, **table**, **HierarchyID**, **uniqueidentifier**, **binary**, **image**, **varbinary**, and spatial types). |
45
+
|**Credit card**|**Masking method, which exposes the last four digits of the designated fields** and adds a constant string as a prefix in the form of a credit card.<br /><br />`XXXX-XXXX-XXXX-1234`|
46
+
|**Email**|**Masking method, which exposes the first letter and replaces the domain with XXX.com** using a constant string prefix in the form of an email address.<br /><br />`aXX@XXXX.com`|
47
+
|**Random number**|**Masking method, which generates a random number** according to the selected boundaries and actual data types. If the designated boundaries are equal, then the masking function is a constant number.<br /><br />:::image type="content" source="media/dynamic-data-masking-overview/random-number.png" alt-text="Screenshot that shows the masking method for generating a random number."::: |
48
+
|**Custom text**|**Masking method, which exposes the first and last characters** and adds a custom padding string in the middle. If the original string is shorter than the exposed prefix and suffix, only the padding string is used.<br /><br />`prefix[padding]suffix`<br />:::image type="content" source="media/dynamic-data-masking-overview/custom-text.png" alt-text="Screenshot of the navigation pane."::: |
49
+
|**Datetime**|**Enables granular masking for date/time columns**, namely **datetime**, **datetime2**, **date**, **time**, **datetimeoffset**, and **smalldatetime**. You can mask specific components such as year (`datetime("Y")`), month (`datetime("M")`), day (`datetime("D")`), hour (`datetime("h")`), minute (`datetime("m")`), or second (`datetime("s")`). You apply this function using T-SQL.<br /><br />For example:<br /><br />- Mask year: `ALTER COLUMN BirthDay ADD MASKED WITH (FUNCTION = 'datetime("Y")')`.<br />- Mask month: `ALTER COLUMN BirthDay ADD MASKED WITH (FUNCTION = 'datetime("M")')`.<br />- Mask minute: `ALTER COLUMN BirthDay ADD MASKED WITH (FUNCTION = 'datetime("m")')`. |
47
50
48
51
### Recommended fields to mask
49
52
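Review bot: in the **Default** row of the new table, three bullet markers lost the space after the asterisk (`*Use `XXXX``, `*Use `1900-01-01``, `*For XML`), so those items will render as stray asterisks or italics rather than list items; restore `* Use ...` / `* For ...` to match the remaining bullets in that cell. In the new **Datetime** row, the examples such as `ALTER COLUMN BirthDay ADD MASKED WITH (FUNCTION = 'datetime("Y")')` are fragments, not complete statements; prefix each with `ALTER TABLE <schema>.<table>` (placeholder) so they can be copied and run, and keep the `FUNCTION = '...'` spacing consistent with the `CREATE TABLE` example later in the article.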
@@ -86,7 +89,7 @@ You can use the REST API to programmatically manage data masking policy and rule
86
89
87
90
## Permissions
88
91
89
-
These are the built-in roles to configure dynamic data masking is:
92
+
You can configure dynamic data masking with the following built-in roles:
-[SQL DB Contributor](/azure/role-based-access-control/built-in-roles#sql-db-contributor)
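Review bot: the reworded sentence `You can configure dynamic data masking with the following built-in roles:` is followed directly by `-[SQL DB Contributor](...)` with no blank line before it and no space after the hyphen, so the roles will not render as a bulleted list; add a blank line after the sentence and write the items as `- [SQL DB Contributor](...)`.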
@@ -110,7 +113,7 @@ To learn more about permissions when using dynamic data masking with T-SQL comma
110
113
111
114
## Granular permission example
112
115
113
-
Prevent unauthorized access to sensitive data and gain control by masking it to an unauthorized user at different levels of the database. You can grant or revoke UNMASK permissions at the database-level, schema-level, table-level or at the column-level to any database user or role. Combined with Microsoft Entra authentication, UNMASK permissions can be managed for users, groups, and applications maintained within your Azure environment. The UNMASK permission provides a granular way to control and limit unauthorized access to data stored in the database and improve data security management.
116
+
Prevent unauthorized access to sensitive data and gain control by masking it to an unauthorized user at different levels of the database. You can grant or revoke `UNMASK` permissions at the database-level, schema-level, table-level or at the column-level to any database user or role. Combined with Microsoft Entra authentication, `UNMASK` permissions can be managed for users, groups, and applications maintained within your Azure environment. The `UNMASK` permission provides a granular way to control and limit unauthorized access to data stored in the database and improve data security management.
114
117
115
118
1. Create schema to contain user tables:
116
119
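Review bot: formatting `UNMASK` as code is the right change, but the same sentence still hyphenates `database-level, schema-level, table-level or at the column-level` where the words are nouns, and it lacks the serial comma; write `at the database, schema, table, or column level` so the sentence matches the style used elsewhere in the article.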
@@ -122,12 +125,13 @@ Prevent unauthorized access to sensitive data and gain control by masking it to
122
125
1. Create table with masked columns:
123
126
124
127
```sql
125
-
CREATETABLEData.Membership (
126
-
MemberID INT IDENTITY(1, 1) NOT NULL,
127
-
FirstName VARCHAR(100) MASKED WITH (FUNCTION ='partial(1, "xxxxx", 1)') NULL,
128
-
LastName VARCHAR(100) NOT NULL,
129
-
Phone VARCHAR(12) MASKED WITH (FUNCTION ='default()') NULL,
130
-
Email VARCHAR(100) MASKED WITH (FUNCTION ='email()') NOT NULL,
128
+
CREATETABLEData.Membership
129
+
(
130
+
MemberID INT IDENTITY (1, 1) NOT NULL,
131
+
FirstName VARCHAR (100) MASKED WITH (FUNCTION ='partial(1, "xxxxx", 1)') NULL,
132
+
LastName VARCHAR (100) NOT NULL,
133
+
Phone VARCHAR (12) MASKED WITH (FUNCTION ='default()') NULL,
134
+
Email VARCHAR (100) MASKED WITH (FUNCTION ='email()') NOT NULL,
131
135
DiscountCode SMALLINT MASKED WITH (FUNCTION ='random(1, 100)') NULL,
132
136
BirthDay DATETIME MASKED WITH (FUNCTION ='default()') NULL
133
137
);
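Review bot: as rendered, both the removed and the added versions of the statement read `CREATETABLEData.Membership` and `FUNCTION ='partial(1, "xxxxx", 1)'`, i.e. whitespace is collapsed around `CREATE TABLE` and `=`; confirm the committed source has `CREATE TABLE Data.Membership` and `FUNCTION = 'partial(1, "xxxxx", 1)'`, since readers are expected to paste and run this block. The reformatting also introduces a space in `VARCHAR (100)` and `IDENTITY (1, 1)` while the unchanged `DiscountCode SMALLINT` and `BirthDay DATETIME` lines keep the original spacing, so the block now mixes two styles; pick one. Since this change also documents the new `datetime()` masking function, the `BirthDay DATETIME MASKED WITH (FUNCTION ='default()')` line is the natural place to show it, for example `FUNCTION = 'datetime("Y")'`, so the granular example and the function table stay in step.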
@@ -137,11 +141,10 @@ Prevent unauthorized access to sensitive data and gain control by masking it to