Applies to:
Azure SQL Database
This article shows you how to implement dynamic data masking with the Azure portal. You can also implement dynamic data masking using Azure SQL Database PowerShell cmdlets or the REST API.
Note
This feature cannot be set using the Azure portal for Azure SQL Managed Instance (use PowerShell or REST API). For more information, see Dynamic Data Masking.
Enable dynamic data masking
Launch the Azure portal at https://portal.azure.com.
Go to your database resource in the Azure portal.
Under the Security section, select Dynamic Data Masking.
In the Dynamic Data Masking configuration page, you might see some database columns that the recommendations engine has flagged for masking. To accept the recommendations, select Add Mask for one or more columns, and a mask is created based on the default type for this column. You can change the masking function by selecting the masking rule and editing the masking field format to a different format of your choice. Select Save to save your settings. In the following screenshot, you can see recommended dynamic data masks for the sample AdventureWorksLT database.
To add a mask for any column in your database, at the top of the Dynamic Data Masking configuration page, select Add Mask to open the Add Masking Rule configuration page.
Select the Schema, Table and Column to define the designated field for masking.
Select how to mask from the list of sensitive data masking categories.
Select Add in the data masking rule page to update the set of masking rules in the dynamic data masking policy.
Type the SQL authenticated users or authenticated identities from Microsoft Entra ID (formerly Azure Active Directory) that should be excluded from masking, and have access to the unmasked sensitive data. This should be a semicolon-separated list of users. Users with administrator privileges always have access to the original unmasked data.
Tip
To let the application layer display sensitive data for application privileged users, add the SQL user or Microsoft Entra identity the application uses to query the database. It is highly recommended that this list contain a minimal number of privileged users to minimize exposure of the sensitive data.
Select Save in the data masking configuration page to save the new or updated masking policy.
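The same procedure with the Azure SQL Database PowerShell cmdlets mentioned at the top of this article, as an added example that is not part of the original page. It assumes the Az.Sql module and a signed-in session; the resource group, server, excluded user and review threshold are placeholders, and the masked column is SalesLT.Customer.EmailAddress from the AdventureWorksLT sample.

```powershell
# Added example: enable dynamic data masking, add one rule, then review the result.
# Placeholder values below are assumptions; replace them with your own.
$target = @{
    ResourceGroupName = 'rg-example'        # placeholder
    ServerName        = 'sql-example'       # placeholder logical server name
    DatabaseName      = 'AdventureWorksLT'  # sample database named in this article
}

# Semicolon-separated exclusion list, the same format the portal field expects.
$privilegedUsers = 'app_reader'             # placeholder application identity
$maxPrivileged   = 2                        # local review threshold (assumption)

# Designated field for masking: schema, table and column.
$column = @{
    SchemaName = 'SalesLT'
    TableName  = 'Customer'
    ColumnName = 'EmailAddress'
}

# Turn the masking policy on and set the users excluded from masking.
Set-AzSqlDatabaseDataMaskingPolicy @target -DataMaskingState 'Enabled' `
    -PrivilegedUsers $privilegedUsers

# New-AzSqlDatabaseDataMaskingRule fails if the column already has a rule,
# so update the existing rule in that case.
$existing = Get-AzSqlDatabaseDataMaskingRule @target | Where-Object {
    $_.SchemaName -eq $column.SchemaName -and
    $_.TableName  -eq $column.TableName  -and
    $_.ColumnName -eq $column.ColumnName
}
if ($existing) {
    Set-AzSqlDatabaseDataMaskingRule @target @column -MaskingFunction 'Email'
} else {
    New-AzSqlDatabaseDataMaskingRule @target @column -MaskingFunction 'Email'
}

# Review: the policy must be enabled and the exclusion list kept minimal.
$policy   = Get-AzSqlDatabaseDataMaskingPolicy @target
$excluded = @($policy.PrivilegedUsers -split ';' |
    ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($policy.DataMaskingState -ne 'Enabled') {
    throw "Dynamic data masking is not enabled on $($target.DatabaseName)."
}
if ($excluded.Count -gt $maxPrivileged) {
    Write-Warning "Excluded from masking ($($excluded.Count)): $($excluded -join ', ')"
}
Get-AzSqlDatabaseDataMaskingRule @target |
    Format-Table SchemaName, TableName, ColumnName, MaskingFunction
```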