Dynamic Data Masking

Security is a critical concern for anyone who uses the cloud. Microsoft takes this seriously and operates the Azure Platform with security as a key principle. Microsoft secures data centers and management applications, and provides pay-as-you-go security services. Learn how to take advantage of these security features and services to enable strong security practices in your organization and to protect and secure your own cloud applications.

This course begins by looking at Azure's shared responsibility model before moving on to look at various security topics within Azure: storage security, database security, identity & access management, and networking security. By the end of this course, you should have a basic understanding of all of the key security options and features available in Microsoft Azure.

For any feedback relating to this course, please contact us at

Learning Objectives

  • Understand the shared responsibility model
  • Learn how to secure Azure resources
  • Learn about Azure security services and technologies
  • Learn how to monitor your Azure resources with Azure Security Center

Intended Audience

This course is intended for IT Professionals who need to develop an understanding of the security solutions that are available in Microsoft Azure.


To get the most from this course, you should have a basic understanding of Microsoft Azure and its offerings.


Hello and welcome to Dynamic Data Masking. Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics all support a technology called dynamic data masking. What dynamic data masking does is limit the exposure of sensitive data by masking it for users who shouldn't see it. Dynamic data masking is used to prevent unauthorized access to sensitive data. It allows customers to decide how much sensitive data should be revealed, without any significant impact on the application layer. Dynamic data masking is a policy-based security feature that's used to hide certain sensitive data that's returned as a result of a query of certain database fields. Data masking hides the sensitive data without changing it in the database. 

An example use case for dynamic data masking would be a scenario where a front-line worker at a call center might have to identify the caller by confirming the last four digits of the caller's social security number. In such a scenario, the call center employee doesn't need to see the entire social security number. That being the case, a masking rule can be defined to mask all the social security numbers in the result set of any query made against the database. This allows the customer service rep to perform his or her tasks without having access to more data than is necessary. To set up a dynamic data masking policy, you use the Dynamic Data Masking blade that's found under Security in the SQL Database configuration pane. I should mention, however, that this feature can't be set for a SQL Managed Instance using the Portal. You have to use PowerShell or the REST API.

When you configure a data masking policy, you need to configure several settings. You need to specify SQL users that should be excluded from masking, you need to define the masking rules themselves, and you need to define the masking functions. When you specify SQL users excluded from masking, what you're really doing is defining a set of SQL users or Azure AD identities that are allowed to view the full, unmasked data in SQL query results. I should also point out that users with administrator privileges are always excluded from masking, so they can always see the original data without any masking. The Masking rules that you configure are a set of rules that defines which fields should be masked, along with which masking function should be used. The fields to be masked can be defined using a database schema name, a table name, and a column name. The Masking functions I mentioned are a set of different methods that controls which data is exposed, and under what conditions. The table on your screen shows the different masking functions that are available. To read more about dynamic data masking, visit the URL that you see on your screen.
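
The call-center scenario and the three policy settings described above (masking rules, masking functions, and users excluded from masking), expressed in T-SQL as an added example that is not part of the course material. The table, column, and user names are hypothetical, and the inserted row is constructed sample data.

```sql
-- Masking rule + masking function: defined per column (schema.table.column).
-- partial(prefix, padding, suffix) exposes only the last four SSN characters;
-- email() is one of the built-in masking functions.
CREATE TABLE dbo.Callers (
    CallerId INT IDENTITY(1,1) PRIMARY KEY,
    FullName NVARCHAR(100) NOT NULL,
    SSN      CHAR(11)      MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)') NOT NULL,
    Email    NVARCHAR(100) MASKED WITH (FUNCTION = 'email()') NULL
);

-- Constructed sample row.
INSERT INTO dbo.Callers (FullName, SSN, Email)
VALUES (N'Pat Example', '123-45-6789', N'pat@example.com');

-- Two hypothetical database users: the front-line rep and a user
-- who is excluded from masking.
CREATE USER CallCenterRep WITHOUT LOGIN;
CREATE USER FraudAnalyst  WITHOUT LOGIN;
GRANT SELECT ON dbo.Callers TO CallCenterRep;
GRANT SELECT ON dbo.Callers TO FraudAnalyst;

-- Excluding a user from masking is done by granting UNMASK.
GRANT UNMASK TO FraudAnalyst;

-- Verify as the rep: the same query returns the masked form of SSN and Email.
EXECUTE AS USER = 'CallCenterRep';
SELECT FullName, SSN, Email FROM dbo.Callers;
REVERT;

-- Verify as the excluded user: the original values are returned.
EXECUTE AS USER = 'FraudAnalyst';
SELECT FullName, SSN, Email FROM dbo.Callers;
REVERT;

-- Audit check: list every masked column and the function applied to it.
SELECT OBJECT_SCHEMA_NAME(mc.object_id) AS schema_name,
       OBJECT_NAME(mc.object_id)        AS table_name,
       mc.name                          AS column_name,
       mc.masking_function
FROM sys.masked_columns AS mc
WHERE mc.is_masked = 1;
```

Because masking is applied only to query results and the stored values are unchanged, review who holds UNMASK or administrator privileges as part of any access audit.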

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.