Authentication

Ayush 20 Reputation points
2024-05-22T23:50:34.7466667+00:00

I need to load highly sensitive data into Azure SQL Database using Azure Data Factory. Which authentication types in Linked Service provide the highest level of security?

Azure Data Factory
Azure Data Factory
An Azure service for ingesting, preparing, and transforming data at scale.
9,914 questions
{count} votes

Accepted answer
  1. Harishga 5,110 Reputation points Microsoft Vendor
    2024-05-23T00:42:46.9166667+00:00

    Hi @Ayush
    Welcome to Microsoft Q&A platform and thanks for posting your question here.

    To address your concerns about the security of loading highly sensitive data into Azure SQL Database using Azure Data Factory (ADF), I recommend the following approach to ensure maximum security:

    Authentication:

    • Azure Active Directory (Azure AD) with Managed Identity: This is the recommended approach for high security. It eliminates the need to store credentials in ADF. ADF retrieves credentials through a managed identity assigned to it, granting access based on Azure AD roles. Only authorized users with access to the managed identity can trigger data pipelines.
    • System-assigned Managed Identity: This identity is linked to the lifecycle of the service instance. When the resource is deleted, Azure automatically deletes the identity.
    • User-assigned Managed Identity: This identity is managed separately from the resources that use it. You can create a user-assigned managed identity and assign it to one or more instances of a data factory.

    Additional Security Measures:

    Azure Key Vault: Store connection strings and other secrets used by ADF in Azure Key Vault. Key Vault provides secure storage with access control using Azure AD identities. ADF can access secrets securely using managed identity or a service principal with access to the Key Vault.

    Data Encryption: Encrypt data at rest in Azure SQL Database using Transparent Data Encryption (TDE). This encrypts the entire database with a customer-managed key stored in Azure Key Vault.

    Network Security Groups (NSGs): Use NSGs to restrict access to the Azure SQL Database to specific IP addresses or Azure Virtual Networks. This ensures only authorized sources can access the database.

    Minimize Permissions: Grant the absolute minimum permissions in Azure AD roles for users interacting with ADF and the database.

    Service Principal: This is another type of authentication that can be used in ADF.

    By combining these techniques, you can significantly enhance the security of your sensitive data transfer using ADF.

    Reference:
    https://learn.microsoft.com/en-us/azure/data-factory/data-factory-service-identity
    https://learn.microsoft.com/en-us/azure/data-factory/data-factory-service-identity
    https://learn.microsoft.com/en-us/azure/data-factory/credentials?tabs=data-factory
    Hope this helps. Do let us know if you any further queries.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Nandan Hegde 30,081 Reputation points MVP
    2024-05-23T02:56:05.06+00:00

    Adding on top of Harshiga, the decision depends on 1 important factor: whether your Azure SQL database and ADF are in the same tenant or not?

    In case if both are in the same tenant, Managed Identity authentication is the best and most secure way of authenticating as stated at the top.

    But in case if both are in diff tenants, Managed Identity authentication wont work.

    The best way then would be to use Service principal authentication over SQL authentication.

    Always better to have some AD form of authentication rather than a blind user name/pwd like SQL auth as much as possible

    1 person found this answer helpful.
    0 comments No comments