Azure SQL Dynamic Data Masking for Group

Rob Head 26 Reputation points
2023-01-06T08:41:04.383+00:00

Hoping someone can answer what may be a very simple question.

We are looking to set up Dynamic Data Masking across our AzureSQL databases based on specific groups, i.e. if you are in specific groups data will not be masked, otherwise it will be. The release documentation for DDDM suggests that AzureAD groups are supported, but all the recent documentation suggests that we need to add specific users and does not refer to groups at all. Surely this cannot be right? Can anyone confirm if it is possible to use AzureAD groups to exclude from DDDM in AzureAD?

Also, the documentation states that administrators will be excluded from DDDM. While this makes logical sense, it does not define what it means by an Administrator in the context of AzureSQL. Are we talking about the sysadmin role, or other privileged roles, and if so, which ones? Is anyone able to bring some clarity to this please?

Many thanks for your help.

Rob


Accepted answer
  1. Madhumita Tripathy 81 Reputation points Microsoft Employee
    2023-01-09T19:25:14.827+00:00

    Hi @Rob Head ,

    UNMASK permission in Dynamic Data Masking can be granted to AzureAD groups. sysadmin and db_owner roles are the privileged roles through which a user could see masked data in its original form if desired. (Note: In Azure SQL it applies to both Server admin and AAD Admin)

    Could you please point us to the release documentation that you are referring to?

    Thanks Madhu

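As an added illustration of the accepted answer (and of the later note that CONTROL bypasses masking), not code from the thread or from Microsoft's docs: a T-SQL script that masks columns on a constructed table, grants UNMASK to an Azure AD group (the group name `Finance-Analysts` is a placeholder), and then lists who can see unmasked data, including db_owner members and CONTROL holders.

```sql
-- Constructed sample table with three masked columns (not from the thread).
CREATE TABLE dbo.Customers (
    CustomerId  INT IDENTITY PRIMARY KEY,
    FullName    NVARCHAR(100),
    Email       NVARCHAR(256) MASKED WITH (FUNCTION = 'email()'),
    Phone       VARCHAR(20)   MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)'),
    CreditLimit MONEY         MASKED WITH (FUNCTION = 'random(1, 100)')
);

-- Contained database user mapped to an Azure AD group.
-- [Finance-Analysts] is a placeholder for the real group display name.
CREATE USER [Finance-Analysts] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [Finance-Analysts];

-- Database-wide UNMASK for every member of the group.
GRANT UNMASK TO [Finance-Analysts];
-- Narrower alternative on newer Azure SQL / SQL Server 2022 (granular UNMASK):
-- GRANT UNMASK ON dbo.Customers(Email) TO [Finance-Analysts];

-- Check 1: which columns are actually masked, and how.
SELECT t.name AS table_name, c.name AS column_name, c.masking_function
FROM sys.masked_columns AS c
JOIN sys.tables AS t ON c.[object_id] = t.[object_id]
WHERE c.is_masked = 1;

-- Check 2: principals that see unmasked data via explicit permission.
-- EXTERNAL_GROUP rows are Azure AD groups; CONTROL on the database also
-- implies UNMASK, so it is listed alongside.
SELECT p.name, p.type_desc, dp.permission_name, dp.class_desc, dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS p ON dp.grantee_principal_id = p.principal_id
WHERE dp.permission_name IN ('UNMASK', 'CONTROL')
  AND dp.state_desc = 'GRANT';

-- Check 3: db_owner members bypass masking regardless of UNMASK grants,
-- so review this list together with the server admin / AAD admin settings.
SELECT m.name AS member_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals AS m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'db_owner';

-- To re-mask the group later, revoke the grant.
-- REVOKE UNMASK FROM [Finance-Analysts];
```

Members of the group need to connect with Azure AD authentication for the group mapping to apply; a SQL login is never a member of an EXTERNAL_GROUP principal.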

3 additional answers

  1. Rob Head 26 Reputation points
    2023-01-10T15:04:26.573+00:00

    @Madhumita Tripathy Thank you very much for your response, this is very reassuring.

    The documentation I refer to is https://learn.microsoft.com/en-us/azure/azure-sql/database/dynamic-data-masking-overview?view=azuresql. It would be really helpful if this documentation could be updated to show that groups and not just users are supported and clarify what is meant by 'Administrators'.

    Thanks again.


  2. Madhumita Tripathy 81 Reputation points Microsoft Employee
    2023-01-10T15:38:53.84+00:00

    Sure. I have updated the docs regarding permissions and will also add some example queries for Azure AD Group. Thanks for your suggestions. This will bring clarity.


  3. Madhumita Tripathy 81 Reputation points Microsoft Employee
    2023-01-10T16:10:59.327+00:00

    Additionally, in the case of SQL Server, any user who is granted CONTROL SERVER, or CONTROL in the database context, could derive authorization to view unmasked data. Thanks.
