Avoid previewing data in Copy Data activity in ADF before it gets encrypted

Question

Avoid previewing data in Copy Data activity in ADF before it gets encrypted

Marcelo Barbieri 30

As an entry point in an ADF data pipeline, I have a Copy Data activity that gets plain text data from a spreadsheet on a file share and copy it to an Always Encrypted table on an Azure SQL Database. That’s done using a dedicated ADF Managed Identity that has permissions on the Encryption Key stored in the Azure Key Vault. All the remaining steps in the pipeline is executed using an account that doesn’t have access to the encryption key. So, the only problem I have is that data can be previewed in the Source/Linked Service of the initial Copy Data by an Admin user on production.

Any suggestions on how to avoid this security gap?

Is there anywhere else this data could be visualized by an admin user, like logs, execution plans, etc?

thank you very much.

ShaikMaheer-MSFT 38,546 Reputation points Microsoft Employee Moderator

2023-09-07T17:49:05.66+00:00

Hi Marcelo Barbieri, Kindly consider hitting below as Accepted Answer. Accepted answers help community as well. Please let me know if any further queries. Thank you.

3 answers

Your answer

ShaikMaheer-MSFT 38,546 Reputation points Microsoft Employee Moderator

2023-09-07T17:49:05.66+00:00

Hi Marcelo Barbieri, Kindly consider hitting below as Accepted Answer. Accepted answers help community as well. Please let me know if any further queries. Thank you.

Answer 1

ShaikMaheer-MSFT 38,546 Microsoft Employee Moderator

Hi Marcelo Barbieri,

Thank you for posting query in Microsoft Q&A Platform.

If I understand your query correctly, you created a linked service with dedicated ADF Managed Identity which has permissions for encryption Key in Copy activity. And concern is Admin user who opens ADF can click on preview data in copy activity and view the data, how to avoid it? Please correct me if my understanding is wrong.

One way is, you can avoid giving roles for Admin use to open ADF and perform preview data.

Regarding below query,

Is there anywhere else this data could be visualized by an admin user, like logs, execution plans, etc?

Apart from preview data, no other way admin can visualize this data.

Hope this helps. Please let me know any further queries.

Please consider hitting Accept Answer button. Accepted answers help community as well.

Marcelo Barbieri 30 Reputation points

2023-08-25T13:00:28.8633333+00:00

Hi ShaikMaheer,
Thanks for you answer.
I'm not sure if restricting Admin to preview data is going to be possible. There's always going to be someone in IT that will have permission to preview data.
What I'm trying to do is to add an external knowledge factor to the Linked Service via parameters. A value that gets passed in when the pipeline is executed. An user on ADF will not be able to preview the data without knowing the value of the parameter. That's one idea.
ShaikMaheer-MSFT 38,546 Reputation points Microsoft Employee Moderator

2023-08-28T15:48:12.83+00:00

Hi Marcelo Barbieri, That's really good idea. We can parameterize linked service and then use that in dataset. In below video, I discussed how to parameterize linked service.

Parameterize Linked Services in Azure Data Factory

Hope this helps. Please let me know how it goes.

Please consider hitting Accept Answer button. Accepted answers help community as well. Thank you.
Marcelo Barbieri 30 Reputation points

2023-08-30T10:45:17.7+00:00

I have solved this changing the File Share Linked Service from using Azure Key Vault to Password. I have parameterised the password in the Linked Service and Dataset. I added a Web Activity to get the password from the Key Vault and pass it on to the Copy Data Activity in the pipeline at runtime. This way, no users can preview data in the UI experience without providing the password.
ShaikMaheer-MSFT 38,546 Reputation points Microsoft Employee Moderator

2023-08-30T10:49:20.4466667+00:00

Hi Marcelo Barbieri, Glad to know your issue resolved and thank you for sharing your detailed implementation details. Kindly mark this entire chain as accepted answer. Accepted answers help community as well. Please let me know if any further queries. Thank you.

Answer 2

karthi 0

Hello @Marcelo Barbieri , We are also facing similar issue where users should not be allowed to preview data in the UI experience without providing the password. Can you provide us some additional details on your solution approach. Would like to know where does the password validation happens in your approach. Assuming the user is entering the password, wanted to understand how the password will be validated if it's correct or not. Any additional details will be highly appreciated !!

Marcelo Barbieri 30 Reputation points

2024-02-10T19:21:46.7533333+00:00

Hi Karthi, My solution was to create a SQL Login on the Azure SQL Database (external knowledge factor) and store the password in the key vault. Then I used a Web Activity to get the password and pass it to the Copy Activity as a parameter. With this implementation, the only way to preview data on the UI is by providing the password required by the parameter. I hope this can be useful for you, Regards, Marcelo

Answer 3

Marcelo Barbieri 30

My solution was to create a SQL Login on the Azure SQL Database (external knowledge factor) and store the password in the key vault. Then I used a Web Activity to get the password and pass it to the Copy Activity as a parameter. With this implementation, the only way to preview data on the UI is by providing the password required by the parameter.

karthi 0 Reputation points

2024-02-12T06:32:26.93+00:00

My apologies if this was the silly question as i am bit new to ADF concepts. Assuming user is entering the password , just wanted to understand the necessity to store password in the Vault. Is web activity you referred above is comparing the password entered by the user and password in the vault and pass it to the Copy Activity if it succeeds ? In my case, we are integrating with REST API there is API key which needs to be entered by user to preview data on the UI. Hence looking for a way to implement a similar solution as you might have been already implemented.
Marcelo Barbieri 30 Reputation points

2024-02-12T09:04:34.23+00:00

the idea is to introduce a password to the linked service, so users must enter it if they try to preview data. In my case, I’m using the Web Activity to get the password from the key vault because I want to pipeline to be automated, with no user interaction. But, in your case you don’t seem to need it, so no need for the key vault.
karthi 0 Reputation points

2024-02-12T11:01:32.7566667+00:00

Great for answering the basic question and it will help a lot to understand your thought process. In my case , even we wanted to automate the flow but for any reason developer / engineer tries to view the pipeline, we need to prompt to get the password ? Is the solution proposed works for both automation pipeline and during UI data preview ?
karthi 0 Reputation points

2024-02-12T11:07:28.9166667+00:00

Great, Thanks for sharing your thoughts which is helping me a lot. Even for us, we wanted to automate the pipeline and getting API key from the vault will work during scheduled trigger. But at the same time, when developer / engineer wanted to view / edit the pipeline, they should not be allowed to view the data in preview mode and UI prompt to get password will definitely work for our problem. Is the solution proposed by you will work on both the scenarios ?
karthi 0 Reputation points

2024-02-12T12:29:22.8233333+00:00

Hi @Marcelo Barbieri , Based on your valuable feedback, I am able to accomplish the protection of ADF pipeline from both automated pipeline and through UI experience. I will detail the steps shortly which may help others. Thank you very much for the timely feeback.
Marcelo Barbieri 30 Reputation points

2024-02-12T14:42:18.65+00:00

Hi Karthi, brilliant!! I'm very happy to know I was able to help you. Nice one! Tks.

Share via

Avoid previewing data in Copy Data activity in ADF before it gets encrypted

3 answers

Your answer