Extraction of Dynamic Data Masking Recommendations

Question

Extraction of Dynamic Data Masking Recommendations

Trivedi, Hemang 20

We are investigating the Dynamic Data Masking feature of Azure SQL Database (General Purpose, Serverless). We have several hundred recommended fields to mask when we select the Home->Azure SQL -> Db-Name ->Security -> Dynamic Data Masking Option from the Azure portal..

a) How can we extract these recommendations from the Azure Portal to a file?

b) How can we use SQL to directly query the database for these recommendations?

c) We have attempted using the following SQL, but receive an error - Invalid object name sys.recommended_columns

SELECT schema_name(t.schema_id) AS schema_name,

   t.name AS table_name,

   c.name AS column_name,

   r.masking_function

FROM sys.recommended_columns AS r

JOIN sys.columns AS c ON r.column_id = c.column_id AND r.object_id = c.object_id

JOIN sys.tables AS t ON c.object_id = t.object_id

LEFT JOIN sys.masked_columns AS m ON c.column_id = m.column_id AND c.object_id = m.object_id

WHERE m.column_id IS NULL;

Thank you.

Vijayalaxmi Kattimani 3,250 Reputation points Microsoft External Staff Moderator

2024-10-23T18:26:20.4433333+00:00

Hi @Trivedi, Hemang,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

As we understand that, you are trying to mask the sensitive data in order to prevent unauthorized access using Dynamic data masking(DDM) and also trying to extract DDM recommended fields.

I would like to inform you that, In the Dynamic Data Masking configuration page, you may see some database columns that the recommendations engine has flagged for masking. In order to accept the recommendations, just click Add Mask for one or more columns and a mask is created based on the default type for this column. You can change the masking function by clicking on the masking rule and editing the masking field format to a different format of your choice. Be sure to click Save to save your settings.

Currently, the Azure Portal doesn't provide a direct "export to file" option for Dynamic Data Masking recommendations but you can paste them into a file such as Excel or a text document.

To use SQL to directly query the database for the recommendations for Dynamic Data Masking, you can use the sys.masked_columns view to query for table-columns that have a masking function applied to them.

I request you to refer the below mentioned links for more information.

https://learn.microsoft.com/en-us/azure/azure-sql/database/dynamic-data-masking-overview?view=azuresql

https://learn.microsoft.com/en-us/azure/azure-sql/database/dynamic-data-masking-configure-portal?view=azuresql

https://learn.microsoft.com/en-us/sql/relational-databases/security/dynamic-data-masking?view=sql-server-ver16

I hope this information helps. Please do let us know if you have any further queries.
Erland Sommarskog 121.4K Reputation points MVP Volunteer Moderator

2024-10-23T21:49:41.6633333+00:00

Out of curiosity, from where did you get that query with sys.recommended_columns? Or did you make it up yourself?

Keep in mind that while Microsoft can make recommendations, someone with knowledge and understanding of the database is much better equipped to define a masking scheme. Masking several hundred columns appears a little excessive to me.

Also, what do you want achieve with the masking operation? Masking is mainly an aide for the application. Users with access to the database can find tricks to reveal the values of masked data.
Trivedi, Hemang 20 Reputation points

2024-10-24T13:18:26.5366667+00:00

@ Erland Sommarskog

The query on sys.recommended_columns was from a copilot query (link was provided). This was after an internet search that was not successful.

The number of columns to be masked are due to our use case.

We want to ensure masked data is not viewable by a set of users, due to data sensitivity.
Erland Sommarskog 121.4K Reputation points MVP Volunteer Moderator

2024-10-24T20:54:58.3+00:00

The query on sys.recommended_columns was from a copilot query (link was provided). This was after an internet search that was not successful.

Oh well, these AI don't like being without an answer, so rather than saying "I don't know", they gladly make things up. Oh, it's called "hallucinate", but let's take it for what is: Lies.

And with that lesson, are you still inclined to believe in those recommendations?

Sure, you can use that list as a starting point, but you need to scrutinise it carefully. If you follow it slavishly, you may mask column which you don't need to mask - and at the same time miss others.
Trivedi, Hemang 20 Reputation points

2024-10-25T10:59:11.48+00:00

@Erland Sommarskog

Thank you for your suggestion. We completed our due diligence and investigated the copilot query as well as the views the query was accessing. The view was missing from the data dictionary.

We are familiar with hallucinations. The query was investigated keeping in mind that it could be a hallucination. My preference is to investigate all provided solutions and proceed with a solution if viable.

Accepted answer

0 additional answers

Your answer

Vijayalaxmi Kattimani 3,250 Reputation points Microsoft External Staff Moderator

2024-10-23T18:26:20.4433333+00:00

Hi @Trivedi, Hemang,

Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

As we understand that, you are trying to mask the sensitive data in order to prevent unauthorized access using Dynamic data masking(DDM) and also trying to extract DDM recommended fields.

I would like to inform you that, In the Dynamic Data Masking configuration page, you may see some database columns that the recommendations engine has flagged for masking. In order to accept the recommendations, just click Add Mask for one or more columns and a mask is created based on the default type for this column. You can change the masking function by clicking on the masking rule and editing the masking field format to a different format of your choice. Be sure to click Save to save your settings.

Currently, the Azure Portal doesn't provide a direct "export to file" option for Dynamic Data Masking recommendations but you can paste them into a file such as Excel or a text document.

To use SQL to directly query the database for the recommendations for Dynamic Data Masking, you can use the sys.masked_columns view to query for table-columns that have a masking function applied to them.

I request you to refer the below mentioned links for more information.

https://learn.microsoft.com/en-us/azure/azure-sql/database/dynamic-data-masking-overview?view=azuresql

https://learn.microsoft.com/en-us/azure/azure-sql/database/dynamic-data-masking-configure-portal?view=azuresql

https://learn.microsoft.com/en-us/sql/relational-databases/security/dynamic-data-masking?view=sql-server-ver16

I hope this information helps. Please do let us know if you have any further queries.
Erland Sommarskog 121.4K Reputation points MVP Volunteer Moderator

2024-10-23T21:49:41.6633333+00:00

Out of curiosity, from where did you get that query with sys.recommended_columns? Or did you make it up yourself?

Keep in mind that while Microsoft can make recommendations, someone with knowledge and understanding of the database is much better equipped to define a masking scheme. Masking several hundred columns appears a little excessive to me.

Also, what do you want achieve with the masking operation? Masking is mainly an aide for the application. Users with access to the database can find tricks to reveal the values of masked data.
Trivedi, Hemang 20 Reputation points

2024-10-24T13:18:26.5366667+00:00

@ Erland Sommarskog

The query on sys.recommended_columns was from a copilot query (link was provided). This was after an internet search that was not successful.

The number of columns to be masked are due to our use case.

We want to ensure masked data is not viewable by a set of users, due to data sensitivity.
Erland Sommarskog 121.4K Reputation points MVP Volunteer Moderator

2024-10-24T20:54:58.3+00:00

The query on sys.recommended_columns was from a copilot query (link was provided). This was after an internet search that was not successful.

Oh well, these AI don't like being without an answer, so rather than saying "I don't know", they gladly make things up. Oh, it's called "hallucinate", but let's take it for what is: Lies.

And with that lesson, are you still inclined to believe in those recommendations?

Sure, you can use that list as a starting point, but you need to scrutinise it carefully. If you follow it slavishly, you may mask column which you don't need to mask - and at the same time miss others.
Trivedi, Hemang 20 Reputation points

2024-10-25T10:59:11.48+00:00

@Erland Sommarskog

Thank you for your suggestion. We completed our due diligence and investigated the copilot query as well as the views the query was accessing. The view was missing from the data dictionary.

We are familiar with hallucinations. The query was investigated keeping in mind that it could be a hallucination. My preference is to investigate all provided solutions and proceed with a solution if viable.

Answer 1

Erland Sommarskog 121.4K MVP Volunteer Moderator

I looked at this in the portal and it is quite simple. First go through the list and click Add Mask for all of them. Note that the only thing that happens here is that columns are moved to the upper part of the screen. Nothing is saved until you press the Save icon (which you should not.)

One you have done this, place the cursor to the upper left of the table and select all lines. Copy and paste into Excel. Once you are in Excel there are multiple ways to go. What I did was to save the data has a UTF-8 csv file.

Then I created this table:

CREATE TABLE guest.MaskingRecommendations(schema_name sysname NOT NULL,
                                          table_name  sysname NOT NULL,
                                          colum_name  sysname NOT NULL,
                                          mask        nvarchar(200) NOT NULL)

I used the guest schema to separate it from other table, but you can do as you like.

Then I loaded the file with BCP:

bcp guest.MaskingRecommendations in MaskingRules.csv -c -t; -C 65001 -S MyServer.databases.windows.net -d MyDatabase -U MyLogin -P MyPassword

My separator is semicolon, since that is the European standard. Yours may be comma.

On first attempt it failed with a NOT NULL error, because there were blank lines in the Excel file which resulted in lines with only semicolons. I used a text editor to remove these lines, and I was able to load the table.

I'm uncertain about the mask field. I appears that it only says Default value (0, xxxx, 01-01-1900), but maybe that is my database.

You could use the table to generate the ALTER TABLE ALTER COLUMN commands.

You may also prefer to stay in Excel to make a manual review of which columns to mask and how to mask them, and only when you are done load it into the database.

.

Trivedi, Hemang 20 Reputation points

2024-10-25T13:21:54.4333333+00:00

@Erland Sommarskog

I would like to acknowledge your answer to my question part (a) - though @Vijayalaxmi Kattimani suggested a similar solution. We are yet awaiting a conclusive answer to the question part (b) which is more suitable to automation.

I am new to this platform and am unaware whether partial answers are marked as accepted answer - would appreciate some guidance on this.
Erland Sommarskog 121.4K Reputation points MVP Volunteer Moderator

2024-10-25T14:57:31.6133333+00:00

We are yet awaiting a conclusive answer to the question part (b) which is more suitable to automation.

The answer is that you can't. These recommendations are not stored in the database, they are only in the portal.

But if you have a copy of the database in a test environment, you can press Save to have all the recommendations applied, and then you can query sys.masked_columns as Vijayalaxmi suggested. (I note now that Vijayalaxmi also mention the possibility to copy and paste to Excel.)

I am new to this platform and am unaware whether partial answers are marked as accepted answer - would appreciate some guidance on this.

You can only accept one Answer. Vijayalaxmi posted a comment, but I will convert her post to an Answer, so you can select hers if you prefer.
Vijayalaxmi Kattimani 3,250 Reputation points Microsoft External Staff Moderator

2024-10-25T14:58:57.8166667+00:00

Hi @Trivedi, Hemang,

We are yet awaiting a conclusive answer to the question part (b) which is more suitable to automation.

We suggest you to go for the below mentioned SQL query.

SELECT c.name, tbl.name as table_name, c.is_masked, c.masking_function

FROM sys.masked_columns AS c

JOIN sys.tables AS tbl

ON c.[object_id] = tbl.[object_id]

WHERE is_masked = 1;

Note: The query can be modified based on your requirement.

For more information please refer the below mentioned link.

https://learn.microsoft.com/en-us/sql/relational-databases/security/dynamic-data-masking?view=sql-server-ver16#query-for-masked-columns

I hope this information helps. Please do let us know if you have any further queries.

Share via

Extraction of Dynamic Data Masking Recommendations

0 additional answers

Your answer