SQL information protection policy in Microsoft Defender for Cloud

SQL information protection's data discovery and classification mechanism provides advanced capabilities for discovering, classifying, labeling, and reporting the sensitive data in your databases. It's built into Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics.

The classification mechanism is based on the following two elements:

  • Labels – The main classification attributes, used to define the sensitivity level of the data stored in the column.
  • Information Types – Provides additional granularity into the type of data stored in the column.

The information protection policy options within Defender for Cloud provide a predefined set of labels and information types that serve as the defaults for the classification engine. You can customize the policy, according to your organization's needs, as described below.

The page showing your SQL information protection policy.

How do I access the SQL information protection policy?

There are three ways to access the information protection policy:

  • (Recommended) From the Environment settings page of Defender for Cloud
  • From the security recommendation Sensitive data in your SQL databases should be classified
  • From the Azure SQL DB data discovery page

Each of these is shown in the relevant tab below.

Access the policy from Defender for Cloud's environment settings page

From Defender for Cloud's Environment settings page, select SQL information protection.

Note

This option only appears for users with tenant-level permissions. Grant tenant-wide permissions to yourself.

Accessing the SQL Information Protection policy from the environment settings page of Microsoft Defender for Cloud.

Customize your information types

To manage and customize information types:

  1. Select Manage information types.

    Manage information types for your information protection policy.

  2. To add a new type, select Create information type. You can configure a name, description, and search pattern strings for the information type. Search pattern strings can optionally use keywords with wildcard characters (using the character '%'), which the automated discovery engine uses to identify sensitive data in your databases, based on the columns' metadata.

    Configure a new information type for your information protection policy.

  3. You can also modify the built-in types by adding additional search pattern strings, disabling some of the existing strings, or by changing the description.

    Tip

    You can't delete built-in types or change their names.

  4. Information types are listed in order of ascending discovery ranking, meaning that the types higher in the list attempt to match first. To change the ranking between information types, drag the types to the right spot in the table, or use the Move up and Move down buttons to change the order.

  5. Select OK when you're done.

  6. After you completed managing your information types, be sure to associate the relevant types with the relevant labels, by selecting Configure for a particular label, and adding or deleting information types as appropriate.

  7. To apply your changes, select Save in the main Labels page.

Exporting and importing a policy

You can download a JSON file with your defined labels and information types, edit the file in the editor of your choice, and then import the updated file.

Exporting and importing your information protection policy.

Note

You'll need tenant level permissions to import a policy file.

Permissions

To customize the information protection policy for your Azure tenant, you need the following actions on the tenant's root management group:

  • Microsoft.Security/informationProtectionPolicies/read
  • Microsoft.Security/informationProtectionPolicies/write

Learn more in Grant and request tenant-wide visibility.

Manage SQL information protection using Azure PowerShell

Next steps

In this article, you learned about defining an information protection policy in Microsoft Defender for Cloud. To learn more about using SQL Information Protection to classify and protect sensitive data in your SQL databases, see Azure SQL Database Data Discovery and Classification.

For more information on security policies and data security in Defender for Cloud, see the following articles: