Azure Front Door sensitive data protection
The Azure Front Door log scrubbing tool helps you remove sensitive data (for example, personal identifiable information) from your Azure Front Door logs. It works by enabling log scrubbing at Azure Front Door Standard or Premium profile level and selecting the log fields to be scrubbed. Once enabled, the tool scrubs that information from your logs generated under this profile and replaces it with ****.
Log scrubbing is only supported on Azure Front Door Standard and Premium. If you're using Azure Front Door classic, migrate to Azure Front Door standard or premium to use log scrubbing. For more information, see About Azure Front Door (classic) to Standard/Premium tier migration.
Default log behavior
When Azure Front Door serves a request, Azure Front Door logs the details of the request in clear text. Sensitive data might be included in the request URI (such as passwords), and client IP and socket IP are logged. This data is viewable by anyone with access to the Azure Front Door access logs. To protect customer data, you can set up log scrubbing rules targeting this sensitive data for protection.
Scrubbing fields
The following fields can be scrubbed from the logs:
| Information | Description | Samples after enablement |
|---|---|---|
| Request URI | RequestUri, OriginUrl | **** |
| Request IP address | ClientIp, SocketIp | **** |
| Query string | Querystring in RequestUri and OriginUrl | https://contoso.com/bar/temp.txt?20240423&q=****&foo=**** |
Note
When you enable log scrubbing feature, Microsoft still retains IP addresses in its internal logs to support critical security features.
Next step
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for