Dynamic Data Masking is now generally available for Azure SQL Database


We’re delighted to announce the general availability of Dynamic Data Masking for Azure SQL Database version V12. Dynamic Data Masking (DDM) is used to limit access to sensitive data in the database by obfuscating it on-the-fly in query results. Many customers are already using DDM to protect their sensitive data and we encourage you to try it out for your databases.

Dynamic Data Masking can be used to hide sensitive data in your applications, while the logic of which fields to mask and how to mask is centralized in the database itself. It can also be used to avoid exposure of the data to engineers or ITOps personnel that connect to the production database for maintenance or troubleshooting purposes.  

Andrew Robin, Director of Product at United Public Safety, says:

“Dynamic Data Masking allows UPsafety to ensure customer identified sensitive data provides additional layers of protection, limiting access to authorized users. The dynamic data masking feature was simple to configure and deploy to our live environment.  This feature set is yet another fine example of the Microsoft Azure Cloud team’s understanding that privacy and security are critical to their customers’ continued growth and success.”


You enable DDM by defining masking rules on designated database fields, which determine how you want the data in these fields to appear in query results. You can define a partial mask which exposes some of the data in the selected field, such as the first and last few characters, while masking out the rest. Or, you can define a full mask which doesn’t leave any of the data exposed and always replaces the field’s data with a constant value. We also offer additional masking functions; see the Getting Started page for more details.

When performing queries on the database, whether from an application or directly using a query tool like SSMS, data is masked for the designated fields according to the policy you defined. You can also list specific database users that are excluded from masking – so they will always get the original data when they query the database.
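
The rules described above can be expressed through the T-SQL route. The following is an added example, not code from the original announcement; the table, column and user names and the sample row are constructed for illustration. It defines a partial and a full mask, runs the same query as a masked and an excluded user, and then lists the masked columns and the principals that hold the exclusion permission.

```sql
-- Constructed schema: all names below are illustrative assumptions.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    FullName   NVARCHAR(100) NOT NULL,
    -- Partial mask: expose the last 4 characters, replace the rest with padding.
    Phone      VARCHAR(20) MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)') NULL,
    -- Full mask: default() replaces the whole value with a constant.
    NationalId VARCHAR(11) MASKED WITH (FUNCTION = 'default()') NULL
);

INSERT INTO dbo.Customers (FullName, Phone, NationalId)
VALUES (N'Test Person', '555-010-1234', '000-00-0000');  -- constructed sample row

-- Two hypothetical database users: one subject to masking, one excluded from it.
CREATE USER SupportUser WITHOUT LOGIN;
CREATE USER AuditUser   WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO SupportUser;
GRANT SELECT ON dbo.Customers TO AuditUser;
GRANT UNMASK TO AuditUser;  -- excludes this user from masking

-- Same query, two principals: SupportUser receives masked values,
-- AuditUser receives the original data.
EXECUTE AS USER = 'SupportUser';
SELECT FullName, Phone, NationalId FROM dbo.Customers;
REVERT;

EXECUTE AS USER = 'AuditUser';
SELECT FullName, Phone, NationalId FROM dbo.Customers;
REVERT;

-- Review step 1: which columns carry a mask, and which function.
SELECT t.name AS table_name, c.name AS column_name, c.masking_function
FROM sys.masked_columns AS c
JOIN sys.tables AS t ON c.object_id = t.object_id
WHERE c.is_masked = 1;

-- Review step 2: which principals have been granted the exclusion.
SELECT pr.name AS principal_name, pe.state_desc, pe.permission_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pe.grantee_principal_id = pr.principal_id
WHERE pe.permission_name = 'UNMASK';
```

Administrators and database owners are always excluded from masking, so check masked output with a non-privileged user as done here rather than with the account that created the rules.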


DDM is one of several security features for Azure SQL Database, which serve to protect data, control access and monitor database activity. Each of these features is valuable, and together they provide a comprehensive security solution for your database.

The benefits that DDM specifically offers are:

  • It is exceptionally simple to create a data masking policy, whether via the Azure Portal, PowerShell cmdlets or T-SQL configuration.
  • There is no need to modify database procedures or application code.
  • DDM introduces little if any performance impact on database operations.
  • DDM supports AAD authentication, and AAD users and groups can be granted DDM exclusion permissions.


We’ve also made some interesting improvements recently, such as helping users find potentially sensitive data that may be a good candidate for masking. You can find this list of Masking Recommendations on the DDM blade in the Azure Preview Portal.



We’ve gotten some great feedback from our preview customers and we’ve incorporated improvements into this GA release of Dynamic Data Masking. We’ll be glad to get more input on how this feature is serving your data protection requirements, so if you have any feedback or questions please leave us a comment below.

To get started, check out our Getting Started page. Learn more about our latest improvements in this blog post, and you can also check out our recent Channel 9 video.