Azure Data Security – Data Classification – Part 3

Hello and welcome to the final part of our three part series on Azure data security where we will demo Data Classification and Data Masking.  In the previous posts we looked at network level security for protecting data at the perimeter.  From there we explained that after the network level we need to protect the authentication layer. The authentication layer controls who has access and what level of access they have. The goal is to ensure we limit access to only the data and operations required.

In this post and video we look at what we can do to protect our data once we have secured the network and authentication layers.

Azure Data Security Part 3 Video

Azure Data Security Part 3 Video

Azure SQL Data Masking and Classification

Azure Data Security Layers

Azure Data Security Layers

This post and demo, look at how we leverage the Advanced Data Security feature of Azure SQL Server which includes Threat Detection, Data Classification and Data Masking.  With this feature we can control how our data is classified and even obfuscated for sensitive information, to ensure only allowed identities have the correct access.  We also need to know who is accessing the sensitive data, when they are accessing it and from where.

We will demonstrate how data columns in a SQL Server database can be classified to allow reporting and visibility of sensitive information.  We will also show how this information can be managed, reported on and monitored.

Securing Data in Azure – Data Classification Dashboard

Securing Data in Azure - Data Classification Dashboard


Code example here for granting an Azure AD identity read access to an Azure SQL Database

GRANT SELECT ON dbo.Customers TO "" >

Data can also be classified using the “add” or “drop” T-SQL statement as shown below.

DROP sensitivity classification FROM dbo.customers.email_address
DROP sensitivity classification FROM dbo.customers.first_name
DROP sensitivity classification FROM dbo.customers.last_name
DROP sensitivity classification FROM dbo.customers.NationalInsuranceNo
DROP sensitivity classification FROM dbo.customers.SocialSecurityNo
DROP sensitivity classification FROM dbo.customers.AccountManager

Log Analytics Query

| WHERE Category == "SQLSecurityAuditEvents"
| WHERE data_sensitivity_information_s contains "Confidential" AND server_principal_name_s != ""
| project TimeGenerated, server_instance_name_s, database_name_s , statement_s, affected_rows_d , server_principal_name_s, client_ip_s ,data_sensitivity_information_s
| ORDER BY TimeGenerated DESC

We hope you found the information in this post and video useful !

Please visit our YouTube channel (and subscribe) to see our other videos in this series and more at https://LANETYouTube
Also, visit us at and check out our Azure Market place offering/s here

LANET is a Microsoft Gold Cloud Platform and Silver Security Partner specialising in Microsoft Azure cloud infrastructure security.

The Part 1 link is provided here for reference.

Leave a comment below if you thought this was useful !

Thank you


1 Comment. Leave new

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.
You need to agree with the terms to proceed