We are excited to announce that Azure SQL Database now supports the ability to enforce label-based access control on columns with sensitive data that have been labeled with Microsoft Purview Information Protection (MIP) sensitivity labels, using MIP protection policies. This feature is available in preview.
Azure SQL Database today provides capabilities to discover, classify, label, and report the sensitive data in your databases through the Data Classification feature, enabling customers to control access to and harden the security of databases that contain highly sensitive data, as well as meet auditing and compliance requirements. Sensitive data can be classified by using Microsoft Purview Information Protection (MIP) sensitivity labels that are centrally created and managed via the Microsoft Purview portal. In addition, an Azure SQL database can also be registered and scanned using Microsoft Purview. Purview automatically scans the database, identifies columns with sensitive data and assigns MIP sensitivity labels to those columns. MIP policies can then be used to enforce access control on the classified data based on the sensitivity label.
What are protection policies in Purview?
Protection access control policies (or protection policies) in Purview enable organizations to automatically protect sensitive data across their data sources. They enable personas like Chief Data Officer (CDO) and/or enterprise security admins to configure and enforce access control actions on sensitive data in their databases, ensuring that data in columns with particular sensitivity labels cannot be accessed by unauthorized users.
When you create a protection policy, you choose which data sources (for example, databases or storage buckets) are included, and which users or groups are allowed access based on the sensitivity of the data (via sensitivity labels). Users who do not meet these criteria are prevented from accessing the data. As data moves from one system to another (for example, from Azure SQL Database to Power BI to Excel), the protections persist.
Configuring a Purview policy to enforce access control for sensitive data in Azure SQL Database
Let’s take an example of an Azure SQL database named ContosoDB containing financial and PII data. Once the database is registered and scanned in Microsoft Purview, Purview assigns the sensitivity label “Highly Confidential” to the database columns aba_routing_number, ssn, credit_card_number and passport_number.
To restrict access to the sensitive data in these columns, a protection policy can now be created that enforces ‘deny’ actions on the database columns labeled “Highly Confidential”. This policy restricts access to these columns to only the allowed user or group of users listed in the policy. The policy can be stated as:
Deny “Read” on data classified as “Highly Confidential” to everyone except “Purview admin”
Note – Only ‘deny’ actions are currently supported with Purview protection policies in preview.
Below is an example of this policy on the Purview portal, which enforces ‘deny’ actions on SQL columns labeled as “Highly Confidential”. Only users specifically included in the policy are allowed access. The policy can be applied on one or more Azure SQL servers, which are selected while configuring the policy.
Once the above policy has been configured and published in Purview, any attempt by an unauthorized user to access the columns labeled “Highly Confidential” in the ContosoDB database (such as by executing a T-SQL query that references these columns) will fail with a “permission denied” error, as below:
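The following T-SQL is an added walkthrough of the ContosoDB scenario, not code from the original post or from Microsoft. The dbo.Customers table, its non-sensitive columns and the sample row are constructed for illustration; only the four column names and the “Highly Confidential” label come from the post. It assumes that labels applied by a Purview scan are visible in the sys.sensitivity_classifications catalog view, and the audit-file path in the last query is a placeholder you must replace with your own storage location.

```sql
-- Added example, not from the original post. Hypothetical table holding the four
-- columns the post says Purview labels "Highly Confidential"; everything else is constructed.
CREATE TABLE dbo.Customers (
    customer_id        INT IDENTITY PRIMARY KEY,
    full_name          NVARCHAR(100) NOT NULL,
    email              NVARCHAR(200) NULL,
    ssn                CHAR(11)      NULL,
    aba_routing_number CHAR(9)       NULL,
    credit_card_number VARCHAR(19)   NULL,
    passport_number    VARCHAR(20)   NULL
);

-- Constructed sample row; values are obvious placeholders, not real identifiers.
INSERT INTO dbo.Customers (full_name, email, ssn, aba_routing_number, credit_card_number, passport_number)
VALUES (N'Sample Person', N'sample@example.com', '000-00-0000', '000000000', '0000000000000000', 'X00000000');

-- 1. Before relying on the policy, confirm which columns actually carry the label.
--    Assumption: Purview-applied labels surface in this Data Classification catalog view.
SELECT
    OBJECT_SCHEMA_NAME(sc.major_id) AS schema_name,
    OBJECT_NAME(sc.major_id)        AS table_name,
    c.name                          AS column_name,
    sc.label,
    sc.label_id,
    sc.information_type
FROM sys.sensitivity_classifications AS sc
JOIN sys.columns AS c
  ON c.object_id = sc.major_id
 AND c.column_id = sc.minor_id
WHERE sc.label = N'Highly Confidential'
ORDER BY schema_name, table_name, column_name;

-- 2. A query that references a labeled column. Run as an Entra ID user who is not in
--    the policy's allowed list, this is the case the post says fails with "permission denied".
SELECT customer_id, full_name, ssn
FROM dbo.Customers;

-- 3. The same user querying only unlabeled columns. This should still succeed, which
--    confirms the deny is scoped to the labeled columns rather than to the whole table.
SELECT customer_id, full_name, email
FROM dbo.Customers;

-- 4. Denied attempts are worth monitoring. With Azure SQL Auditing enabled, failed
--    statements are written to the audit log, and the data_sensitivity_information
--    field records which labels the statement touched. Replace the URL with your own
--    audit storage path (placeholder).
SELECT event_time,
       server_principal_name,
       succeeded,
       data_sensitivity_information,
       statement
FROM sys.fn_get_audit_file(
        'https://<your-storage-account>.blob.core.windows.net/sqldbauditlogs/<server>/<database>/',
        DEFAULT, DEFAULT)
WHERE succeeded = 0
  AND data_sensitivity_information IS NOT NULL
ORDER BY event_time DESC;
```

Query 1 is the check to run first: if a column you expect to be protected does not appear with the “Highly Confidential” label, the policy cannot deny access to it. Queries 2 and 3 together verify the policy's scope, and query 4 turns the denied attempts into something your security operations team can review.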
To get started with configuring label-based access control for your databases, please refer to the detailed instructions in the links below.
We hope you find this feature useful for your organization's data classification and data governance needs and we look forward to any feedback you may have during the preview.
Learn More
- Azure SQL Database documentation
- Microsoft Purview documentation
- Prerequisites
- Configure roles and permissions
- Create and publish MIP sensitivity labels
- Register and scan Azure SQL database using Purview
- Create and publish access policy in Purview
- Securing your data with Purview (blog) - https://techcommunity.microsoft.com/t5/security-compliance-and-identity/seamlessly-secure-your-data-estate-with-microsoft-purview/ba-p/4095930