Get started with SQL Database dynamic data masking with the Azure portal

This article shows you how to implement dynamic data masking with the Azure portal. You can also implement dynamic data masking using the Azure SQL Database PowerShell cmdlets or the REST API.

Set up dynamic data masking for your database using the Azure portal

  1. Launch the Azure portal at

  2. Navigate to the settings page of the database that includes the sensitive data you want to mask.

  3. Click the Dynamic Data Masking tile, which launches the Dynamic Data Masking configuration page.

    • Alternatively, you can scroll down to the Operations section and click Dynamic Data Masking.

  4. In the Dynamic Data Masking configuration page, you may see some database columns that the recommendations engine has flagged for masking. To accept the recommendations, click Add Mask for one or more columns; a mask is created based on the default masking type for that column. You can change the masking function by clicking the masking rule and editing the Masking Field Format to a different format of your choice. Be sure to click Save to save your settings.

  5. To add a mask for any column in your database, click Add Mask at the top of the Dynamic Data Masking configuration page to open the Add Masking Rule configuration page.

  6. Select the Schema, Table and Column to define the designated field for masking.

  7. Choose a Masking Field Format from the list of sensitive data masking categories.

  8. Click Save in the data masking rule page to update the set of masking rules in the dynamic data masking policy.

  9. Type the SQL users or Azure AD (AAD) identities that should be excluded from masking and have access to the unmasked sensitive data, as a semicolon-separated list. Users with administrator privileges always have access to the original unmasked data.

    To allow the application layer to display sensitive data to application-privileged users, add the SQL user or AAD identity the application uses to query the database. It is highly recommended that this list contain the minimum number of privileged users, to minimize exposure of the sensitive data.

  10. Click Save in the data masking configuration page to save the new or updated masking policy.
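The procedure above builds a masking policy through the portal UI. The following T-SQL is an added example, not part of the original page, that builds the same kind of policy directly in the database so you can see what the portal steps amount to and verify the result. Every object name is an assumption: a constructed dbo.Customers table with sample data, an application principal app_reporting that needs unmasked data (the portal's excluded-users list), and an analyst principal analyst_ro that must only see masked values.

```sql
-- Added example (not from the original page). All names are assumptions:
-- dbo.Customers and its row are constructed sample data; app_reporting and
-- analyst_ro are hypothetical contained database users.

CREATE TABLE dbo.Customers
(
    CustomerId  INT IDENTITY PRIMARY KEY,
    FullName    NVARCHAR(100) NOT NULL,
    Email       NVARCHAR(100) NOT NULL,
    Phone       VARCHAR(20)   NOT NULL,
    CreditCard  VARCHAR(19)   NOT NULL,
    BirthYear   INT           NOT NULL
);

-- Constructed sample data.
INSERT INTO dbo.Customers (FullName, Email, Phone, CreditCard, BirthYear)
VALUES (N'Ada Lovelace', N'ada@example.com', '+44 20 7946 0000',
        '4111-1111-1111-1111', 1815);

-- Equivalent of steps 5-8: one masking rule per column. The FUNCTION string
-- is the "Masking Field Format" the portal offers for that column.
ALTER TABLE dbo.Customers ALTER COLUMN Email
    ADD MASKED WITH (FUNCTION = 'email()');                          -- aXXX@XXXX.com
ALTER TABLE dbo.Customers ALTER COLUMN Phone
    ADD MASKED WITH (FUNCTION = 'default()');                        -- xxxx for strings
ALTER TABLE dbo.Customers ALTER COLUMN CreditCard
    ADD MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)');   -- expose last 4 only
ALTER TABLE dbo.Customers ALTER COLUMN BirthYear
    ADD MASKED WITH (FUNCTION = 'random(1900, 2000)');               -- random value in range

-- Equivalent of step 9: principals that must see cleartext hold the UNMASK
-- permission. Contained users (no server login) keep the example self-contained.
CREATE USER app_reporting WITHOUT LOGIN;
CREATE USER analyst_ro    WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO app_reporting, analyst_ro;
GRANT UNMASK TO app_reporting;   -- keep this list as short as possible

-- Check the policy as stored in the catalog rather than trusting the UI.
SELECT OBJECT_NAME(mc.object_id) AS table_name,
       mc.name                   AS column_name,
       mc.masking_function
FROM sys.masked_columns AS mc
WHERE mc.is_masked = 1;

-- Verify what each principal actually sees. Run this as an administrator;
-- administrators themselves always see unmasked data, hence the impersonation.
EXECUTE AS USER = 'analyst_ro';
SELECT FullName, Email, Phone, CreditCard, BirthYear FROM dbo.Customers;  -- masked
REVERT;

EXECUTE AS USER = 'app_reporting';
SELECT FullName, Email, Phone, CreditCard, BirthYear FROM dbo.Customers;  -- cleartext
REVERT;

-- Caveat: masking changes what is returned, not what can be queried. A user
-- without UNMASK can still filter on a masked column and infer its value.
EXECUTE AS USER = 'analyst_ro';
SELECT COUNT(*) AS rows_matching
FROM dbo.Customers
WHERE Email = N'ada@example.com';   -- returns 1, revealing the masked address exists
REVERT;
```

The last query is the reason the excluded list should stay minimal and why dynamic data masking complements, rather than replaces, object-level permissions and auditing: anyone with ad-hoc SELECT rights on a masked table can probe masked columns with predicates, so masking limits casual exposure but is not an access-control boundary on its own.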

Next steps