Hello, I understand that Microsoft Purview DLP policies can be commonly used for Exchange, OneDrive, Teams, SharePoint, Endpoints, etc. which are commonly used exfiltration channels. But can we also use a dlp policy for Azure SQL databases, is there any use case for a DLP policy for Azure SQL database or any other structured data?

To my knowledge you cannot create DLP policies that apply directly on Azure SQL databases. However, you can create DLP policies in Microsoft Purview for scenarios like data exfiltration from Azure SQL to other Microsoft 365 services (commonly Excel and SharePoint are used to query data from Azure SQL). If data is exported from Azure SQL and used in Office files, the DLP policies in Microsoft 365 can prevent sharing information that you have classified as sensitive on Azure SQL. Enabling Azure SQL Auditng can help track activities that might involve sensitive data and detect possible violations.

@Kansara, Ankit - Thanks for the question and using MS Q&A platform. Unfortunately, Microsoft Purview DLP policies cannot be applied to Azure SQL or Azure SQL Databases. According to the official documentation: Learn about data loss prevention You can apply DLP policies to data at rest, data in use, and data in motion in locations such as: Exchange Online email SharePoint sites OneDrive accounts Teams chat and channel messages Microsoft Defender for Cloud Apps (Instances) Windows 10, Windows 11, and macOS (three latest released versions) devices On-premises repositories Fabric and Power BI workspaces Each one has different prerequisites. Sensitive items in some locations, like Exchange online, can be brought under the DLP umbrella by just configuring a policy that applies to them. Others, such as on-premises file repositories, require a deployment of Microsoft Purview Information Protection scanner . You'll need to prepare your environment, code draft policies, and test them thoroughly before activating any blocking actions. Appreciate if you could share the feedback on our feedback channel . Which would be open for the user community to upvote & comment on. This allows our product teams to effectively prioritize your request against our existing feature backlog and gives insight into the potential impact of implementing the suggested feature. Hope this helps. Do let us know if you any further queries. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Microsoft Purview DLP for Azure SQL

Accepted answer

Alberto Morillo 33,861 Reputation points MVP

2024-09-13T01:43:18.2233333+00:00

To my knowledge you cannot create DLP policies that apply directly on Azure SQL databases. However, you can create DLP policies in Microsoft Purview for scenarios like data exfiltration from Azure SQL to other Microsoft 365 services (commonly Excel and SharePoint are used to query data from Azure SQL). If data is exported from Azure SQL and used in Office files, the DLP policies in Microsoft 365 can prevent sharing information that you have classified as sensitive on Azure SQL.

Enabling Azure SQL Auditng can help track activities that might involve sensitive data and detect possible violations.
Please sign in to rate this answer.
Kansara, Ankit 20 Reputation points

2024-09-17T19:53:52.6966667+00:00

@Alberto Morillo Thank you for your answer. It looks like there is no direct DLP policy configuration for Azure SQL. But could you please provide more information on preventing data export from Azure SQL that you have mentioned?

Alberto Morillo 33,861 Reputation points MVP

2024-09-17T22:37:13.3333333+00:00

Imagine you want to protect data exported from Azure SQL to Excel and SharePoint:

Create and Configure DLP Policies in Microsoft Purview

Microsoft Purview allows you to create DLP policies that govern the classification and protection of sensitive data. Here's how to configure a policy:

Access Microsoft Purview:

Log in to the Microsoft Purview Compliance Portal.

Navigate to Solutions > Data Loss Prevention.

Choose Policies and click on Create Policy.

Identify Sensitive Data in Excel/SharePoint:
- When creating the policy, choose from pre-defined sensitive information types (e.g., financial, healthcare, personal information) or define custom types. - **Define conditions** for when the DLP policy applies (e.g., when files are uploaded to SharePoint or downloaded to Excel). - Configure the **actions** to take when the policy detects sensitive information (e.g., block access, log the event, notify users). **Scope the Policy:** - In the **Locations** section of the DLP policy, select **SharePoint** and **OneDrive for Business** as file storage locations. - For Excel files, DLP can monitor files in these cloud locations, or if you are using **Excel Online** (files saved in SharePoint/OneDrive), it will automatically be covered.

Connect Azure SQL Data to Excel or SharePoint

When Excel pulls data from an Azure SQL Database or data is stored in SharePoint from Azure, ensure that the policy can scan and protect these files:

Excel Power Query for Azure SQL:

If Excel users are using Power Query to connect to Azure SQL Database, the files containing this data will be stored in OneDrive or SharePoint.

The DLP policies you set up in Purview will automatically monitor these Excel files if they are shared, downloaded, or moved to/from SharePoint.

SharePoint Lists or PowerApps with Azure SQL:
- If SharePoint is used to store data or is connected to Azure SQL via SharePoint Lists or PowerApps, DLP policies can scan SharePoint document libraries and lists.

Define Access Controls and Encryption Policies

Alongside DLP policies, you should also ensure the following are configured to protect files:

Apply Sensitivity Labels to Excel files or SharePoint documents pulling data from Azure SQL. These can encrypt and restrict access based on user roles.

Set up Conditional Access Policies via Azure Active Directory to restrict how users can access SharePoint and Excel files, especially when accessing data externally.

Monitoring and Remediation

Use Activity Explorer in Purview to monitor the usage and sharing of files.

Configure alerts and incident reports for any DLP policy violations detected in SharePoint or Excel files.

Best Practices

Data Classification: Ensure that data in Azure SQL is classified, so when pulled into SharePoint/Excel, it inherits the classification.

Review Sharing and Access Policies in SharePoint to ensure external sharing is restricted or monitored according to your DLP policy.

Create and Configure DLP Policies in Microsoft Purview

Microsoft Purview allows you to create DLP policies that govern the classification and protection of sensitive data. Here's how to configure a policy:

Access Microsoft Purview:

Log in to the Microsoft Purview Compliance Portal.

Navigate to Solutions > Data Loss Prevention.

Choose Policies and click on Create Policy.

Identify Sensitive Data in Excel/SharePoint:

When creating the policy, choose from pre-defined sensitive information types (e.g., financial, healthcare, personal information) or define custom types.

Define conditions for when the DLP policy applies (e.g., when files are uploaded to SharePoint or downloaded to Excel).

Configure the actions to take when the policy detects sensitive information (e.g., block access, log the event, notify users).

Scope the Policy:

In the Locations section of the DLP policy, select SharePoint and OneDrive for Business as file storage locations.

For Excel files, DLP can monitor files in these cloud locations, or if you are using Excel Online (files saved in SharePoint/OneDrive), it will automatically be covered.

Connect Azure SQL Data to Excel or SharePoint

When Excel pulls data from an Azure SQL Database or data is stored in SharePoint from Azure, ensure that the policy can scan and protect these files:

Excel Power Query for Azure SQL:

If Excel users are using Power Query to connect to Azure SQL Database, the files containing this data will be stored in OneDrive or SharePoint.

The DLP policies you set up in Purview will automatically monitor these Excel files if they are shared, downloaded, or moved to/from SharePoint.

SharePoint Lists or PowerApps with Azure SQL:

If SharePoint is used to store data or is connected to Azure SQL via SharePoint Lists or PowerApps, DLP policies can scan SharePoint document libraries and lists.

Define Access Controls and Encryption Policies

Alongside DLP policies, you should also ensure the following are configured to protect files:

Apply Sensitivity Labels to Excel files or SharePoint documents pulling data from Azure SQL. These can encrypt and restrict access based on user roles.

Set up Conditional Access Policies via Azure Active Directory to restrict how users can access SharePoint and Excel files, especially when accessing data externally.

Monitoring and Remediation

Use Activity Explorer in Purview to monitor the usage and sharing of files.

Configure alerts and incident reports for any DLP policy violations detected in SharePoint or Excel files.

Best Practices

Data Classification: Ensure that data in Azure SQL is classified, so when pulled into SharePoint/Excel, it inherits the classification.

Review Sharing and Access Policies in SharePoint to ensure external sharing is restricted or monitored according to your DLP policy.

Yanli Jiang - MSFT 26,016 Reputation points Microsoft Vendor

2024-10-02T07:16:27.5+00:00

Very nice sharing, thank you for all.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Microsoft Purview DLP for Azure SQL

1 additional answer

Your answer