Today marks a big step forward with the public preview of Dynamic Data Masking (DDM) for Azure Cosmos DB. This feature helps organizations protect sensitive data without requiring changes to application logic or database interactions.
What is Dynamic Data Masking?
Dynamic Data Masking (DDM) is a server-side, policy-driven security feature that automatically masks sensitive information for non-privileged users. When enabled, DDM ensures that only authorized users can view unmasked data, while others see masked or redacted values. The original data remains unchanged in the database, and masking occurs in real time during query execution.
This capability is especially valuable for protecting Personally Identifiable Information (PII), Protected Health Information (PHI), and other confidential data—helping organizations comply with privacy regulations and internal policies.
Why is This Important?
Before, teams had to build their own masking logic in the application layer to keep sensitive data safe. It was a messy, error-prone process that got harder to manage as access controls and compliance rules kept changing. Since Azure Cosmos DB didn’t have a built-in way to mask data in real time based on user roles, the risk of data exposure was higher and audits were more painful.
Now, with Dynamic Data Masking, those protections happen right in the database. Data is masked instantly according to user roles and permissions, without altering the actual data underneath. It makes compliance simpler, cuts down on maintenance work, and lightens the load for both developers and security teams.
Key Benefits
- Keeps sensitive data safe: Only authorized users can see real values, while everyone else just sees masked information.
- Automatic role-based protection: Data masking happens automatically based on each user’s role and permissions.
- Simplifies compliance: Makes it easier to meet privacy and security regulations without extra manual effort.
- No change to your actual data: The stored data itself stays untouched, since masking is applied only when data is accessed or queried.
How Does It Work?
You can configure Dynamic Data Masking for your Azure Cosmos DB account through the Azure portal. The process involves:
- Enabling Dynamic Data Masking in the Features tab under Settings.
- Defining roles and permissions using Azure Cosmos DB’s data plane role-based access control (RBAC).
- Assigning users to roles – privileged users get unmask permissions, while others receive standard roles.
- Applying a masking policy at the container level, specifying which fields to mask and which masking strategies to use.
Supported Masking Strategies
| Type | Description | Example |
|---|---|---|
| Default | String values are replaced with a fixed mask of XXXX; numeric values are replaced with a default value of 0; Boolean values are always set to false. | Original: Redmond, Masked: XXXX; Original: 95, Masked: 0; Original: true, Masked: false |
| Custom String | A portion of the string is masked based on a defined starting index and length using MaskSubstring(Start, Length). | MaskSubstring(3,5) Original: Washington |
| Email | Only the first letter of the username and the domain ending (such as .com) remain visible. All other characters are replaced with Xs. | Original: alpha@microsoft.com, Masked: aXXXX@XXXXXXXXX.com |
Example Masking Policy
Here’s a sample policy that masks credit card numbers, social security numbers, phone numbers, and email addresses:
```jsonc
"dataMaskingPolicy": {
  "includedPaths": [
    {
      "path": "/" // Mask all fields
    },
    {
      "path": "/profile/contact/email",
      "strategy": "Email" // Email strategy overrides the default mask
    },
    {
      "path": "/employment/history/[]/company",
      "strategy": "MaskSubstring", // MaskSubstring overrides the default mask
      "startPosition": 2,
      "length": 4
    }
  ],
  "excludedPaths": [
    {
      "path": "/projects/[]/projectId" // Exclude projectId from masking
    },
    {
      "path": "/id"
    },
    {
      "path": "/department"
    },
    {
      "path": "/employment/history/[]/duration"
    },
    {
      "path": "/projects/[]/details/technologies"
    }
  ],
  "isPolicyEnabled": true
}
```
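To make the strategies table and the sample policy above concrete, here is an added example (written for this post, not code from the original article or from the Azure Cosmos DB service) that models locally what a non-privileged reader would get back when the policy is applied to a constructed employee document. It lets you check which fields end up masked before you turn the feature on. The semantics it assumes, which the post does not spell out, are marked in the code: MaskSubstring positions are 0-based, excludedPaths always win over includedPaths, the most specific matching included path decides the strategy with "/" as the catch-all Default, `[]` in a path matches any array index, and null values are left as-is.

```python
"""Offline reference model of the Dynamic Data Masking policy shown above.
Added example, not the service's implementation; index base, precedence and
path-matching rules are assumptions and may differ from the real service."""
import copy
import json

XXXX = "XXXX"  # fixed string mask from the Default strategy


def mask_default(value):
    """Default strategy: strings -> XXXX, numbers -> 0, booleans -> False."""
    if isinstance(value, bool):          # check bool first: bool is a subclass of int
        return False
    if isinstance(value, str):
        return XXXX
    if isinstance(value, (int, float)):
        return 0
    return value                         # assumption: null and other types untouched


def mask_substring(value, start, length):
    """MaskSubstring(Start, Length): replace `length` characters from `start` with X.
    Assumption: 0-based start; ranges past the end are clipped."""
    if not isinstance(value, str):
        return value
    end = min(start + length, len(value))
    return value[:start] + "X" * max(0, end - start) + value[end:]


def mask_email(value):
    """Email strategy: keep the first letter of the username and the domain
    ending (e.g. .com); every other character becomes X."""
    if not isinstance(value, str) or "@" not in value:
        return mask_default(value)       # assumption: non-email strings fall back to Default
    local, domain = value.rsplit("@", 1)
    if "." in domain:
        body, tld = domain.rsplit(".", 1)
        masked_domain = "X" * len(body) + "." + tld
    else:
        masked_domain = "X" * len(domain)
    return local[:1] + "X" * (len(local) - 1) + "@" + masked_domain


def apply_rule(value, rule):
    """Dispatch on the rule's strategy; a missing strategy means Default."""
    strategy = rule.get("strategy", "Default")
    if strategy == "Email":
        return mask_email(value)
    if strategy == "MaskSubstring":
        return mask_substring(value, rule["startPosition"], rule["length"])
    return mask_default(value)


def _path_matches(pattern, path):
    """Segment-wise match; a '[]' segment in the pattern matches any array index."""
    pp = [p for p in pattern.split("/") if p]
    cp = [p for p in path.split("/") if p]
    if len(pp) != len(cp):
        return False
    return all((a == "[]" and b.isdigit()) or a == b for a, b in zip(pp, cp))


def _included_rule(policy, path):
    """Most specific includedPaths rule for a leaf; '/' is the catch-all (assumption)."""
    best = None
    for rule in policy.get("includedPaths", []):
        pat = rule["path"]
        if pat == "/" or _path_matches(pat, path):
            if best is None or len(pat) > len(best["path"]):
                best = rule
    return best


def mask_document(doc, policy):
    """Return a masked copy of `doc`; the input document is never modified."""
    if not policy.get("isPolicyEnabled", False):
        return copy.deepcopy(doc)
    excluded = policy.get("excludedPaths", [])

    def walk(node, path):
        if any(_path_matches(ex["path"], path) for ex in excluded):
            return copy.deepcopy(node)   # exclusion covers the whole subtree
        if isinstance(node, dict):
            return {k: walk(v, f"{path}/{k}") for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v, f"{path}/{i}") for i, v in enumerate(node)]
        rule = _included_rule(policy, path)
        return apply_rule(node, rule) if rule else node

    return walk(doc, "")


# The post's policy, as a Python dict (comments dropped).
POLICY = {
    "includedPaths": [
        {"path": "/"},
        {"path": "/profile/contact/email", "strategy": "Email"},
        {"path": "/employment/history/[]/company", "strategy": "MaskSubstring",
         "startPosition": 2, "length": 4},
    ],
    "excludedPaths": [
        {"path": "/projects/[]/projectId"}, {"path": "/id"}, {"path": "/department"},
        {"path": "/employment/history/[]/duration"},
        {"path": "/projects/[]/details/technologies"},
    ],
    "isPolicyEnabled": True,
}

# Constructed sample document (not real data).
SAMPLE_DOC = {
    "id": "emp-001", "department": "Engineering", "salary": 95000, "isManager": True,
    "profile": {"name": "Alpha Example",
                "contact": {"email": "alpha@microsoft.com", "phone": "425-555-0100"}},
    "employment": {"history": [{"company": "Contoso", "duration": 36}]},
    "projects": [{"projectId": "P-42", "details": {"technologies": ["Python", "Cosmos DB"]}}],
}

if __name__ == "__main__":
    print(json.dumps(mask_document(SAMPLE_DOC, POLICY), indent=2))
```

Running it shows `salary`, `isManager`, `name` and `phone` falling under the "/" Default rule (0, false, XXXX), the email rendered as aXXXX@XXXXXXXXX.com, the company masked to CoXXXXo, and every excluded path returned verbatim. Because the real service decides index base and precedence, treat any case this model gets wrong as a reason to verify against a test container with a non-privileged role before relying on the policy.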
Learn More
Try Dynamic Data Masking today and take a proactive step toward protecting your sensitive data in Azure Cosmos DB. To learn more about this feature, see:
Dynamic Data Masking in Azure Cosmos DB
About Azure Cosmos DB
Azure Cosmos DB is a fully managed and serverless NoSQL and vector database for modern app development, including AI applications. With its SLA-backed speed and availability as well as instant dynamic scalability, it is ideal for real-time NoSQL and MongoDB applications that require high performance and distributed computing over massive volumes of NoSQL and vector data.
To stay in the loop on Azure Cosmos DB updates, follow us on X, YouTube, and LinkedIn.