This post is a part of the DP-700: Implementing Data Engineering Solutions Using Microsoft Fabric Exam Prep Hub.
This topic falls under these sections:
Implement and manage an analytics solution (30–35%)
--> Configure security and governance
--> Implement dynamic data masking
Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 2 practice tests with 60 questions each available from the hub's main page below the exam topics section.
Introduction
Protecting sensitive data is a critical responsibility for data engineers. Organizations routinely store confidential information such as:
- Personally Identifiable Information (PII)
- Social Security numbers
- Credit card information
- Email addresses
- Phone numbers
- Employee salaries
- Customer account details
While some users require access to this information, many others only need access to the surrounding business data. Granting unrestricted visibility to sensitive values can increase security risks and create compliance concerns.
Dynamic Data Masking (DDM) is a security feature that limits the exposure of sensitive data by masking values for non-privileged users while allowing authorized users to see the original values.
For the DP-700 exam, it is important to understand how Dynamic Data Masking works, its use cases, limitations, and how it differs from other security mechanisms such as Row-Level Security (RLS), Column-Level Security (CLS), and encryption.
What Is Dynamic Data Masking?
Dynamic Data Masking is a security feature that obscures sensitive data at query time.
The actual data remains unchanged in storage.
Instead, unauthorized users see a masked version of the data.
Example:
Actual data:
| CustomerName | Email |
|---|---|
| John Smith | john.smith@contoso.com |
Masked view:
| CustomerName | Email |
|---|---|
| John Smith | jXXXXXXX@XXXX.com |
The original data still exists in the database.
Only the displayed results are modified.
Why Use Dynamic Data Masking?
Organizations often need to:
- Protect confidential information
- Limit exposure of sensitive fields
- Support regulatory compliance
- Reduce accidental data disclosure
- Allow broader access to datasets without exposing confidential values
Dynamic Data Masking provides a simple way to accomplish these goals.
How Dynamic Data Masking Works
The masking process occurs during query execution.
User Query → Security Evaluation → Masking Applied → Results Returned
Authorized users:
john.smith@contoso.com
Unauthorized users:
jXXXXXXX@XXXX.com
The underlying stored value never changes.
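The following T-SQL is an added example, not code from the original post, showing how masks are declared on columns and how the UNMASK permission separates the two kinds of user described above. The table, its columns, the sample row and the two Microsoft Entra ID principals are hypothetical.

```sql
-- Hypothetical warehouse table. Masks are column metadata; stored values are untouched.
CREATE TABLE dbo.Customers
(
    CustomerID   INT           NOT NULL,
    CustomerName VARCHAR(100)  NOT NULL,
    Phone        VARCHAR(20)   NULL,
    -- email(): exposes the first character and a constant ".com" suffix
    Email        VARCHAR(256)  MASKED WITH (FUNCTION = 'email()') NULL,
    -- partial(prefix, padding, suffix): keep only the last 4 characters
    CardNumber   VARCHAR(19)   MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)') NULL,
    -- default(): full mask chosen by the column's data type
    CreditLimit  DECIMAL(12,2) MASKED WITH (FUNCTION = 'default()') NULL
);

-- Constructed sample row.
INSERT INTO dbo.Customers (CustomerID, CustomerName, Phone, Email, CardNumber, CreditLimit)
VALUES (1, 'John Smith', '555-010-1234', 'john.smith@contoso.com', '4321-5678-9876-1234', 15000.00);

-- A mask can be added to an existing column without rewriting its data.
ALTER TABLE dbo.Customers
ALTER COLUMN Phone ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)');

-- Both principals may query the table; only the second may see original values.
GRANT SELECT ON dbo.Customers TO [support.agent@contoso.com];
GRANT SELECT ON dbo.Customers TO [fraud.analyst@contoso.com];
GRANT UNMASK ON dbo.Customers TO [fraud.analyst@contoso.com];

-- The same statement returns masked or unmasked values depending on the caller.
SELECT CustomerName, Phone, Email, CardNumber, CreditLimit
FROM dbo.Customers;

-- Governance check: list every masked column and the function applied to it.
SELECT tbl.name AS table_name, c.name AS column_name, c.masking_function
FROM sys.masked_columns AS c
JOIN sys.tables AS tbl ON c.[object_id] = tbl.[object_id]
WHERE c.is_masked = 1;
```

Run the SELECT while connected as each principal in turn to compare the results; the audit query is useful when reviewing which sensitive columns are still unmasked.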
Common Dynamic Data Masking Use Cases
Customer Contact Information
Sensitive fields:
- Email addresses
- Phone numbers
- Mailing addresses
Example:
Actual: john.smith@contoso.com
Masked: jXXXXXXX@XXXX.com
Employee Information
Sensitive fields:
- Salary
- Bonus information
- Tax identifiers
Example:
Actual: $120,000
Masked: $XXXXXX
Financial Information
Sensitive fields:
- Credit card numbers
- Bank account numbers
- Account balances
Example:
Actual: 4321-5678-9876-1234
Masked: XXXX-XXXX-XXXX-1234
Types of Data That Can Be Masked
Common candidates include:
- Email addresses
- Phone numbers
- National identification numbers
- Credit card numbers
- Salary data
- Medical information
- Customer account information
Generally, highly sensitive columns are good candidates for masking.
Dynamic Data Masking vs Encryption
This distinction is frequently tested on certification exams.
| Dynamic Data Masking | Encryption |
|---|---|
| Protects displayed results | Protects stored data |
| Data remains visible to privileged users | Data is encrypted at rest or in transit |
| User-facing security feature | Storage and transport security feature |
| Does not alter stored values | Changes stored representation |
Example
Dynamic Data Masking:
Stored: 123-45-6789
Displayed: XXX-XX-6789
Encryption:
Stored: A7F4D93C12...
Dynamic Data Masking vs Row-Level Security
These concepts are often confused.
| Dynamic Data Masking | Row-Level Security |
|---|---|
| Hides data values | Filters rows |
| Same rows visible | Different rows visible |
| Column-focused | Row-focused |
| Data remains visible in masked form | Rows may be completely hidden |
Example:
RLS:
East Region Manager → East Region Rows Only
DDM:
All Rows Visible → Sensitive Values Masked
Dynamic Data Masking vs Column-Level Security
Another important distinction.
| Dynamic Data Masking | Column-Level Security |
|---|---|
| Shows masked values | Hides column entirely |
| User sees partial data | User cannot access column |
| More flexible visibility | More restrictive security |
Example:
DDM:
Salary: XXXXXX
CLS:
Salary Column: Not Visible
Dynamic Data Masking vs Object-Level Security
| Dynamic Data Masking | Object-Level Security |
|---|---|
| Masks data values | Hides objects |
| User accesses table | Table may be hidden |
| Granular data visibility | Object visibility control |
Example:
DDM:
Salary = XXXXX
OLS:
Payroll Table Hidden
Benefits of Dynamic Data Masking
Simplified Security
Protects sensitive values without redesigning datasets.
Reduced Data Exposure
Users only see the information necessary for their role.
Regulatory Support
Can help support compliance initiatives involving:
- GDPR
- HIPAA
- PCI DSS
- Internal governance policies
Easier Data Sharing
Organizations can provide broader dataset access while reducing risk.
Limitations of Dynamic Data Masking
For the DP-700 exam, understanding limitations is important.
Dynamic Data Masking:
Does NOT Encrypt Data
Data remains stored in its original form.
Does NOT Replace Access Controls
Users still require appropriate permissions.
Does NOT Replace RLS
Rows remain visible.
Does NOT Replace CLS
Columns remain accessible.
Is Not a Complete Security Solution
DDM should be combined with other security mechanisms.
Layered Security Approach
Organizations commonly combine:
Workspace Security → Item Security → Row-Level Security → Column-Level Security → Dynamic Data Masking → Encryption
Each layer provides additional protection.
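As an added example (not part of the original post), the T-SQL below stacks three of these layers on one table so the difference between them is visible in a single place: RLS filters rows, CLS withholds a column, and DDM masks a value that remains queryable. The table, schema, function, policy and principal names are hypothetical, and it assumes ManagerLogin holds the sign-in name that USER_NAME() returns for the caller.

```sql
-- Hypothetical HR table: ManagerLogin drives RLS, TaxID is withheld by CLS,
-- Salary stays queryable but is masked by DDM.
CREATE TABLE dbo.Employees
(
    EmployeeID   INT           NOT NULL,
    FullName     VARCHAR(100)  NOT NULL,
    Region       VARCHAR(20)   NOT NULL,
    ManagerLogin VARCHAR(128)  NOT NULL,
    TaxID        VARCHAR(11)   NULL,
    Salary       DECIMAL(12,2) MASKED WITH (FUNCTION = 'default()') NULL
);
GO

CREATE SCHEMA Security;
GO

-- Row-Level Security: a row is returned only when its ManagerLogin matches the caller.
CREATE FUNCTION Security.fn_manager_filter(@ManagerLogin AS VARCHAR(128))
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS allowed
       WHERE @ManagerLogin = USER_NAME();
GO

CREATE SECURITY POLICY Security.EmployeeManagerPolicy
ADD FILTER PREDICATE Security.fn_manager_filter(ManagerLogin) ON dbo.Employees
WITH (STATE = ON);
GO

-- Column-Level Security: grant only the listed columns. TaxID is omitted,
-- so any query that references it (including SELECT *) fails for this principal.
GRANT SELECT ON dbo.Employees (EmployeeID, FullName, Region, ManagerLogin, Salary)
TO [east.manager@contoso.com];

-- Dynamic Data Masking: no UNMASK is granted, so Salary is returned masked.
-- Query this principal can run: own region's rows only, no TaxID, masked Salary.
SELECT EmployeeID, FullName, Region, Salary
FROM dbo.Employees;
```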
Common DP-700 Exam Scenarios
Scenario 1
Requirement:
Customer service representatives should view customer records but not full credit card numbers.
Solution:
Implement Dynamic Data Masking.
Scenario 2
Requirement:
Managers should only see employees within their region.
Solution:
Implement Row-Level Security.
Scenario 3
Requirement:
Payroll data should be completely hidden from analysts.
Solution:
Implement Object-Level Security or Column-Level Security.
Scenario 4
Requirement:
Protect sensitive data stored on disk.
Solution:
Use encryption rather than Dynamic Data Masking.
Best Practices
Mask Sensitive Columns
Focus on:
- PII
- Financial data
- Healthcare information
- Confidential business information
Combine DDM with Other Controls
Use:
- Workspace permissions
- Item permissions
- RLS
- CLS
- OLS
for comprehensive protection.
Follow Least Privilege
Limit access to unmasked data.
Regularly Review Security Policies
Verify masking requirements align with governance policies.
Protect Production Data
Apply masking wherever sensitive data exposure could occur.
DP-700 Exam Focus Areas
You should understand:
✓ Dynamic Data Masking concepts
✓ How masking works
✓ Common masking scenarios
✓ Sensitive data protection
✓ Dynamic Data Masking vs Encryption
✓ Dynamic Data Masking vs RLS
✓ Dynamic Data Masking vs CLS
✓ Dynamic Data Masking vs OLS
✓ Security best practices
✓ Layered security approaches
Practice Exam Questions
Question 1
What is the primary purpose of Dynamic Data Masking?
A. Encrypt stored data
B. Restrict workspace access
C. Filter rows returned by a query
D. Hide sensitive data values from unauthorized users
Answer: D
Explanation
Dynamic Data Masking obscures sensitive data values in query results while leaving the underlying stored data unchanged.
Question 2
Which statement about Dynamic Data Masking is true?
A. It permanently modifies stored data.
B. It encrypts data at rest.
C. It masks data at query time for unauthorized users.
D. It removes sensitive columns.
Answer: C
Explanation
DDM operates at query time and displays masked values to users who do not have permission to view the actual data.
Question 3
A company wants customer service agents to view customer records while masking credit card numbers.
Which feature should be implemented?
A. Dynamic Data Masking
B. Row-Level Security
C. Deployment Rules
D. Workspace Viewer Role
Answer: A
Explanation
DDM allows users to view records while hiding sensitive portions of specific data fields.
Question 4
What is the primary difference between Dynamic Data Masking and Row-Level Security?
A. DDM encrypts data while RLS does not.
B. DDM controls workspace permissions while RLS controls item permissions.
C. DDM hides columns while RLS hides tables.
D. DDM masks values while RLS filters rows.
Answer: D
Explanation
RLS determines which rows are visible, while DDM determines how sensitive values are displayed.
Question 5
Which security feature completely hides a column from users?
A. Dynamic Data Masking
B. Column-Level Security
C. Row-Level Security
D. Encryption
Answer: B
Explanation
Column-Level Security removes access to the column entirely, whereas DDM displays masked values.
Question 6
A company needs to protect sensitive data stored on disk.
Which technology should be used?
A. Dynamic Data Masking
B. Build Permission
C. Encryption
D. Row-Level Security
Answer: C
Explanation
Encryption protects stored data, while DDM only affects how data is displayed.
Question 7
Which type of data is commonly protected using Dynamic Data Masking?
A. Email addresses
B. Credit card numbers
C. Social Security numbers
D. All of the above
Answer: D
Explanation
DDM is commonly used to protect various forms of sensitive personal and financial information.
Question 8
A user can access a salary column but sees masked values instead of actual salaries.
Which security feature is being used?
A. Row-Level Security
B. Dynamic Data Masking
C. Object-Level Security
D. Folder-Level Security
Answer: B
Explanation
DDM allows access to the column while masking sensitive values.
Question 9
Which statement accurately describes Dynamic Data Masking?
A. It replaces all other security controls.
B. It prevents users from accessing tables.
C. It should be combined with other security mechanisms.
D. It filters data based on user region.
Answer: C
Explanation
DDM is one layer of security and should be used alongside permissions, RLS, CLS, and encryption.
Question 10
A company wants users to see the last four digits of credit card numbers while masking the rest.
Which solution is most appropriate?
A. Object-Level Security
B. Workspace-Level Security
C. Encryption
D. Dynamic Data Masking
Answer: D
Explanation
Dynamic Data Masking can reveal portions of sensitive values while masking the remaining characters.
Exam Tip
One of the most common DP-700 exam traps is confusing Dynamic Data Masking with other security technologies.
Remember:
| Requirement | Solution |
|---|---|
| Hide sensitive values | Dynamic Data Masking |
| Filter rows | Row-Level Security |
| Hide columns | Column-Level Security |
| Hide tables or measures | Object-Level Security |
| Protect stored data | Encryption |
If users should still be able to access a column but only see a masked version of its contents, Dynamic Data Masking is usually the correct answer.
