Azure Synapse Analytics Documentation

Secure Azure Synapse Analytics

Azure Synapse Analytics provides a comprehensive set of security features to protect data at rest, in motion, and during processing. This guide covers authentication, network security, encryption, and governance best practices.

Authentication & Access Control

  • Azure Active Directory (AAD) – Centralized identity management with role‑based access control (RBAC).
  • Managed Identities – Allow Synapse to access other Azure services without storing credentials.
  • SQL Authentication – Supported for backward compatibility; use strong passwords and rotation policies.

-- Example: Create a database user mapped to an AAD group
CREATE USER [aad_group_name] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [aad_group_name];

Network Isolation

  • Managed Private Endpoints – Connect Synapse workspace to Azure resources over a private link.
  • Virtual Network (VNet) Integration – Deploy workspaces within a VNet to restrict inbound/outbound traffic.
  • Firewall Rules – Define allowed IP ranges for portal access.

// ARM template snippet for a private endpoint
{
  "type": "Microsoft.Network/privateEndpoints",
  "name": "synapse-pe",
  "properties": {
    "subnet": { "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('vnetName'), variables('subnetName'))]" },
    "privateLinkServiceConnections": [
      {
        "name": "synapse-connection",
        "properties": {
          "privateLinkServiceId": "[resourceId('Microsoft.Synapse/workspaces', parameters('workspaceName'))]",
          "groupIds": [ "sql" ]
        }
      }
    ]
  }
}

Encryption

  • Transparent Data Encryption (TDE) – Automatic encryption at rest using service‑managed keys.
  • Customer‑Managed Keys (CMK) – Use your own Azure Key Vault keys for TDE.
  • Always Encrypted – Protect sensitive columns end‑to‑end.
  • Data in Transit – TLS 1.2 enforced for all connections.

# Enable Customer-Managed Key for a Synapse workspace
az synapse workspace update \
  --name myWorkspace \
  --resource-group myRG \
  --key-name myKey \
  --key-vault-url https://myKeyVault.vault.azure.net/

Governance & Auditing

  • Azure Policy – Enforce security configurations across Synapse resources.
  • Auditing – Log queries, login events, and data changes to Log Analytics or Storage.
  • Data Classification – Tag sensitive data for automated protection.

# Enable workspace-level SQL auditing to a storage account
az synapse sql audit-policy update \
  --workspace-name myWorkspace \
  --resource-group myRG \
  --state Enabled \
  --blob-storage-target-state Enabled \
  --storage-account myauditstorage \
  --storage-key-type Primary
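
As an added example that is not part of the original documentation, the script below checks a workspace description against the controls covered in the Network Isolation, Encryption and Governance sections (public access disabled, managed VNet, private endpoints, customer-managed key, auditing enabled with a storage target). The field names are assumed to follow the shape of `az synapse workspace show` and `az synapse sql audit-policy show` output, and both sample documents are constructed, not captured from a real workspace.

```python
"""Security-baseline check for an Azure Synapse workspace description.

Field names are assumptions modelled on az CLI JSON output; the two sample
documents below are constructed for illustration.
"""
import json

# Constructed sample: workspace that still allows public access, has no CMK and no auditing.
SAMPLE_WORKSPACE_JSON = json.dumps({
    "name": "myWorkspace",
    "publicNetworkAccess": "Enabled",
    "managedVirtualNetwork": None,
    "encryption": {"cmk": None},
    "privateEndpointConnections": [],
    "auditPolicy": {"state": "Disabled", "storageEndpoint": None},
})

# Constructed sample: the same workspace after applying the controls in this guide.
SAMPLE_HARDENED_JSON = json.dumps({
    "name": "myWorkspace",
    "publicNetworkAccess": "Disabled",
    "managedVirtualNetwork": "default",
    "encryption": {"cmk": {"key": {"keyVaultUrl": "https://myKeyVault.vault.azure.net/keys/myKey"}}},
    "privateEndpointConnections": [{"name": "synapse-pe"}],
    "auditPolicy": {"state": "Enabled", "storageEndpoint": "https://myauditstorage.blob.core.windows.net/"},
})


def check_workspace(doc: str) -> list:
    """Return a list of findings; an empty list means the baseline is met."""
    ws = json.loads(doc)
    findings = []
    # Network isolation: no public endpoint, managed VNet, at least one private endpoint.
    if ws.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append("public network access is enabled")
    if not ws.get("managedVirtualNetwork"):
        findings.append("workspace is not deployed in a managed virtual network")
    if not ws.get("privateEndpointConnections"):
        findings.append("no private endpoint connections")
    # Encryption at rest: a customer-managed key in Key Vault, not only the service-managed TDE key.
    cmk = (ws.get("encryption") or {}).get("cmk") or {}
    if not (cmk.get("key") or {}).get("keyVaultUrl"):
        findings.append("no customer-managed key configured")
    # Governance: auditing must be enabled and actually shipped to a storage target.
    audit = ws.get("auditPolicy") or {}
    if audit.get("state") != "Enabled":
        findings.append("auditing is disabled")
    elif not audit.get("storageEndpoint"):
        findings.append("auditing enabled but no storage target")
    return findings


if __name__ == "__main__":
    for finding in check_workspace(SAMPLE_WORKSPACE_JSON):
        print("FINDING:", finding)
```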