The database holds the truth. Microsoft Entra Sensitive Columns decide who gets to see it.

Sensitive Columns in Microsoft Entra define and protect fields that carry critical or private data. Think names, addresses, financial records, or unique identifiers. By marking a column as sensitive, you create a security boundary that controls access at the field level, even inside authorized tables. This approach limits exposure and enforces compliance without locking down the entire dataset.

Microsoft Entra integrates Sensitive Columns with role-based access control (RBAC) and conditional checks. Permissions apply directly to columns, not just tables. When a request comes through, Entra evaluates the user's identity, group membership, and policy rules before returning the data. If the user fails the check, the column stays hidden or returns null. This prevents data leakage in shared queries, API responses, and reporting dashboards.

You define Sensitive Columns in Entra in the data security policy configuration: identify the dataset, select the column, and set sensitivity levels. Sensitivity classification can be integrated with Microsoft Purview for automated discovery based on data type patterns, matching rules, or external compliance requirements. Once defined, restrictions apply across services that rely on Entra policies, including Azure SQL Database, Synapse, and custom applications wired into Entra ID.

Sensitive Columns are essential for adhering to regulations like GDPR, HIPAA, and PCI DSS. They enforce least-privilege access without massive schema changes. They also reduce the blast radius of compromised accounts, since exposed datasets return only non-sensitive fields. Auditing capabilities in Entra log every access attempt for review by security teams.
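The evaluation and auditing behaviour described above (group check per column, hidden or null on failure, every attempt logged) can be modelled in a few lines. This is an added illustration, not Microsoft Entra's API or hoop.dev code; the policy table, group names, sample row, and the `ColumnFilter` class are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed policy: sensitive column -> groups allowed to read it.
# Columns not listed here are treated as non-sensitive.
SENSITIVE_COLUMNS = {
    "ssn": {"compliance-auditors"},
    "card_number": {"payments-ops"},
    "email": {"support", "compliance-auditors"},
}

@dataclass
class ColumnFilter:
    policy: dict
    mode: str = "null"  # "null" returns None; any other value hides the column
    audit_log: list = field(default_factory=list)

    def allowed(self, groups, column):
        required = self.policy.get(column)
        # Non-sensitive columns pass; sensitive ones need a group overlap.
        return required is None or bool(required & set(groups))

    def apply(self, user, groups, rows):
        """Return rows with sensitive columns nulled or hidden for this user."""
        columns = sorted({c for r in rows for c in r})
        decisions = {c: self.allowed(groups, c) for c in columns}
        # Log every decision on a sensitive column, allow and deny alike.
        for col, ok in decisions.items():
            if col in self.policy:
                self.audit_log.append(
                    {"user": user, "column": col,
                     "result": "allow" if ok else "deny"})
        out = []
        for row in rows:
            filtered = {}
            for col, value in row.items():
                if decisions[col]:
                    filtered[col] = value
                elif self.mode == "null":
                    filtered[col] = None
                # Otherwise the column is omitted (fails closed).
            out.append(filtered)
        return out

# Constructed sample row.
ROWS = [{"id": 1, "name": "A. Example", "email": "a@example.test",
         "ssn": "000-00-0000", "card_number": "4111111111111111"}]

if __name__ == "__main__":
    f = ColumnFilter(SENSITIVE_COLUMNS)
    print(f.apply("sam", ["support"], ROWS))
    print(f.audit_log)
```

The deny entries in the audit log are the ones to alert on: repeated denials for the same user and column suggest probing from a compromised or over-curious account.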

To see Microsoft Entra Sensitive Columns in action without long integrations, deploy a test in hoop.dev. Build the policies, run queries, and watch the filters work in minutes.