
Commit a322e22

Merge pull request #36803 from HugoMSFT/docs-editor/sql-data-sync-best-practices-1773079266
Update sql-data-sync-best-practices.md
2 parents 3857e47 + bed690b commit a322e22

1 file changed

Lines changed: 9 additions & 1 deletion


azure-sql/database/sql-data-sync-best-practices.md
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ description: Learn about best practices for configuring and running Azure SQL Da
44
author: WilliamDAssafMSFT
55
ms.author: wiassaf
66
ms.reviewer: mathoma, hudequei
7-
ms.date: 09/23/2024
7+
ms.date: 03/12/2026
88
ms.service: azure-sql-database
99
ms.subservice: sql-data-sync
1010
ms.topic: best-practice
@@ -58,6 +58,14 @@ Azure SQL Database supports only a single set of credentials. To accomplish thes
5858
- Change the credentials for different phases (for example, *credentials1* for setup and *credentials2* for ongoing).
5959
- Change the permission of the credentials (that is, change the permission after sync is set up).
6060

61+
### Minimize credential exposure
62+
63+
- **Use a dedicated database user with minimal permissions.** When configuring SQL Data Sync, create a dedicated SQL user whose access is restricted to only the tables and operations required for synchronization. Avoid using a broadly privileged account. For the specific permissions needed during each phase, see [Database accounts with least required privileges](#database-accounts-with-least-required-privileges).
64+
65+
- **Create a separate SQL user for each database in the sync group.** For every database that participates in synchronization (hub and members), create and use a distinct SQL user account with permissions scoped to that database. If one set of credentials is compromised, exposure is limited to the data in that single database rather than the entire sync topology.
66+
67+
- **Delete sync groups that are no longer in use.** SQL Data Sync stores the SQL authentication credentials you provide for the lifetime of the sync group. Once synchronization is no longer needed [delete the sync group](sql-data-sync-sql-server-configure.md) to remove stored credentials, including any sync groups created for one-time data moves.
68+
6169
### Auditing
6270

6371
It is recommended to enable auditing at the level of the databases in the sync groups. Learn how to [enable auditing on your Azure SQL database](auditing-overview.md) or [enable auditing on your SQL Server database](/sql/relational-databases/security/auditing/sql-server-audit-database-engine).
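Review bot: The third new bullet (line 67+) is missing a comma before the link: "Once synchronization is no longer needed, [delete the sync group](sql-data-sync-sql-server-configure.md) to remove stored credentials". Two style points in the same hunk: the doubled blank lines between the new bullets (62+/63+, 64+/65+, 66+/67+) should be collapsed to a single blank line so the list renders like the single-spaced list directly above it, and the "Delete sync groups that are no longer in use" bullet would read more directly if the one-time data move case came first ("including sync groups created for one-time data moves") rather than as a trailing clause after the link. The first bullet's cross-reference `#database-accounts-with-least-required-privileges` should be checked against the actual heading slug in this file, since an anchor typo renders silently as a dead link.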
