Microsoft's April 2026 Azure Database Security Newsletter highlights critical encryption enhancements, new auditing capabilities, and key management best practices for Azure SQL Database and Fabric SQL Database.
Welcome to the quarterly edition of the Azure Database Platform Security Newsletter. In this edition we highlight the importance of strong encryption for data security, and call out recent encryption, key management, and auditing enhancements designed to help you strengthen your security posture while simplifying operational management.
Data is one of the most critical assets organizations manage, and protecting it is essential to maintaining trust, resilience, and long-term success. As cyber threats continue to evolve and regulatory expectations increase, strong encryption has become a foundational requirement rather than an optional safeguard. Encryption protects sensitive data across its entire lifecycle. Data is encrypted at rest using Transparent Data Encryption (TDE), which protects stored data files and backups from being read outside the database engine; in transit using Transport Layer Security (TLS), which secures data as it moves between your application and the server; and in use through Always Encrypted, which encrypts and decrypts sensitive columns in the client driver so that plaintext and column keys never reach the database engine, keeping the data protected even from high-privileged users such as database administrators. Together, these capabilities reduce risk and support compliance obligations.
Feature Highlights
Customer-Managed Keys in Fabric SQL Database
Customer-Managed Keys (CMK) are now generally available for Fabric SQL Database, allowing you to use Azure Key Vault keys to encrypt all workspace data, including all SQL Database data. This feature gives organizations greater control over key management and helps meet data governance and encryption requirements. As with any CMK deployment, the encrypted data stays readable only while the key remains available and the service keeps access to it, so plan key retention and vault access accordingly. For a walkthrough, see the video How to encrypt Fabric SQL Database with Customer-Managed Keys.
Versionless keys for Transparent Data Encryption in Azure SQL Database
Azure SQL Database now lets you use versionless key URIs for Transparent Data Encryption (TDE) with customer-managed keys. Previously the TDE protector referenced a specific key version, so every rotation in Azure Key Vault or Managed HSM required updating the server's protector to point at the new version URI. With a versionless URI, the server automatically applies the latest enabled version of the key, which simplifies key rotation. Note that databases and backups encrypted with earlier versions still depend on those versions for restore, so rotation does not remove the need to retain them (see the Best Practices Corner below).
Auditing in Fabric SQL Database
Auditing for Fabric SQL Database is now generally available. Organizations can track and log database activities, answering questions about who accessed which data and when, for compliance, threat detection, and forensic analysis. Audit logs are stored in OneLake, and access to them is controlled by Fabric workspace roles and SQL permissions.
Best Practices Corner
Retain all historical TDE keys and key versions
Always keep all historical Transparent Data Encryption (TDE) keys and their versions. Databases and backups remain encrypted with the key version that was active at the time of encryption, and restoring an older database or backup requires access to that exact key version. Deleting older keys or versions can make restore impossible and result in permanent data loss. Keep soft-delete and purge protection enabled on the key vault (Azure SQL requires both for TDE with customer-managed keys) so that an accidental deletion can be recovered within the retention window. See Everything you need to know about TDE key management for database restore.
Apply the Principle of Least Privilege
Always grant users, applications, and services the minimum level of access required to perform their database tasks. Avoid broad administrative or owner-level permissions unless absolutely necessary. Regularly review, restrict, and remove excessive or unused privileges to reduce the attack surface and limit the impact of compromised credentials or configuration errors. This control aligns with established security standards such as NIST SP 800-53 (AC-6: Least Privilege), CIS Critical Security Controls, ISO/IEC 27002, and OWASP database security guidance.
Enable Auditing on Azure SQL and SQL Server
Always enable auditing on Azure SQL to record database activities for security monitoring, compliance, and forensic investigation. Auditing provides visibility into database access and changes, helping detect unauthorized or suspicious behavior and supporting incident response and regulatory requirements. Send the audit logs to a destination the audited principals cannot modify (a storage account, a Log Analytics workspace, or Event Hubs) so that an attacker with database access cannot erase the evidence of that access. See Auditing - Azure SQL Database.
Blogs and Video Spotlight
In the last three months, we've published blog posts on major releases and features. These updates offer practical insights and highlight the latest in data security and database management:
- Why ledger verification is non-negotiable
- How to Enable Microsoft Entra ID for Azure Cosmos DB (NoSQL)
- Why Developers and DBAs love SQL's Dynamic Data Masking (Series-Part 1)
- Announcing Preview of bulkadmin role support for SQL Server on Linux
- Zero Trust for data: Make Microsoft Entra authentication for SQL your policy baseline
Community & Events
The data platform security team will be on-site at several upcoming events. Come and say hi!
Previous events
- SQL Konferenz
- FABCON 26 - Microsoft Fabric Community Conference
- SQLCON - Microsoft SQL Community Conference
Upcoming events
- SQLBits
- DataGrillen
Call to action
Take 15 minutes this week to validate your database encryption posture: confirm TDE is enabled, review your key management plan (including retaining historical key versions), and ensure TLS is enforced for all connections. If you are using Fabric SQL Database, consider enabling Customer-Managed Keys and turning on Auditing to strengthen governance and investigation readiness. Share this newsletter with your security and DBA partners and align on one concrete improvement you can complete.
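The three checks in the call to action (TDE enabled, a key management plan that copes with rotation, TLS enforced) can be scripted against the JSON that the Azure CLI already emits, and the versionless-URI check also ties back to the versionless keys feature highlighted above. The script below is an added example, not code from the newsletter or from Microsoft; it consumes the output of `az sql db tde show`, `az sql server tde-key show` and `az sql server show` (field names `state`, `serverKeyType`, `uri` and `minimalTlsVersion` are assumed from current CLI output and should be verified against your CLI version), and the sample JSON it runs on is constructed for illustration. The key identifier parser assumes public-cloud Key Vault and Managed HSM DNS suffixes.

```python
"""Encryption posture check for an Azure SQL Database (added example, not Microsoft code).

Feed it the JSON from:
  az sql db tde show         --resource-group RG --server SRV --name DB
  az sql server tde-key show --resource-group RG --server SRV
  az sql server show         --resource-group RG --name SRV
Field names are assumed from current CLI output; verify against your CLI version.
"""
import json
import re

# Key Vault / Managed HSM key identifier: https://<vault>.<suffix>/keys/<name>[/<version>]
# Assumption: only the public-cloud DNS suffixes are recognised here.
_KEY_ID = re.compile(
    r"^https://[a-z0-9-]+\.(?:vault\.azure\.net|managedhsm\.azure\.net)"
    r"/keys/(?P<name>[A-Za-z0-9-]+)(?:/(?P<version>[0-9a-f]{32}))?$",
    re.IGNORECASE,
)


def parse_key_id(kid):
    """Return (key_name, version); version is None for a versionless URI."""
    m = _KEY_ID.match(kid.rstrip("/"))
    if not m:
        raise ValueError(f"not a Key Vault key identifier: {kid}")
    return m.group("name"), m.group("version")


def check_posture(tde, protector, server):
    """Evaluate the three call-to-action checks. Returns {check_name: (ok, detail)}."""
    results = {}

    # 1. TDE must be enabled on the database.
    state = tde.get("state")
    results["tde_enabled"] = (state == "Enabled", f"state={state}")

    # 2. With a customer-managed key, prefer a versionless protector URI so that a
    #    rotation in Key Vault is picked up automatically instead of being pinned.
    key_type = protector.get("serverKeyType")
    if key_type == "AzureKeyVault":
        name, version = parse_key_id(protector["uri"])
        ok = version is None
        detail = f"CMK {name} " + ("uses a versionless URI" if ok else f"is pinned to version {version}")
    else:
        # Service-managed keys are rotated by the platform; nothing to pin.
        ok, detail = True, f"serverKeyType={key_type} (service-managed)"
    results["cmk_versionless"] = (ok, detail)

    # 3. The server must reject clients below TLS 1.2.
    tls = str(server.get("minimalTlsVersion"))
    results["tls_enforced"] = (tls in ("1.2", "1.3"), f"minimalTlsVersion={tls}")
    return results


def failing_checks(results):
    """Names of the checks that did not pass, in a stable order."""
    return sorted(name for name, (ok, _) in results.items() if not ok)


# Constructed sample output mimicking the three CLI commands for one server.
SAMPLE_TDE = json.loads('{"name": "current", "state": "Enabled"}')
SAMPLE_PROTECTOR = json.loads(
    '{"serverKeyType": "AzureKeyVault", '
    '"uri": "https://contoso-kv.vault.azure.net/keys/tde-protector/'
    '0123456789abcdef0123456789abcdef"}'
)
SAMPLE_SERVER = json.loads('{"name": "contoso-sql", "minimalTlsVersion": "1.1"}')

if __name__ == "__main__":
    report = check_posture(SAMPLE_TDE, SAMPLE_PROTECTOR, SAMPLE_SERVER)
    for check, (ok, detail) in report.items():
        print(f"{'PASS' if ok else 'FAIL'}  {check:16s} {detail}")
    print("needs attention:", ", ".join(failing_checks(report)) or "nothing")
```

On the constructed sample the script passes the TDE check but flags the protector as pinned to a specific key version and the server for still accepting TLS 1.1; both are the kind of drift the 15-minute review is meant to catch. The check cannot tell whether historical key versions are retained, which still has to be confirmed in Key Vault itself.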
Updated Apr 01, 2026, version 1.0. Published by PieterVanhove (Microsoft) on the Core Infrastructure and Security Blog.