|
1 | 1 | ---
|
2 | 2 | title: Secure your Azure Data Factory
|
3 |
| -description: Learn how to secure <service>, with best practices for <summary of #Required; article description that is displayed in search results. Include the word "secure" or "security", as well as the Azure service name. |
| 3 | +description: Learn how to secure Azure Data Factory, with best practices for network security, identity management, data protection, and recovery. |
4 | 4 | author: whhender #Required; your GitHub user alias.
|
5 | 5 | ms.author: whhender #Required; Microsoft alias of author; optional team alias.
|
6 | 6 | ms.service: azure-data-factory #Required; service per approved list. service slug assigned to your service by ACOM.
|
7 | 7 | ms.topic: concept-article #Required
|
8 | 8 | ms.custom: horz-security #Required
|
9 |
| -ms.date: 06/04/2025 #Required; mm/dd/yyyy format. |
| 9 | +ms.date: 06/17/2025 #Required; mm/dd/yyyy format. |
| 10 | +ai-usage: ai-assisted |
10 | 11 | ---
|
11 | 12 |
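Review bot: the template scaffolding comments left on the author, ms.author, ms.service, ms.topic, ms.custom and ms.date lines (`#Required; your GitHub user alias.`, `#Required; service per approved list...`, `#Required; mm/dd/yyyy format.`) are authoring instructions from the article template rather than metadata; strip them so the frontmatter carries only the values, the way the newly added `ai-usage: ai-assisted` line does.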
|
12 | 13 | # Secure your Azure Data Factory deployment
|
13 | 14 |
|
14 |
| -Azure Data Factory is a cloud-based data integration service that allows you to create data-driven workflows for orchestrating and automating data movement and data transformation. Securing Azure Data Factory is crucial to protect sensitive data, ensure compliance, and maintain the integrity of your data workflows. |
| 15 | +Azure Data Factory is a cloud-based data integration service that allows you to create workflows for orchestrating and automating data movement and data transformation. Securing Azure Data Factory is crucial to protect sensitive data, ensure compliance, and maintain the integrity of your data workflows. |
15 | 16 |
|
16 | 17 | This article provides guidance on how to best secure your Azure Data Factory deployment.
|
17 | 18 |
|
18 | 19 | ## Network security
|
19 | 20 |
|
20 |
| -Network security is essential for protecting your Azure Data Factory from unauthorized access and potential threats. Implementing robust network security measures helps to isolate and secure your data integration processes. |
| 21 | +Network security is essential for protecting your Azure Data Factory from unauthorized access and potential threats, and protecting your data in movement. Implementing robust network security measures helps to isolate and secure your data integration processes. |
21 | 22 |
|
22 |
| -* **Isolate and segment workloads using Virtual Networks (VNets)**: Use VNets to create isolated network environments for your data factory, enabling segmentation of workloads based on risk. VNets help control traffic within the cloud infrastructure. See [Azure Virtual Network](/azure/virtual-network/virtual-networks-overview). |
| 23 | +* **Isolate and segment workloads using Virtual Networks (VNets)**: Use VNets to create isolated network environments for your data factory and data sources, enabling segmentation of workloads based on risk. VNets help control traffic within the cloud infrastructure. Depending on your source locations, see: |
| 24 | + - [Join Azure-SSIS integration runtime to a virtual network](join-azure-ssis-integration-runtime-virtual-network.md) |
| 25 | + - [Join your Azure integration runtime to a managed virtual network](tutorial-managed-virtual-network-migrate.md) |
23 | 26 |
|
24 |
| -* **Secure service access using Private Links**: Securely connect to Azure Data Factory within your virtual network, preventing exposure to the public internet. This enhances data privacy and reduces attack vectors. See [Azure Private Link]private-link-overview. |
| 27 | +* **Control traffic flow with Network Security Groups (NSGs)**: Apply NSGs to control inbound and outbound traffic for virtual machines and subnets within VNets. Use a "deny by default, permit by exception" approach to restrict traffic flow and protect sensitive resources. If you've joined Azure Data Factory to a virtual network, on the NSG that is automatically created by Azure Data Factory, Port 3389 is open to all traffic by default. Lock the port down to make sure that only your administrators have access. To manage your NSGs, see [Network security groups](../virtual-network/network-security-groups-overview.md). |
25 | 28 |
|
26 |
| -* **Control traffic flow with Network Security Groups (NSGs)**: Apply NSGs to control inbound and outbound traffic for virtual machines and subnets within VNets. Use a "deny by default, permit by exception" approach to restrict traffic flow and protect sensitive resources. See [Network security groups](/azure/virtual-network/network-security-groups-overview). |
| 29 | +* [Secure your self-hosted integration runtime nodes by enabling remote access from intranet with TLS/SSL certificates](https://learn.microsoft.com/en-us/azure/data-factory/tutorial-enable-remote-access-intranet-tls-ssl-certificate.md) - Multiple self-hosted integration runtime nodes can be deployed to balance load and provide high availability, and enabling remote access from intranet with TLS/SSL certificates ensures secure communication between integration runtime nodes. |
27 | 30 |
|
28 |
| -* **Use a centralized firewall for enhanced network security**: Deploy Azure Firewall to provide centralized, network-layer protection for your cloud environment. Azure Firewall helps filter traffic between subnets and VMs and supports high availability and scalability. See the [Azure Firewall documentation](/azure/firewall/). |
| 31 | +* **Secure service access using Private Links**: Securely connect to Azure Data Factory from your self-hosted integration runtime and your Azure platform resources, preventing exposure to the public internet. This enhances data privacy and reduces attack vectors. By using Azure Private Link, you can connect to various platforms as a service (PaaS) deployments in Azure via a private endpoint. See [Azure Private Link for Data Factory](data-factory-private-link). |
29 | 32 |
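Review bot: the NSG bullet's "Lock the port down" instruction is too vague for the risk it describes (port 3389 open to all traffic on the NSG the service creates automatically); say what the lock-down is, for example restricting the source of that inbound rule to the administrators' address range, or removing the rule when remote desktop access to the nodes is not needed, so the reader has a concrete check rather than an intention. Two link problems in the same region: the self-hosted integration runtime bullet links to an absolute `https://learn.microsoft.com/en-us/azure/data-factory/tutorial-enable-remote-access-intranet-tls-ssl-certificate.md` URL, inconsistent with the repo-relative links in every other bullet and carrying a `.md` suffix that belongs to the source file rather than the published page, and the Private Link bullet links `data-factory-private-link` without the `.md` extension the other relative links carry. That same self-hosted IR bullet also uses the link text as its lead instead of the `**Bold title**:` pattern used by the other items.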
|
30 | 33 | ## Identity management
|
31 | 34 |
|
32 | 35 | Identity management ensures that only authorized users and services can access your Azure Data Factory. Implementing strong identity management practices helps to prevent unauthorized access and protect sensitive data.
|
33 | 36 |
|
34 |
| -* **Centralize identity and access management**: Use Microsoft Entra as your centralized identity and authentication management system for governing access to Azure Data Factory and other resources. Standardizing on Microsoft Entra ensures consistent identity management and reduces risks. See /entra. |
| 37 | +* **Apply least privilege principles**: Use Azure Data Factory's role-based access control (RBAC) to assign the minimum necessary permissions to users and services, ensuring that they only have access to what is needed to perform their duties. Regularly review and adjust roles to align with the principle of least privilege. See [Roles and permissions in Azure Data Factory](concepts-roles-permissions.md). |
35 | 38 |
|
36 |
| -* **Implement single sign-on (SSO)**: Implement SSO through Microsoft Entra to provide seamless access to Azure Data Factory using a single identity. This improves user experience and reduces the attack surface by minimizing the need for multiple passwords. See [Microsoft Entra Single Sign-On](/entra/identity/hybrid/connect). |
37 |
| - |
38 |
| -* **Use managed identities for secure application access**: Use managed identities in Azure to securely authenticate applications and services without the need to manage credentials. This provides a secure and simplified way to access resources like Azure Key Vault or Azure SQL Database. See [Managed Identities](/entra/identity/managed-identities-azure-resources). |
39 |
| - |
40 |
| -* **Security through conditional access policies**: Set up conditional access policies in Microsoft Entra to enforce security controls based on user, location, or device context. These policies allow dynamic enforcement of security requirements based on risk, enhancing overall security posture. See [Microsoft Entra Conditional Access](/entra/identity/conditional-access) |
41 |
| - |
42 |
| -* **Privileged access management** is critical for securing administrative access to Azure Data Factory. Implementing strict access controls and monitoring privileged accounts helps to minimize the risk of unauthorized access to sensitive resources. |
43 |
| - |
44 |
| -* **Apply least privilege principles**: Use role-based access control (RBAC) to assign the minimum necessary permissions to users and services, ensuring that they only have access to what is needed to perform their duties. Regularly review and adjust roles to align with the principle of least privilege. See [Azure RBAC](/azure/role-based-access-control/overview). |
45 |
| - |
46 |
| -* **Limit privileged access using just-in-time (JIT) elevation**: Use Entra Privileged Identity Management (PIM) to grant privileged roles only when needed. This reduces the risk of long-standing elevated access and ensures that users have elevated permissions only for the time required to complete their tasks. See [Privileged Identity Management](/entra/id-governance/privileged-identity-management) |
47 |
| - |
48 |
| -* **Multifactor authentication (MFA) for privileged accounts**: Require MFA for all users with elevated permissions to ensure an additional layer of security. This significantly reduces the risk of account compromise even if passwords are stolen or guessed. See [How Microsoft Entra multifactor authentication works](/entra/identity/authentication/concept-mfa-howitworks). |
49 |
| - |
50 |
| -* **Monitor and log privileged activities**: Ensure all privileged actions are logged for auditing purposes. Use Azure Monitor and Microsoft Sentinel to track administrative activities and detect suspicious behavior in real-time. See [Azure Monitor](/azure/azure-monitor/fundamentals/overview) and [Azure Sentinel](/azure/sentinel/). |
| 39 | +* **Use managed identities for secure access without credentials**: Use managed identities in Azure to securely authenticate Azure Data Factory with Azure services, without the need to manage credentials. This provides a secure and simplified way to access resources like Azure Key Vault or Azure SQL Database. See [Managed Identities for Azure Data Factory](data-factory-service-identity.md). |
51 | 40 |
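Review bot: this region drops the MFA, just-in-time (PIM), conditional access and "Monitor and log privileged activities" bullets and, together with the removal of the whole "Logging and threat detection" section later in this diff, leaves the article with no guidance on auditing or detecting misuse of the factory at all. Narrowing the scope to Data Factory-specific content is reasonable, but keep at least a one-line pointer to the service's diagnostic and activity logs, and to MFA and PIM for the accounts that hold administrative roles on the factory; least privilege without any audit trail is not a complete identity story. Minor: "Use Azure Data Factory's role-based access control (RBAC)" should read "Use Azure role-based access control (RBAC)", as the removed line did; RBAC is an Azure platform feature and the linked article describes the Data Factory roles defined within it.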
|
52 | 41 | ## Data protection
|
53 | 42 |
|
54 |
| -Data protection is vital for ensuring the confidentiality, integrity, and availability of your data within Azure Data Factory. Implementing robust data protection measures helps to safeguard sensitive information and comply with regulatory requirements. |
| 43 | +Implementing robust data protection measures helps to safeguard sensitive information and comply with regulatory requirements. Azure Data Factory doesn't store data itself, so implementing [network security](#network-security) and [identity management](#identity-management) is essential to protect the data in transit. However, there are some tools and practices you can use to further protect your data in process. |
55 | 44 |
|
56 |
| -* **Encrypt data at rest and in transit**: Use Azure Storage encryption to protect data at rest and Azure Key Vault to manage encryption keys. Ensure that data in transit is encrypted using TLS. See [Azure Storage encryption](/azure/storage/common/storage-service-encryption) |
| 45 | +* **Use Microsoft Purview to identify and track sensitive data**: Integrate Azure Data Factory with Microsoft Purview to discover, classify, and manage sensitive data through its lifecycle. This helps to ensure that sensitive information is handled appropriately and complies with data protection regulations. See [Microsoft Purview integration with Data Factory](connect-data-factory-to-azure-purview.md). |
57 | 46 |
|
58 |
| -* **Implement data masking and tokenization**: Use Azure Data Factory's built-in data masking and tokenization features to protect sensitive data during processing. This helps to prevent unauthorized access to sensitive information. See [Data masking in Azure Data Factory](/azure/data-factory/solution-template-pii-detection-and-masking) |
| 47 | +* **Encrypt data at rest and in transit**: Azure Data Factory encrypts data at rest, including entity definitions and any data cached while runs are in progress. By default, data is encrypted with a randomly generated Microsoft-managed key that is uniquely assigned to your data factory. For extra security guarantees, you can now enable Bring Your Own Key (BYOK) with customer-managed keys feature in Azure Data Factory. See [Encrypt Azure Data Factory with customer-managed keys](enable-customer-managed-key.md) |
59 | 48 |
|
60 |
| -* **Use Azure Policy to enforce data protection standards**: Apply Azure Policy to enforce data protection standards across your Azure Data Factory deployment. This helps to ensure compliance with organizational and regulatory requirements. See [Azure Policy](/azure/governance/policy/overview). |
| 49 | +* **Restrict the exposure of credentials and secrets**: Use Azure Key Vault to securely store and manage sensitive information such as connection strings, secrets, and certificates. Integrate Azure Data Factory with Azure Key Vault to retrieve secrets at runtime, ensuring that sensitive data isn't hard-coded in pipelines or datasets. See [Azure Key Vault integration with Data Factory](store-credentials-in-key-vault.md). |
61 | 50 |
|
62 |
| -## Logging and threat detection |
63 |
| - |
64 |
| -Logging and threat detection are essential for identifying and responding to security incidents in Azure Data Factory. Implementing comprehensive logging and monitoring helps to detect threats and ensure timely response to potential security issues. |
65 |
| - |
66 |
| -* **Centralize log collection and analysis with Microsoft Sentinel**: Aggregate and analyze logs from Azure Data Factory using Microsoft Sentinel. This helps correlate security events and provides a comprehensive view for detecting threats and investigating incidents. See [Microsoft Sentinel](/azure/sentinel/). |
67 |
| - |
68 |
| -* **Enable native threat detection and security monitoring**: Use Microsoft Defender for Cloud to monitor threats across Azure Data Factory. It provides built-in threat detection and security alerting capabilities. See [Microsoft Defender for Cloud](/azure/defender-for-cloud) |
69 |
| - |
70 |
| -* **Analyze performance and security with Azure Monitor**: Use Azure Monitor to collect data from Azure Data Factory. It helps track performance metrics, provides real-time monitoring, and offers analytics capabilities for troubleshooting and proactive threat detection. See [Azure Monitor](/azure/azure-monitor/overview). |
71 |
| - |
72 |
| -* **Enable and configure network logging**: Configure network security logging using Azure tools like Network Security Group (NSG) flow logs and Azure Firewall logs. These logs can be sent to Azure Monitor for analysis and visualized using Traffic Analytics to provide insights into network traffic and detect suspicious activity. See [NSG Flow Logs](/azure/network-watcher/nsg-flow-logs-overview). |
| 51 | +* **Use Azure Policy to enforce data protection standards**: Apply Azure Policy to enforce data protection standards across your Azure Data Factory deployment. This helps to ensure compliance with organizational and regulatory requirements. See [Azure Policy built-in definitions for Data Factory](policy-reference.md). |
73 | 52 |
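Review bot: the new intro sentence says Azure Data Factory "doesn't store data itself", but the encryption bullet two items later says the service "encrypts data at rest, including entity definitions and any data cached while runs are in progress"; as written the two statements contradict each other. Reword the intro along the lines of "doesn't persist your data beyond what it caches during a run", so the reader sees why both the in-transit controls and the at-rest encryption matter. Also in the encryption bullet: "enable Bring Your Own Key (BYOK) with customer-managed keys feature" is missing an article ("with the customer-managed keys feature"), and the closing "See [Encrypt Azure Data Factory with customer-managed keys](enable-customer-managed-key.md)" sentence lacks its period, unlike the other bullets.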
|
74 | 53 | ## Backup and recovery
|
75 | 54 |
|
76 |
| -Backup and recovery are critical for ensuring that data and configurations in Azure Data Factory are protected and recoverable in case of failures or disasters. Implementing robust backup and recovery measures helps to maintain business continuity and minimize data loss. |
77 |
| - |
78 |
| -* **Automate backups for critical resources**: Use Azure Backup to automate regular backups for Azure Data Factory. Ensure that the backup frequency and retention policies align with your business requirements. Use Azure Policy to automatically enable backups for new resources. See [Azure Backup](/azure/backup/). |
| 55 | +Backup and recovery are critical for ensuring that data and configurations in Azure Data Factory are protected and recoverable in case of failures or disasters. |
79 | 56 |
|
80 |
| -* **Protect backup data with encryption and access controls**: Secure your backup data using encryption at rest and in transit. Apply Azure RBAC and multi-factor authentication (MFA) to control access to backup operations and data. Enable soft delete to protect against accidental or malicious deletions. See See [Azure Backup Security](/azure/backup/security-overview). |
| 57 | +* **Implement source control for Azure Data Factory**: Use Azure Repos or GitHub to manage your Azure Data Factory configurations and pipelines. This allows you to version control your data factory resources, track changes, and collaboration. See [Source control for Azure Data Factory](source-control.md). |
81 | 58 |
|
82 |
| -* **Ensure disaster recovery with cross-region and geo-redundant storage**: Use geo-redundant storage (GRS) to replicate backup data across different Azure regions, ensuring data availability in case of regional outages. For zone-specific protection, enable zone-redundant storage (ZRS) for resilient backups. Consider cross-region restore to recover data in case of a disaster in the primary region. See [Azure Backup Geo-Redundancy](/azure/backup/backup-create-rs-vault#set-cross-region-restore). |
| 59 | +* **Implement continuous integration and continuous delivery (CI/CD)**: Azure Data Factory utilizes Azure Resource Manager templates to store the configuration of your various ADF entities (pipelines, datasets, data flows, and so on). This protects your production deployments from accidental changes, and can provide a deployable backup of your environment. See [CI/CD for Azure Data Factory](continuous-integration-delivery.md). |
83 | 60 |
|
84 |
| -* **Monitor backup health and compliance**: Use Azure Backup Center to monitor backup health, get alerts for critical incidents, and audit user actions on vaults. Ensure that all business-critical resources are compliant with defined backup policies by auditing through Azure Policy. See [Backup Center](/azure/backup/backup-center-govern-environment). |
| 61 | +## Related content |
85 | 62 |
|
86 |
| -* **Test recovery processes regularly**: Periodically perform recovery tests to validate the integrity and availability of backup data. Ensure that the tests align with your RTO and RPO goals to meet business continuity requirements. Use Azure Backup’s built-in recovery testing features to simplify and automate the process. See [Azure Backup Testing](/azure/backup/backup-azure-restore-files-from-vm) |
| 63 | +* For scenario-based security considerations, see [Security considerations for Azure Data Factory](data-movement-security-considerations.md). |
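Review bot: the section intro still promises that "data and configurations" are recoverable, but after this change the two bullets (source control, CI/CD with Resource Manager templates) cover configuration only, and the data protection section above states the service doesn't store data itself; narrow the intro to pipeline and entity definitions, or say explicitly that data recovery belongs to the connected data stores. The source control bullet's list isn't parallel: "version control your data factory resources, track changes, and collaboration" should end "and collaborate". And since "Test recovery processes regularly" is removed, consider one sentence on verifying that a redeployment from the exported template actually restores a working factory, so the "deployable backup" claim in the CI/CD bullet is backed by a recovery step.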