CosmosDB TTL changes: Data Masking Policy is not enabled on this account

Harpreet Gill 0 Reputation points
2025-10-28T20:38:52.8566667+00:00

Hi,

I am trying to update the TTL setting on the existing CosmosDB container, but I receive the following error message. Do you know how to fix it and why it is happening?

Failed to update container TestTTL:

Message: {"code":"BadRequest","message":"Message:

{"Errors":["Data Masking Policy is not enabled on this account."]}\r\n

ActivityId: 756a27c9-b856-4ebe-a10b-31ae9bc250d0,

Azure Cosmos DB
An Azure NoSQL database service for app development.

2 answers

  1. Amira Bedhiafi 39,646 Reputation points Volunteer Moderator
    2025-10-29T13:30:43.5666667+00:00

    Hello Harpreet!

    Thank you for posting on Microsoft Learn Q&A.

    Cosmos DB recently added support in the control plane for defining a dataMaskingPolicy object on a container.

    When you use the Portal or some SDK/ARM to update the container (for example to change TTL), the request body that gets sent can include all container properties including dataMaskingPolicy.

    If your account does not have data masking enabled, Cosmos will reject any request that even mentions that property even if you're not trying to turn it on.

    If you use the Cosmos DB REST API or ARM template/PUT call and only send the allowed properties (like defaultTtl) without any dataMaskingPolicy, the update should succeed.

    For a Core (SQL) API container, the body for replace container looks like this shape:

    {
      "id": "TestTTL",
      "partitionKey": {
        "paths": ["/yourPartitionKey"],
        "kind": "Hash"
      },
      "defaultTtl": 3600
    }
    

    I


  2. Mahesh Kurva 9,800 Reputation points Microsoft External Staff Moderator
    2025-10-30T14:13:13.6033333+00:00

    Hi Harpreet Gill,

    Thanks for getting back.

    How can I enable the Data Masking Policy in the control plane to use the portal for making changes in the container?

    As of now, data masking in Cosmos DB is a new feature and not enabled by default. Microsoft has not yet published a direct toggle in the portal or CLI to enable it universally.

    However, here are your options:

    Option 1: Use REST API or ARM Template Without dataMaskingPolicy

    You can bypass the issue by explicitly excluding the dataMaskingPolicy field when updating the container. Example payload for updating TTL:

    {
      "id": "TestTTL",
      "partitionKey": {
        "paths": ["/yourPartitionKey"],
        "kind": "Hash"
      },
      "defaultTtl": 3600
    }
    
    
    

    Option 2: Use Always Encrypted (Alternative)

    If your goal is to protect sensitive data, consider using Always Encrypted with client-side encryption. This allows you to encrypt specific fields before storing them in Cosmos DB. You’ll need:

    • Azure Key Vault
    • Encryption libraries in your client application
    • Configuration of Column Master Keys (CMKs)

    More details: Use client-side encryption with Always Encrypted for Azure Cosmos DB

    I hope this information helps. Please do let us know if you have any further queries.
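
Added example, not part of either answer above and not Microsoft's code: one way to build the replace-container body that both answers describe, starting from the container definition you already have, so that partitionKey and indexingPolicy are carried over unchanged while dataMaskingPolicy is left out. The function name, the sample container and its empty dataMaskingPolicy value are constructed for illustration; the TTL range check and the removal of underscore-prefixed fields go beyond what the answers state.

```python
import copy
import json

# Constructed sample of a container definition as a tool might read it back;
# the contents of "dataMaskingPolicy" are a placeholder, not a documented schema.
SAMPLE_CONTAINER = {
    "id": "TestTTL",
    "partitionKey": {"paths": ["/yourPartitionKey"], "kind": "Hash"},
    "indexingPolicy": {"indexingMode": "consistent", "automatic": True},
    "dataMaskingPolicy": {},
    "_rid": "constructed-rid",
    "_etag": "constructed-etag",
}

MAX_TTL_SECONDS = 2147483647  # defaultTtl is a 32-bit signed integer


def build_ttl_update_body(container, default_ttl):
    """Return (body, removed_policy) for a replace-container call.

    body keeps every user-set property of `container`, sets defaultTtl and
    omits dataMaskingPolicy; removed_policy is whatever was stripped, so the
    caller can log or review it before sending the request.
    """
    if isinstance(default_ttl, bool) or not isinstance(default_ttl, int):
        raise TypeError("defaultTtl must be an integer number of seconds")
    # -1 = TTL on with no default expiry; 0 is not a valid value.
    if default_ttl != -1 and not 1 <= default_ttl <= MAX_TTL_SECONDS:
        raise ValueError("defaultTtl must be -1 or a positive number of seconds")
    for required in ("id", "partitionKey"):
        if required not in container:
            raise KeyError(f"container definition lacks {required!r}")

    body = copy.deepcopy(container)
    removed_policy = body.pop("dataMaskingPolicy", None)
    # Assumption: fields starting with "_" (_rid, _etag, ...) are server-generated.
    for key in [k for k in body if k.startswith("_")]:
        del body[key]
    body["defaultTtl"] = default_ttl
    return body, removed_policy


if __name__ == "__main__":
    new_body, removed = build_ttl_update_body(SAMPLE_CONTAINER, 3600)
    print(json.dumps(new_body, indent=2))
    print("removed dataMaskingPolicy:", removed)
```

If the returned removed_policy is not empty, review it before sending the body, since the request would then drop a masking policy that someone configured.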

