Joey D’Antoni shows how to use Dynamic Data Masking to help prevent sensitive production data from getting to lower environments:
Well at PASS Summit, both in our booth and during my presentation on security in Azure DB, another idea came up—exporting data from production to development, while not releasing any sensitive data. This is a very common scenario—many DBAs have to export sensitive data from prod to dev, and frequently it is done in an insecure fashion.
Doing this requires a little bit of trickery, as dynamic data masking does not work for administrative users. So you will need a second user.
Read on for details.