We would like to restrict access to downloading the production database from the PAAS portal.

Currently, anyone with access to the PAAS portal can download a copy of the production database. This represents a risk of PII exposer.

We need to grant access to the PAAS portal to various users to assist in tasks such as deployments and troubleshooting... but not all of these users should have access to the production database.

Ideally, users of the PAAS portal could download copies of the Preproduction and Integration databases but not production. This would allow us to configure the Preproduction and Integration sites with logic that wipes all PII from the database at startup. That way, when data is copied back from production the data is wiped automatically. This ensures that any databases generated from the PAAS portal do not contain PII.

Additionally, it would be great to have the ability to run scripts on the database before the bacpac is generated. The management of scripts would need to be restricted to certain roles too.