As this official document states about DDM:
> Dynamic data masking helps prevent unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal impact on the application layer. It's a policy-based security feature that hides the sensitive data in the result set of a query over designated database fields, while the data in the database is not changed.
>
> **Dynamic data masking policy**
>
> SQL users excluded from masking - A set of SQL users or AAD identities that will get unmasked data in the SQL query results. Note that users with administrator privileges will always be excluded from masking, and will see the original data without any mask.
And the purpose of dynamic data masking is to limit exposure of sensitive data, preventing users who should not have access to the data from viewing it.
According to your description, I assumed that your SQL user has write permissions but no UNMASK privilege. At this point, when you update the SSN field in the Azure SQL database, your SSN field would contain statically masked data.
To grant permission to view unmasked data, you could grant the UNMASK permission to your SQL user as follows:

```sql
-- Grant UNMASK so TestUser receives the original values in query results
GRANT UNMASK TO TestUser;

-- Impersonate TestUser to verify the result set is no longer masked
EXECUTE AS USER = 'TestUser';
SELECT * FROM Membership;
REVERT;

-- Removing the UNMASK permission
REVOKE UNMASK TO TestUser;
```
Or you could log into the Azure Portal and enter the SQL users or AAD identities that should be excluded from masking, as follows:
![](https://i.stack.imgur.com/97cvf.png)
In summary, since you are using DDM to hide the sensitive data in the result of a query, you'd better not grant the user write permissions (the db_datawriter database role). You could follow the "Best Practices and Common Use Cases" section of this tutorial. Also, you could refer to this tutorial about configuring and customizing SQL Azure Dynamic Data Masking.
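The following T-SQL script is an added example, not code from the original answer or from Microsoft's documentation. It reproduces the situation the answer describes: a user with read/write rights but without UNMASK reads masked values, and when that user copies rows with INSERT ... SELECT the masked values are what gets written to the target table (the "statically masked data" problem), which granting UNMASK avoids. The table and user names (Membership, MembershipArchive, TestUser) and the sample row are constructed for the example.

```sql
-- Constructed example: a table with two masked columns (masking functions as in the DDM docs)
CREATE TABLE dbo.Membership (
    MemberID  INT IDENTITY PRIMARY KEY,
    FirstName VARCHAR(100) NOT NULL,
    SSN       CHAR(11)     NOT NULL
        MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)'),
    Email     VARCHAR(100) NOT NULL
        MASKED WITH (FUNCTION = 'email()')
);
INSERT INTO dbo.Membership (FirstName, SSN, Email)
VALUES ('Roberto', '795-73-9838', 'RRobertson@contoso.com');   -- constructed sample row

-- Target table with no masking rules of its own
CREATE TABLE dbo.MembershipArchive (
    MemberID INT, FirstName VARCHAR(100), SSN CHAR(11), Email VARCHAR(100)
);

-- Hypothetical contained user: read + write rights, but no UNMASK (the scenario in the question)
CREATE USER TestUser WITHOUT LOGIN;
ALTER ROLE db_datareader ADD MEMBER TestUser;
ALTER ROLE db_datawriter ADD MEMBER TestUser;

EXECUTE AS USER = 'TestUser';
-- Masked result set: SSN shows XXX-XX-9838, Email shows RXXX@XXXX.com
SELECT SSN, Email FROM dbo.Membership;
-- Copying through the masked columns persists the MASKED values in the archive,
-- so the real SSN is lost in the copy: this is the statically masked data risk
INSERT INTO dbo.MembershipArchive (MemberID, FirstName, SSN, Email)
SELECT MemberID, FirstName, SSN, Email FROM dbo.Membership;
REVERT;

-- Run as an administrator: the archive still holds XXX-XX-9838, not 795-73-9838
SELECT SSN, Email FROM dbo.MembershipArchive;

-- Remedy for an identity that legitimately needs the original values for such a job:
GRANT UNMASK TO TestUser;
EXECUTE AS USER = 'TestUser';
SELECT SSN, Email FROM dbo.Membership;   -- now 795-73-9838, RRobertson@contoso.com
REVERT;
REVOKE UNMASK TO TestUser;               -- withdraw it again once the job is done
```

Run the script in a throwaway test database, because it creates objects and a user; compare the two SELECTs on dbo.MembershipArchive before and after the grant to see which values were actually stored.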