🛡️ Azure SQL Server Microsoft Entra authentication is not configured🟢

• Contextual name: 🛡️ Server Microsoft Entra authentication is not configured🟢
• ID: /ce/ca/azure/sql-database/server-microsoft-entra-authentication
• Tags:
  • 🟢 Policy with categories
  • 🟢 Policy with type
  • 🟢 Production policy
• Policy Type: COMPLIANCE_POLICY
• Policy Categories: SECURITY

Logic

• 🧠 prod.logic.yaml🟢
  • 📗 Azure SQL Server
  • 🔌 Azure SQL Server - object.extracts.yaml
  • 🧪 test-data.json

Similar Policies

• Cloud Conformity: Enable Transparent Data Encryption for SQL Databases
• Internal: dec-x-2fcb6d85

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-2fcb6d85	2

Description

Open File

Description

Use Microsoft Entra authentication for authentication with SQL Database to manage credentials in a single place.

Rationale

Microsoft Entra authentication is a mechanism to connect to Microsoft Azure SQL Database and SQL Data Warehouse by using identities in the Microsoft Entra ID directory. With Entra ID authentication, identities of database users and other Microsoft services can be managed in one central location. Central ID management provides a single place to manage database users and simplifies permission management.

• It provides an alternative to SQL Server authentication.
• Helps stop the proliferation of user identities across database servers.
• Allows password rotation in a single place.
• Customers can manage database permissions using external (Entra ID) groups.
• It can eliminate storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Microsoft Entra.
• Entra ID authentication uses contained database users to authenticate identities at the database level.

... see more

Remediation

Open File

Remediation

From Azure Portal

1. Go to SQL servers.
2. For each SQL server, under Settings, click Microsoft Entra admin.
3. Click on Set admin.
4. Select an admin.
5. Click Select.
6. Click Save.

From Azure CLI

az ad user show --id

For each Server, set AD Admin:

az sql server ad-admin create --resource-group <resource group name> --server <server name> --display-name <display name> --object-id <object id of user>

From PowerShell

For each Server, set Entra ID Admin:

Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName <resource group name> -ServerName <server name> -DisplayName "<Display name of AD account to set as DB administrator>"

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 CIS Azure v1.1.0 → 💼 4.8 Ensure that Azure Active Directory Admin is configured		1	1		no data
💼 CIS Azure v1.3.0 → 💼 4.4 Ensure that Azure Active Directory Admin is configured - Level 1 (Automated)		1	1		no data
💼 CIS Azure v1.4.0 → 💼 4.5 Ensure that Azure Active Directory Admin is configured - Level 1 (Automated)		1	1		no data
💼 CIS Azure v1.5.0 → 💼 4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers - Level 1 (Automated)		1	1		no data
💼 CIS Azure v2.0.0 → 💼 4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers - Level 1 (Automated)		1	1		no data
💼 CIS Azure v2.1.0 → 💼 4.1.4 Ensure that Microsoft Entra authentication is Configured for SQL Servers - Level 1 (Automated)		1	1		no data
💼 CIS Azure v3.0.0 → 💼 5.1.4 Ensure that Microsoft Entra authentication is Configured for SQL Servers (Automated)			1		no data
💼 Cloudaware Framework → 💼 Secure Access			57		no data
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			18		no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		37	68		no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			68		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)			18		no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)			68		no data
💼 ISO/IEC 27001:2022 → 💼 5.15 Access control		14	31		no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management		4	18		no data
💼 SOC 2 → 💼 CC7.1-1 Uses Defined Configuration Standards		4	5		no data
💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet		36	38		no data
💼 UK Cyber Essentials → 💼 2.1.2 Change any default or guessable account passwords		2	3		no data
💼 UK Cyber Essentials → 💼 4.2.2 Use technical controls to manage the quality of passwords.		2	3		no data
💼 UK Cyber Essentials → 💼 4.2.4 The password element of the multi-factor authentication		2	3		no data