πŸ“ Azure SQL Server Microsoft Entra authentication is not configured 🟒

  • Contextual name: 📝 Server Microsoft Entra authentication is not configured 🟢
  • ID: /ce/ca/azure/sql-database/server-microsoft-entra-authentication
  • Located in: 📁 Azure SQL Database

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Internal Rules

  • Rule: ✉️ dec-x-2fcb6d852

Description

Use Microsoft Entra authentication for authentication with SQL Database to manage credentials in a single place.

Rationale​

Microsoft Entra authentication is a mechanism to connect to Microsoft Azure SQL Database and SQL Data Warehouse by using identities in the Microsoft Entra ID directory. With Entra ID authentication, identities of database users and other Microsoft services can be managed in one central location. Central ID management provides a single place to manage database users and simplifies permission management.

  • It provides an alternative to SQL Server authentication.
  • Helps stop the proliferation of user identities across database servers.
  • Allows password rotation in a single place.
  • Customers can manage database permissions using external (Entra ID) groups.
  • It can eliminate storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Microsoft Entra.
  • Entra ID authentication uses contained database users to authenticate identities at the database level.

Remediation

From Azure Portal

  1. Go to SQL servers.
  2. For each SQL server, under Settings, click Microsoft Entra admin.
  3. Click on Set admin.
  4. Select an admin.
  5. Click Select.
  6. Click Save.

From Azure CLI

Look up the object ID of the user (or group) that will become the Entra admin:

az ad user show --id <user principal name or object id>

For each Server, set AD Admin:

az sql server ad-admin create --resource-group <resource group name> --server <server name> --display-name <display name> --object-id <object id of user>

From PowerShell

For each Server, set Entra ID Admin:

Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName <resource group name> -ServerName <server name> -DisplayName "<Display name of AD account to set as DB administrator>"
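As an added audit counterpart to the remediation commands above (example code, not Cloudaware's or Microsoft's), the script below reports servers that still have no Microsoft Entra admin. It assumes the JSON shape printed by `az sql server list` and `az sql server ad-admin list` (keys `name`, `resourceGroup`, `login`, `sid`); the embedded sample data is constructed so the check runs offline.

```python
"""Audit helper for this policy (added example, not Cloudaware's or Microsoft's code).
Reads the JSON printed by `az sql server list` / `az sql server ad-admin list`;
the keys 'name', 'resourceGroup', 'login', 'sid' are assumed from that CLI output."""
import json
import subprocess
from typing import Dict, List

def servers_missing_entra_admin(servers: List[dict],
                                admins_by_server: Dict[str, List[dict]]) -> List[str]:
    """Return '<resourceGroup>/<server>' for each server with no Entra admin.
    Fails closed: a server missing from admins_by_server (lookup failed) is
    reported too, so a broken query never hides a missing admin."""
    findings = []
    for srv in servers:
        key = f"{srv['resourceGroup']}/{srv['name']}"
        admins = admins_by_server.get(key) or []
        # ad-admin list yields one object per configured admin; an effective
        # Entra admin carries both a login and a directory object id (sid).
        if not any(a.get("login") and a.get("sid") for a in admins):
            findings.append(key)
    return findings

def _az(args: List[str]) -> list:
    """Run one az CLI command and parse its JSON output (needs `az login`)."""
    proc = subprocess.run(["az", *args, "-o", "json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout or "[]")

def audit_subscription() -> List[str]:
    """Live audit of every SQL server visible in the current subscription."""
    servers = _az(["sql", "server", "list"])
    admins = {f"{s['resourceGroup']}/{s['name']}":
              _az(["sql", "server", "ad-admin", "list",
                   "-g", s["resourceGroup"], "-s", s["name"]]) for s in servers}
    return servers_missing_entra_admin(servers, admins)

# Constructed sample data in the CLI's shape (not real resources or identities).
SAMPLE_SERVERS = [{"name": "sql-prod-01", "resourceGroup": "rg-data"},
                  {"name": "sql-dev-01", "resourceGroup": "rg-dev"}]
SAMPLE_ADMINS = {
    "rg-data/sql-prod-01": [{"administratorType": "ActiveDirectory",
                             "login": "dba-admins@example.com",
                             "sid": "00000000-0000-0000-0000-000000000001"}],
    "rg-dev/sql-dev-01": [],  # nothing configured -> non-compliant
}

if __name__ == "__main__":
    for finding in servers_missing_entra_admin(SAMPLE_SERVERS, SAMPLE_ADMINS):
        print(f"NON-COMPLIANT: {finding} has no Microsoft Entra admin")
```

Run `audit_subscription()` from an `az login` session to evaluate real servers; every name it returns is one the portal, CLI or PowerShell steps above still need to fix.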

Linked Framework Sections

  • 💼 CIS Azure v1.1.0 → 💼 4.8 Ensure that Azure Active Directory Admin is configured
  • 💼 CIS Azure v1.3.0 → 💼 4.4 Ensure that Azure Active Directory Admin is configured - Level 1 (Automated)
  • 💼 CIS Azure v1.4.0 → 💼 4.5 Ensure that Azure Active Directory Admin is configured - Level 1 (Automated)
  • 💼 CIS Azure v1.5.0 → 💼 4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers - Level 1 (Automated)
  • 💼 CIS Azure v2.0.0 → 💼 4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers - Level 1 (Automated)
  • 💼 CIS Azure v2.1.0 → 💼 4.1.4 Ensure that Microsoft Entra authentication is Configured for SQL Servers - Level 1 (Automated)
  • 💼 CIS Azure v3.0.0 → 💼 5.1.4 Ensure that Microsoft Entra authentication is Configured for SQL Servers (Automated)
  • 💼 Cloudaware Framework → 💼 Secure Access
  • 💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)
  • 💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)
  • 💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)
  • 💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)
  • 💼 ISO/IEC 27001:2022 → 💼 5.15 Access control
  • 💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management
  • 💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet
  • 💼 UK Cyber Essentials → 💼 2.1.2 Change any default or guessable account passwords
  • 💼 UK Cyber Essentials → 💼 4.2.2 Use technical controls to manage the quality of passwords.
  • 💼 UK Cyber Essentials → 💼 4.2.4 The password element of the multi-factor authentication