🛡️ Azure SQL Server Microsoft Entra authentication is not configured🟢

Contextual name: 🛡️ Server Microsoft Entra authentication is not configured🟢
ID: /ce/ca/azure/sql-database/server-microsoft-entra-authentication
Tags:
- 🟢 Policy with categories
- 🟢 Policy with type
- 🟢 Production policy
Policy Type: COMPLIANCE_POLICY
Policy Categories: SECURITY

Stats

not available

Logic

🧠 prod.logic.yaml🟢
- 📗 Azure SQL Server
- 🔌 Azure SQL Server - object.extracts.yaml
- 🧪 test-data.json

Similar Policies

Cloud Conformity: Enable Transparent Data Encryption for SQL Databases
Internal: dec-x-2fcb6d85

Similar Internal Rules

Rule	Policies	Flags
✉️ dec-x-2fcb6d85	2

Description

Open File

Description

Use Microsoft Entra authentication to manage SQL Database credentials in a single place.

Rationale

Microsoft Entra authentication is a mechanism to connect to Microsoft Azure SQL Database and SQL Data Warehouse by using identities in the Microsoft Entra ID directory. With Entra ID authentication, identities of database users and other Microsoft services can be managed in one central location. Central ID management provides a single place to manage database users and simplifies permission management.

It provides an alternative to SQL Server authentication.

Helps stop the proliferation of user identities across database servers.

Allows password rotation in a single place.

Customers can manage database permissions using external (Entra ID) groups.

It can eliminate storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Microsoft Entra.

Entra ID authentication uses contained database users to authenticate identities at the database level.

Entra ID supports token-based authentication for applications connecting to SQL Database.

... see more

Remediation

Open File

Remediation

From Azure Portal

Go to SQL servers.

For each SQL server, under Settings, click Microsoft Entra admin.

Click on Set admin.

Select an admin.

Click Select.

Click Save.

From Azure CLI
az ad user show --id {{user-principal-id}}
For each Server, set AD Admin:
az sql server ad-admin create \
    --resource-group {{resource-group-name}} \
    --server {{server-name}} \
    --display-name {{display-name}} \
    --object-id {{object-id}}
From PowerShell

For each Server, set Entra ID Admin:
Set-AzSqlServerActiveDirectoryAdministrator `
    -ResourceGroupName {{resource-group-name}} `
    -ServerName {{server-name}} `
    -DisplayName "{{display-name}}"

policy.yaml

Open File

Linked Framework Sections

Section	Internal Rules	Policies	Compliance
💼 CIS Azure v1.1.0 → 💼 4.8 Ensure that Azure Active Directory Admin is configured	1	1	no data
💼 CIS Azure v1.3.0 → 💼 4.4 Ensure that Azure Active Directory Admin is configured - Level 1 (Automated)	1	1	no data
💼 CIS Azure v1.4.0 → 💼 4.5 Ensure that Azure Active Directory Admin is configured - Level 1 (Automated)	1	1	no data
💼 CIS Azure v1.5.0 → 💼 4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers - Level 1 (Automated)	1	1	no data
💼 CIS Azure v2.0.0 → 💼 4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers - Level 1 (Automated)	1	1	no data
💼 CIS Azure v2.1.0 → 💼 4.1.4 Ensure that Microsoft Entra authentication is Configured for SQL Servers - Level 1 (Automated)	1	1	no data
💼 CIS Azure v3.0.0 → 💼 5.1.4 Ensure that Microsoft Entra authentication is Configured for SQL Servers (Automated)		1	no data
💼 Cloudaware Framework → 💼 Secure Access		61	no data
💼 FedRAMP High Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)		32	no data
💼 FedRAMP High Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)	37	90	no data
💼 FedRAMP Low Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		90	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-2(1) Automated System Account Management (M)(H)		32	no data
💼 FedRAMP Moderate Security Controls → 💼 AC-3 Access Enforcement (L)(M)(H)		90	no data
💼 ISO/IEC 27001:2022 → 💼 5.15 Access control	15	32	no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-2(1) Account Management _ Automated System Account Management	4	32	no data
💼 SOC 2 → 💼 CC7.1-1 Uses Defined Configuration Standards	4	5	no data
💼 UK Cyber Essentials → 💼 1.2 Prevent access to the administrative interface from the internet	42	44	no data
💼 UK Cyber Essentials → 💼 2.1.2 Change any default or guessable account passwords	2	3	no data
💼 UK Cyber Essentials → 💼 4.2.2 Use technical controls to manage the quality of passwords.	2	3	no data
💼 UK Cyber Essentials → 💼 4.2.4 The password element of the multi-factor authentication	2	3	no data

Stats​

Logic​

Similar Policies​

Similar Internal Rules​

Description​

Description​

Rationale​

Remediation​

Remediation​

From Azure Portal​

From Azure CLI​

From PowerShell​

policy.yaml​

Linked Framework Sections​

Stats

Logic

Similar Policies

Similar Internal Rules

Description

Description

Rationale

Remediation

Remediation

From Azure Portal

From Azure CLI

From PowerShell

policy.yaml

Linked Framework Sections