CUI

Documentation - V-255301

V-255301

Microsoft Azure SQL Database Security Technical Implementation Guide

CAT I

Title

Azure SQL Databases must integrate with Azure Active Directory for providing account management and automation for all users, groups, roles, and any other principals.

Description

Enterprise environments make account management for applications and databases challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. Managing accounts for the same person in multiple places is inefficient and prone to problems with consistency and synchronization. A comprehensive application account management process that includes automation helps to ensure that accounts designated as requiring attentio...

Fix Text (Documentation Requirement)

If mixed mode is required, document the need and justification; describe the measures taken to ensure the use of Azure SQL Database authentication is kept to a minimum; describe the measures taken to safeguard passwords; list or describe the SQL Logins used; and obtain official approval.

If mixed mode is not required: For each account being managed by SQL DB but not requiring it, drop or disable the SQL Database user. Replace it with an appropriately configured account, as needed.

To drop a User in the SSMS Object Explorer: Navigate to Databases, choose database, then select Security >> Users. Right-click on the User name and then click "Delete".

To drop a User via a query: Change the context to the database_name to be evaluated; DROP USER <user_name>;

To enable AzureADOnlyAuthentic...
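
The following T-SQL is an added example, not part of the STIG text: it inventories the password-authenticated users in the current database, together with their role memberships, so that each can be reviewed before it is dropped and replaced. The user names in the commented statements are placeholders, and the replacement statement is one assumed way to create an Azure AD-backed account.

```sql
-- Added example (not from the STIG). Run while connected to the database
-- being evaluated; Azure SQL Database does not support USE to switch databases.

-- 1. List users that authenticate with a SQL password instead of Azure AD,
--    with the database roles each one holds, so a replacement account can be
--    given equivalent permissions.
SELECT
    u.name                      AS user_name,
    u.authentication_type_desc  AS authentication_type,  -- INSTANCE = mapped to a SQL login,
                                                          -- DATABASE = contained user with password
    u.create_date,
    u.modify_date,
    STRING_AGG(r.name, ', ')    AS role_memberships
FROM sys.database_principals AS u
LEFT JOIN sys.database_role_members AS rm
       ON rm.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = rm.role_principal_id
WHERE u.type = 'S'                          -- SQL users only
  AND u.authentication_type IN (1, 2)       -- 1 = INSTANCE, 2 = DATABASE
  AND u.name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys')  -- built-in principals
GROUP BY u.name, u.authentication_type_desc, u.create_date, u.modify_date
ORDER BY u.name;

-- 2. For each user confirmed as not requiring SQL authentication, drop it.
--    [example_sql_user] is a placeholder name.
-- DROP USER [example_sql_user];

-- 3. Where a replacement is needed, create a user backed by Azure AD
--    (assumed approach; the principal name is a placeholder) and re-grant
--    only the roles recorded in step 1 that are still required.
-- CREATE USER [user@example.com] FROM EXTERNAL PROVIDER;
-- ALTER ROLE db_datareader ADD MEMBER [user@example.com];
```

Users with an authentication type of EXTERNAL are Azure AD principals and are deliberately excluded from the result set.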
