CUI

Documentation - V-276225

V-276225

Microsoft Azure SQL Managed Instance Security Technical Implementation Guide

CAT I

Title

Azure SQL Managed Instances must integrate with Microsoft Entra ID for providing account management and automation for all users, groups, roles, and any other principals.

Description

Enterprise environments make account management for applications and databases challenging and complex. A manual process for account management functions adds the risk of a potential oversight or other error. Managing accounts for the same person in multiple places is inefficient and prone to problems with consistency and synchronization. A comprehensive application account management process that includes automation helps to ensure that accounts designated as requiring attentio...

Fix Text (Documentation Requirement)

If mixed mode is required, document the need and justification; describe the measures taken to ensure the use of Azure SQL Managed Instance authentication is kept to a minimum; describe the measures taken to safeguard passwords; list or describe the SQL logins used; and obtain official approval.

If mixed mode is not required, for each account being managed by SQL MI but not requiring it, drop or disable the SQL Database user. Replace it with an appropriately configured account, as needed.

To drop a user in the SSMS Object Explorer, navigate to Databases >> database >> Security >> Users. Right-click on the user name and then click "Delete".

To drop a user via a query, change the context to the database_name to be evaluated: DROP USER.

To enable Microsoft Entra-only Authenticati...
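
One way to build the inventory the fix text asks for ("list or describe the SQL logins used") and to find accounts still managed by SQL MI is to query the catalog views. This is an added example, not part of the STIG text; the database name and the principal names in the commented-out statements are placeholders.

```sql
-- Added example (not STIG text). Run as a server-level administrator.

-- 1. Instance-level logins authenticated by SQL MI itself (type 'S'),
--    with their password-policy flags, for the documentation record.
SELECT sp.name,
       sp.is_disabled,
       sp.create_date,
       sl.is_policy_checked,
       sl.is_expiration_checked,
       LOGINPROPERTY(sp.name, 'PasswordLastSetTime') AS password_last_set
FROM sys.server_principals AS sp
JOIN sys.sql_logins        AS sl ON sl.principal_id = sp.principal_id
WHERE sp.type = 'S'
  AND sp.name NOT LIKE '##%##'      -- skip internal system logins
ORDER BY sp.name;

-- 2. Microsoft Entra principals already present (type 'E' = user or
--    application, 'X' = group), for comparison against list 1.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE type IN ('E', 'X')
ORDER BY name;

-- 3. Per database: SQL users that authenticate through a SQL login
--    (INSTANCE) or a contained password (DATABASE).
USE [database_name];                -- placeholder: database being evaluated
SELECT dp.name                     AS database_user,
       dp.authentication_type_desc,
       sp.name                     AS mapped_login,
       sp.is_disabled              AS login_disabled
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE dp.type = 'S'
  AND dp.principal_id > 4           -- skip dbo, guest, INFORMATION_SCHEMA, sys
  AND dp.authentication_type_desc IN ('INSTANCE', 'DATABASE')
ORDER BY dp.name;

-- 4. Remediation for an account that does not require SQL authentication.
--    Names below are hypothetical; review each account before running.
-- DROP USER [example_sql_user];
-- ALTER LOGIN [example_sql_login] DISABLE;
```

Rows returned by queries 1 and 3 are the accounts that must either be covered by the documented mixed-mode justification or be dropped or disabled.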
