last sync: 2024-Oct-03 17:51:34 UTC

Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation
Id 78215662-041e-49ed-a9dd-5385911b3a1f
Version 1.2.0
Details on versioning
Versioning Versions supported for Versioning: 2
1.1.0
1.2.0
Built-in Versioning [Preview]
Category SQL
Microsoft Learn
Description Require Azure SQL Managed Instance to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate.
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
Audit, Deny, Disabled
RBAC role(s) none
Rule aliases IF (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Sql/managedInstances/administrators.azureADOnlyAuthentication Microsoft.Sql managedInstances properties.administrators.azureADOnlyAuthentication True False
Rule resource types IF (1)
Microsoft.Sql/managedInstances
Compliance
The following 2 compliance controls are associated with this Policy definition 'Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation' (78215662-041e-49ed-a9dd-5385911b3a1f)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v3.0 IM-1 Azure_Security_Benchmark_v3.0_IM-1 Microsoft cloud security benchmark IM-1 Identity Management Use centralized identity and authentication system Shared **Security Principle:** Use a centralized identity and authentication system to govern your organization's identities and authentications for cloud and non-cloud resources. **Azure Guidance:** Microsoft Entra ID is Azure's identity and authentication management service. You should standardize on Microsoft Entra ID to govern your organization's identity and authentication in: - Microsoft cloud resources, such as the Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications. - Your organization's resources, such as applications on Azure, third-party applications running on your corporate network resources, and third-party SaaS applications. - Your enterprise identities in Active Directory by synchronization to Microsoft Entra ID to ensure a consistent and centrally managed identity strategy. Note: As soon as it is technically feasible, you should migrate on-premises Active Directory based applications to Microsoft Entra ID. This could be a Microsoft Entra Enterprise Directory, Business to Business configuration, or Business to consumer configuration. **Implementation and additional context:** Tenancy in Microsoft Entra ID: https://docs.microsoft.com/azure/active-directory/develop/single-and-multi-tenant-apps How to create and configure a Microsoft Entra instance: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant Define Microsoft Entra ID tenants: https://azure.microsoft.com/resources/securing-azure-environments-with-azure-active-directory/ Use external identity providers for an application: https://docs.microsoft.com/azure/active-directory/b2b/identity-providers n/a link 15
New_Zealand_ISM 16.1.32.C.01 New_Zealand_ISM_16.1.32.C.01 New_Zealand_ISM_16.1.32.C.01 16. Access Control and Passwords Identification n/a Agencies MUST ensure that all system users are uniquely identifiable; and authenticated on each occasion that access is granted to a system. 18
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
[Preview]: Control the use of Microsoft SQL in a Virtual Enclave 0fbe78a5-1722-4f1b-83a5-89c14151fa60 VirtualEnclaves Preview BuiltIn
Azure SQL Managed Instance should have Microsoft Entra-only authentication 9b8d8228-e8cc-4c95-8d98-47f32df40b5e SQL GA BuiltIn
Enforce recommended guardrails for SQL and SQL Managed Instance Enforce-Guardrails-SQL SQL GA ALZ
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2024-01-24 19:15:51 change Minor (1.1.0 > 1.2.0)
2023-10-31 19:02:40 change Minor (1.0.0 > 1.1.0)
2021-08-13 17:07:49 add 78215662-041e-49ed-a9dd-5385911b3a1f
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC