last sync: 2025-Feb-18 18:37:08 UTC

Azure SQL Database should have Microsoft Entra-only authentication enabled during creation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Azure SQL Database should have Microsoft Entra-only authentication enabled during creation
Id abda6d70-9778-44e7-84a8-06713e6db027
Version 1.2.0
Details on versioning
Versioning Versions supported for Versioning: 2
1.1.0
1.2.0
Built-in Versioning [Preview]
Category SQL
Microsoft Learn
Description Require Azure SQL logical servers to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '1.*.*'
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
Audit
Allowed
Audit, Deny, Disabled
RBAC role(s) none
Rule aliases IF (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Sql/servers/administrators.azureADOnlyAuthentication Microsoft.Sql servers properties.administrators.azureADOnlyAuthentication True False
Rule resource types IF (1)
Microsoft.Sql/servers
Compliance
The following 30 compliance controls are associated with this Policy definition 'Azure SQL Database should have Microsoft Entra-only authentication enabled during creation' (abda6d70-9778-44e7-84a8-06713e6db027)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v3.0 IM-1 Azure_Security_Benchmark_v3.0_IM-1 Microsoft cloud security benchmark IM-1 Identity Management Use centralized identity and authentication system Shared **Security Principle:** Use a centralized identity and authentication system to govern your organization's identities and authentications for cloud and non-cloud resources. **Azure Guidance:** Microsoft Entra ID is Azure's identity and authentication management service. You should standardize on Microsoft Entra ID to govern your organization's identity and authentication in: - Microsoft cloud resources, such as the Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications. - Your organization's resources, such as applications on Azure, third-party applications running on your corporate network resources, and third-party SaaS applications. - Your enterprise identities in Active Directory by synchronization to Microsoft Entra ID to ensure a consistent and centrally managed identity strategy. Note: As soon as it is technically feasible, you should migrate on-premises Active Directory based applications to Microsoft Entra ID. This could be a Microsoft Entra Enterprise Directory, Business to Business configuration, or Business to consumer configuration. **Implementation and additional context:** Tenancy in Microsoft Entra ID: https://docs.microsoft.com/azure/active-directory/develop/single-and-multi-tenant-apps How to create and configure a Microsoft Entra instance: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant Define Microsoft Entra ID tenants: https://azure.microsoft.com/resources/securing-azure-environments-with-azure-active-directory/ Use external identity providers for an application: https://docs.microsoft.com/azure/active-directory/b2b/identity-providers n/a link 15
Canada_Federal_PBMM_3-1-2020 CM_8 Canada_Federal_PBMM_3-1-2020_CM_8 Canada Federal PBMM 3-1-2020 CM 8 Information System Component Inventory Information System Component Inventory Shared 1. The organization develops and documents an inventory of information system components that accurately reflects the current information system. 2. The organization develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system. 3. The organization develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting. 4. The organization develops and documents an inventory of information system components that includes unique asset identifier, NetBIOS name, baseline configuration name, OS Name, OS Version, system owner information. 5. The organization reviews and updates the information system component inventory at least monthly. To enable efficient decision-making and risk mitigation strategies. 12
Canada_Federal_PBMM_3-1-2020 CM_8(1) Canada_Federal_PBMM_3-1-2020_CM_8(1) Canada Federal PBMM 3-1-2020 CM 8(1) Information System Component Inventory Information System Component Inventory | Updates During Installations / Removals Shared The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. To facilitate accurate asset management and effective security control implementation. 9
Canada_Federal_PBMM_3-1-2020 CM_8(2) Canada_Federal_PBMM_3-1-2020_CM_8(2) Canada Federal PBMM 3-1-2020 CM 8(2) Information System Component Inventory Information System Component Inventory | Automated Maintenance Shared The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components. To facilitate accurate asset management and effective security control implementation. 9
CMMC_L2_v1.9.0 IA.L1_3.5.1 CMMC_L2_v1.9.0_IA.L1_3.5.1 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 IA.L1 3.5.1 Identification and Authentication Identification Shared Identify information system users, processes acting on behalf of users, or devices. To enable effective monitoring, authentication, and access control measures to be implemented within the system. 23
CSA_v4.0.12 IAM_02 CSA_v4.0.12_IAM_02 CSA Cloud Controls Matrix v4.0.12 IAM 02 Identity & Access Management Strong Password Policy and Procedures Shared n/a Establish, document, approve, communicate, implement, apply, evaluate and maintain strong password policies and procedures. Review and update the policies and procedures at least annually. 52
CSA_v4.0.12 IAM_11 CSA_v4.0.12_IAM_11 CSA Cloud Controls Matrix v4.0.12 IAM 11 Identity & Access Management CSCs Approval for Agreed Privileged Access Roles Shared n/a Define, implement and evaluate processes and procedures for customers to participate, where applicable, in the granting of access for agreed, high risk (as defined by the organizational risk assessment) privileged access roles. 8
CSA_v4.0.12 IAM_13 CSA_v4.0.12_IAM_13 CSA Cloud Controls Matrix v4.0.12 IAM 13 Identity & Access Management Uniquely Identifiable Users Shared n/a Define, implement and evaluate processes, procedures and technical measures that ensure users are identifiable through unique IDs or which can associate individuals to the usage of user IDs. 49
CSA_v4.0.12 IAM_14 CSA_v4.0.12_IAM_14 CSA Cloud Controls Matrix v4.0.12 IAM 14 Identity & Access Management Strong Authentication Shared n/a Define, implement and evaluate processes, procedures and technical measures for authenticating access to systems, application and data assets, including multifactor authentication for at least privileged user and sensitive data access. Adopt digital certificates or alternatives which achieve an equivalent level of security for system identities. 32
Cyber_Essentials_v3.1 4 Cyber_Essentials_v3.1_4 Cyber Essentials v3.1 4 Cyber Essentials User Access Control Shared n/a Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role. 74
EU_2555_(NIS2)_2022 EU_2555_(NIS2)_2022_21 EU_2555_(NIS2)_2022_21 EU 2022/2555 (NIS2) 2022 21 Cybersecurity risk-management measures Shared n/a Requires essential and important entities to take appropriate measures to manage cybersecurity risks. 194
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 311
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 311
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 311
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 311
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .6 FBI_Criminal_Justice_Information_Services_v5.9.5_5.6 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.6 Policy and Implementation - Identification And Authentication Identification And Authentication Shared Ensure and maintain the proper identification and authentications measures with appropriate security safeguards to avoid issues like identity theft. 1. Identification is a unique, auditable representation of an identity within an information system usually in the form of a simple character string for each individual user, machine, software component, or any other entity. 2. Authentication refers to mechanisms or processes to verify the identity of a user, process, or device, as a prerequisite to allowing access to a system's resources. 19
FFIEC_CAT_2017 3.1.2 FFIEC_CAT_2017_3.1.2 FFIEC CAT 2017 3.1.2 Cybersecurity Controls Access and Data Management Shared n/a Employee access is granted to systems and confidential data based on job responsibilities and the principles of least privilege.'FFIEC_Cybersecurity Control'!F8 - Employee access to systems and confidential data provides for separation of duties. - Elevated privileges (e.g., administrator privileges) are limited and tightly controlled (e.g., assigned to individuals, not shared, and require stronger 'FFIEC_Cybersecurity Control'!F7password controls). - User access reviews are performed periodically for all systems and applications based on the risk to the application or system. - Changes to physical and logical user access, including those that result from voluntary and involuntary terminations, are submitted to and approved by appropriate personnel. - Identification and authentication are required and managed for access to systems, applications, and hardware. - Access controls include password complexity and limits to password attempts and reuse. - All default passwords and unnecessary default accounts are changed before system implementation. - Customer access to Internet-based products or services requires authentication controls (e.g., layered controls, multifactor) that are commensurate with the risk. - Production and non-production environments are segregated to prevent unauthorized access or changes to information assets. (*N/A if no production environment exists at the institution or the institution’s third party.) - Physical security controls are used to prevent unauthorized access to information systems and telecommunication systems. - All passwords are encrypted in storage and in transit. - Confidential data are encrypted when transmitted across public or untrusted networks (e.g., Internet). - Mobile devices (e.g., laptops, tablets, and removable media) are encrypted if used to store confidential data. (*N/A if mobile devices are not used.) - Remote access to critical systems by employees, contractors, and third parties uses encrypted connections and multifactor authentication. - Administrative, physical, or technical controls are in place to prevent users without administrative responsibilities from installing unauthorized software. - Customer service (e.g., the call center) utilizes formal procedures to authenticate customers commensurate with the risk of the transaction or request. - Data is disposed of or destroyed according to documented requirements and within expected time frames. 59
HITRUST_CSF_v11.3 01.q HITRUST_CSF_v11.3_01.q HITRUST CSF v11.3 01.q Operating System Access Control To prevent unauthorized access to operating systems and implement authentication technique to verify user. Shared 1. Each user ID in the information system to be assigned to a specific named individual to ensure accountability. 2. Multi-factor authentication to be implemented for network and local access to privileged accounts. 3. Users to be uniquely identified and authenticated for local access and remote access. 4. Biometric-based electronic signatures and multifactor authentication to be implemented to ensure exclusive ownership validation and enhanced security for both remote and local network access to privileged and non-privileged accounts. All users shall have a unique identifier (user ID) for their personal use only, and an authentication technique shall be implemented to substantiate the claimed identity of a user. 30
New_Zealand_ISM 16.1.32.C.01 New_Zealand_ISM_16.1.32.C.01 New_Zealand_ISM_16.1.32.C.01 16. Access Control and Passwords 16.1.32.C.01 System user identification n/a Agencies MUST ensure that all system users are: uniquely identifiable; and authenticated on each occasion that access is granted to a system. 18
NIST_SP_800-171_R3_3 .1.5 NIST_SP_800-171_R3_3.1.5 NIST 800-171 R3 3.1.5 Access Control Least Privilege Shared Organizations employ the principle of least privilege for specific duties and authorized access for users and system processes. Least privilege is applied to the development, implementation, and operation of the system. Organizations consider creating additional processes, roles, and system accounts to achieve least privilege. Security functions include establishing system accounts and assigning privileges, installing software, configuring access authorizations, configuring settings for events to be audited, establishing vulnerability scanning parameters, and establishing intrusion detection parameters. Security-relevant information includes threat and vulnerability information, filtering rules for routers or firewalls, configuration parameters for security services, security architecture, cryptographic key management information, and access control lists. a. Allow only authorized system access for users (or processes acting on behalf of users) that is necessary to accomplish assigned organizational tasks. b. Authorize access to [Assignment: organization-defined security functions and security-relevant information]. c. Review the privileges assigned to roles or classes of users periodically to validate the need for such privileges. d. Reassign or remove privileges, as necessary. 24
NIST_SP_800-171_R3_3 .5.1 NIST_SP_800-171_R3_3.5.1 404 not found n/a n/a 10
NIST_SP_800-171_R3_3 .5.5 NIST_SP_800-171_R3_3.5.5 404 not found n/a n/a 43
NIST_SP_800-53_R5.1.1 IA.2 NIST_SP_800-53_R5.1.1_IA.2 NIST SP 800-53 R5.1.1 IA.2 Identification and Authentication Control Identification and Authentication (organizational Users) Shared Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. Organizations can satisfy the identification and authentication requirements by complying with the requirements in [HSPD 12]. Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks. The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8. 8
NL_BIO_Cloud_Theme U.10.3(2) NL_BIO_Cloud_Theme_U.10.3(2) NL_BIO_Cloud_Theme_U.10.3(2) U.10 Access to IT services and data Users n/a Only users with authenticated equipment can access IT services and data. 29
NZISM_v3.7 16.5.10.C.02. NZISM_v3.7_16.5.10.C.02. NZISM v3.7 16.5.10.C.02. Remote Access 16.5.10.C.02. - To enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies SHOULD authenticate both the remote system user and device during the authentication process. 21
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication To facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 219
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities To maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 230
SOC_2023 CC7.4 SOC_2023_CC7.4 SOC 2023 CC7.4 Systems Operations To effectively manage security incidents, minimize their impact, and protect assets, operations, and reputation. Shared n/a The entity responds to identified security incidents by: a. Executing a defined incident-response program to understand, contain, remediate, and communicate security incidents by assigning roles and responsibilities; b. Establishing procedures to contain security incidents; c. Mitigating ongoing security incidents, End Threats Posed by Security Incidents; d. Restoring operations; e. Developing and Implementing Communication Protocols for Security Incidents; f. Obtains Understanding of Nature of Incident and Determines Containment Strategy; g. Remediation Identified Vulnerabilities; h. Communicating Remediation Activities; and, i. Evaluating the Effectiveness of Incident Response and periodic incident evaluations. 214
SWIFT_CSCF_2024 4.2 SWIFT_CSCF_2024_4.2 SWIFT Customer Security Controls Framework 2024 4.2 Access Control Multi-Factor Authentication Shared 1. Multi-factor authentication requires the presentation of two or more of the following common authentication factors: (A). Knowledge factor: something the operator knows (for example, a password) (B). Possession factor: something the operator has (for example, connected USB tokens or smart cards, or disconnected tokens such as a (time based) one-time password- (T)OTP- generator or application storing a cryptographic private key that runs on another device like operator’s mobile phone considered as a software token, RSA token, 3-Skey Digital and its mobile version considered as a software token, or Digipass) (C). Inherence factor: something the operator is (for example, biometrics such as fingerprints, retina scans, or voice recognition) Implementing multi-factor authentication provides an additional layer of protection against common authentication attacks (for example, shoulder surfing, password re-use, or weak passwords) and provides further protection from account compromises for malicious transaction processing. Attackers often use the privileges of a compromised account to move laterally within an environment and to progress an attack. To prevent that a compromise of a single authentication factor allows access into Swift-related systems or applications by implementing multi-factor authentication. 11
UK_NCSC_CAF_v3.2 B2.a UK_NCSC_CAF_v3.2_B2.a NCSC Cyber Assurance Framework (CAF) v3.2 B2.a Identity and Access Control Identity Verification, Authentication and Authorisation Shared 1. The process of initial identity verification is robust enough to provide a high level of confidence of a user’s identity profile before allowing an authorised user access to networks and information systems that support the essential function. 2. Only authorised and individually authenticated users can physically access and logically connect to the networks or information systems on which that essential function depends. 3. The number of authorised users and systems that have access to all the networks and information systems supporting the essential function is limited to the minimum necessary. 4. Use additional authentication mechanisms, such as multi-factor (MFA), for privileged access to all systems that operate or support the essential function. 5. Use additional authentication mechanisms, such as multi-factor (MFA), when there is individual authentication and authorisation of all remote user access to all the networks and information systems that support the essential function. 6. The list of users and systems with access to networks and systems supporting and delivering the essential functions reviewed on a regular basis, at least every six months. The organisation understands, documents and manages access to networks and information systems supporting the operation of essential functions. Users (or automated functions) that can access data or systems are appropriately verified, authenticated and authorised. Robustly verify, authenticate and authorise access to the networks and information systems supporting the essential function. 32
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Preview]: Control the use of Microsoft SQL in a Virtual Enclave 0fbe78a5-1722-4f1b-83a5-89c14151fa60 VirtualEnclaves Preview BuiltIn true
Azure SQL Database should have Microsoft Entra-only authentication a55e4a7e-1b9c-43ef-b4b3-642f303804d6 SQL GA BuiltIn unknown
Canada Federal PBMM 3-1-2020 f8f5293d-df94-484a-a3e7-6b422a999d91 Regulatory Compliance GA BuiltIn unknown
CSA CSA Cloud Controls Matrix v4.0.12 8791506a-dec4-497a-a83f-3abfde37c400 Regulatory Compliance GA BuiltIn unknown
Cyber Essentials v3.1 b2f588d7-1ed5-47c7-977d-b93dff520c4c Regulatory Compliance GA BuiltIn unknown
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn unknown
Enforce recommended guardrails for SQL and SQL Managed Instance Enforce-Guardrails-SQL SQL GA ALZ
EU 2022/2555 (NIS2) 2022 42346945-b531-41d8-9e46-f95057672e88 Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
FFIEC CAT 2017 1d5dbdd5-6f93-43ce-a939-b19df3753cf7 Regulatory Compliance GA BuiltIn unknown
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn true
NCSC Cyber Assurance Framework (CAF) v3.2 6d220abf-cf6f-4b17-8f7e-0644c4cc84b4 Regulatory Compliance GA BuiltIn unknown
New Zealand ISM 4f5b1359-4f8e-4d7c-9733-ea47fcde891e Regulatory Compliance GA BuiltIn unknown
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
SWIFT Customer Security Controls Framework 2024 7499005e-df5a-45d9-810f-041cf346678c Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2024-01-24 19:15:51 change Minor (1.1.0 > 1.2.0)
2023-10-31 19:02:40 change Minor (1.0.0 > 1.1.0)
2021-08-13 17:07:49 add abda6d70-9778-44e7-84a8-06713e6db027
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC