AzPolicyAdvertizer

last sync: 2025-Apr-29 17:16:02 UTC

[Preview]: Azure PostgreSQL flexible server should have Microsoft Entra Only Authentication enabled

Azure BuiltIn Policy definition

Source Azure Portal
Display name [Preview]: Azure PostgreSQL flexible server should have Microsoft Entra Only Authentication enabled
Id fa498b91-8a7e-4710-9578-da944c68d1fe
Version 1.0.0-preview
Details on versioning
Versioning Versions supported for Versioning: 1
1.0.0-preview
Built-in Versioning [Preview]
Category SQL
Microsoft Learn
Description Disabling local authentication methods and allowing only Microsoft Entra Authentication improves security by ensuring that Azure PostgreSQL flexible server can exclusively be accessed by Microsoft Entra identities.
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '1.*.*-preview'
Assessment(s) Assessments count: 1
Assessment Id: 5d19e32c-489d-407c-9549-15d9ea36a8e0
DisplayName: Azure Database for PostgreSQL flexible server should have Microsoft Entra authentication only enabled
Description: Disabling local authentication methods and requiring Microsoft Entra authentication improves security by ensuring that Azure Database for PostgreSQL flexible server can be accessed by Microsoft Entra identities only.
Remediation description: To configure Microsoft Entra authentication for Azure Database for PostgreSQL flexible server: 1. In the Azure portal, open your Azure Database for PostgreSQL flexible server. 2. Select 'Authentication' on the left pane. 3. In 'Assign access to' under the 'Authentication' section select the 'Microsoft Entra authentication only' option and select 'Save'. 5. Assign an Entra admin under the 'Microsoft Entra Admins' section and select 'Save'. For more information see https://aka.ms/postgresqlflexibleserverentraauth
Categories: Data
Severity: Medium
Mode Indexed
Type BuiltIn
Preview True
Deprecated False
Effect Default
Audit
Allowed
Audit, Disabled
RBAC role(s) none
Rule aliases IF (2)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.DBForPostgreSql/flexibleServers/authConfig.activeDirectoryAuth Microsoft.DBforPostgreSQL flexibleServers properties.authConfig.activeDirectoryAuth True False
Microsoft.DBForPostgreSql/flexibleServers/authConfig.passwordAuth Microsoft.DBforPostgreSQL flexibleServers properties.authConfig.passwordAuth True False
Rule resource types IF (1)
Compliance
The following 39 compliance controls are associated with this Policy definition '[Preview]: Azure PostgreSQL flexible server should have Microsoft Entra Only Authentication enabled' (fa498b91-8a7e-4710-9578-da944c68d1fe)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v3.0 IM-1 Azure_Security_Benchmark_v3.0_IM-1 Microsoft cloud security benchmark IM-1 Identity Management Use centralized identity and authentication system Shared **Security Principle:** Use a centralized identity and authentication system to govern your organization's identities and authentications for cloud and non-cloud resources. **Azure Guidance:** Microsoft Entra ID is Azure's identity and authentication management service. You should standardize on Microsoft Entra ID to govern your organization's identity and authentication in: - Microsoft cloud resources, such as the Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications. - Your organization's resources, such as applications on Azure, third-party applications running on your corporate network resources, and third-party SaaS applications. - Your enterprise identities in Active Directory by synchronization to Microsoft Entra ID to ensure a consistent and centrally managed identity strategy. Note: As soon as it is technically feasible, you should migrate on-premises Active Directory based applications to Microsoft Entra ID. This could be a Microsoft Entra Enterprise Directory, Business to Business configuration, or Business to consumer configuration. **Implementation and additional context:** Tenancy in Microsoft Entra ID: https://docs.microsoft.com/azure/active-directory/develop/single-and-multi-tenant-apps How to create and configure a Microsoft Entra instance: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant Define Microsoft Entra ID tenants: https://azure.microsoft.com/resources/securing-azure-environments-with-azure-active-directory/ Use external identity providers for an application: https://docs.microsoft.com/azure/active-directory/b2b/identity-providers n/a link 15
CMMC_L2_v1.9.0 PE.L2_3.10.6 CMMC_L2_v1.9.0_PE.L2_3.10.6 Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 PE.L2 3.10.6 Physical Protection Alternative Work Sites Shared Enforce safeguarding measures for CUI at alternate work sites. To ensure that sensitive information is protected even when employees are working remotely or at off site locations. 11
Cyber_Essentials_v3.1 1 Cyber_Essentials_v3.1_1 Cyber Essentials v3.1 1 Cyber Essentials Firewalls Shared n/a Aim: to make sure that only secure and necessary network services can be accessed from the internet. 37
Cyber_Essentials_v3.1 4 Cyber_Essentials_v3.1_4 Cyber Essentials v3.1 4 Cyber Essentials User Access Control Shared n/a Aim: ensure that user accounts (1) are assigned to authorised individuals only, and (2) provide access to only those applications, computers and networks the user needs to carry out their role. 74
EU_GDPR_2016_679_Art. 24 EU_GDPR_2016_679_Art._24 EU General Data Protection Regulation (GDPR) 2016/679 Art. 24 Chapter 4 - Controller and processor Responsibility of the controller Shared n/a n/a 310
EU_GDPR_2016_679_Art. 25 EU_GDPR_2016_679_Art._25 EU General Data Protection Regulation (GDPR) 2016/679 Art. 25 Chapter 4 - Controller and processor Data protection by design and by default Shared n/a n/a 310
EU_GDPR_2016_679_Art. 28 EU_GDPR_2016_679_Art._28 EU General Data Protection Regulation (GDPR) 2016/679 Art. 28 Chapter 4 - Controller and processor Processor Shared n/a n/a 310
EU_GDPR_2016_679_Art. 32 EU_GDPR_2016_679_Art._32 EU General Data Protection Regulation (GDPR) 2016/679 Art. 32 Chapter 4 - Controller and processor Security of processing Shared n/a n/a 310
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .5 FBI_Criminal_Justice_Information_Services_v5.9.5_5.5 FBI Criminal Justice Information Services (CJIS) v5.9.5 5.5 Policy and Implementation - Access Control Access Control Shared Refer to Section 5.13.6 for additional access control requirements related to mobile devices used to access CJI. Access control provides the planning and implementation of mechanisms to restrict reading, writing, processing, and transmission of CJIS information and the modification of information systems, applications, services and communication configurations allowing access to CJIS information. 97
FBI_Criminal_Justice_Information_Services_v5.9.5_5 .7 FBI_Criminal_Justice_Information_Services_v5.9.5_5.7 404 not found n/a n/a 95
HITRUST_CSF_v11.3 01.i HITRUST_CSF_v11.3_01.i HITRUST CSF v11.3 01.i Network Access Control Implement role based access to internal and external network services. Shared 1. It is to be determined who is allowed access to which network and what networked services. 2. The networks and network services to which users have authorized access is to be specified. Users shall only be provided with access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied for users and equipment. 11
HITRUST_CSF_v11.3 01.j HITRUST_CSF_v11.3_01.j HITRUST CSF v11.3 01.j Network Access Control Prevent unauthorized access to networked services. Shared 1.External access to systems to be strictly regulated and tightly controlled. 2. External access to sensitive systems to be automatically deactivated immediately after use. 3. Authentication of remote users to be done by using cryptography, biometrics, hardware tokens, software token, a challenge/response protocol, or, certificate agents. 4. Dial-up connections to be encrypted. Appropriate authentication methods shall be used to control access by remote users. 16
ISO_IEC_27002_2022 6.7 ISO_IEC_27002_2022_6.7 ISO IEC 27002 2022 6.7 Protection, Preventive, Control Remote working Shared Security measures should be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises. To ensure the security of information when personnel are working remotely. 11
ISO_IEC_27002_2022 8.9 ISO_IEC_27002_2022_8.9 ISO IEC 27002 2022 8.9 Protection, Preventive Control Configuration management Shared Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed. To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes. 20
NIST_SP_800-171_R3_3 .1.12 NIST_SP_800-171_R3_3.1.12 NIST 800-171 R3 3.1.12 Access Control Remote Access Shared Remote access to the system represents a significant potential vulnerability that can be exploited by adversaries. Monitoring and controlling remote access methods allows organizations to detect attacks and ensure compliance with remote access policies. This occurs by auditing the connection activities of remote users on the systems. Routing remote access through manaccess control points enhances explicit control over such connections and reduces susceptibility to unauthorized access to the system, which could result in the unauthorized disclosure of CUI. Restricting the execution of privileged commands and access to security-relevant information via remote access reduces the exposure of the organization and its susceptibility to threats by adversaries. A privileged command is a human-initiated command executed on a system that involves the control, monitoring, or administration of the system, including security functions and security-relevant information. Security-relevant information is information that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce the system security policy or maintain isolation of code and data. Privileged commands give individuals the ability to execute sensitive, security-critical, or security-relevant system functions. Controlling access from remote locations helps to ensure that unauthorized individuals are unable to execute such commands with the potential to do serious or catastrophic damage to the system. a. Establish usage restrictions, configuration requirements, and connection requirements for each type of allowable remote system access. b. Authorize each type of remote system access prior to establishing such connections. c. Route remote access to the system through authorized and managed access control points. d. Authorize remote execution of privileged commands and remote access to security-relevant information. 15
NIST_SP_800-53_R5.1.1 AC.17 NIST_SP_800-53_R5.1.1_AC.17 NIST SP 800-53 R5.1.1 AC.17 Access Control Remote Access Shared a. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and b. Authorize each type of remote access to the system prior to allowing such connections. Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3. Enforcing access restrictions for remote access is addressed via AC-3. 11
NZISM_v3.7 16.5.10.C.01. NZISM_v3.7_16.5.10.C.01. NZISM v3.7 16.5.10.C.01. Remote Access 16.5.10.C.01. - enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies MUST authenticate each remote connection and user prior to permitting access to an agency system. 11
NZISM_v3.7 16.5.10.C.02. NZISM_v3.7_16.5.10.C.02. NZISM v3.7 16.5.10.C.02. Remote Access 16.5.10.C.02. - enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies SHOULD authenticate both the remote system user and device during the authentication process. 21
NZISM_v3.7 16.5.11.C.01. NZISM_v3.7_16.5.11.C.01. NZISM v3.7 16.5.11.C.01. Remote Access 16.5.11.C.01. - enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies MUST NOT allow the use of remote privileged access from an untrusted domain, including logging in as an unprivileged system user and then escalating privileges. 11
NZISM_v3.7 16.5.11.C.02. NZISM_v3.7_16.5.11.C.02. NZISM v3.7 16.5.11.C.02. Remote Access 16.5.11.C.02. - enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies SHOULD NOT allow the use of remote privileged access from an untrusted domain, including logging in as an unprivileged system user and then escalating privileges. 11
NZISM_v3.7 16.5.12.C.01. NZISM_v3.7_16.5.12.C.01. NZISM v3.7 16.5.12.C.01. Remote Access 16.5.12.C.01. - enhance security and reduce the risk of unauthorized access or misuse. Shared n/a Agencies SHOULD establish VPN connections for all remote access connections. 11
PCI_DSS_v4.0.1 1.2.1 PCI_DSS_v4.0.1_1.2.1 PCI DSS v4.0.1 1.2.1 Install and Maintain Network Security Controls Configuration standards for NSC rulesets are defined, implemented, and maintained Shared n/a Examine the configuration standards for NSC rulesets to verify the standards are in accordance with all elements specified in this requirement. Examine configuration settings for NSC rulesets to verify that rulesets are implemented according to the configuration standards 11
PCI_DSS_v4.0.1 1.2.7 PCI_DSS_v4.0.1_1.2.7 PCI DSS v4.0.1 1.2.7 Install and Maintain Network Security Controls Configurations of NSCs are reviewed at least once every six months to confirm they are relevant and effective Shared n/a Examine documentation to verify procedures are defined for reviewing configurations of NSCs at least once every six months. Examine documentation of reviews of configurations for NSCs and interview responsible personnel to verify that reviews occur at least once every six months. Examine configurations for NSCs to verify that configurations identified as no longer being supported by a business justification are removed or updated 11
Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes_Oxley_Act_(1)_2022_1 Sarbanes Oxley Act 2022 1 PUBLIC LAW Sarbanes Oxley Act 2022 (SOX) Shared n/a n/a 92
SOC_2023 C1.1 SOC_2023_C1.1 SOC 2023 C1.1 Additional Criteria for Confidentiality Preserve trust, compliance, and competitive advantage. Shared n/a The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality. 11
SOC_2023 CC1.3 SOC_2023_CC1.3 SOC 2023 CC1.3 Control Environment Enable effective execution of authorities, information flow, and setup of appropriate responsibilities to achieve organizational objectives. Shared n/a 1. Ensure the management establishes, with board oversight, structures including operating units, legal entities, geographic distribution and outsourced service providers. 2. Design and evaluate reporting lines for each entity to enable execution of authorities, execution and flow of information and setup appropriate authorities and responsibilities in the pursuit of objectives. 13
SOC_2023 CC2.2 SOC_2023_CC2.2 SOC 2023 CC2.2 Information and Communication Facilitate effective internal communication, including objectives and responsibilities for internal control. Shared n/a Entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control by setting up a process to communicate required information to enable personnel to understand and carry out responsibilities, ensure communication exists between management and board of directors, provides for separate communication channels which serve as fail-safe mechanism to enable anonymous or confidential communication and setting up relevant methods of communication by considering the timing, audience and nature information 28
SOC_2023 CC2.3 SOC_2023_CC2.3 SOC 2023 CC2.3 Information and Communication Facilitate effective internal communication. Shared n/a Entity to communicate with external parties regarding matters affecting the functioning of internal control. 218
SOC_2023 CC5.2 SOC_2023_CC5.2 SOC 2023 CC5.2 Control Activities Mitigate technology-related risks and ensure that technology effectively supports the organization in achieving its objectives, enhancing efficiency, reliability, and security in its operations. Shared n/a Entity also selects and develops general control activities over technology to support the achievement of objectives by determining Dependency Between the Use of Technology in Business Processes and Technology General Controls, establishing Relevant Technology Infrastructure Control Activities, establishing Relevant Security Management Process Controls Activities, establishing Relevant Technology Acquisition and Development, and Maintenance of Process Control Activities. 15
SOC_2023 CC5.3 SOC_2023_CC5.3 SOC 2023 CC5.3 Control Activities Maintain alignment with organizational objectives and regulatory requirements. Shared n/a Entity deploys control activities through policies that establish what is expected and in procedures that put policies into action by establishing Policies and Procedures to Support Deployment of Management’s Directives, Responsibility and Accountability for Executing Policies and Procedures, perform tasks in a timely manner, taking corrective actions, perform using competent personnel and reassess policies and procedures. 229
SOC_2023 CC6.1 SOC_2023_CC6.1 SOC 2023 CC6.1 Logical and Physical Access Controls Mitigate security events and ensuring the confidentiality, integrity, and availability of critical information assets. Shared n/a Entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives by identifying and managing the inventory of information assets, restricting logical access, identification and authentication of users, consider network segmentation, manage points of access, restricting access of information assets, managing identification and authentication, managing credentials for infrastructure and software, using encryption to protect data and protect using encryption keys. 128
SOC_2023 CC7.1 SOC_2023_CC7.1 SOC 2023 CC7.1 Systems Operations Maintain a proactive approach to cybersecurity and mitigate risks effectively. Shared n/a meet its objectives, the entity uses detection and monitoring procedures to identify changes to configurations that result in the introduction of new vulnerabilities, and susceptibilities to newly discovered vulnerabilities. 11
SOC_2023 CC7.2 SOC_2023_CC7.2 SOC 2023 CC7.2 Systems Operations Maintain robust security measures and ensure operational resilience. Shared n/a The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives; anomalies are analysed to determine whether they represent security events. 167
SOC_2023 CC7.5 SOC_2023_CC7.5 SOC 2023 CC7.5 Systems Operations Ensure prompt restoration of normal operations, mitigation of residual risks, and enhancement of incident response capabilities to minimize the impact of future incidents. Shared n/a The entity identifies, develops, and implements activities to recover from identified security incidents. 12
SOC_2023 CC8.1 SOC_2023_CC8.1 SOC 2023 CC8.1 Change Management Minimise risks, ensure quality, optimise efficiency, and enhance resilience in the face of change. Shared n/a The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives by Managing Changes Throughout the System Life Cycle, authorizing changes, designing and developing changes, documenting all changes, tracking system changes, configuring software's, testing system changes, approving system changes, deploying system changes, identifying and evaluating system changes, creating baseline configurations for IT technologies and providing necessary changes in emergency situations. 147
SOC_2023 CC9.2 SOC_2023_CC9.2 SOC 2023 CC9.2 Risk Mitigation Ensure effective risk management throughout the supply chain and business ecosystem. Shared n/a Entity assesses and manages risks associated with vendors and business partners. 43
SOC_2023 PI1.3 SOC_2023_PI1.3 SOC 2023 PI1.3 Additional Criteria for Processing Integrity (Over the provision of services or the production, manufacturing, or distribution of goods) Enhance efficiency, accuracy, and compliance with organizational standards and regulatory requirements with regards to system processing to result in products, services, and reporting to meet the entity’s objectives. Shared n/a The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity’s objectives. 50
U.10.3 - Users U.10.3 - Users 404 not found n/a n/a 33
U.10.5 - Competent U.10.5 - Competent 404 not found n/a n/a 33
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
Cyber Essentials v3.1 b2f588d7-1ed5-47c7-977d-b93dff520c4c Regulatory Compliance GA BuiltIn unknown
Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 a4087154-2edb-4329-b56a-1cc986807f3c Regulatory Compliance GA BuiltIn unknown
EU General Data Protection Regulation (GDPR) 2016/679 7326812a-86a4-40c8-af7c-8945de9c4913 Regulatory Compliance GA BuiltIn unknown
FBI Criminal Justice Information Services (CJIS) v5.9.5 4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721 Regulatory Compliance GA BuiltIn unknown
HITRUST CSF v11.3 e0d47b75-5d99-442a-9d60-07f2595ab095 Regulatory Compliance GA BuiltIn unknown
ISO/IEC 27002 2022 e3030e83-88d5-4f23-8734-6577a2c97a32 Regulatory Compliance GA BuiltIn unknown
Microsoft cloud security benchmark 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 Security Center GA BuiltIn true
NIST 800-171 R3 38916c43-6876-4971-a4b1-806aa7e55ccc Regulatory Compliance GA BuiltIn unknown
NIST SP 800-53 R5.1.1 60205a79-6280-4e20-a147-e2011e09dc78 Regulatory Compliance GA BuiltIn unknown
NL BIO Cloud Theme V2 d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee Regulatory Compliance GA BuiltIn unknown
NZISM v3.7 4476df0a-18ab-4bfe-b6ad-cccae1cf320f Regulatory Compliance GA BuiltIn unknown
PCI DSS v4.0.1 a06d5deb-24aa-4991-9d58-fa7563154e31 Regulatory Compliance GA BuiltIn unknown
Sarbanes Oxley Act 2022 5757cf73-35d1-46d4-8c78-17b7ddd6076a Regulatory Compliance GA BuiltIn unknown
SOC 2023 53ad89f5-8542-49e9-ba81-1cbd686e0d52 Regulatory Compliance GA BuiltIn unknown
History
Date/Time (UTC ymd) (i) Change type Change detail
2024-06-03 17:39:43 add fa498b91-8a7e-4710-9578-da944c68d1fe
JSON compare n/a
JSON
api-version=2021-06-01
EPAC