Cyscale
Back to controls

Ensure Microsoft Entra authentication is Configured for SQL Servers

Use Microsoft Entra authentication for authentication with SQL Database to manage credentials in a single place.

Category

Controls

Medium

Applies to

Microsoft Azure

Coverage

1 queries

Asset types

1 covered

Overview

Use Microsoft Entra authentication for authentication with SQL Database to manage credentials in a single place.

Rationale

Microsoft Entra authentication is a mechanism for connecting to Microsoft Azure SQL Database and SQL Data Warehouse using identities in the Microsoft Entra ID directory. With Entra ID authentication, the identities of database users and other Microsoft services can be managed in one central location. Central ID management provides a single place to manage database users and simplifies permission management.

  • It provides an alternative to SQL Server authentication.
  • Helps stop the proliferation of user identities across database servers.
  • Allows password rotation in a single place.
  • Customers can manage database permissions using external (Entra ID) groups.
  • It can eliminate storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Microsoft Entra.
  • Entra ID authentication uses contained database users to authenticate identities at the database level.
  • Entra ID supports token-based authentication for applications connecting to SQL Database.
  • Entra ID authentication supports ADFS (domain federation) or native user/password authentication for a local Active Directory without domain synchronization.
  • Entra ID supports connections from SQL Server Management Studio that use Active Directory Universal Authentication, which includes Multi-Factor Authentication (MFA). MFA includes strong authentication with a range of easy verification options — phone calls, text messages, smart cards with pins, or mobile app notifications.

Impact

This will create administrative overhead with the user account and permission management. For further security on these administrative accounts, you may want to consider licensing that supports features like Multi-Factor Authentication.

Default Value

Entra ID Authentication for SQL Database/Server is not enabled by default.

Additional Information

Assigning an Administrator in Entra ID is just the first step. When using Entra ID for central authentication, there are many other groups and roles that need to be configured based on the needs of your organization. The How-to Guides should be used to determine what roles should be assigned and what groups should be created to manage permissions and access to resources.

References

  1. https://learn.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure
  2. https://learn.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication
  3. https://learn.microsoft.com/en-us/powershell/module/azurerm.sql/get-azurermsqlserveractivedirectoryadministrator?view=azurermps-5.2.0
  4. https://learn.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-identity-management#im-1-use-centralized-identity-and-authentication-system
  5. https://learn.microsoft.com/en-us/cli/azure/sql/server/ad-admin?view=azure-cli-latest#az_sql_server_ad_admin_list

Remediation guidance

From Azure Console

  1. Open the SQL server using the Open in Azure button
  2. Under Settings, click Microsoft Entra ID
  3. Click Set admin
  4. Select an admin
  5. Click Select
  6. Click Save

Using Azure PowerShell

Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName <resourceGroupName> -ServerName <serverName> -DisplayName "<displayName>"

From Azure CLI

az sql server ad-admin create --resource-group <resourceGroupName> --server <serverName> --display-name <displayName> --object-id <userObjectID>

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

Azure

Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.

Operational rollout

  1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
  2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
  3. Re-scan and track approved exceptions with an owner and expiry date.

Query logic

These are the stored checks tied to this control.

Azure SQL Servers without Entra admin

Connectors

Microsoft Azure

Covered asset types

SQLServer

Expected check: eq []

{
  sqlServers(
    where: {
      NOT: { entraAdministrator: { administratorType: "ActiveDirectory" } }
    }
  ) {
    ...AssetFragment
  }
}
Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of useSecurity PolicyPrivacy PolicyStatusSitemap
Terms of useSecurity PolicyPrivacy Policy
StatusSitemap
LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon