Control: An Azure Active Directory administrator should be provisioned for SQL servers

Description

Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services.

Usage

Run the control in your terminal:

powerpipe control run azure_compliance.control.sql_server_azure_ad_authentication_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run azure_compliance.control.sql_server_azure_ad_authentication_enabled --share

SQL

This control uses a named query:

with sever_with_ad_admin as (
  select
    distinct a.id
  from
    azure_sql_server as a,
    jsonb_array_elements(server_azure_ad_administrator) as ad_admin
  where
    ad_admin ->> 'type' = 'Microsoft.Sql/servers/administrators'
)
select
  a.id as resource,
  case
    when s.id is not null then 'ok'
    else 'alarm'
  end as status,
  case
    when s.id is not null then a.name || ' azure AD authentication enabled.'
    else a.name || ' azure AD authentication disabled.'
  end as reason
  
  , a.resource_group as resource_group
  , sub.display_name as subscription
from
  azure_sql_server as a
  left join sever_with_ad_admin as s on a.id = s.id
  left join azure_subscription sub on sub.subscription_id = a.subscription_id;

Control: An Azure Active Directory administrator should be provisioned for SQL servers

Description

Usage

SQL

Tags