Ensure Azure AD authentication is enabled for Azure SQL (MSSQL)

Bridgecrew Policy ID: BC_AZR_NETWORKING_63 Checkov Check ID: CKV_AZURE_222

Azure AD authentication is not enabled for Azure SQL


Azure AD authentication is a mechanism of connecting to Azure SQL Database by using identities in Azure AD. With Azure AD authentication, you can manage the identities of database users and other Microsoft services in one central location. It offers benefits like Multi-Factor Authentication, identity protection, and seamless domain join.

This policy ensures that Azure AD authentication is enabled for Azure SQL (MSSQL) by checking for the existence of the azuread_administrator attribute in the azurerm_mssql_server resource and verifying that the login_username attribute within azuread_administrator has a valid value (i.e., not only whitespaces).

Fix - Buildtime


resource "azurerm_mssql_server" "example" {
  name                         = "example-mssqlserver"
  resource_group_name          = azurerm_resource_group.example.name
  location                     = azurerm_resource_group.example.location
  # ... other configurations ...
+ azuread_administrator {
+   login_username = "example_admin"
+   object_id      = "xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+   tenant_id      = "xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+ }