Skip to content

Administrator Username Types#

Security · Deployment · Rule · 2022_09

Use secure parameters for sensitive resource properties.

Description#

Resource properties can be configured using a hardcoded value or Azure Bicep/ template expressions. When specifying sensitive values use secure parameters such as secureString or secureObject.

Sensitive values that use deterministic expressions such as hardcodes string literals or variables are not secure.

Recommendation#

Sensitive properties should be passed as parameters. Avoid using deterministic values for sensitive properties.

Examples#

Configure with Azure template#

To deploy resources that pass this rule:

  • Use secure parameters to specify sensitive properties.

For example:

Azure Template snippet
{
  "type": "Microsoft.Compute/virtualMachines",
  "apiVersion": "2022-03-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "zones": [
    "1"
  ],
  "properties": {
    "hardwareProfile": {
      "vmSize": "Standard_D2s_v3"
    },
    "osProfile": {
      "computerName": "[parameters('name')]",
      "adminUsername": "[parameters('adminUsername')]",
      "adminPassword": "[parameters('adminPassword')]"
    },
    "storageProfile": {
      "imageReference": {
        "publisher": "MicrosoftWindowsServer",
        "offer": "WindowsServer",
        "sku": "[parameters('sku')]",
        "version": "latest"
      },
      "osDisk": {
        "name": "[format('{0}-disk0', parameters('name'))]",
        "caching": "ReadWrite",
        "createOption": "FromImage",
        "managedDisk": {
          "storageAccountType": "Premium_LRS"
        }
      }
    },
    "licenseType": "Windows_Server",
    "networkProfile": {
      "networkInterfaces": [
        {
          "id": "[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]"
        }
      ]
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.Network/networkInterfaces', format('{0}-nic0', parameters('name')))]"
  ]
}

Configure with Bicep#

To deploy resources that pass this rule:

  • Use secure parameters to specify sensitive properties.

For example:

Azure Bicep snippet
@secure()
@description('The name of the local administrator account.')
param adminUsername string

@secure()
@description('A password for the local administrator account.')
param adminPassword string

resource vm1 'Microsoft.Compute/virtualMachines@2022-03-01' = {
  name: name
  location: location
  zones: [
    '1'
  ]
  properties: {
    hardwareProfile: {
      vmSize: 'Standard_D2s_v3'
    }
    osProfile: {
      computerName: name
      adminUsername: adminUsername
      adminPassword: adminPassword
    }
    storageProfile: {
      imageReference: {
        publisher: 'MicrosoftWindowsServer'
        offer: 'WindowsServer'
        sku: sku
        version: 'latest'
      }
      osDisk: {
        name: '${name}-disk0'
        caching: 'ReadWrite'
        createOption: 'FromImage'
        managedDisk: {
          storageAccountType: 'Premium_LRS'
        }
      }
    }
    licenseType: 'Windows_Server'
    networkProfile: {
      networkInterfaces: [
        {
          id: nic.id
        }
      ]
    }
  }
}

Notes#

Configure AZURE_DEPLOYMENT_SENSITIVE_PROPERTY_NAMES to specify sensitive property names. By default, the following values are used:

  • adminUsername
  • administratorLogin
  • administratorLoginPassword

Comments