Use AAD authentication with MySQL databases#
Security · Azure Database for MySQL · Rule · 2023_06 · Critical
Use Azure Active Directory (AAD) authentication with Azure Database for MySQL databases.
Description#
Azure Database for MySQL offer two authentication models, Azure Active Directory (AAD) and MySQL logins. AAD authentication supports centialized identity management in addition to modern password protections. Some of the benefits of AAD authentication over MySQL authentication including:
- Support for Azure Multi-Factor Authentication (MFA).
- Conditional-based access with Conditional Access.
It is also possible to disable MySQL authentication entirely for the flexible server deployment model.
Recommendation#
Consider using Azure Active Directory (AAD) authentication with Azure Database for MySQL databases. Additionally, consider disabling MySQL authentication.
Examples#
Configure with Azure template#
To deploy Azure Database for MySQL flexible servers that pass this rule:
- Configure the
Microsoft.DBforMySQL/flexibleServers/administratorssub-resource. - Set the
properties.administratorTypetoActiveDirectory. - Set the
properties.identityResourceIdto the resource ID of the user-assigned identity used for AAD authentication. - Set the
properties.loginto the AAD administrator login object name. - Set the
properties.sidto the object ID GUID of the AAD administrator user, group, or application. - Set the
properties.tenantIdto the tenant ID of the AAD administrator user, group, or application.
For example:
{
"type": "Microsoft.DBforMySQL/flexibleServers/administrators",
"apiVersion": "2022-12-01-preview",
"name": "[format('{0}/{1}', parameters('serverName'), 'activeDirectory')]",
"properties": {
"administratorType": "ActiveDirectory",
"identityResourceId": "[parameters('identityResourceId')]",
"login": "[parameters('login')]",
"sid": "[parameters('sid')]",
"tenantId": "[parameters('tenantId')]"
},
"dependsOn": [
"mySqlFlexibleServer"
]
}
To deploy Azure Database for MySQL single servers that pass this rule:
- Configure the
Microsoft.DBforMySQL/servers/administratorssub-resource. - Set the
properties.administratorTypetoActiveDirectory. - Set the
properties.loginto the AAD administrator login object name. - Set the
properties.sidto the object ID GUID of the AAD administrator user, group, or application. - Set the
properties.tenantIdto the tenant ID of the AAD administrator user, group, or application.
For example:
{
"type": "Microsoft.DBforMySQL/servers/administrators",
"apiVersion": "2017-12-01",
"name": "[format('{0}/{1}', parameters('serverName'), 'activeDirectory')]",
"properties": {
"administratorType": "ActiveDirectory",
"login": "[parameters('login')]",
"sid": "[parameters('sid')]",
"tenantId": "[parameters('tenantId')]"
},
"dependsOn": [
"mySqlSingleServer"
]
}
Configure with Bicep#
To deploy Azure Database for MySQL flexible servers that pass this rule:
- Configure the
Microsoft.DBforMySQL/flexibleServers/administratorssub-resource. - Set the
properties.administratorTypetoActiveDirectory. - Set the
properties.identityResourceIdto the resource ID of the user-assigned identity used for AAD authentication. - Set the
properties.loginto the AAD administrator login object name. - Set the
properties.sidto the object ID GUID of the AAD administrator user, group, or application. - Set the
properties.tenantIdto the tenant ID of the AAD administrator user, group, or application.
For example:
resource aadAdmin 'Microsoft.DBforMySQL/flexibleServers/administrators@2021-12-01-preview' = {
name: 'activeDirectory'
parent: mySqlFlexibleServer
properties: {
administratorType: 'ActiveDirectory'
identityResourceId: identityResourceId
login: login
sid: sid
tenantId: tenantId
}
}
To deploy Azure Database for MySQL single servers that pass this rule:
- Configure the
Microsoft.DBforMySQL/servers/administratorssub-resource. - Set the
properties.administratorTypetoActiveDirectory. - Set the
properties.loginto the AAD administrator login object name. - Set the
properties.sidto the object ID GUID of the AAD administrator user, group, or application. - Set the
properties.tenantIdto the tenant ID of the AAD administrator user, group, or application.
For example:
resource aadAdmin 'Microsoft.DBforMySQL/servers/administrators@2017-12-01' = {
name: 'activeDirectory'
parent: mySqlSingleServer
properties: {
administratorType: 'ActiveDirectory'
login: login
sid: sid
tenantId: tenantId
}
}
Notes#
For the flexible server deployment model a user-assigned identity is required in order to use AAD-authentication. The single server deployment model does not support enforcing AAD-authentication only.
Links#
- Use modern password protection
- Use Azure Active Directory for authenticating with MySQL - Flexible Server
- Use Azure Active Directory for authenticating with MySQL - Single Server
- Azure security baseline for Azure Database for MySQL - Flexible Server
- IM-1: Use centralized identity and authentication system
- Azure deployment reference Flexible Server
- Azure deployment reference Single Server