
Entra ID only authentication

Security · Azure Database for MySQL · Rule · 2023_09 · Important

Ensure Entra ID only authentication is enabled with Azure Database for MySQL databases.

Description

Azure Database for MySQL supports authentication with MySQL logins and Entra ID (previously Azure AD) authentication.

By default, authentication with MySQL logins is enabled. MySQL logins are unable to provide sufficient protection for identities. Entra ID authentication provides:

  • Strong protection controls including conditional access.
  • Identity governance.
  • Privileged identity management.

Once you decide to use Entra ID authentication, you can disable authentication with MySQL logins.

Entra ID only authentication is only supported for the flexible server deployment model with MySQL 5.7 and newer.

Recommendation

Consider using Entra ID only authentication. Also consider using Azure Policy for Entra ID only authentication with Azure Database for MySQL.

Examples

Configure with Azure template

To deploy Azure Database for MySQL flexible servers that pass this rule:

  • Configure the Microsoft.DBforMySQL/flexibleServers/configurations sub-resource.
  • Set the name to aad_auth_only.
  • Set the properties.value to ON.
  • Set the properties.source to user-override.

For example:

Azure Template snippet
{
  "type": "Microsoft.DBforMySQL/flexibleServers/configurations",
  "apiVersion": "2022-01-01",
  "name": "[format('{0}/{1}', parameters('serverName'), 'aad_auth_only')]",
  "properties": {
    "value": "ON",
    "source": "user-override"
  },
  "dependsOn": [
    "[resourceId('Microsoft.DBforMySQL/flexibleServers', parameters('serverName'))]"
  ]
}

Configure with Bicep

To deploy Azure Database for MySQL flexible servers that pass this rule:

  • Configure the Microsoft.DBforMySQL/flexibleServers/configurations sub-resource.
  • Set the name to aad_auth_only.
  • Set the properties.value to ON.
  • Set the properties.source to user-override.

For example:

Azure Bicep snippet
resource aadOnly 'Microsoft.DBforMySQL/flexibleServers/configurations@2022-01-01' = {
  name: 'aad_auth_only'
  parent: mySqlFlexibleServer
  properties: {
    value: 'ON'
    source: 'user-override'
  }
}

Notes

The Entra ID admin must be set before enabling Entra ID only authentication. Entra ID only authentication is only supported for the flexible server deployment model.
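An added offline audit (not part of this page or of PSRule) that applies the rule above to an expanded ARM template: for each flexible server it checks that the aad_auth_only configuration is ON and, per the note on the admin prerequisite, that an Entra ID administrator sub-resource exists. The administrators sub-resource type and its administratorType property are assumptions, and the sample template is constructed.

```python
import json

SERVER_TYPE = "microsoft.dbformysql/flexibleservers"
CONFIG_TYPE = SERVER_TYPE + "/configurations"
# Assumption: the sub-resource type that holds the Entra ID admin of a flexible server.
ADMIN_TYPE = SERVER_TYPE + "/administrators"

# Constructed sample: one compliant server, one with the setting OFF,
# one with it ON but no Entra admin, and one with no configuration at all.
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": "Microsoft.DBforMySQL/flexibleServers", "name": "mysql-ok"},
    {"type": "Microsoft.DBforMySQL/flexibleServers/administrators",
     "name": "mysql-ok/ActiveDirectory",
     "properties": {"administratorType": "ActiveDirectory"}},
    {"type": "Microsoft.DBforMySQL/flexibleServers/configurations",
     "name": "mysql-ok/aad_auth_only",
     "properties": {"value": "ON", "source": "user-override"}},
    {"type": "Microsoft.DBforMySQL/flexibleServers", "name": "mysql-off"},
    {"type": "Microsoft.DBforMySQL/flexibleServers/configurations",
     "name": "mysql-off/aad_auth_only",
     "properties": {"value": "OFF", "source": "user-override"}},
    {"type": "Microsoft.DBforMySQL/flexibleServers", "name": "mysql-noadmin"},
    {"type": "Microsoft.DBforMySQL/flexibleServers/configurations",
     "name": "mysql-noadmin/aad_auth_only",
     "properties": {"value": "on", "source": "user-override"}},
    {"type": "Microsoft.DBforMySQL/flexibleServers", "name": "mysql-none"},
]})


def _parent_and_leaf(name):
    # Sub-resource names are "<server>/<child>". ARM expressions such as
    # format('{0}/{1}', ...) are not evaluated here; expand them first.
    parts = name.split("/")
    return parts[0], parts[-1]


def audit_aad_only(template_text):
    """Map each flexible server to a list of findings (empty list means pass)."""
    resources = json.loads(template_text).get("resources", [])
    findings, aad_on, has_admin = {}, set(), set()
    for r in resources:
        rtype = r.get("type", "").lower()
        if rtype == SERVER_TYPE:
            findings[r["name"]] = []
        elif rtype in (CONFIG_TYPE, ADMIN_TYPE):
            parent, leaf = _parent_and_leaf(r.get("name", ""))
            props = r.get("properties", {})
            # Value comparison is case-insensitive: "on" and "ON" both count.
            if (rtype == CONFIG_TYPE and leaf.lower() == "aad_auth_only"
                    and str(props.get("value", "")).upper() == "ON"):
                aad_on.add(parent)
            elif rtype == ADMIN_TYPE and props.get("administratorType") == "ActiveDirectory":
                has_admin.add(parent)
    for server in findings:
        if server not in aad_on:
            findings[server].append("aad_auth_only is not ON")
        if server not in has_admin:
            findings[server].append("no Entra ID administrator defined")
    return findings
```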
