
Azure AD-only authentication

Security · Azure Database for MySQL · Rule · 2023_09 · Important

Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases.

Description

Azure Database for MySQL supports authentication with MySQL logins and Azure AD authentication.

By default, authentication with MySQL logins is enabled. MySQL logins are unable to provide sufficient protection for identities. Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.

Once you decide to use Azure AD authentication, you can disable authentication with MySQL logins.

Azure AD-only authentication is only supported for the flexible server deployment model with MySQL 5.7 and newer.

Recommendation

Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with Azure Database for MySQL.

Examples

Configure with Azure template

To deploy Azure Database for MySQL flexible servers that pass this rule:

  • Configure the Microsoft.DBforMySQL/flexibleServers/configurations sub-resource.
  • Set the name to aad_auth_only.
  • Set the properties.value to ON.
  • Set the properties.source to user-override.

For example:

Azure Template snippet
{
  "type": "Microsoft.DBforMySQL/flexibleServers/configurations",
  "apiVersion": "2022-01-01",
  "name": "[format('{0}/{1}', parameters('serverName'), 'aad_auth_only')]",
  "properties": {
    "value": "ON",
    "source": "user-override"
  },
  "dependsOn": [
     "[resourceId('Microsoft.DBforMySQL/flexibleServers', parameters('serverName'))]"
  ]
}

Configure with Bicep

To deploy Azure Database for MySQL flexible servers that pass this rule:

  • Configure the Microsoft.DBforMySQL/flexibleServers/configurations sub-resource.
  • Set the name to aad_auth_only.
  • Set the properties.value to ON.
  • Set the properties.source to user-override.

For example:

Azure Bicep snippet
resource aadOnly 'Microsoft.DBforMySQL/flexibleServers/configurations@2022-01-01' = {
  name: 'aad_auth_only'
  // mySqlFlexibleServer is the Microsoft.DBforMySQL/flexibleServers resource declared elsewhere in the same Bicep file
  parent: mySqlFlexibleServer
  properties: {
    value: 'ON'
    source: 'user-override'
  }
}
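The template and Bicep snippets above show the setting to deploy; what a reviewer usually also wants is a way to tell, from a template already in a repository, which flexible servers would fail this rule. The following Python check is an added example and is not PSRule for Azure's own rule implementation: it walks the `resources` array of an ARM template, finds each `Microsoft.DBforMySQL/flexibleServers` resource, and reports it as failing unless a `configurations` sub-resource named `aad_auth_only` sets `properties.value` to `ON` (compared case-insensitively, since MySQL accepts `on`). It assumes sub-resource names are written as literal `server/aad_auth_only` strings; template expressions such as the `format(...)` call in the snippet above are not evaluated. The template embedded below is constructed for the example.

```python
"""Report Azure Database for MySQL flexible servers whose ARM template
does not enable Azure AD-only authentication (aad_auth_only = ON).

Added example; not part of PSRule for Azure. The sample template is
constructed inline and uses literal sub-resource names.
"""
import json

SERVER_TYPE = "Microsoft.DBforMySQL/flexibleServers"
CONFIG_TYPE = "Microsoft.DBforMySQL/flexibleServers/configurations"
SETTING_NAME = "aad_auth_only"


def aad_only_status(resources):
    """Map each flexible server name to True when aad_auth_only is ON.

    Servers with no aad_auth_only sub-resource, or with any value other
    than ON, map to False. Sub-resources whose parent server is not in
    the template are still reported so the caller sees them.
    """
    status = {r["name"]: False for r in resources if r.get("type") == SERVER_TYPE}
    for r in resources:
        if r.get("type") != CONFIG_TYPE:
            continue
        # ARM child resource names take the form "<server>/<setting>".
        parts = r.get("name", "").split("/")
        if len(parts) != 2 or parts[1].lower() != SETTING_NAME:
            continue
        server = parts[0]
        value = str(r.get("properties", {}).get("value", "")).strip().upper()
        status[server] = value == "ON"
    return status


def failing_servers(resources):
    """Sorted names of servers that would fail the AAD-only rule."""
    return sorted(name for name, ok in aad_only_status(resources).items() if not ok)


def failing_servers_from_template(template_json):
    """Convenience wrapper: accept the ARM template as a JSON string."""
    return failing_servers(json.loads(template_json).get("resources", []))


# Constructed sample: one compliant server, one explicitly OFF, one with
# no aad_auth_only configuration at all. Server properties are omitted
# because only type/name matter to this check.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": SERVER_TYPE, "apiVersion": "2022-01-01", "name": "mysql-prod"},
        {"type": CONFIG_TYPE, "apiVersion": "2022-01-01",
         "name": "mysql-prod/aad_auth_only",
         "properties": {"value": "on", "source": "user-override"}},
        {"type": SERVER_TYPE, "apiVersion": "2022-01-01", "name": "mysql-legacy"},
        {"type": CONFIG_TYPE, "apiVersion": "2022-01-01",
         "name": "mysql-legacy/aad_auth_only",
         "properties": {"value": "OFF", "source": "user-override"}},
        {"type": SERVER_TYPE, "apiVersion": "2022-01-01", "name": "mysql-noconfig"},
    ],
})

if __name__ == "__main__":
    for server in failing_servers_from_template(SAMPLE_TEMPLATE):
        print(f"FAIL Azure AD-only authentication not enabled: {server}")
```

Running the file prints the two non-compliant servers. In a pipeline the same function would be run over every template in the repository before deployment, which is the point at which this finding is cheapest to fix.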

Notes

The Azure AD admin must be set before enabling Azure AD-only authentication. Azure AD-only authentication is only supported for the flexible server deployment model.
