# Azure AD-only authentication
Security · Azure Database for MySQL · Rule · 2023_09
Ensure Azure AD-only authentication is enabled with Azure Database for MySQL databases.
## Description
Azure Database for MySQL supports authentication with MySQL logins and Azure AD authentication.
By default, authentication with MySQL logins is enabled. MySQL logins are unable to provide sufficient protection for identities. Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.
Once you decide to use Azure AD authentication, you can disable authentication with MySQL logins.
Azure AD-only authentication is only supported for the flexible server deployment model with MySQL 5.7 and newer.
## Recommendation
Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with Azure Database for MySQL.
## Examples

### Configure with Azure template
To deploy Azure Database for MySQL flexible servers that pass this rule:
- Configure the `Microsoft.DBforMySQL/flexibleServers/configurations` sub-resource.
- Set the `name` to `aad_auth_only`.
- Set the `properties.value` to `ON`.
- Set the `properties.source` to `user-override`.
For example:
```json
{
  "type": "Microsoft.DBforMySQL/flexibleServers/configurations",
  "apiVersion": "2022-01-01",
  "name": "[format('{0}/{1}', parameters('serverName'), 'aad_auth_only')]",
  "properties": {
    "value": "ON",
    "source": "user-override"
  },
  "dependsOn": [
    "[resourceId('Microsoft.DBforMySQL/flexibleServers', parameters('serverName'))]"
  ]
}
```
### Configure with Bicep
To deploy Azure Database for MySQL flexible servers that pass this rule:
- Configure the `Microsoft.DBforMySQL/flexibleServers/configurations` sub-resource.
- Set the `name` to `aad_auth_only`.
- Set the `properties.value` to `ON`.
- Set the `properties.source` to `user-override`.
For example:
```bicep
resource aadOnly 'Microsoft.DBforMySQL/flexibleServers/configurations@2022-01-01' = {
  name: 'aad_auth_only'
  parent: mySqlFlexibleServer
  properties: {
    value: 'ON'
    source: 'user-override'
  }
}
```
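The two snippets above show the setting in a template; the following added example (not PSRule's own code) shows how the same condition can be checked offline over a template's `resources` array: each flexible server passes only if a child `configurations` resource named `<server>/aad_auth_only` sets `properties.value` to `ON`. It assumes literal child names in a flat `resources` list, and the template it checks is constructed for the demo.

```python
"""Check an ARM template for Azure AD-only authentication on MySQL flexible servers."""
import json

FLEX_SERVER = "Microsoft.DBforMySQL/flexibleServers"
CONFIG = "Microsoft.DBforMySQL/flexibleServers/configurations"

# Constructed sample: "good-server" turns aad_auth_only ON, "legacy-server"
# only sets an unrelated parameter and so keeps MySQL logins enabled.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {"type": FLEX_SERVER, "apiVersion": "2022-01-01", "name": "good-server"},
        {"type": CONFIG, "apiVersion": "2022-01-01",
         "name": "good-server/aad_auth_only",
         "properties": {"value": "ON", "source": "user-override"}},
        {"type": FLEX_SERVER, "apiVersion": "2022-01-01", "name": "legacy-server"},
        {"type": CONFIG, "apiVersion": "2022-01-01",
         "name": "legacy-server/require_secure_transport",
         "properties": {"value": "ON", "source": "user-override"}},
    ]
})


def aad_only_status(template_json: str) -> dict:
    """Return {server_name: bool}; True when aad_auth_only is set to ON."""
    resources = json.loads(template_json).get("resources", [])
    # Every flexible server declared in the template starts as failing.
    status = {r["name"]: False for r in resources if r.get("type") == FLEX_SERVER}
    for r in resources:
        if r.get("type") != CONFIG:
            continue
        # Child resource names take the form "<server>/<parameter>" (assumed literal).
        server, _, parameter = r.get("name", "").partition("/")
        if parameter != "aad_auth_only":
            continue
        value = str(r.get("properties", {}).get("value", ""))
        # A configuration may target a server deployed elsewhere; record it too.
        status[server] = value.upper() == "ON"
    return status


def failing_servers(template_json: str) -> list:
    """Servers that would fail this rule, sorted for stable reporting."""
    return sorted(name for name, ok in aad_only_status(template_json).items() if not ok)


if __name__ == "__main__":
    for name, ok in aad_only_status(SAMPLE_TEMPLATE).items():
        print(f"{name}: {'pass' if ok else 'FAIL (MySQL logins still enabled)'}")
```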
## Notes

The Azure AD admin must be set before enabling Azure AD-only authentication. Azure AD-only authentication is only supported for the flexible server deployment model.
## Links
- Use modern password protection
- Active Directory authentication for Azure Database for MySQL - Flexible Server
- Azure security baseline for Azure Database for MySQL - Flexible Server
- IM-1: Use centralized identity and authentication system
- Azure deployment reference