Azure AD-only authentication
Security · Azure Database for PostgreSQL · 2023_06
Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.
Description
Azure Database for PostgreSQL supports authentication with PostgreSQL logins and Azure AD authentication.
By default, authentication with PostgreSQL logins is enabled. PostgreSQL logins are unable to provide sufficient protection for identities. Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.
Once you decide to use Azure AD authentication, you can disable authentication with PostgreSQL logins.
Azure AD-only authentication is only supported for the flexible server deployment model.
Recommendation
Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with Azure Database for PostgreSQL.
Examples
Configure with Azure template
To deploy Azure Database for PostgreSQL flexible servers that pass this rule:
- Set the properties.authConfig.activeDirectoryAuth property to Enabled.
- Set the properties.authConfig.passwordAuth property to Disabled.
For example:
{
    "type": "Microsoft.DBforPostgreSQL/flexibleServers",
    "apiVersion": "2022-12-01",
    "name": "[parameters('serverName')]",
    "location": "[parameters('location')]",
    "properties": {
        "authConfig": {
            "activeDirectoryAuth": "Enabled",
            "passwordAuth": "Disabled",
            "tenantId": "[parameters('tenantId')]"
        }
    }
}
Configure with Bicep
To deploy Azure Database for PostgreSQL flexible servers that pass this rule:
- Set the properties.authConfig.activeDirectoryAuth property to Enabled.
- Set the properties.authConfig.passwordAuth property to Disabled.
For example:
resource postgreSqlFlexibleServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = {
  name: serverName
  location: location
  properties: {
    authConfig: {
      activeDirectoryAuth: 'Enabled'
      passwordAuth: 'Disabled'
      tenantId: tenantId
    }
  }
}
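The Azure template and Bicep sections above describe the same check: a flexible server passes only when activeDirectoryAuth is Enabled and passwordAuth is Disabled. The following Python checker is an added example (not code from the PSRule for Azure page or project) that applies that logic to the resources of an ARM template before deployment. It assumes the service defaults when authConfig is omitted (password authentication Enabled, Azure AD authentication Disabled, so an omitted block fails), treats the single server resource type as not applicable because only the flexible server model supports Azure AD-only authentication, and runs over a constructed sample template with four resources: one compliant, one in mixed mode, one relying on defaults, and one single server.

```python
# Added example (not part of the PSRule for Azure page or project code): a small
# checker that applies this rule's logic to Azure Resource Manager template
# resources, so a pipeline can flag PostgreSQL flexible servers that still
# accept PostgreSQL password logins before they are deployed.
import json

FLEXIBLE_SERVER = "microsoft.dbforpostgresql/flexibleservers"
SINGLE_SERVER = "microsoft.dbforpostgresql/servers"


def check_auth_config(resource):
    """Evaluate one ARM resource. Returns (status, reason) where status is
    'pass', 'fail' or 'n/a' (the rule does not apply to the resource)."""
    rtype = str(resource.get("type", "")).lower()
    if rtype == SINGLE_SERVER:
        # Single server does not support Azure AD-only authentication at all.
        return "n/a", "single server deployment model; rule does not apply"
    if rtype != FLEXIBLE_SERVER:
        return "n/a", "not a PostgreSQL flexible server"

    properties = resource.get("properties") or {}
    auth = properties.get("authConfig") or {}
    # Assumed service defaults when authConfig is omitted: passwordAuth is
    # Enabled and activeDirectoryAuth is Disabled, so an omitted block fails.
    ad_auth = str(auth.get("activeDirectoryAuth", "Disabled"))
    pw_auth = str(auth.get("passwordAuth", "Enabled"))

    problems = []
    if ad_auth.lower() != "enabled":
        problems.append(f"activeDirectoryAuth is {ad_auth!r}, expected 'Enabled'")
    if pw_auth.lower() != "disabled":
        problems.append(f"passwordAuth is {pw_auth!r}, expected 'Disabled'")
    if problems:
        return "fail", "; ".join(problems)
    return "pass", "Azure AD-only authentication is configured"


def check_template(template):
    """Map each resource name in an ARM template to its (status, reason)."""
    return {
        str(res.get("name", "<unnamed>")): check_auth_config(res)
        for res in template.get("resources", [])
    }


# Constructed sample template; names, location and the all-zero tenantId are
# placeholders, not real values.
SAMPLE_TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.DBforPostgreSQL/flexibleServers",
      "apiVersion": "2022-12-01",
      "name": "pg-aad-only",
      "location": "westeurope",
      "properties": {
        "authConfig": {
          "activeDirectoryAuth": "Enabled",
          "passwordAuth": "Disabled",
          "tenantId": "00000000-0000-0000-0000-000000000000"
        }
      }
    },
    {
      "type": "Microsoft.DBforPostgreSQL/flexibleServers",
      "apiVersion": "2022-12-01",
      "name": "pg-mixed-auth",
      "location": "westeurope",
      "properties": {
        "authConfig": {
          "activeDirectoryAuth": "Enabled",
          "passwordAuth": "Enabled"
        }
      }
    },
    {
      "type": "Microsoft.DBforPostgreSQL/flexibleServers",
      "apiVersion": "2022-12-01",
      "name": "pg-defaults",
      "location": "westeurope",
      "properties": {}
    },
    {
      "type": "Microsoft.DBforPostgreSQL/servers",
      "apiVersion": "2017-12-01",
      "name": "pg-single-server",
      "location": "westeurope",
      "properties": {}
    }
  ]
}
""")


if __name__ == "__main__":
    for name, (status, reason) in check_template(SAMPLE_TEMPLATE).items():
        print(f"{status:4}  {name}: {reason}")
```

The mixed-mode resource is the case worth watching in review: enabling Azure AD authentication alone does not satisfy the rule, because password logins remain accepted until passwordAuth is explicitly set to Disabled. The checker only inspects the template; whether an Azure AD admin has been assigned before Azure AD-only authentication is enabled (see Notes) must still be verified against the deployed server.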
Notes
The Azure AD admin must be set before enabling Azure AD-only authentication. Azure AD-only authentication is only supported for the flexible server deployment model.
Links
- Use modern password protection
- Use Azure AD for authentication with Azure Database for PostgreSQL - Flexible Server
- Azure Active Directory Authentication (Single Server VS Flexible Server)
- Azure security baseline for Azure Database for PostgreSQL - Flexible Server
- IM-1: Use centralized identity and authentication system
- Azure deployment reference