
Entra ID only authentication with PostgreSQL databases

Security · Azure Database for PostgreSQL · Rule · 2023_06 · Important

Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases.

Description

Azure Database for PostgreSQL supports authentication with PostgreSQL logins and Entra ID authentication.

By default, authentication with PostgreSQL logins is enabled. PostgreSQL logins are unable to provide sufficient protection for identities. Entra ID authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.

Once you decide to use Entra ID authentication, you can disable authentication with PostgreSQL logins.

Entra ID only authentication is only supported for the flexible server deployment model.

Recommendation

Consider using Entra ID only authentication. Also consider using Azure Policy to enforce Entra ID only authentication with Azure Database for PostgreSQL.

Examples

Configure with Azure template

To deploy Azure Database for PostgreSQL flexible servers that pass this rule:

  • Set the properties.authConfig.activeDirectoryAuth property to Enabled.
  • Set the properties.authConfig.passwordAuth property to Disabled.

For example:

Azure Template snippet
{
  "type": "Microsoft.DBforPostgreSQL/flexibleServers",
  "apiVersion": "2022-12-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Standard_D2ds_v4",
    "tier": "GeneralPurpose"
  },
  "properties": {
    "createMode": "Default",
    "authConfig": {
      "activeDirectoryAuth": "Enabled",
      "passwordAuth": "Disabled",
      "tenantId": "[tenant().tenantId]"
    },
    "version": "14",
    "storage": {
      "storageSizeGB": 32
    },
    "backup": {
      "backupRetentionDays": 7,
      "geoRedundantBackup": "Enabled"
    },
    "highAvailability": {
      "mode": "ZoneRedundant"
    }
  }
}

Configure with Bicep

To deploy Azure Database for PostgreSQL flexible servers that pass this rule:

  • Set the properties.authConfig.activeDirectoryAuth property to Enabled.
  • Set the properties.authConfig.passwordAuth property to Disabled.

For example:

Azure Bicep snippet
resource flexible 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = {
  name: name
  location: location
  sku: {
    name: 'Standard_D2ds_v4'
    tier: 'GeneralPurpose'
  }
  properties: {
    createMode: 'Default'
    authConfig: {
      activeDirectoryAuth: 'Enabled'
      passwordAuth: 'Disabled'
      tenantId: tenant().tenantId
    }
    version: '14'
    storage: {
      storageSizeGB: 32
    }
    backup: {
      backupRetentionDays: 7
      geoRedundantBackup: 'Enabled'
    }
    highAvailability: {
      mode: 'ZoneRedundant'
    }
  }
}
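As an added example (not PSRule for Azure's own rule code), the following Python function applies the condition described in both the template and Bicep steps above to a flexibleServers resource in ARM template shape: it passes only when activeDirectoryAuth is Enabled and passwordAuth is Disabled, treats a missing authConfig as the platform default (password authentication on), and skips non-flexible server types. The function name and the sample resources are constructed for this example.

```python
"""Check a PostgreSQL flexible server resource for Entra ID only authentication.

Added example with constructed resources mirroring this page's template snippet;
it is not PSRule for Azure's own rule implementation.
"""
FLEXIBLE_SERVER_TYPE = "Microsoft.DBforPostgreSQL/flexibleServers"


def evaluate_auth_config(resource: dict) -> tuple:
    """Return (applicable, passed, reasons) for one ARM-shaped resource.

    Only flexible servers are evaluated; Entra ID only authentication is not
    supported by the single server model, so other types are not applicable.
    A missing authConfig is treated as the platform default: password
    authentication enabled, Entra ID authentication disabled.
    """
    if resource.get("type", "").lower() != FLEXIBLE_SERVER_TYPE.lower():
        return False, True, ["not a flexible server; rule not applicable"]

    auth = resource.get("properties", {}).get("authConfig") or {}
    ad_auth = str(auth.get("activeDirectoryAuth", "Disabled")).lower()
    pw_auth = str(auth.get("passwordAuth", "Enabled")).lower()

    reasons = []
    if ad_auth != "enabled":
        reasons.append("properties.authConfig.activeDirectoryAuth is not 'Enabled'")
    if pw_auth != "disabled":
        reasons.append("properties.authConfig.passwordAuth is not 'Disabled'")
    return True, not reasons, reasons


def _server(name, auth_config=None):
    """Build a constructed flexibleServers resource for the demo below."""
    props = {"createMode": "Default", "version": "14"}
    if auth_config is not None:
        props["authConfig"] = auth_config
    return {"type": FLEXIBLE_SERVER_TYPE, "name": name, "properties": props}


# Constructed samples: compliant, password auth left on, and platform defaults.
SAMPLES = [
    _server("pg-entra-only", {"activeDirectoryAuth": "Enabled", "passwordAuth": "Disabled"}),
    _server("pg-mixed", {"activeDirectoryAuth": "Enabled", "passwordAuth": "Enabled"}),
    _server("pg-default"),
]

if __name__ == "__main__":
    for res in SAMPLES:
        applicable, passed, reasons = evaluate_auth_config(res)
        print(f"{res['name']}: {'PASS' if passed else 'FAIL'} {'; '.join(reasons)}")
```

Whether an Entra ID admin has been assigned (required before enabling Entra ID only authentication, see Notes) is not visible on the server resource itself and is not checked here.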

Notes

The Entra ID admin must be set before enabling Entra ID only authentication. Entra ID only authentication is only supported for the flexible server deployment model.
