Skip to content

Azure AD-only authentication#

Security · Azure Database for PostgreSQL · Rule · 2023_06

Ensure Azure AD-only authentication is enabled with Azure Database for PostgreSQL databases.

Description#

Azure Database for PostgreSQL supports authentication with PostgreSQL logins and Azure AD authentication.

By default, authentication with PostgreSQL logins is enabled. PostgreSQL logins are unable to provide sufficient protection for identities. Azure AD authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.

Once you decide to use Azure AD authentication, you can disable authentication with PostgreSQL logins.

Azure AD-only authentication is only supported for the flexible server deployment model.

Recommendation#

Consider using Azure AD-only authentication. Also consider using Azure Policy for Azure AD-only authentication with Azure Database for PostgreSQL.

Examples#

Configure with Azure template#

To deploy Azure Database for PostgreSQL flexible servers that pass this rule:

  • Set the properties.authConfig.activeDirectoryAuth property to true.
  • Set the properties.authConfig.passwordAuth property to false.

For example:

Azure Template snippet
{
  "type": "Microsoft.DBforPostgreSQL/flexibleServers",
  "apiVersion": "2022-12-01",
  "name": "[parameters('serverName')]",
  "location": "[parameters('location')]",
  "properties": {
    "authConfig": {
      "activeDirectoryAuth": "Enabled",
      "passwordAuth": "Disabled",
      "tenantId": "[parameters('tenantId')]"
    }
  }
}

Configure with Bicep#

To deploy Azure Database for PostgreSQL flexible servers that pass this rule:

  • Set the properties.authConfig.activeDirectoryAuth property to true.
  • Set the properties.authConfig.passwordAuth property to false.

For example:

Azure Bicep snippet
resource postgreSqlFlexibleServer 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = {
  name: serverName
  location: location
  properties: {
    authConfig: {
      activeDirectoryAuth: 'Enabled'
      passwordAuth: 'Disabled'
      tenantId: tenantId
    }
  }
}

Notes#

The Azure AD admin must be set before enabling Azure AD-only authentication. Azure AD-only authentication is only suppored for the flexible server deployment model.

Comments