Authentication & Authorization
Azure SQL Database supports multiple authentication methods to ensure only legitimate users can access your data.
- Azure Active Directory (AAD) authentication – integrated with your organization’s identity provider.
- SQL authentication – username and password stored securely in Azure.
- Managed identities – for Azure services to connect without secrets.
- Multi-factor authentication (MFA) – enforced at the AAD level.
Example: Enabling AAD Authentication
az sql server ad-admin create \
    --resource-group MyResourceGroup \
    --server myserver \
    --display-name "Contoso Admin" \
    --object-id 11111111-2222-3333-4444-555555555555
Encryption
Data is protected at rest and in transit using industry‑standard encryption.
- Transparent Data Encryption (TDE) – encrypts database files automatically.
- Always Encrypted – protects sensitive data such as credit card numbers.
- SSL/TLS – secures connections between client and server.
Enabling Transparent Data Encryption
ALTER DATABASE MyDatabase SET ENCRYPTION ON;
Configuring Always Encrypted
Use the Azure portal or SqlPackage to define column encryption settings.
Network Security – Firewall
Control inbound traffic using server‑level and database‑level firewall rules.
- IP range rules – allow specific address blocks.
- Virtual network service endpoints – limit access to Azure VNets.
- Azure Private Link – expose your database via a private endpoint.
Adding a Server‑Level Firewall Rule
az sql server firewall-rule create \
    --resource-group MyResourceGroup \
    --server myserver \
    --name AllowOfficeIP \
    --start-ip-address 203.0.113.0 \
    --end-ip-address 203.0.113.255
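Once rules like the one above accumulate, it is worth reviewing them for ranges that are broader than intended. The script below is an added example, not part of the original page: it reads each rule as tab-separated name, start address and end address, then flags the special 0.0.0.0 rule, an all-addresses rule, and any range above a size threshold. The MAX_ADDRS threshold, the function names and the sample rules are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: review Azure SQL server-level firewall rules for broad ranges.
# Input is one rule per line as TSV (name, start IP, end IP), e.g. from:
#   az sql server firewall-rule list --resource-group MyResourceGroup \
#     --server myserver --query "[].[name,startIpAddress,endIpAddress]" -o tsv

# Assumed policy threshold (largest acceptable range); not an Azure limit.
MAX_ADDRS=256

audit_fw_rules() {
  awk -F '\t' -v max="$MAX_ADDRS" '
    # Convert a dotted-quad IPv4 address to a number for range arithmetic.
    function ip2n(ip,  o) {
      split(ip, o, ".")
      return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    {
      s = ip2n($2); e = ip2n($3); n = e - s + 1
      if (s == 0 && e == 0) {
        # 0.0.0.0-0.0.0.0 is the "allow Azure services" rule, which also
        # admits connections from other customers subscriptions.
        print "WARN\t" $1 "\tallows all Azure services"
      } else if (s == 0 && e == 4294967295) {
        print "FAIL\t" $1 "\topen to every IPv4 address"
      } else if (n > max) {
        print "FAIL\t" $1 "\trange covers " n " addresses (limit " max ")"
      } else {
        print "OK\t" $1 "\t" n " addresses"
      }
    }'
}

# Constructed sample in the same TSV shape; not output from a real server.
sample_rules() {
  printf '%s\t%s\t%s\n' \
    AllowOfficeIP 203.0.113.0 203.0.113.255 \
    AllowAllWindowsAzureIps 0.0.0.0 0.0.0.0 \
    TempDebug 0.0.0.0 255.255.255.255 \
    PartnerRange 198.51.100.0 198.51.103.255
}

sample_rules | audit_fw_rules
```

To check a real server, pipe the az command shown in the header comment into audit_fw_rules instead of sample_rules.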
Auditing & Threat Detection
Continuous monitoring helps detect suspicious activity.
- Auditing – logs all database events to Log Analytics or Storage.
- Advanced Threat Protection – real‑time alerts for anomalous behavior.
- Vulnerability Assessment – scans for security gaps.
Enable Auditing via Azure Portal
Navigate to SQL databases → Your DB → Auditing and select a storage destination.
Compliance & Certifications
Azure SQL Database complies with major standards:
- ISO/IEC 27001, 27018
- HIPAA/HITECH
- PCI DSS v3.2.1
- GDPR
- FedRAMP High
Best Practices
- Use Azure AD authentication with MFA.
- Enable Transparent Data Encryption and Always Encrypted for sensitive columns.
- Restrict network access with Private Link and firewall rules.
- Turn on Advanced Threat Protection and Auditing.
- Regularly run Vulnerability Assessment scans.