Introduction
Azure SQL Database provides a comprehensive set of security features that help you protect data at rest, in transit, and in use. This tutorial walks you through the essential steps to secure your Azure SQL workloads.
Authentication & Authorization
Use Azure Active Directory (AAD) integration for identity‑based authentication instead of SQL authentication wherever possible.
-- Enable AAD authentication for the server: first set an Azure AD admin on the logical
-- server (Portal or `az sql server ad-admin create`), then map an Azure AD identity to a
-- contained database user so no password is stored in the database (user@contoso.com is a placeholder).
CREATE USER [user@contoso.com] FROM EXTERNAL PROVIDER;
Tip: Assign users to the db_datareader and db_datawriter roles only when necessary.
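The tip above is easier to follow with a role scoped to what the workload actually touches. The following T-SQL is an added example (not part of the tutorial): it assumes a schema named Sales and an Azure AD identity orders-api@contoso.com (placeholder name), creates a custom role instead of using db_datawriter, and ends with the two checks you would run to confirm the result.

```sql
-- Added example (not from the tutorial): scope an application's access to one schema
-- instead of granting db_datareader/db_datawriter on the whole database.
-- Assumptions: a schema named Sales exists, and the application runs under the
-- Azure AD identity orders-api@contoso.com (placeholder name).

-- 1. Map the Azure AD identity to a contained database user (no password stored in the DB).
CREATE USER [orders-api@contoso.com] FROM EXTERNAL PROVIDER;

-- 2. Create a role that holds exactly the permissions the workload needs.
CREATE ROLE orders_api_role;
GRANT SELECT, INSERT, UPDATE ON SCHEMA::Sales TO orders_api_role;
-- Deny what the role must never do, even if a broader grant is added later.
DENY DELETE ON SCHEMA::Sales TO orders_api_role;

-- 3. Add the identity to the custom role (instead of to db_datawriter).
ALTER ROLE orders_api_role ADD MEMBER [orders-api@contoso.com];

-- 4. Check: list every explicit permission the identity holds, directly or through roles.
--    Any securable outside the Sales schema showing up here is a review finding.
SELECT pr.name AS principal_name,
       pr.type_desc,
       pe.class_desc,
       COALESCE(s.name,
                OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id)) AS securable,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.schemas AS s
  ON pe.class_desc = 'SCHEMA' AND s.schema_id = pe.major_id
WHERE pr.name IN ('orders_api_role', 'orders-api@contoso.com')
   OR pr.principal_id IN (SELECT member_principal_id
                          FROM sys.database_role_members
                          WHERE role_principal_id = DATABASE_PRINCIPAL_ID('orders_api_role'))
ORDER BY principal_name, securable, permission_name;

-- 5. Check: confirm the identity is not also a member of the broad built-in roles.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('db_owner', 'db_datareader', 'db_datawriter', 'db_ddladmin')
  AND m.name = 'orders-api@contoso.com';
```

The first check should list only GRANT rows on SCHEMA Sales plus the DENY on DELETE; the second should return no rows. Run both again whenever a deployment script touches roles, since a later `ALTER ROLE db_datawriter ADD MEMBER` silently widens what the scoped role was meant to limit.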
Network Security
Restrict inbound traffic with Virtual Networks and Private Endpoints. Once the private endpoint is in place, disable public network access on the logical server so the private path is the only one, and link the subnet's VNet to the privatelink.database.windows.net private DNS zone so clients resolve the server to its private IP.
# Create a private endpoint (--connection-name is required by the CLI; the resource id
# of the logical server is looked up inline)
az network private-endpoint create \
--name mySqlPrivateEndpoint \
--connection-name mySqlPrivateLink \
--resource-group RG \
--vnet-name MyVNet \
--subnet MySubnet \
--private-connection-resource-id $(az sql server show -g RG -n myServer --query id -o tsv) \
--group-id sqlServer
Data Encryption
Azure SQL encrypts data at rest with Transparent Data Encryption (TDE) by default. For highly sensitive fields, add column-level encryption with Always Encrypted: the column master key stays in Azure Key Vault, so the database engine only ever stores and returns ciphertext and decryption happens in the client driver.
-- Enable column-level encryption (Always Encrypted): the column master key (CMK) lives in Key Vault
CREATE COLUMN MASTER KEY MyCMK
WITH (
KEY_STORE_PROVIDER_NAME = N'AZURE_KEY_VAULT',
KEY_PATH = N'https://myvault.vault.azure.net/keys/MyKey'
);
-- The column encryption key (CEK) is stored wrapped by the CMK with RSA-OAEP; the ENCRYPTED_VALUE
-- blob is generated by client tooling (SSMS or the SqlServer PowerShell module) that can reach Key Vault
CREATE COLUMN ENCRYPTION KEY MyCEK
WITH VALUES (
COLUMN_MASTER_KEY = MyCMK,
ALGORITHM = 'RSA_OAEP',
ENCRYPTED_VALUE = 0x /* placeholder: paste the CEK blob produced by the tooling here */
);
-- Columns are then encrypted with AES-256-CBC plus HMAC-SHA-256 under the CEK
CREATE TABLE dbo.Patients (
PatientId INT PRIMARY KEY,
SSN CHAR(11) ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = MyCEK,
ENCRYPTION_TYPE = RANDOMIZED,
ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256')
);
Auditing & Threat Detection
Turn on Auditing to a storage account or Log Analytics workspace and enable Advanced Threat Protection. Include the authentication action groups in the audit policy; they are the events the login-failure monitoring in the best practices below depends on.
# Enable auditing to Log Analytics (the workspace resource id is looked up inline;
# --actions selects the audited action groups, including failed and successful logins)
az sql db audit-policy update \
--resource-group RG \
--server myServer \
--name myDatabase \
--state Enabled \
--lats Enabled \
--lawri $(az monitor log-analytics workspace show -g RG -n myWorkspace --query id -o tsv) \
--actions FAILED_DATABASE_AUTHENTICATION_GROUP SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP BATCH_COMPLETED_GROUP
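Once authentication events are audited, the alerting threshold mentioned in the best practices can be expressed as a query over those events. The following T-SQL is an added example (not part of the tutorial) that flags a principal and client IP with a burst of failed authentications inside a sliding window. It runs against a constructed table variable whose columns mirror the audit rows; the sys.fn_get_audit_file call in the comment, with a placeholder storage path, is where the real rows would come from when auditing targets blob storage.

```sql
-- Added example (not from the tutorial): alert on bursts of failed database authentications.
-- In Azure SQL the real rows come from the audit log, for example:
--   SELECT event_time, action_id, succeeded, server_principal_name, client_ip
--   FROM sys.fn_get_audit_file('https://<storage-account>.blob.core.windows.net/sqldbauditlogs/', DEFAULT, DEFAULT)
-- (the storage path is a placeholder). The rows below are constructed so the query runs anywhere.

DECLARE @Threshold INT = 5;         -- failures per principal+IP that trigger an alert
DECLARE @WindowMinutes INT = 10;    -- sliding window size

DECLARE @AuditEvents TABLE (
    event_time            DATETIME2     NOT NULL,
    action_id             CHAR(4)       NOT NULL,   -- 'DBAF' = DATABASE AUTHENTICATION FAILED, 'DBAS' = succeeded
    succeeded             BIT           NOT NULL,
    server_principal_name NVARCHAR(128) NOT NULL,
    client_ip             VARCHAR(45)   NOT NULL
);

-- Constructed sample: six failures against 'appadmin' from one IP within four minutes,
-- one mistyped password by 'alice', and normal successful logins.
INSERT INTO @AuditEvents VALUES
('2024-01-15 09:00:10', 'DBAF', 0, N'appadmin', '203.0.113.7'),
('2024-01-15 09:00:40', 'DBAF', 0, N'appadmin', '203.0.113.7'),
('2024-01-15 09:01:05', 'DBAF', 0, N'appadmin', '203.0.113.7'),
('2024-01-15 09:02:30', 'DBAF', 0, N'appadmin', '203.0.113.7'),
('2024-01-15 09:03:12', 'DBAF', 0, N'appadmin', '203.0.113.7'),
('2024-01-15 09:04:01', 'DBAF', 0, N'appadmin', '203.0.113.7'),
('2024-01-15 09:05:00', 'DBAS', 1, N'alice',    '198.51.100.20'),
('2024-01-15 09:20:00', 'DBAF', 0, N'alice',    '198.51.100.20'),
('2024-01-15 09:20:30', 'DBAS', 1, N'alice',    '198.51.100.20'),
('2024-01-15 11:00:00', 'DBAF', 0, N'appadmin', '203.0.113.7');   -- isolated: outside any earlier window

-- For each failure, count failures from the same principal+IP in the preceding window.
WITH Failures AS (
    SELECT event_time, server_principal_name, client_ip
    FROM @AuditEvents
    WHERE action_id = 'DBAF' AND succeeded = 0
),
Windowed AS (
    SELECT f.server_principal_name,
           f.client_ip,
           f.event_time AS window_end,
           (SELECT COUNT(*)
            FROM Failures AS p
            WHERE p.server_principal_name = f.server_principal_name
              AND p.client_ip = f.client_ip
              AND p.event_time >  DATEADD(MINUTE, -@WindowMinutes, f.event_time)
              AND p.event_time <= f.event_time) AS failures_in_window
    FROM Failures AS f
)
-- One alert row per principal+IP that crossed the threshold, with when it first happened.
SELECT server_principal_name,
       client_ip,
       MIN(window_end)         AS first_alert_time,
       MAX(failures_in_window) AS peak_failures_in_window
FROM Windowed
WHERE failures_in_window >= @Threshold
GROUP BY server_principal_name, client_ip;
```

With the sample rows the query returns a single alert for appadmin from 203.0.113.7 (first crossed at the fifth failure, peaking at six within ten minutes); alice's single failure and the isolated 11:00 attempt stay below the threshold. The same grouping, keyed on principal and client IP, is what you would put behind a scheduled alert rule, with the threshold tuned so that ordinary typo rates do not page anyone.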
Best Practices
- Use Managed Identities for Azure resources that need to connect to Azure SQL.
- Rotate AAD passwords and certificates regularly.
- Apply the principle of least privilege to all database roles.
- Monitor login failures and set alerting thresholds.
- Back up encryption keys to a separate key vault.