Ensure that Azure Active Directory Admin is configured for Azure MySQL Single Server

HIGH

Description

Leaving Azure Active Directory Admin unconfigured for an Azure MySQL Single Server may lead to unauthorized access. Without a designated Azure AD admin, the server lacks a layer of authentication and authorization: no Azure AD identity can be used to manage access to it, and only MySQL-native credentials protect the data. This gap may allow malicious actors to gain unauthorized access to sensitive data stored in the database.

Remediation

In Azure Console -

  1. Open the Azure Portal and go to MySQL servers.
  2. Choose the MySQL server you wish to edit.
  3. Under Authentication, set the Azure AD Admin Name.
  4. Select Save.

In Terraform -

  1. Add an azurerm_mysql_active_directory_administrator resource for the server and set its server_name and login values.
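The Terraform remediation written out end to end, as an added example that is not part of this policy page and not taken from the Terraform registry docs. Resource group, server name, region, SKU, the login display name and the variable names are assumptions; the tenant ID is read from the identity running Terraform, and the object ID of the Azure AD principal is supplied as a variable because it is specific to your directory.

```hcl
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

# Identity running Terraform; used here only to obtain the tenant ID.
data "azurerm_client_config" "current" {}

variable "mysql_admin_password" {
  description = "MySQL-native administrator password (supplied out of band, never committed)."
  type        = string
  sensitive   = true
}

variable "aad_admin_object_id" {
  description = "Object ID of the Azure AD user or group that becomes the server admin (assumed, directory-specific)."
  type        = string
}

resource "azurerm_resource_group" "example" {
  name     = "example-mysql-rg" # assumed name
  location = "West Europe"      # assumed region
}

resource "azurerm_mysql_server" "example" {
  name                = "example-mysql-single" # assumed name; must be globally unique
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  administrator_login          = "mysqladmin"
  administrator_login_password = var.mysql_admin_password

  sku_name   = "GP_Gen5_2"
  storage_mb = 5120
  version    = "5.7"

  ssl_enforcement_enabled          = true
  ssl_minimal_tls_version_enforced = "TLS1_2"
  public_network_access_enabled    = false
}

# Without this resource the server above is exactly what AC_AZURE_0127 flags:
# only MySQL-native logins exist and no Azure AD identity can administer it.
resource "azurerm_mysql_active_directory_administrator" "example" {
  server_name         = azurerm_mysql_server.example.name
  resource_group_name = azurerm_resource_group.example.name
  login               = "mysql-aad-admins" # display name of the Azure AD principal (assumed)
  tenant_id           = data.azurerm_client_config.current.tenant_id
  object_id           = var.aad_admin_object_id
}
```

Pointing object_id at an Azure AD group rather than an individual user keeps the admin assignment stable when people change roles; membership is then managed in the directory instead of by re-running Terraform. A configuration that declares azurerm_mysql_server without the accompanying azurerm_mysql_active_directory_administrator is the non-compliant state this rule reports.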

References:
https://learn.microsoft.com/en-us/azure/mysql/flexible-server/how-to-azure-ad#configure-the-azure-ad-admin
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_server
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_active_directory_administrator

Policy Details

Rule Reference ID: AC_AZURE_0127
CSP: Azure
Remediation Available: Yes
Resource Category: Database
Resource Type: MySQL

Frameworks