Database Security

SQL authentication: with this authentication method, the user submits a user account name and its associated password to establish a connection. The password is stored in the master database for user accounts that are linked to a login, or in the database that contains the user account for user accounts that are not linked to a login.

Logins and users: In Azure SQL, a user account in a database can be associated with a login that is stored in the master database, or it can be a user name whose credentials are stored in the individual database itself.

  • A login is an individual account in the master database, to which a user account in one or more databases can be linked. With a login, the credential information for the user account is stored with the login.
  • A user account is an individual account in any database that may be but does not have to be linked to a login. With a user account that is not linked to a login, the credential information is stored with the user account.
  • Recommendation: Use Azure Active Directory authentication to centrally manage identities of database users and as an alternative to SQL Server authentication.
  • SSMS supports authentication with AAD using AAD Universal Authentication.
  • Initially, all access to your Azure SQL Database is blocked by the SQL Database firewall.
  • To help protect your data, firewalls prevent all access to your database server until you specify which computers have permission. The firewall grants access to databases based on the originating IP address of each request.
  • There are server-level IP firewall rules and database-level IP firewall rules. Server-level rules apply to all databases on the server; because their scope is broader, they are evaluated only after the database-level rules (a request is checked against the database-level rules first and falls through to the server-level rules if none match).
  • Recommendation: Whenever possible, as a best practice, use database-level IP firewall rules to enhance security and to make your database more portable. Use server-level IP firewall rules for administrators and when you have several databases with the same access requirements, and you don't want to spend time configuring each database individually.
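The login/user split and the two firewall-rule scopes described above, as an added T-SQL example (not part of the original notes). The server, database, principal names, passwords and IP ranges are placeholders; statements are marked with the database you must be connected to, because Azure SQL Database does not support switching databases with USE.

```sql
-- Added example, not from the original page. Placeholder names throughout:
-- server 'contoso-sql', database 'SalesDb', principals, passwords and IP ranges.

-- 1. Login in master plus a user linked to it.
--    The credential lives with the login in master, so it does not travel with the database.
-- Connected to: master
CREATE LOGIN app_login WITH PASSWORD = '<strong-password-placeholder>';

-- Connected to: SalesDb
CREATE USER app_user FOR LOGIN app_login;
ALTER ROLE db_datareader ADD MEMBER app_user;

-- 2. Contained database user (no login; credential stored in SalesDb itself).
--    Makes the database portable: copy or restore it and the user still works.
-- Connected to: SalesDb
CREATE USER report_user WITH PASSWORD = '<strong-password-placeholder>';
ALTER ROLE db_datareader ADD MEMBER report_user;

-- 3. Azure AD user (the recommended option): no password is stored in SQL at all.
--    Requires an Azure AD admin configured on the server; run while connected as that admin.
-- Connected to: SalesDb
CREATE USER [analyst@contoso.com] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [analyst@contoso.com];

-- Least-privilege review: who exists in this database, how they authenticate, and their roles.
-- Connected to: SalesDb
SELECT dp.name,
       dp.type_desc,
       dp.authentication_type_desc,   -- INSTANCE (login-linked), DATABASE (contained), EXTERNAL (Azure AD)
       r.name AS role_name
FROM sys.database_principals AS dp
LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
WHERE dp.type IN ('S', 'E', 'X')       -- SQL user, Azure AD user, Azure AD group
  AND dp.name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys');

-- 4. IP firewall rules.
-- Database-level rule (preferred): evaluated first and travels with the database.
-- Connected to: SalesDb
EXECUTE sp_set_database_firewall_rule
    @name = N'Office-Range',
    @start_ip_address = '203.0.113.10',   -- placeholder range (RFC 5737 documentation addresses)
    @end_ip_address   = '203.0.113.20';

-- Server-level rule: for administrators, or many databases with identical access needs.
-- Connected to: master
EXECUTE sp_set_firewall_rule
    @name = N'DBA-Workstation',
    @start_ip_address = '198.51.100.5',   -- placeholder address
    @end_ip_address   = '198.51.100.5';

-- Review the rules in effect at each scope.
SELECT name, start_ip_address, end_ip_address FROM sys.database_firewall_rules;  -- Connected to: SalesDb
SELECT name, start_ip_address, end_ip_address FROM sys.firewall_rules;           -- Connected to: master

-- Remove a database-level rule that is no longer needed.
-- Connected to: SalesDb
EXECUTE sp_delete_database_firewall_rule @name = N'Office-Range';
```

The review query is the useful habit here: a single-address server-level rule for an administrator plus narrow database-level rules for each application keeps the broader scope small, and `authentication_type_desc` shows at a glance which users still carry SQL passwords rather than Azure AD identities.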

Auditing for Azure SQL Database and Azure Synapse Analytics tracks database events and writes them to an audit log in your Azure Storage account, Log Analytics workspace, or Event Hubs.
  • Auditing can be enabled at the server level or at the database level.
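Reading the audit log that auditing writes to an Azure Storage account, as an added T-SQL example (not from the original notes). It assumes auditing is already enabled with a storage target; the blob URL is a placeholder for the folder auditing writes to (the server, database and date segments vary), and sys.fn_get_audit_file reads only the storage target, not Log Analytics or Event Hubs.

```sql
-- Added example, not from the original page.
-- Placeholder URL: replace <storage-account>, <server> and <database> with your own values.
-- sys.fn_get_audit_file returns the .xel audit files under that folder as rows.

-- Failed actions in the audited window (rejected logins, denied statements), newest first.
SELECT event_time,
       action_id,              -- e.g. LGIF = login failed, LGIS = login succeeded
       succeeded,
       server_principal_name,
       client_ip,
       database_name,
       statement
FROM sys.fn_get_audit_file(
        'https://<storage-account>.blob.core.windows.net/sqldbauditlogs/<server>/<database>/SqlDbAuditing_ServerAudit/2023-02-06/',
        DEFAULT, DEFAULT)
WHERE succeeded = 0
ORDER BY event_time DESC;

-- Failed logins grouped by source address: a burst from one client_ip against many
-- principal names is the pattern worth investigating (and worth a firewall-rule review).
SELECT client_ip,
       COUNT(*)                            AS failed_logins,
       COUNT(DISTINCT server_principal_name) AS distinct_principals,
       MIN(event_time)                     AS first_seen,
       MAX(event_time)                     AS last_seen
FROM sys.fn_get_audit_file(
        'https://<storage-account>.blob.core.windows.net/sqldbauditlogs/<server>/<database>/SqlDbAuditing_ServerAudit/2023-02-06/',
        DEFAULT, DEFAULT)
WHERE action_id = 'LGIF'
GROUP BY client_ip
ORDER BY failed_logins DESC;
```

Because server-level auditing covers every database on the server while database-level auditing covers only one, the server-level audit is the one to query when you want to see failed logins regardless of which database the client named.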

azure/az-500/alt/database_security.txt · Last modified: 2023/02/06 21:16 by mmuze