[Security] Replace SQL Authentication with Azure AD Authentication #18
Open
Description
Summary
Migrate Azure SQL Server from SQL authentication to Azure AD-only authentication to eliminate password-based access and reduce credential theft risk.
Threats Addressed
- T-004: SQL Admin Account Compromise (Critical Risk)
Current State
- SQL Server uses `administratorLogin: 'sqladmin'` with SQL authentication
- Password management creates security and operational burden
Acceptance Criteria
- Azure AD admin group configured for SQL Server
- `azureADOnlyAuthentication: true` enforced
- SQL authentication disabled
- App Service configured to use managed identity for SQL access
- Connection strings updated to use Azure AD authentication
Implementation Reference
See security-plan-sample-web-app.md for Bicep code samples.
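```bicep
// Parameters referenced by the resource below
param sqlServerName string
param location string

resource sqlServer 'Microsoft.Sql/servers@2023-08-01-preview' = {
  name: sqlServerName
  location: location
  properties: {
    // Azure AD group as the server admin; no administratorLogin or password is set
    administrators: {
      administratorType: 'ActiveDirectory'
      principalType: 'Group'
      login: 'SQL-Admins-Group'
      sid: '' // object ID of the admin group (left empty in this sample)
      tenantId: subscription().tenantId
      azureADOnlyAuthentication: true // reject SQL authentication logins
    }
    minimalTlsVersion: '1.2'
    publicNetworkAccess: 'Disabled'
  }
}
```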
Priority
P1 - Critical - Implement immediately
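One way to check the acceptance criteria above in CI, as an added example that is not part of the original issue or the repository: a Python audit over a compiled ARM template (the JSON that `az bicep build` emits). It assumes the template's `resources` is a flat array; the function names and the sample templates are constructed for illustration.

```python
# Connection-string keys that indicate SQL (password) authentication.
SQL_AUTH_KEYS = {"password", "pwd", "user id", "uid"}

def parse_conn(cs):
    """Split 'Key=Value;...' into a dict with lower-cased keys."""
    pairs = (p.split("=", 1) for p in cs.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_template(template):
    """Return findings for a compiled ARM template; an empty list means pass."""
    findings = []
    for res in template.get("resources", []):
        name, props = res.get("name", "?"), res.get("properties", {})
        if res.get("type") == "Microsoft.Sql/servers":
            admins = props.get("administrators", {})
            if "administratorLogin" in props:
                findings.append(f"{name}: SQL administratorLogin still defined")
            if admins.get("azureADOnlyAuthentication") is not True:
                findings.append(f"{name}: azureADOnlyAuthentication not enforced")
            if not admins.get("sid"):
                findings.append(f"{name}: Azure AD admin sid is empty")
        elif res.get("type") == "Microsoft.Web/sites":
            if res.get("identity", {}).get("type", "None") == "None":
                findings.append(f"{name}: no managed identity assigned")
            for conn in props.get("siteConfig", {}).get("connectionStrings", []):
                kv = parse_conn(conn.get("connectionString", ""))
                label = f"{name}/{conn.get('name')}"
                if kv.keys() & SQL_AUTH_KEYS:
                    findings.append(f"{label}: embedded SQL credentials")
                if not kv.get("authentication", "").lower().startswith("active directory"):
                    findings.append(f"{label}: no Azure AD Authentication keyword")
    return findings

# Constructed samples (not from the repository): current state vs. target state.
BEFORE = {"resources": [
    {"type": "Microsoft.Sql/servers", "name": "sql-demo",
     "properties": {"administratorLogin": "sqladmin"}},
    {"type": "Microsoft.Web/sites", "name": "app-demo",
     "properties": {"siteConfig": {"connectionStrings": [{"name": "Default",
         "connectionString": "Server=sql-demo;Database=db;User ID=sqladmin;Password=<placeholder>"}]}}},
]}
AFTER = {"resources": [
    {"type": "Microsoft.Sql/servers", "name": "sql-demo",
     "properties": {"administrators": {"azureADOnlyAuthentication": True,
                                       "sid": "00000000-0000-0000-0000-000000000000"}}},
    {"type": "Microsoft.Web/sites", "name": "app-demo", "identity": {"type": "SystemAssigned"},
     "properties": {"siteConfig": {"connectionStrings": [{"name": "Default",
         "connectionString": "Server=sql-demo;Database=db;Authentication=Active Directory Managed Identity"}]}}},
]}
```

The managed identity also needs a contained database user (`CREATE USER [<app-name>] FROM EXTERNAL PROVIDER`) before the updated connection string can log in; that step lives in the database, not in the template, so this audit does not cover it.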