
Joshua Davis edited this page Apr 5, 2026 · 3 revisions

Azure SQL

Governance policies for Azure SQL

Domain: azure-data

Patterns

| Name | Description |
| --- | --- |
| SQL Server with AAD-only auth and private endpoint | Complete SQL Server deployment with Entra-only authentication, TDE, threat protection, private endpoint, and diagnostics |

Anti-Patterns

| Description | Instead |
| --- | --- |
| Do not use SQL authentication with username/password | Use Microsoft Entra (Azure AD) authentication with managed identity |
| Do not set firewall rule 0.0.0.0-255.255.255.255 | Use private endpoints for all connectivity |
| Do not put administrators inline in the server body | Create Microsoft.Sql/servers/administrators and Microsoft.Sql/servers/azureADOnlyAuthentications as separate child resources |
| Do not use SQL DB Contributor role for application data access | Use T-SQL contained users: `CREATE USER [app-identity] FROM EXTERNAL PROVIDER` |

References


Checks (11)

| Check | Severity | Description |
| --- | --- | --- |
| AZ-SQL-001 | Required | Create SQL Server with AAD-only authentication via separate child resources |
| AZ-SQL-002 | Required | Create SQL Database with appropriate SKU and settings |
| AZ-SQL-003 | Required | Enable Transparent Data Encryption (TDE) on every database |
| AZ-SQL-004 | Required | Enable Advanced Threat Protection on the SQL Server |
| AZ-SQL-005 | Required | Disable public network access and enforce TLS 1.2 minimum |
| AZ-SQL-006 | Required | Enable diagnostic settings to Log Analytics workspace |
| AZ-SQL-007 | Recommended | Use serverless tier (GP_S_Gen5) for POC and dev/test workloads |
| AZ-SQL-008 | Required | Enable SQL Database auditing on the logical server |
| AZ-SQL-009 | Recommended | Enable SQL Vulnerability Assessment on the SQL Server |
| AZ-SQL-010 | Recommended | Configure zone redundancy for Business Critical or Premium tier databases |
| AZ-SQL-011 | Recommended | Use failover groups for automatic geo-failover of critical databases |
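How three of these checks (AZ-SQL-001, -003, -005) can be evaluated against a rendered ARM-style resource list, as an added Python example that is not part of this wiki or the project's agent checks; the resource types and property names are the Microsoft.Sql provider's, and the two sample templates are constructed.

```python
# Added illustration, not the project's own agent checks: evaluates AZ-SQL-001,
# -003 and -005 over an ARM-style resource list, using Microsoft.Sql property names.

def _children(resources, parent_type, parent_name, child):
    """Children of a parent: type 'parent_type/child', name 'parent_name/...'."""
    return [r for r in resources if r["type"] == f"{parent_type}/{child}"
            and r["name"].startswith(parent_name + "/")]

def evaluate(resources):
    """Return (check, resource, message) per violation; [] means compliant."""
    out = []
    for srv in (r for r in resources if r["type"] == "Microsoft.Sql/servers"):
        name, props = srv["name"], srv.get("properties", {})
        # AZ-SQL-001: admin and AAD-only flag are child resources, never inline
        if "administrators" in props:
            out.append(("AZ-SQL-001", name, "administrators set inline in server body"))
        admins = _children(resources, "Microsoft.Sql/servers", name, "administrators")
        only = _children(resources, "Microsoft.Sql/servers", name, "azureADOnlyAuthentications")
        if not admins or not any(c.get("properties", {}).get("azureADOnlyAuthentication") is True for c in only):
            out.append(("AZ-SQL-001", name, "AAD-only auth child resources missing"))
        # AZ-SQL-005: no public endpoint; TLS 1.2 or higher
        if props.get("publicNetworkAccess") != "Disabled":
            out.append(("AZ-SQL-005", name, "publicNetworkAccess not Disabled"))
        if props.get("minimalTlsVersion") not in ("1.2", "1.3"):
            out.append(("AZ-SQL-005", name, "minimalTlsVersion below 1.2"))
        # AZ-SQL-003: every database carries an explicit, enabled TDE child
        for db in _children(resources, "Microsoft.Sql/servers", name, "databases"):
            tde = _children(resources, "Microsoft.Sql/servers/databases", db["name"], "transparentDataEncryption")
            if not any(t.get("properties", {}).get("state") == "Enabled" for t in tde):
                out.append(("AZ-SQL-003", db["name"], "transparentDataEncryption not Enabled"))
    return out

# Constructed sample templates (not from the page): one compliant, one not.
COMPLIANT = [
    {"type": "Microsoft.Sql/servers", "name": "sql-ok",
     "properties": {"publicNetworkAccess": "Disabled", "minimalTlsVersion": "1.2"}},
    {"type": "Microsoft.Sql/servers/administrators", "name": "sql-ok/ActiveDirectory",
     "properties": {"administratorType": "ActiveDirectory", "login": "sql-admins"}},
    {"type": "Microsoft.Sql/servers/azureADOnlyAuthentications", "name": "sql-ok/Default",
     "properties": {"azureADOnlyAuthentication": True}},
    {"type": "Microsoft.Sql/servers/databases", "name": "sql-ok/appdb", "sku": {"name": "GP_S_Gen5"}},
    {"type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
     "name": "sql-ok/appdb/current", "properties": {"state": "Enabled"}},
]
NONCOMPLIANT = [  # inline admin, public access, TLS 1.0, no TDE child
    {"type": "Microsoft.Sql/servers", "name": "sql-bad", "properties": {
        "publicNetworkAccess": "Enabled", "minimalTlsVersion": "1.0",
        "administrators": {"administratorType": "ActiveDirectory", "login": "x"}}},
    {"type": "Microsoft.Sql/servers/databases", "name": "sql-bad/appdb"},
]
```

`evaluate(NONCOMPLIANT)` reports two AZ-SQL-001 findings (inline administrators and missing child resources), two AZ-SQL-005 findings and one AZ-SQL-003 finding, while `evaluate(COMPLIANT)` returns an empty list.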

AZ-SQL-001

Create SQL Server with AAD-only authentication via separate child resources

Severity: Required
Rationale: Centralised identity management via Entra ID; SQL auth passwords are a security liability
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Sql/servers

AZ-SQL-002

Create SQL Database with appropriate SKU and settings

Severity: Required
Rationale: Databases must be created as child resources of the server with explicit SKU configuration
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Sql/servers/databases

AZ-SQL-003

Enable Transparent Data Encryption (TDE) on every database

Severity: Required
Rationale: Data-at-rest encryption is a baseline security requirement
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Sql/servers/databases

AZ-SQL-004

Enable Advanced Threat Protection on the SQL Server

Severity: Required
Rationale: Detects anomalous database activities indicating potential security threats
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Sql/servers

AZ-SQL-005

Disable public network access and enforce TLS 1.2 minimum

Severity: Required
Rationale: Prevents direct internet access; all connections must traverse private endpoints
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.Sql/servers

Companion Resources

| Resource | Name | Purpose |
| --- | --- | --- |
| Microsoft.Network/privateEndpoints | pe-sql | Private endpoint for SQL Server — required when publicNetworkAccess is Disabled |
| Microsoft.Network/privateDnsZones/virtualNetworkLinks | privatelink.database.windows.net | Private DNS zone for SQL Server private endpoint resolution |

AZ-SQL-006

Enable diagnostic settings to Log Analytics workspace

Severity: Required
Rationale: Audit trail for access, query performance, and security events
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent

Targets

  • Microsoft.Sql/servers/databases

Companion Resources

| Resource | Name | Purpose |
| --- | --- | --- |
| Microsoft.Insights/diagnosticSettings | diag-sql | Diagnostic settings for SQL Database to Log Analytics |

AZ-SQL-007

Use serverless tier (GP_S_Gen5) for POC and dev/test workloads

Severity: Recommended
Rationale: Auto-pause reduces costs for intermittent usage patterns
Agents: cloud-architect, cost-analyst, terraform-agent, bicep-agent

Targets

  • Microsoft.Sql/servers/databases

AZ-SQL-008

Enable SQL Database auditing on the logical server

Severity: Required
Rationale: WAF Security: Auditing tracks database events and writes them to an audit log, maintaining regulatory compliance and providing insight into database activity
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer

Targets

  • Microsoft.Sql/servers

AZ-SQL-009

Enable SQL Vulnerability Assessment on the SQL Server

Severity: Recommended
Rationale: WAF Security: Built-in service that identifies, tracks, and helps remediate potential database vulnerabilities with actionable remediation scripts
Agents: terraform-agent, bicep-agent, cloud-architect, security-reviewer

Targets

  • Microsoft.Sql/servers

AZ-SQL-010

Configure zone redundancy for Business Critical or Premium tier databases

Severity: Recommended
Rationale: WAF Reliability: Zone-redundant availability distributes compute and storage across availability zones, maintaining operations during zone failures
Agents: cloud-architect, terraform-agent, bicep-agent

Targets

  • Microsoft.Sql/servers/databases

AZ-SQL-011

Use failover groups for automatic geo-failover of critical databases

Severity: Recommended
Rationale: WAF Reliability: Failover groups automate failover from primary to secondary with read-write and read-only listener endpoints that remain unchanged during geo-failovers
Agents: cloud-architect, terraform-agent, bicep-agent

Targets

  • Microsoft.Sql/servers
