
The Innocent Killer on Azure

Ever thought that one small, innocent-looking switch could expose the databases on your Azure SQL server to anyone with an Azure account? Yes, you read that right: anyone with an Azure account.

With this feature enabled, anyone on the Azure network can reach the databases on your Azure SQL server from any Azure service, whether or not they belong to your subscription or tenant. You may have applied access policies, firewall rules and IP restrictions, but if this one setting was left enabled, the server-level firewall accepts connections from any Azure-originated IP address, and any Azure account holder can get as far as the login prompt of your server.

I guess that now I have your attention!

Getting your attention matters here, because the feature I'm talking about is one of the most overlooked and most misinterpreted settings on the service, and most people leave it enabled.

The feature I'm talking about is "Allow Azure services and resources to access this server", found under the Security section of the Azure SQL Server resource, in the Firewalls and virtual networks tab (labelled Networking in newer versions of the portal).

This innocent-looking setting is usually read as granting access to the Azure resources in your own subscription, or to resources tied to your own Azure Active Directory tenant. That is where we all get it wrong. Under the hood, the toggle creates a server-level firewall rule (named AllowAllWindowsAzureIps) whose start and end addresses are both 0.0.0.0, and the Azure SQL firewall treats that special range as "any IP address owned by Azure". It therefore opens the network path not only to you, your subscriptions and the resources in your tenant, but to every other Azure customer as well. Anyone holding valid credentials for your SQL server can connect to it and its databases from any service on Azure, and authentication becomes the only thing standing between them and your data. Don't believe me? Leave "Allow Azure services and resources to access this server" enabled on your SQL server and try to connect to it through SSMS from a virtual machine created in a friend's Azure account, in a completely different subscription and tenant. Ideally this should not work, but interestingly it will!
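Because the toggle is really just a firewall rule, it can be audited like one. The following is an added example of my own (not code from the original post) in Python: it takes the JSON that `az sql server firewall-rule list -g <rg> -s <server> -o json` returns, flags the 0.0.0.0 to 0.0.0.0 "allow all Azure" rule along with any other over-broad range, and generates the `az` commands that would delete the offending rules. The sample rule names, addresses and the 256-address threshold are constructed assumptions for the demo; the `startIpAddress`/`endIpAddress` field names match the CLI's output.

```python
import ipaddress
import json

# Constructed sample in the shape of `az sql server firewall-rule list -o json`
# (only the fields this script uses). Names and addresses are made up.
SAMPLE_RULES_JSON = """
[
  {"name": "AllowAllWindowsAzureIps", "startIpAddress": "0.0.0.0", "endIpAddress": "0.0.0.0"},
  {"name": "office-egress", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
  {"name": "legacy-open", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
  {"name": "ci-runners", "startIpAddress": "198.51.100.0", "endIpAddress": "198.51.100.255"},
  {"name": "partner-block", "startIpAddress": "192.0.2.0", "endIpAddress": "192.0.3.255"}
]
"""

ANY = ipaddress.IPv4Address("0.0.0.0")
BROADCAST = ipaddress.IPv4Address("255.255.255.255")
MAX_RANGE = 256  # assumption: a /24 is the widest range accepted without review


def classify_rule(rule: dict) -> str:
    """Classify one server-level firewall rule.

    Azure SQL treats start == end == 0.0.0.0 as "any Azure-owned IP", which is
    exactly the rule the "Allow Azure services and resources" toggle creates.
    """
    start = ipaddress.IPv4Address(rule["startIpAddress"])
    end = ipaddress.IPv4Address(rule["endIpAddress"])
    if start == ANY and end == ANY:
        return "ALLOW_ALL_AZURE"      # the toggle: every Azure tenant can reach the server
    if start == ANY and end == BROADCAST:
        return "ALLOW_INTERNET"       # whole IPv4 space: worse still
    if int(end) - int(start) + 1 > MAX_RANGE:
        return "WIDE_RANGE"           # legitimate-looking but too broad to accept blindly
    return "OK"


def audit(rules_json: str) -> dict:
    """Map each rule name to its classification, preserving CLI order."""
    return {r["name"]: classify_rule(r) for r in json.loads(rules_json)}


def remediation_commands(rg: str, server: str, findings: dict) -> list:
    """Real az CLI commands that delete every rule not classified OK.

    Deleting the AllowAllWindowsAzureIps rule is what switching the portal
    toggle to "No" does; replace it with narrow IP rules or VNet rules.
    """
    return [
        f"az sql server firewall-rule delete -g {rg} -s {server} -n {name}"
        for name, verdict in findings.items()
        if verdict != "OK"
    ]


if __name__ == "__main__":
    findings = audit(SAMPLE_RULES_JSON)
    for name, verdict in findings.items():
        print(f"{verdict:16} {name}")
    for cmd in remediation_commands("my-rg", "my-sqlserver", findings):
        print(cmd)
```

The same rule is visible from inside the server: connect to the master database and run `SELECT * FROM sys.firewall_rules`, and the toggle shows up as the AllowAllWindowsAzureIps row with 0.0.0.0 as both start and end address.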

Here's what Microsoft's own documentation says on this: the option configures the firewall to allow all connections from Azure, including connections from the subscriptions of other customers, and if you select it you should make sure your logins and user permissions limit access to authorized users only.

I guess now you understand why I called this feature the innocent killer. Keep an eye on it and enable it only when it is genuinely required. Where it is, prefer the narrower alternatives: specific IP firewall rules for the services that need access, virtual network rules or private endpoints for resources inside your own VNets, and tight logins and database permissions, so that reaching the server is not the same as reading its data.

Please feel free to reach out to me in case of any queries or if you need help. I'll be happy to assist!

Akhil Sharma
DevOps Engineer, Horizontal Digital India
Azure Content Hero
Microsoft Certified: Azure DevOps Engineer Expert
Microsoft Certified: Azure Administrator Associate
Google Cloud Certified: Associate Cloud Engineer
Oracle Cloud Infrastructure Architect Associate
Oracle Cloud Infrastructure Foundations Associate
Oracle Cloud Infrastructure Cloud Operations Associate
Oracle Cloud Infrastructure Developer Associate
Oracle Autonomous Database Cloud Specialist
Aviatrix Certified Engineer - Multi-Cloud Network Associate
Lean Six Sigma White Belt Certified - v4.0
5+ Years of experience in DevOps
