Azure database security checklist

To help improve security, Azure SQL Database and Azure SQL Managed Instance include built-in security controls that you can use to limit and control access, protect data, and monitor threats.

Security controls include:

Firewall rules limiting connectivity by IP address and virtual network
Microsoft Entra authentication for centralized identity management
Secure connectivity using TLS encryption
Access management and authorization
Data encryption at rest and in transit
Database auditing and threat detection
Advanced data security features

Introduction

Cloud computing requires new security paradigms that may be unfamiliar to many application users, database administrators, and programmers. Organizations can leverage Azure SQL's comprehensive security features to protect sensitive data and meet regulatory compliance requirements.

Checklist

We recommend that you read the Azure SQL Database security best practices article before reviewing this checklist. Understanding the best practices will help you get the most value from this checklist. Use this checklist to verify that you've addressed the important security controls in Azure database security.

Checklist Category	Description
Protect Data
Encryption in transit	Transport Layer Security (TLS) encrypts data in motion between clients and databases. Azure SQL requires TLS 1.2 or higher for secure connections. Database requires secure communication from clients based on the TDS (Tabular Data Stream) protocol over TLS.
Encryption at rest	Transparent Data Encryption (TDE) encrypts data and log files at rest. TDE is enabled by default on all new Azure SQL databases. Bring Your Own Key (BYOK) allows you to manage TDE encryption keys in Azure Key Vault.
Encryption in use	Always Encrypted protects sensitive data by encrypting it within client applications. Encryption keys never reach the database engine, ensuring separation between data owners and data managers. Column-Level Encryption (CLE) encrypts specific columns using symmetric encryption for additional protection of sensitive data.
Control Access
Database access	Microsoft Entra authentication provides centralized identity management with single sign-on (SSO) capabilities. SQL authentication with strong passwords provides an alternative authentication method. Authorization grants users the minimum privileges necessary using role-based access control.
Network access control	Server-level IP firewall rules restrict access based on originating IP addresses. Database-level IP firewall rules provide granular access control per database. Virtual Network service endpoints allow connectivity from specific Azure virtual networks. Private Link provides private connectivity to Azure SQL Database using a private IP address within your virtual network.
Application access control	Row-Level Security (RLS) restricts row-level access based on a user's identity, role, or execution context. Dynamic Data Masking limits sensitive data exposure by masking it to non-privileged users without changing the underlying data. Data Discovery and Classification identifies, classifies, and labels sensitive data for improved protection and compliance.
Proactive Monitoring
Auditing and detection	Auditing tracks database events and writes them to an audit log in your Azure Storage account, Log Analytics workspace, or Event Hubs. Track Azure SQL Database health using Azure Monitor and diagnostic settings. Microsoft Defender for SQL detects anomalous database activities indicating potential security threats including SQL injection, brute-force attacks, and vulnerability exploits.
Vulnerability assessment	Vulnerability Assessment discovers, tracks, and helps remediate potential database vulnerabilities. Provides actionable security recommendations and risk reports for compliance.
Centralized security management	Microsoft Defender for Cloud provides centralized security monitoring and management for Azure SQL Database and other Azure services. Security recommendations based on the Microsoft cloud security benchmark.
Data Integrity
Ledger capability	Ledger provides tamper-evident capabilities by creating an immutable record of database transactions. Helps meet compliance requirements for data integrity verification.

Conclusion

Azure SQL Database and Azure SQL Managed Instance provide robust database platforms with comprehensive security features meeting organizational and regulatory compliance requirements. You can protect data throughout its lifecycle—at rest, in transit, and in use—using Transparent Data Encryption, Always Encrypted, and TLS. Fine-grained access controls including Row-Level Security, Dynamic Data Masking, and Microsoft Entra authentication ensure only authorized users access sensitive data. Continuous monitoring through auditing, Microsoft Defender for SQL, and Vulnerability Assessment helps identify and remediate security threats proactively.

Next steps

You can improve the protection of your database against malicious users or unauthorized access with a few simple steps:

Configure firewall rules for your server and databases
Protect your data with encryption
Enable SQL Database auditing
Enable Microsoft Defender for SQL for threat detection
Review security best practices

Feedback

Was this page helpful?

Last updated on 2025-11-07