Use Azure Active Directory Admin for PostgreSQL Authentication

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: PostgreSQL-008

Ensure that Azure Active Directory authentication is configured to allow you to centrally manage identity and access to your Microsoft Azure PostgreSQL database servers by using an Active Directory administrator.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Azure Active Directory (AAD) authentication is a secure mechanism for connecting to your Azure PostgreSQL database servers using identities available within the Active Directory. With AAD authentication, the identities of the PostgreSQL database users can be managed in one central location, simplifying access permission management. Other benefits provided by the AAD authentication feature include:

Providing authentication across Microsoft Azure services in a uniform way;

Supporting multiple forms of authentication in order to eliminate the need to store access passwords;

Using PostgreSQL database roles to authenticate identities at the database level;

Allowing customers to manage PostgreSQL database permissions using external (AAD) groups;

Providing tools for management of password policies and password rotation in one single place;

Supporting token-based authentication for applications connecting to your PostgreSQL database servers.


Audit

To determine if an Active Directory administrator is configured for PostgreSQL authentication within your Azure PostgreSQL database server settings, perform the following actions:

Note: Auditing Azure PostgreSQL database servers for AAD admin-based authentication using Azure CLI or Azure PowerShell is not currently supported.

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Azure Database for PostgreSQL server to list only the PostgreSQL database servers provisioned in your Azure account.

04 Click on the name of the PostgreSQL server that you want to examine.

05 In the navigation panel, under Settings, select Active Directory admin to access the Azure Active Directory (AAD) authentication settings for the selected PostgreSQL database server.

06 On the Active Directory admin configuration page, check the Active Directory admin feature status. If the status is currently set to No Active Directory admin, there is no Active Directory administrator configured to handle authentication for the selected Azure PostgreSQL database server.

07 Repeat steps no. 4 – 6 for each PostgreSQL database server available in the selected subscription.

08 Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.
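
The pass/fail decision from step 06, applied across servers and subscriptions as in steps 07 and 08, shown as an added example that is not part of the original page or of Conformity. It assumes the administrators recorded for each server are available as a mapping from server resource ID to a list of entries with `properties.administratorType` and `properties.login`, a layout modelled on Azure Resource Manager listings and treated here as an assumption; all sample values are constructed.

```python
import re
from collections import defaultdict

# Resource ID layout of an Azure Database for PostgreSQL server.
SERVER_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/[^/]+"
    r"/providers/Microsoft\.DBforPostgreSQL/servers/(?P<server>[^/]+)$",
    re.IGNORECASE,
)

def has_ad_admin(administrators):
    """True if a recorded administrator is an Active Directory admin with a login."""
    for entry in administrators or []:
        props = entry.get("properties") or {}
        kind = str(props.get("administratorType", "")).lower()
        # Assumption: an entry without a login name is treated as "not configured".
        if kind == "activedirectory" and props.get("login"):
            return True
    return False

def audit(servers):
    """Return {subscription ID: sorted server names with no Active Directory admin}."""
    failing = defaultdict(list)
    for resource_id, administrators in servers.items():
        match = SERVER_ID.match(resource_id)
        if match is None:
            raise ValueError(f"not a PostgreSQL server resource ID: {resource_id!r}")
        if not has_ad_admin(administrators):
            failing[match["sub"]].append(match["server"])
    return {sub: sorted(names) for sub, names in failing.items()}

# Constructed sample export: subscription IDs, server names and logins are made up.
SUB_A = "00000000-0000-0000-0000-00000000000a"
SUB_B = "00000000-0000-0000-0000-00000000000b"
PATH = "/subscriptions/{}/resourceGroups/rg-data/providers/Microsoft.DBforPostgreSQL/servers/{}"
SAMPLE = {
    PATH.format(SUB_A, "pg-orders"): [
        {"properties": {"administratorType": "ActiveDirectory", "login": "dba-team@example.com"}}
    ],
    PATH.format(SUB_A, "pg-legacy"): [],  # console would show "No Active Directory admin"
    PATH.format(SUB_B, "pg-reports"): [{"properties": {"administratorType": "ActiveDirectory"}}],
    PATH.format(SUB_B, "pg-billing"): [
        {"properties": {"administratorType": "activedirectory", "login": "dba-team@example.com"}}
    ],
}

if __name__ == "__main__":
    for subscription, names in audit(SAMPLE).items():
        print(f"{subscription}: no Active Directory admin on {', '.join(names)}")
```
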

Remediation / Resolution

To configure an Azure Active Directory (AAD) administrator for authentication and access to your Microsoft Azure PostgreSQL database servers, perform the following operations:

Note: Configuring a Microsoft Azure Active Directory (AAD) admin for PostgreSQL database server authentication using Azure CLI or Azure PowerShell is not currently supported.

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to the All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access all your Microsoft Azure resources.

03 From the Type filter box, select Azure Database for PostgreSQL server to list only the PostgreSQL database servers available in your Azure account.

04 Click on the name of the PostgreSQL database server that you want to reconfigure.

05 In the navigation panel, under Settings, select Active Directory admin to access the Azure Active Directory (AAD) authentication settings for the selected database server.

06 On the Active Directory admin configuration page, click Set admin to initiate the setup process.

07 On the Active Directory admin panel, choose the Azure Active Directory (AAD) administrator (or search for it by name and/or email address) that you want to configure for authentication to your Microsoft Azure PostgreSQL database server, then click Select to confirm the chosen AD admin user and return to the configuration page.

08 Click Save to apply the configuration changes.

09 Repeat steps no. 4 – 8 for each PostgreSQL database server available within the selected subscription.

10 Repeat steps no. 3 – 9 for each subscription created within your Microsoft Azure cloud account.

Publication date Apr 14, 2020
