V-276305

CAT I (High)

If passwords are used for authentication, Azure SQL Server Managed Instance must transmit only encrypted representations of passwords.

Rule ID

SV-276305r1150105_rule

STIG

Microsoft Azure SQL Managed Instance Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000197

Discussion

The DOD standard for authentication is DOD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate and requires AO approval. In such cases, passwords must be protected at all times, and encryption is the standard method for protecting passwords during transmission.

Azure SQL Managed Instance passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database.

Transport Layer Security (TLS) encryption is a required security setting as a number of known vulnerabilities have been reported against Secure Sockets Layer (SSL) and earlier versions of TLS. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party.

Azure SQL Managed Instance must use a FIPS-approved minimum TLS version, and all non-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52 Rev. 2 specifies the preferred configurations for government systems.

Check Content

Verify the MinimalTLSversion using the following PowerShell script: 

$Subscription = 'SubscriptionValueHere'
$Environment = 'EnvironmentTypeHere'
Connect-AzAccount -Subscription $Subscription -Environment $Environment
 
$ResourceGroup = 'ResourceGroupHere'
$ManagedInstance = 'ManagedInstanceHere'
# Highest value accepted by Set-AzSqlInstance -MinimalTlsVersion (last entry of its ValidateSet)
$TLSmax = (Get-Command -Name set-azsqlinstance -ParameterName 'minimaltlsversion').parameters['minimaltlsversion'].attributes.where({$_ -is [ValidateSet] }).ValidValues | Select-Object -Last 1
$TLScur = (Get-AzSqlInstance -ResourceGroupName $ResourceGroup -Name $ManagedInstance).MinimalTlsVersion
Write-Host "Latest TLS Version  : [$TlSMax]"
Write-Host "Current TLS Version : [$TLScur]"
  
Verify that the minimum TLS version property is set to the latest available TLS version. If a less secure TLS version is set and not documented as required by the supported application, this is a finding.
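
The check above covers a single instance and takes the last ValidateSet entry as the latest version. As an added example (not part of the STIG or of Microsoft's documentation), the same comparison applied to a list of instances, choosing the highest TLS value by version comparison instead of list position. The function names, the -DocumentedException parameter and the sample data are assumptions made for illustration.

```powershell
# Added example; function and parameter names are hypothetical, sample data is constructed.
function Get-HighestTlsVersion {
    param([string[]]$ValidValues)
    # Skip non-numeric entries such as 'None' and compare as versions, not strings.
    $ValidValues |
        Where-Object { $_ -match '^\d+\.\d+$' } |
        Sort-Object { [version]$_ } |
        Select-Object -Last 1
}

function Test-MinimalTlsVersion {
    param(
        [object[]]$Instance,                    # objects with MinimalTlsVersion, as Get-AzSqlInstance returns
        [string[]]$ValidValues,                 # values accepted by Set-AzSqlInstance -MinimalTlsVersion
        [string[]]$DocumentedException = @()    # instances with a documented application requirement
    )
    $latest = Get-HighestTlsVersion -ValidValues $ValidValues
    foreach ($mi in $Instance) {
        $current = [string]$mi.MinimalTlsVersion
        # An empty or non-numeric setting ('None') is never compliant.
        $compliant = ($current -match '^\d+\.\d+$') -and ([version]$current -ge [version]$latest)
        if ($compliant) { $status = 'NotAFinding' }
        elseif ($DocumentedException -contains $mi.ManagedInstanceName) { $status = 'ReviewDocumentation' }
        else { $status = 'Finding' }
        [pscustomobject]@{
            ResourceGroup   = $mi.ResourceGroupName
            ManagedInstance = $mi.ManagedInstanceName
            CurrentTls      = $current
            LatestTls       = $latest
            Status          = $status
        }
    }
}

# Constructed sample input so the logic can be exercised without an Azure session.
$validValues = 'None', '1.0', '1.1', '1.2'
$instances = @(
    [pscustomobject]@{ ResourceGroupName = 'rg-example'; ManagedInstanceName = 'mi-example-01'; MinimalTlsVersion = '1.2' }
    [pscustomobject]@{ ResourceGroupName = 'rg-example'; ManagedInstanceName = 'mi-example-02'; MinimalTlsVersion = '1.0' }
    [pscustomobject]@{ ResourceGroupName = 'rg-example'; ManagedInstanceName = 'mi-example-03'; MinimalTlsVersion = '1.1' }
    [pscustomobject]@{ ResourceGroupName = 'rg-example'; ManagedInstanceName = 'mi-example-04'; MinimalTlsVersion = 'None' }
)
Test-MinimalTlsVersion -Instance $instances -ValidValues $validValues -DocumentedException 'mi-example-03' |
    Format-Table -AutoSize
```

Against a live subscription, pass the output of Get-AzSqlInstance as -Instance and the ValidValues expression from the check script as -ValidValues.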

Fix Text

Run the following PowerShell script to set the Azure SQL Managed Instance MinimalTLSversion to the latest available TLS version: 

##This is an example script## 
$ResourceGroup = '<resource group name here>' 
$ManagedInstance = '<Azure SQL Managed Instance name here>'  
$TLSmax = (Get-Command -Name set-azsqlinstance -ParameterName 'minimaltlsversion').parameters['minimaltlsversion'].attributes.where({$_ -is [ValidateSet] }).ValidValues | Select-Object -Last 1
Set-AzSqlInstance -ResourceGroupName $ResourceGroup -Name $ManagedInstance -MinimalTlsVersion $TLSmax
  
References: https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/minimal-tls-version-configure?view=azuresql-mi