
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

Microsoft Azure SQL Managed Instance Security Technical Implementation Guide

  • Version: V1R1
  • Benchmark ID: MS_Azure_SQL_Managed_Instance_STIG
  • Total Checks: 84
  • Tags: cloud
  • Severity breakdown: CAT I: 8, CAT II: 74, CAT III: 2

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (84)

  • V-276225 (HIGH): Azure SQL Managed Instances must integrate with Microsoft Entra ID for providing account management and automation for all users, groups, roles, and any other principals.
  • V-276226 (HIGH): Azure SQL Managed Instance must enforce approved authorizations for logical access to database information and system resources in accordance with applicable access control policies.
  • V-276227 (MEDIUM): Database objects must be owned by Azure SQL Managed Instance principals authorized for ownership.
  • V-276228 (MEDIUM): The role(s)/group(s) used to modify database structure and logic modules inside Azure SQL Server Managed Instance must be restricted to authorized users.
  • V-276229 (MEDIUM): Azure SQL Managed Instance contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy.
  • V-276230 (MEDIUM): Azure SQL Managed Instance and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
  • V-276231 (MEDIUM): Azure SQL Managed Instance must associate organization-defined types of security labels having organization-defined security label values with information.
  • V-276232 (MEDIUM): Azure SQL Managed Instance must enforce discretionary access control policies, as defined by the data owner, over defined subjects and objects.
  • V-276233 (MEDIUM): Azure SQL Managed Instance must restrict execution of stored procedures and functions that utilize "execute as" to necessary cases only.
  • V-276234 (MEDIUM): Azure SQL Managed Instance must prohibit user installation of logic modules without explicit privileged status.
  • V-276235 (MEDIUM): Azure SQL Managed Instance must enforce access restrictions associated with changes to the configuration of the database(s).
  • V-276236 (HIGH): Azure SQL Managed Instance must use NSA-approved cryptography to protect classified information in accordance with the data owners' requirements.
  • V-276237 (MEDIUM): Azure SQL Managed Instance must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components.
  • V-276238 (MEDIUM): Azure SQL Managed Instance must implement cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.
  • V-276239 (MEDIUM): When invalid inputs are received, the Azure SQL Managed Instance must behave in a predictable and documented manner that reflects organizational and system objectives.
  • V-276240 (MEDIUM): Azure SQL Managed Instance must protect against a user falsely repudiating by ensuring only clearly unique Active Directory user accounts can connect to the database.
  • V-276241 (MEDIUM): Azure SQL Managed Instance must protect against a user falsely repudiating by use of system-versioned tables (Temporal Tables).
  • V-276242 (MEDIUM): The Azure SQL Managed Instance must be able to generate audit records when attempts to retrieve privileges/permissions occur.
  • V-276243 (MEDIUM): Azure SQL Managed Instance must initiate session auditing upon startup.
  • V-276244 (MEDIUM): Azure SQL Managed Instance default demonstration and sample databases, database objects, and applications must be removed.
  • V-276245 (MEDIUM): The Azure SQL Managed Instance audit storage account must be configured to prohibit public access.
  • V-276246 (MEDIUM): The Azure SQL Managed Instance must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Category Assurance List (PPSM CAL) and vulnerability assessments.
  • V-276247 (MEDIUM): Azure SQL Managed Instance must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
  • V-276248 (MEDIUM): Azure SQL Managed Instance must map the PKI-authenticated identity to an associated user account.
  • V-276249 (MEDIUM): Azure SQL Managed Instance must uniquely identify and authenticate nonorganizational users (or processes acting on behalf of nonorganizational users).
  • V-276250 (MEDIUM): Azure SQL Managed Instance must separate user functionality (including user interface services) from database management functionality.
  • V-276251 (HIGH): Azure SQL Managed Instance must protect the confidentiality and integrity of all information at rest.
  • V-276252 (MEDIUM): Azure SQL Managed Instance must be able to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
  • V-276253 (MEDIUM): Azure SQL Managed Instance must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75 percent of maximum audit record storage capacity.
  • V-276254 (MEDIUM): Azure SQL Managed Instance must generate audit records when security objects are modified.
  • V-276255 (MEDIUM): Azure SQL Managed Instance must generate audit records when attempts to modify categorized information (e.g., classification levels/security levels) occur.
  • V-276256 (MEDIUM): Azure SQL Managed Instance must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.
  • V-276257 (MEDIUM): Azure SQL Managed Instance must generate audit records when attempts to delete security objects occur.
  • V-276258 (MEDIUM): Azure SQL Managed Instance must generate audit records when attempts to delete categories of information (e.g., classification levels/security levels) occur.
  • V-276259 (MEDIUM): Azure SQL Managed Instance must generate audit records when logon or connection attempts occur.
  • V-276260 (MEDIUM): Azure SQL Managed Instance must generate audit records for all privileged activities or other system-level access.
  • V-276261 (MEDIUM): Azure SQL Managed Instance must generate audit records showing starting and ending time for user access to the database(s).
  • V-276262 (MEDIUM): Azure SQL Managed Instance must generate audit records when concurrent logons/connections by the same user from different workstations occur.
  • V-276263 (MEDIUM): Azure SQL Managed Instance must be able to generate audit records when access to objects occurs.
  • V-276264 (MEDIUM): Azure SQL Managed Instance must generate audit records for all direct access to the database(s).
  • V-276265 (MEDIUM): Azure SQL Managed Instance must store audit records in an immutable blob storage container for an organizationally defined period of time.
  • V-276267 (MEDIUM): Azure SQL Managed Instance must implement the capability to centrally review and analyze audit records from multiple components within the system using a service such as Azure Log Analytics.
  • V-276268 (MEDIUM): Azure SQL Server Managed Instance must alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
  • V-276269 (MEDIUM): Azure SQL Managed Instance must prevent the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate recognized and approved by the organization.
  • V-276276 (MEDIUM): Azure SQL Server Managed Instance must, for password-based authentication, require immediate selection of a new password upon account recovery.
  • V-276285 (MEDIUM): Azure SQL Managed Instance must limit privileges to change software modules, to include stored procedures, functions, and triggers.
  • V-276286 (MEDIUM): Azure SQL Managed Instance must limit privileges to change software modules, to include schema ownership.
  • V-276287 (MEDIUM): The database master key (DMK) encryption password for Azure SQL Server Managed Instance must meet DOD password complexity requirements.
  • V-276288 (MEDIUM): The database master key (DMK) for Azure SQL Server Managed Instance must be encrypted by the service master key (SMK), where a DMK is required and another encryption method has not been specified.
  • V-276289 (MEDIUM): The certificate used for encryption for Azure SQL Managed Instance must be backed up, stored offline and off-site.
  • V-276290 (LOW): Azure SQL Managed Instance must isolate security functions from nonsecurity functions.
  • V-276291 (MEDIUM): Azure SQL Managed Instance must check the validity of all data inputs except those specifically identified by the organization.
  • V-276293 (HIGH): Azure SQL Managed Instance must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
  • V-276294 (MEDIUM): Azure SQL Managed Instance must protect against a user falsely repudiating by ensuring databases are not in a trust relationship.
  • V-276295 (MEDIUM): Azure SQL Managed Instance must be configured to generate audit records for DOD-defined auditable events within all DBMS/database components.
  • V-276296 (MEDIUM): Azure SQL Managed Instance must allow only documented and approved individuals or roles to select which auditable events are to be audited.
  • V-276297 (LOW): Azure SQL Managed Instance must have an audit defined to track Microsoft Support Operations.
  • V-276298 (MEDIUM): The audit information produced by Azure SQL Managed Instance must be protected from unauthorized access.
  • V-276299 (MEDIUM): Azure SQL Managed Instance must protect its audit configuration from unauthorized access, modification, and deletion.
  • V-276300 (MEDIUM): Access to xp_cmdshell must be disabled for Azure SQL Server Managed Instance unless specifically required and approved.
  • V-276301 (MEDIUM): Access to CLR code must be disabled for Azure SQL Server Managed Instance, unless specifically required and approved.
  • V-276302 (MEDIUM): Access to linked servers must be disabled or restricted for Azure SQL Server Managed Instance, unless specifically required and approved.
  • V-276303 (HIGH): If DBMS authentication using passwords is employed, Azure SQL Managed Instance must enforce the DOD standards for password complexity and lifetime.
  • V-276304 (MEDIUM): Azure SQL Server Managed Instance contained databases must use Microsoft Entra or native Windows principals.
  • V-276305 (HIGH): If passwords are used for authentication, Azure SQL Server Managed Instance must transmit only encrypted representations of passwords.
  • V-276306 (MEDIUM): Azure SQL Managed Instance must reveal detailed error messages only to the information system security officer (ISSO), information system security manager (ISSM), system administrator (SA), and database administrator (DBA).
  • V-276307 (MEDIUM): Azure SQL Managed Instance must prevent nonprivileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
  • V-276308 (MEDIUM): Azure SQL Managed Instance must enforce access restrictions associated with changes to the configuration of the instance.
  • V-276309 (MEDIUM): Azure Resource Manager must enforce access restrictions associated with changes to the configuration of Azure SQL Managed Instance.
  • V-276310 (MEDIUM): Azure SQL Managed Instance must produce audit records of its enforcement of access restrictions associated with changes to the configuration of Azure SQL Managed Instance or database(s).
  • V-276311 (MEDIUM): Azure SQL Managed Instance must maintain a separate execution domain for each executing process.
  • V-276312 (MEDIUM): Azure SQL Managed Instance must be able to generate audit records when attempts to access security objects occur.
  • V-276313 (MEDIUM): Azure SQL Managed Instance must generate audit records when attempts to access categorized information (e.g., classification levels/security levels) occur.
  • V-276314 (MEDIUM): Azure SQL Managed Instance must generate audit records when attempts to add privileges/permissions occur.
  • V-276315 (MEDIUM): Azure SQL Managed Instance must generate audit records when attempts to modify privileges/permissions occur.
  • V-276316 (MEDIUM): Azure SQL Managed Instance must generate audit records when attempts to delete privileges/permissions occur.
  • V-276317 (MEDIUM): The Azure SQL Managed Instance default [sa] account must be disabled.
  • V-276318 (MEDIUM): Azure SQL Managed Instance default [sa] account must have its name changed.
  • V-276319 (MEDIUM): The Allow Filesystem Enumeration feature must be disabled for Azure SQL Server Managed Instance, unless specifically required and approved.
  • V-276320 (MEDIUM): The CLR Strict Security feature must be enabled for Azure SQL Server Managed Instance, unless specifically required and approved.
  • V-276321 (MEDIUM): The Hadoop Connectivity feature must be disabled for Azure SQL Server Managed Instance, unless specifically required and approved.
  • V-276322 (MEDIUM): Azure SQL Server Managed Instance Replication Xps feature must be disabled, unless specifically required and approved.
  • V-276323 (HIGH): When using command-line tools with Azure SQL Server Managed Instance, such as SQLCMD, in a mixed-mode authentication environment, users must use a logon method that does not expose the password.
  • V-276324 (MEDIUM): Applications connecting to Azure SQL Server Managed Instance must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.