LeonLeung-0170 asked AnuragSharma-MSFT commented

How to lock an Azure SQL login after N unsuccessful login attempts?

Hi, is there a way to lock an Azure SQL login after N unsuccessful login attempts for security purposes?

Thank you.

azure-sql-database

Hi @LeonLeung-0170, just wanted to check if you need more details on this. You can mark the answer provided as 'Accepted Answer' if it helped your query.


1 Answer

AlbertoMorillo answered AlbertoMorillo edited

Azure SQL logins associated with Azure AD can be configured with smart lockout as explained here.

A possible solution for SQL logins (non-Azure AD logins) could be to configure Azure SQL auditing as explained here. You can read the Audit entries from Azure Storage Account as explained here and then issue ALTER LOGIN DISABLE for those logins exceeding X failed login attempts. You can automate the process using Azure Automation.
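The counting step of the workaround described in this answer, as an added example that is not part of the original answer or any Microsoft code. It assumes the audit entries have already been parsed into records whose field names mirror the audit log columns (`event_time`, `server_principal_name`, `succeeded`); the threshold, window, exempt login and sample records are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                    # assumed value of "X" failed attempts
WINDOW = timedelta(minutes=15)   # assumed counting window
EXEMPT = {"breakglass_admin"}    # hypothetical login that is never auto-disabled

def quote_ident(name):
    """Bracket-quote a login name; names in failed attempts are client-supplied."""
    return "[" + name.replace("]", "]]") + "]"

def logins_to_disable(records, known_logins, now):
    """Return existing SQL logins with >= THRESHOLD consecutive failures in WINDOW."""
    failures = defaultdict(int)
    for rec in sorted(records, key=lambda r: r["event_time"]):
        if now - rec["event_time"] > WINDOW:
            continue                      # too old to count
        name = rec["server_principal_name"]
        if rec["succeeded"]:
            failures[name] = 0            # design choice: success resets the streak
        else:
            failures[name] += 1
    # Only act on names that exist as SQL logins and are not exempt.
    return sorted(n for n, c in failures.items()
                  if c >= THRESHOLD and n in known_logins and n not in EXEMPT)

def disable_statements(names):
    """Build the ALTER LOGIN ... DISABLE statements for the runbook to execute."""
    return [f"ALTER LOGIN {quote_ident(n)} DISABLE;" for n in names]

def sample_records(now):
    """Constructed audit entries, not real log data."""
    def rec(mins, name, ok):
        return {"event_time": now - timedelta(minutes=mins),
                "server_principal_name": name, "succeeded": ok}
    recs = [rec(m, "app_reader", False) for m in (9, 8, 7, 6, 5)]
    recs += [rec(m, "etl_user", False) for m in (10, 9, 8, 7)]
    recs += [rec(6, "etl_user", True), rec(5, "etl_user", False)]
    recs += [rec(m, "breakglass_admin", False) for m in range(1, 7)]
    recs += [rec(m, "no_such]login", False) for m in range(1, 7)]
    recs += [rec(m, "old_svc", False) for m in range(30, 36)]
    return recs

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0)
    known = {"app_reader", "etl_user", "breakglass_admin", "old_svc"}
    for stmt in disable_statements(logins_to_disable(sample_records(now), known, now)):
        print(stmt)
```

Because anyone who can reach the server can generate failed attempts against a known login name, the exempt set keeps an administrative login from being disabled by the automation itself.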




Hi Alberto, thank you for the workaround solution, but this does not really lock out the Azure SQL logins after a certain number of unsuccessful logins. This is a security risk. Oracle database server has a setting that we can set to lock out an account after N unsuccessful logins, and then Database Administrators must unlock the login in order for the login to be able to log into the Oracle database again. Oracle database server also has a setting that we can set to ignore if we want to.


We have that with SQL Server on-premises and IaaS as you can see here, but Azure SQL Database is different on that topic. If you want that level of security with Azure SQL (PaaS), then use SQL logins that are attached to Azure Active Directory that has all the security controls you are looking for and more (like MFA).


