question

MarrinerDev-4693 avatar image
0 Votes"
MarrinerDev-4693 asked AnshulKumarMINDTREELIMITED-5501 commented

Azure SQL security best practice - AAD alone vs Private Link (PowerApps)

I have a question about the relative security merits of using AAD authentication alone versus adding a Azure Private Link.

I have built a PowerApp to replace a clunky spreadsheet application for tracking certain client requests. It's a proof of concept to validate the PowerPlatform approach before using it more extensively in other areas. I normalised the data from the spreadsheet and built a fairly simple Azure database using the lowest Basic tier plan in an Azure instance I provisioned myself. All interaction from the App to the DB goes via the Microsoft PowerPlatform SQL Connector. Associated client documents are stored in SharePoint Online, so there isn't much personal information in the DB itself, just contact email and phone numbers.

During development, I used SQL authentication as it's simplest to get working and I had control over it. Now that the time to go live is approaching, I want to move to AAD authentication. This is where our IT department gets involved as I don't have the rights to create the AD group.

The problem is - they say "best practice" is to create a private link to the Azure resource group and at the moment, our organisation is concentrating on AWS and they are not inclined to invest time/people/money to setup an official Azure environment for one production app.

They've suggested I migrate to using an on-premises SQL instance and a data gateway (which will send performance down the toilet and also introduce problems as the on premises version of the connector has several limitations which will be difficult to workaround).

I have 20+ years development experience - mainly C++/COM but I don't pretend to be a DBA nor a security expert but I am sufficiently versed in both to understand the required architectures and ask the right questions when out of my depth.

My question basically boils down to this - is securing an Azure SQL instance with AAD authentication generally regarded as "sufficient" security for corporate databases which aren't mission critical? We're not talking about banking systems here.

At the moment, the "system" is a large spreadsheet of which there are multiple copies emailed back and forth, stored in SharePoint and on staff laptops. My instincts suggest it seems complete overkill to insist on an Azure Private Link when the current situation is a security joke.

Of course more security hardening is always "better", but you've got to balance that against the risks and cost of implementation. Nowhere in the PowerApps SQL connector documentation does it mention Azure Private Links nor in the numerous partner case studies. If it was thought to be a security must have, surely Microsoft would have mentioned it in their best practice guidance.

Any thoughts about how to push back on this demand or thoughts on alternative approaches would be greatly appreciated.

azure-sql-databaseazure-ad-authenticationazure-private-link
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi @MarrinerDev-4693, just wanted to check if you need any other details.

0 Votes 0 ·

Hi, if the posted answer resolves your question, please mark it as the answer by clicking the check mark. Doing so helps others find answers to their questions.

0 Votes 0 ·

1 Answer

AnuragSharma-MSFT avatar image
0 Votes"
AnuragSharma-MSFT answered

Hi @MarrinerDev-4693, welcome to Microsoft Q&A forum and apologies for delayed response.

To answer your query, yes AAD authentication is sufficient to connect to database but it is not fully safe as it is still having a public endpoint. Consider if someone gets to know the endpoints and try ddos (Distributed denial-of-service) attack on it. Even though they wont be able to access the database but this could overwhelm the traffic causing slowness or unavailability of resources, or overutilization of CPU. This is just one example.

I would suggest you to go through the below article which outlines many security guidelines and you can choose based on requirements:

Playbook for addressing common security requirements with Azure SQL Database and Azure SQL Managed Instance


If answer helps, you can mark it 'Accept Answer'




5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.