I have a question about the relative security merits of using AAD authentication alone versus adding a Azure Private Link.
I have built a PowerApp to replace a clunky spreadsheet application for tracking certain client requests. It's a proof of concept to validate the PowerPlatform approach before using it more extensively in other areas. I normalised the data from the spreadsheet and built a fairly simple Azure database using the lowest Basic tier plan in an Azure instance I provisioned myself. All interaction from the App to the DB goes via the Microsoft PowerPlatform SQL Connector. Associated client documents are stored in SharePoint Online, so there isn't much personal information in the DB itself, just contact email and phone numbers.
During development, I used SQL authentication as it's simplest to get working and I had control over it. Now that the time to go live is approaching, I want to move to AAD authentication. This is where our IT department gets involved as I don't have the rights to create the AD group.
The problem is - they say "best practice" is to create a private link to the Azure resource group and at the moment, our organisation is concentrating on AWS and they are not inclined to invest time/people/money to setup an official Azure environment for one production app.
They've suggested I migrate to using an on-premises SQL instance and a data gateway (which will send performance down the toilet and also introduce problems as the on premises version of the connector has several limitations which will be difficult to workaround).
I have 20+ years development experience - mainly C++/COM but I don't pretend to be a DBA nor a security expert but I am sufficiently versed in both to understand the required architectures and ask the right questions when out of my depth.
My question basically boils down to this - is securing an Azure SQL instance with AAD authentication generally regarded as "sufficient" security for corporate databases which aren't mission critical? We're not talking about banking systems here.
At the moment, the "system" is a large spreadsheet of which there are multiple copies emailed back and forth, stored in SharePoint and on staff laptops. My instincts suggest it seems complete overkill to insist on an Azure Private Link when the current situation is a security joke.
Of course more security hardening is always "better", but you've got to balance that against the risks and cost of implementation. Nowhere in the PowerApps SQL connector documentation does it mention Azure Private Links nor in the numerous partner case studies. If it was thought to be a security must have, surely Microsoft would have mentioned it in their best practice guidance.
Any thoughts about how to push back on this demand or thoughts on alternative approaches would be greatly appreciated.