
Commit 35a487a

Merge pull request #54494 from MicrosoftDocs/NEW-configure-azure-sql-platform-security
Please push to main --> New configure azure sql platform security
2 parents a0380ad + bc1767a commit 35a487a

21 files changed

Lines changed: 535 additions & 0 deletions
Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,14 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.configure-azure-sql-platform-security.introduction
3+
title: Introduction
4+
metadata:
5+
title: Introduction
6+
description: "Introduction to configuring platform-level security for Azure SQL Database and SQL Managed Instance."
7+
ms.date: 04/22/2026
8+
author: r-c-stewart
9+
ms.author: roberts
10+
ms.topic: unit
11+
ai-usage: ai-generated
12+
durationInMinutes: 2
13+
content: |
14+
[!include[](includes/1-introduction.md)]
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.configure-azure-sql-platform-security.configure-authentication-managed-identity
3+
title: Configure authentication and managed identity access
4+
metadata:
5+
title: Configure Authentication and Managed Identity Access
6+
description: "Configure Microsoft Entra ID–only authentication for Azure SQL, disable SQL authentication, and grant managed identity access to AI workloads without credentials."
7+
ms.date: 04/22/2026
8+
author: r-c-stewart
9+
ms.author: roberts
10+
ms.topic: unit
11+
ai-usage: ai-generated
12+
durationInMinutes: 4
13+
content: |
14+
[!include[](includes/2-configure-authentication-managed-identity.md)]
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.configure-azure-sql-platform-security.implement-network-isolation
3+
title: Implement network isolation
4+
metadata:
5+
title: Implement Network Isolation
6+
description: "Deploy private endpoints for Azure SQL Database and SQL Managed Instance, configure firewall rules, and evaluate when to disable public endpoint access."
7+
ms.date: 04/22/2026
8+
author: r-c-stewart
9+
ms.author: roberts
10+
ms.topic: unit
11+
ai-usage: ai-generated
12+
durationInMinutes: 4
13+
content: |
14+
[!include[](includes/3-implement-network-isolation.md)]
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.configure-azure-sql-platform-security.encrypt-protect-data
3+
title: Encrypt and protect data in transit and at rest
4+
metadata:
5+
title: Encrypt and Protect Data in Transit and at Rest
6+
description: "Enable transparent data encryption with service-managed and customer-managed keys in Azure Key Vault, enforce transport encryption, and evaluate Always Encrypted for column-level protection."
7+
ms.date: 04/22/2026
8+
author: r-c-stewart
9+
ms.author: roberts
10+
ms.topic: unit
11+
ai-usage: ai-generated
12+
durationInMinutes: 4
13+
content: |
14+
[!include[](includes/4-encrypt-protect-data.md)]
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.configure-azure-sql-platform-security.apply-data-masking-row-level-security
3+
title: Apply data masking and row-level security
4+
metadata:
5+
title: Apply Data Masking and Row-Level Security
6+
description: "Configure dynamic data masking functions and granular UNMASK permissions, and implement row-level security predicates to restrict financial data access by role and division."
7+
ms.date: 04/22/2026
8+
author: r-c-stewart
9+
ms.author: roberts
10+
ms.topic: unit
11+
ai-usage: ai-generated
12+
durationInMinutes: 3
13+
content: |
14+
[!include[](includes/5-apply-data-masking-row-level-security.md)]
Lines changed: 60 additions & 0 deletions
@@ -0,0 +1,60 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.configure-azure-sql-platform-security.knowledge-check
3+
title: Knowledge check
4+
metadata:
5+
title: Knowledge Check
6+
description: "Check your knowledge of platform-level security configuration for Azure SQL Database and SQL Managed Instance."
7+
ms.date: 04/22/2026
8+
author: r-c-stewart
9+
ms.author: roberts
10+
ms.topic: unit
11+
module_assessment: true
12+
ai_generated_module_assessment: false
13+
durationInMinutes: 3
14+
content: |
15+
[!include[](includes/6-knowledge-check.md)]
16+
quiz:
17+
title: Check your knowledge
18+
questions:
19+
- content: "Contoso's fraud detection AI service needs to query Azure SQL Database. Which authentication approach eliminates credential management while maintaining least-privilege access?"
20+
choices:
21+
- content: "SQL authentication with a dedicated service account and a strong password stored in Azure Key Vault"
22+
isCorrect: false
23+
explanation: "Incorrect. Although storing credentials in Key Vault reduces exposure, SQL authentication still uses passwords that must be rotated and managed. Managed identity authentication eliminates credentials entirely."
24+
- content: "A system-assigned managed identity with a Microsoft Entra ID contained database user mapped to the identity"
25+
isCorrect: true
26+
explanation: "Correct. A system-assigned managed identity allows the AI service to authenticate to Azure SQL using its Microsoft Entra ID identity, with no passwords or connection string secrets to manage. A contained database user maps the identity to database permissions."
27+
- content: "A shared access signature scoped to the Azure SQL resource"
28+
isCorrect: false
29+
explanation: "Incorrect. Shared access signatures are an Azure Storage concept and don't apply to Azure SQL Database authentication."
30+
- content: "A SQL sign-in using a service principal client secret rotated every 90 days"
31+
isCorrect: false
32+
explanation: "Incorrect. Client secrets are credentials that require rotation and management. Managed identities are the preferred approach because they eliminate the need for any secret or password."
33+
- content: "A cloud security engineer is configuring transparent data encryption with customer-managed keys for a regulated banking database. Which two Azure Key Vault settings are mandatory before the key can be attached to Azure SQL?"
34+
choices:
35+
- content: "Soft-delete and purge protection must both be enabled on the Key Vault"
36+
isCorrect: true
37+
explanation: "Correct. Azure SQL Database requires both soft-delete and purge protection to be enabled on the Key Vault before a customer-managed key can be used for Transparent Data Encryption (TDE). These settings prevent accidental or malicious key deletion that would render the database inaccessible."
38+
- content: "The Key Vault must be in the same Azure region as the SQL server"
39+
isCorrect: false
40+
explanation: "Incorrect. Azure SQL Database can use a Key Vault in a different region. However, for geo-replicated databases, the failover region must also have access to the Key Vault."
41+
- content: "The Key Vault must use RBAC authorization mode with the SQL Security Manager role assigned"
42+
isCorrect: false
43+
explanation: "Incorrect. Both RBAC and vault access policy modes are supported. The required permissions are `get`, `wrapKey`, and `unwrapKey` on the key, regardless of authorization mode."
44+
- content: "The Key Vault must be dedicated to SQL encryption keys with no other secrets or certificates"
45+
isCorrect: false
46+
explanation: "Incorrect. Azure SQL Database has no requirement for a dedicated Key Vault. The same vault can store keys, secrets, and certificates for multiple services."
47+
- content: "A database administrator needs to prevent customer service representatives from seeing full credit card numbers in query results, while allowing the finance team to view unmasked values. Which Azure SQL feature provides granular column-level unmask permissions?"
48+
choices:
49+
- content: "Row-level security with filter predicates scoped to the credit card column"
50+
isCorrect: false
51+
explanation: "Incorrect. Row-level security filters entire rows based on predicate logic. It controls which rows a user can see, not which columns are masked within a visible row."
52+
- content: "Always Encrypted with role-based column encryption keys assigned per team"
53+
isCorrect: false
54+
explanation: "Incorrect. Always Encrypted encrypts column data at the application layer and is designed to prevent the database engine from seeing plaintext. It doesn't provide role-based unmask permissions within the database."
55+
- content: "Dynamic data masking with GRANT UNMASK permissions scoped to the specific column"
56+
isCorrect: true
57+
explanation: "Correct. Dynamic data masking applies masking functions to columns and supports granular UNMASK permissions at the database, schema, table, and column level. Granting UNMASK on the credit card column to the finance team role allows those users to see unmasked values while customer service representatives see the masked output."
58+
- content: "Transparent data encryption with a customer-managed key scoped per column"
59+
isCorrect: false
60+
explanation: "Incorrect. Transparent data encryption protects data at rest at the database file level. It doesn't provide column-level access control or masking functionality."
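Review bot: in the customer-managed key question, the explanation for the distractor "The Key Vault must use RBAC authorization mode with the SQL Security Manager role assigned" rebuts an RBAC-mode choice with access-policy permission names only (`get`, `wrapKey`, `unwrapKey`), so a learner who picked RBAC mode is never told what the equivalent is; suggest adding that in RBAC authorization mode the server's identity needs the Key Vault Crypto Service Encryption User role on the vault instead of those three permissions. Separately, this unit sets `ai_generated_module_assessment: false` while the other units in this PR carry `ai-usage: ai-generated`; confirm the assessment was authored by hand, and if not, set the flag accordingly so the metadata is consistent across the module.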
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.configure-azure-sql-platform-security.summary
3+
title: Summary
4+
metadata:
5+
title: Summary
6+
description: "Summary of platform-level security configuration for Azure SQL Database and SQL Managed Instance."
7+
ms.date: 04/22/2026
8+
author: r-c-stewart
9+
ms.author: roberts
10+
ms.topic: unit
11+
ai-usage: ai-generated
12+
durationInMinutes: 1
13+
content: |
14+
[!include[](includes/7-summary.md)]
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
Contoso Financial Services is deploying a cloud-native banking platform that uses Azure SQL Database for transaction processing and SQL Managed Instance for a credit risk assessment system. AI fraud detection service queries live transaction data using automated access. As the cloud security engineer, you need to secure both database services to meet financial regulatory requirements and protect sensitive customer data.
2+
3+
The current configuration has four critical security gaps. Both databases allow SQL authentication with shared passwords, including credentials used by the AI service. The SQL servers have public endpoints accessible from the internet with only basic firewall protection. Transparent data encryption uses service-managed keys, but regulators require customer-managed keys for financial personal data. Query results expose full account numbers and credit card data to all database users regardless of their role.
4+
5+
:::image type="content" source="../media/contoso-scenario-architecture.png" alt-text="Architecture diagram of Contoso Financial Services Azure SQL deployment with four security gaps: SQL passwords, public endpoints, service-managed Transparent Data Encryption (TDE) keys, and unmasked personal data." lightbox="../media/contoso-scenario-architecture.png":::
6+
7+
In this module, you configure Microsoft Entra to provide authentication and replace SQL credentials with managed identities for AI workloads. You deploy private endpoints to eliminate public internet access and isolate databases within Azure virtual networks. You enable transparent data encryption with customer-managed keys stored in Azure Key Vault and evaluate Always Encrypted for more protection. You apply dynamic data masking and row-level security to restrict access to sensitive data based on user roles.
8+
9+
By the end of this module, you can:
10+
11+
- Configure Microsoft Entra ID authentication and disable SQL authentication on Azure SQL
12+
- Implement network isolation for Azure SQL using private endpoints and firewall rules
13+
- Enable transparent data encryption and configure customer-managed keys for regulated workloads
14+
- Apply dynamic data masking and row-level security to restrict access to sensitive data
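Review bot: in the first paragraph, "AI fraud detection service queries live transaction data using automated access" is missing an article and "automated access" is vague; suggest "An AI fraud detection service queries live transaction data without human interaction" or name the mechanism the module later replaces (a shared SQL password, per the second paragraph). Also, the third paragraph says "you configure Microsoft Entra to provide authentication" while the learning objective reads "Configure Microsoft Entra ID authentication"; use the same product name in both.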
Lines changed: 79 additions & 0 deletions
@@ -0,0 +1,79 @@
1+
Modern cloud applications require identity-based authentication that eliminates password sprawl and enforces multifactor authentication. Contoso Financial Services discovered that their AI fraud detection service uses SQL authentication with a shared password stored in a configuration file—a security risk identified during their security review.
2+
3+
:::image type="content" source="../media/managed-identity-authentication-flow.png" alt-text="Before and after diagram comparing SQL password authentication to managed identity token flow via Microsoft Entra ID, with no stored credentials required." lightbox="../media/managed-identity-authentication-flow.png":::
4+
5+
| Configuration step | Action |
6+
|-------------------|--------|
7+
| Set Microsoft Entra admin | Assign a user or group as the Microsoft Entra administrator |
8+
| Enable Entra-only auth | Disable SQL Server authentication at the server level |
9+
| Create contained users | Map Microsoft Entra identities or managed identities to database users |
10+
| Grant permissions | Assign roles using standard T-SQL GRANT statements |
11+
12+
## Set up Microsoft Entra ID–only authentication
13+
14+
Microsoft Entra ID–only authentication disables SQL logins and SQL Server authentication at the server level. When you enable this mode, traditional username-password authentication stops working, and all connections must authenticate using Microsoft Entra credentials.
15+
16+
Before enabling Entra-only authentication, you must set a Microsoft Entra admin on the logical SQL server or SQL Managed Instance. This admin has full control over the database and can create more Microsoft Entra users. In the Azure portal, navigate to your SQL server. Select **Settings** > **Microsoft Entra ID**, then choose **Set admin** to assign a user or group. You can also use Azure CLI:
17+
18+
```azurecli
19+
az sql server ad-admin create \
20+
--resource-group ContosoFinancialRG \
21+
--server-name contoso-sql-server \
22+
--display-name "SQL Administrators" \
23+
--object-id <group-object-id>
24+
```
25+
26+
Using a Microsoft Entra group as the admin is the recommended approach. An admin group lets you manage membership in Microsoft Entra ID without reconfiguring the SQL server when personnel changes occur. After the Microsoft Entra admin is set, you can enable Entra-only authentication through the portal or via Azure CLI. Once enabled, SQL authentication is prevented from connecting at the server level—existing SQL authentication logins and users remain in the system but can't establish connections. New SQL authentication logins can be created by Microsoft Entra accounts with proper permissions, but those accounts also can't connect while Entra-only mode is active. All successful connections must authenticate through Microsoft Entra ID.
27+
28+
This configuration brings three security benefits: it eliminates password sprawl by removing local SQL credentials, enables MFA enforcement through Microsoft Entra authentication policies, and allows Conditional Access policies to control access based on location, device compliance, or risk level.
29+
30+
> [!IMPORTANT]
31+
> Enabling Entra-only authentication immediately disables all SQL authentication logins. Ensure you have a Microsoft Entra admin configured and tested before enabling this mode in production environments.
32+
33+
## Create contained database users for managed identities
34+
35+
Microsoft Entra users and managed identities are added to databases as contained database users, not server logins. A contained database user exists within the database itself and authenticates directly against Microsoft Entra ID. This approach simplifies permission management and aligns with modern cloud identity patterns.
36+
37+
For Contoso's fraud detection AI service, you create a system-assigned managed identity on the Azure Function that runs the fraud detection logic. System-assigned managed identities are automatically created and lifecycle-tied to the resource—when you delete the Function, the identity is deleted. Alternatively, user-assigned managed identities are created independently and can be assigned to multiple resources, which is useful when multiple AI services access the same database.
38+
39+
To grant the managed identity access, connect to the database as the Microsoft Entra admin and run T-SQL:
40+
41+
```sql
42+
CREATE USER [FraudDetectionFunction] FROM EXTERNAL PROVIDER;
43+
ALTER ROLE db_datareader ADD MEMBER [FraudDetectionFunction];
44+
```
45+
46+
The first statement creates a contained database user mapped to the managed identity. The name in brackets must match the name of the Azure resource with the managed identity. The second statement grants read-only access by adding the user to the `db_datareader` role. For write access, use `db_datawriter`, or grant specific permissions using standard `GRANT` statements.
47+
48+
You can also create user for Microsoft Entra groups, which simplifies permission management when multiple users or services need the same access:
49+
50+
```sql
51+
CREATE USER [SecurityEngineers] FROM EXTERNAL PROVIDER;
52+
GRANT VIEW DATABASE STATE TO [SecurityEngineers];
53+
```
54+
55+
After you create the database user, the application connection string uses `Authentication=Active Directory Managed Identity`. No passwords or secrets are needed—the Azure platform handles token acquisition and rotation automatically.
56+
57+
> [!TIP]
58+
> Test managed identity access from the application before disabling SQL authentication. Use Azure Monitor or query diagnostics to verify successful authentication events.
59+
60+
## Assign Azure RBAC roles for SQL security management
61+
62+
Azure RBAC roles control who can manage SQL resources, but they don't grant access to data inside databases. This separation ensures that management permissions don't automatically grant data access—a principle of least privilege. As a cloud security engineer configuring platform-level security, you work primarily with management roles.
63+
64+
The **SQL Security Manager** role (ID: `056cd41c-7e88-42e1-933e-88ba6a50c9c3`) grants permissions to manage security policies including firewall rules, encryption settings, auditing configuration, dynamic data masking, and row-level security. This role is designed for security engineers who configure security controls but don't need to read or modify data. With this role, you configure authentication settings like the Microsoft Entra admin and enable Entra-only authentication.
65+
66+
In contrast, the **SQL Server Contributor** role manages SQL servers and databases but doesn't grant security policy management. The **SQL DB Contributor** role manages individual databases but also lacks security policy permissions. For Contoso's security team, the SQL Security Manager role provides the appropriate scope: they configure authentication, set firewall rules, and enable auditing, but they don't access customer transaction data.
67+
68+
| Role | Security policies | Database management | Data access |
69+
|------|------------------|---------------------|-------------|
70+
| SQL Security Manager ||||
71+
| SQL Server Contributor ||||
72+
| SQL DB Contributor || ✓ (database only) ||
73+
74+
One key distinction: authentication controls who can connect, while network controls (like firewall rules) control where connections come from. Both must be correctly configured. Passing authentication doesn't bypass network rules, and passing network rules doesn't bypass authentication. As a security engineer, you configure both layers to create defense in depth.
75+
76+
For Contoso's deployment, the security team uses the SQL Security Manager role to enable Entra-only authentication across all SQL servers. This ensures consistent authentication policy enforcement without granting unnecessary data access to the security team. Application teams create contained database users and grant permissions based on least-privilege principles.
77+
78+
With Microsoft Entra authentication and managed identity access configured, you're ready to restrict which networks can connect to your SQL resources.
79+
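Review bot: the role comparison table (the rows beginning "| SQL Security Manager ||||" and "| SQL Server Contributor ||||") has empty cells in every column, so it no longer shows the distinction the preceding paragraphs draw (security policies for SQL Security Manager, database management for SQL Server Contributor, no data access for either); restore the marks or use explicit Yes/No text. In the same section, the SQL Security Manager paragraph lists row-level security among the policies the Azure RBAC role manages, but the section opens by saying RBAC roles don't reach data inside the database, and row-level security predicates are created inside the database with T-SQL rather than through Azure resource management, so drop it from that list or qualify it. Two smaller points: "You can also create user for Microsoft Entra groups" should read "create users"; and the sentence about `Authentication=Active Directory Managed Identity` holds as written only for system-assigned identities, so the paragraph that introduces user-assigned identities should note that the bracketed name in `CREATE USER` is then the identity's name rather than the resource's, and that the SqlClient connection string additionally needs the identity's client ID (`User Id=<client-id>`).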
