Azure SQL Managed Instance must generate audit records when attempts to delete security objects occur.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-276257 | MSQL-00-014400 | SV-276257r1150023_rule | CCI-000172 | medium |
| Description | ||||
| The removal of security objects from the database/database management system (DBMS) would seriously degrade a system's information assurance posture. If such an action is attempted, it must be logged. To aid in diagnosis, it is necessary to keep track of failed attempts in addition to the successful ones. Satisfies: SRG-APP-000501-DB-000337, SRG-APP-000501-DB-000336 | ||||
| STIG | Date | |||
| Microsoft Azure SQL Managed Instance Security Technical Implementation Guide | 2025-10-07 | |||
Details
Check Text (C-276257r1150023_chk)
Review Azure SQL Managed Instance configuration to verify audit records are produced when unsuccessful attempts to delete security objects occur.
Run this TSQL command to determine if Azure SQL Managed Instance Auditing AuditActionGroups are configured:
SELECT a.name AS 'AuditName', s.name AS 'SpecName', d.audit_action_name AS 'ActionName', d.audited_result AS 'Result'
FROM sys.server_audit_specifications s
JOIN sys.server_audits a ON s.audit_guid = a.audit_guid
JOIN sys.server_audit_specification_details d ON s.server_specification_id = d.server_specification_id
WHERE a.is_state_enabled = 1
AND d.audit_action_name = 'SCHEMA_OBJECT_CHANGE_GROUP'
If the 'SCHEMA_OBJECT_ACCESS_GROUP' is not returned in an active audit, this is a finding.
Fix Text (F-80317r1149679_fix)
Deploy an Azure SQL Managed Instance audit.
Refer to the supplemental file "AzureSQLMIAudit.txt" script.
Reference: https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/auditing-configure?view=azuresql-mi