---
title: SQL Server predictable Active Directory account name
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > SQL Server predictable Active Directory
  account name
---

# SQL Server predictable Active Directory account name

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `ansible-azure-sql-server-predictable-active-directory-admin-account-name`

**Provider:** Azure

**Platform:** Ansible

**Severity:** Low

**Category:** Best Practices

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_adserviceprincipal_module.html)

### Description{% #description %}

Active Directory administrator accounts for Azure SQL Server must not use predictable or common names such as "admin" or "administrator." Predictable account names make privileged accounts easy to discover and enable targeted brute-force and credential-stuffing attacks.

In Ansible, verify the `azure.azcollection.azure_rm_adserviceprincipal` (or `azure_rm_adserviceprincipal`) task's `ad_user` property is defined, non-empty, and set to a non-predictable, unique name. This rule flags tasks where `ad_user` is missing or `null`, or where the value matches common predictable names (case-insensitive) such as `admin`, `administrator`, `sqladmin`, `root`, `user`, `azure_admin`, `azure_administrator`, or `guest`. Use a clear, non-guessable name for `ad_user`. For example:

```yaml
- name: Create AD service principal for Azure SQL admin
  azure.azcollection.azure_rm_adserviceprincipal:
    ad_user: "sqlsvc-prod-01"
    password: "{{ lookup('password', '/dev/null length=32') }}"
    state: present
```
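The rule above is easy to reproduce locally as a pre-commit check. The following is an added example written for this page, not Datadog's rule engine or the Ansible module's own code. It assumes the playbook has already been parsed (PyYAML's `yaml.safe_load` is used only in the optional `check_playbook_text` entry point), recognises both spellings of the module, and treats a missing key, a `null` value, an empty string, and any case-insensitive match against the listed names as a finding; stripping surrounding whitespace before the comparison is a choice of this example, not something the rule text specifies. The sample tasks are constructed to mirror the compliant and non-compliant examples on this page.

```python
"""Flag predictable or missing `ad_user` values in Ansible tasks that use the
azure_rm_adserviceprincipal module (added checker, not Datadog's rule engine)."""

# Predictable names listed by the rule; compared case-insensitively.
PREDICTABLE_NAMES = frozenset({
    "admin", "administrator", "sqladmin", "root", "user",
    "azure_admin", "azure_administrator", "guest",
})

# Both spellings of the module the rule covers.
MODULE_NAMES = (
    "azure.azcollection.azure_rm_adserviceprincipal",
    "azure_rm_adserviceprincipal",
)


def module_params(task):
    """Return the module's parameter mapping if the task calls it, else None.

    A task whose module key carries no mapping yields {} so that it is still
    reported as having no `ad_user`.
    """
    for module in MODULE_NAMES:
        if module in task:
            params = task[module]
            return params if isinstance(params, dict) else {}
    return None


def check_task(task):
    """Return (task_name, reason, value) for a violating task, or None."""
    params = module_params(task)
    if params is None:
        return None  # some other module; outside this rule's scope
    name = task.get("name", "<unnamed task>")
    value = params.get("ad_user")
    if value is None:  # key absent, or `ad_user:` written with no value
        return (name, "missing_or_null", value)
    if not isinstance(value, str):
        return (name, "not_a_string", value)
    # Assumption of this example: surrounding whitespace is ignored.
    normalized = value.strip().lower()
    if normalized == "":
        return (name, "empty", value)
    if normalized in PREDICTABLE_NAMES:
        return (name, "predictable", value)
    return None


def check_tasks(tasks):
    """Run the rule over a list of parsed tasks; return findings in order."""
    return [f for f in (check_task(t) for t in tasks) if f is not None]


def check_playbook_text(text):
    """Entry point for a YAML task list; requires PyYAML to be installed."""
    import yaml  # third-party; imported lazily so the rest runs without it
    return check_tasks(yaml.safe_load(text) or [])


# Constructed sample input mirroring the page's examples, as Python sees it
# after yaml.safe_load (`ad_user:` with no value becomes None).
SAMPLE_TASKS = [
    {"name": "create ad sp", "azure_rm_adserviceprincipal": {
        "display_name": "my-sp", "app_id": "{{ app_id }}", "state": "present",
        "tenant": "{{ tenant_id }}", "ad_user": "admin"}},
    {"name": "create ad sp2", "azure_rm_adserviceprincipal": {
        "display_name": "my-sp2", "app_id": "{{ app_id2 }}", "state": "present",
        "tenant": "{{ tenant_id2 }}", "ad_user": ""}},
    {"name": "create ad sp3", "azure_rm_adserviceprincipal": {
        "display_name": "my-sp3", "app_id": "{{ app_id3 }}", "state": "present",
        "tenant": "{{ tenant_id3 }}", "ad_user": None}},
    {"name": "create ad sp4", "azure.azcollection.azure_rm_adserviceprincipal": {
        "display_name": "my-sp4", "app_id": "{{ app_id4 }}", "state": "present",
        "tenant": "{{ tenant_id4 }}", "ad_user": "SQLAdmin"}},
    {"name": "create ad sp ok", "azure_rm_adserviceprincipal": {
        "display_name": "my-sp", "app_id": "{{ app_id }}", "state": "present",
        "tenant": "{{ tenant_id }}", "ad_user": "unpredictableName"}},
    {"name": "unrelated task", "debug": {"msg": "not covered by this rule"}},
]

if __name__ == "__main__":
    for task_name, reason, value in check_tasks(SAMPLE_TASKS):
        print(f"{task_name}: ad_user={value!r} -> {reason}")
```

Running the file prints one line per finding; the compliant task and the unrelated `debug` task produce nothing, while the fully-qualified module name with a mixed-case `SQLAdmin` is caught the same way as the short name with `admin`.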

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
# This is compliant code, for which the rule should not report any result
- name: create ad sp
  azure_rm_adserviceprincipal:
    display_name: my-sp
    app_id: '{{ app_id }}'
    state: present
    tenant: '{{ tenant_id }}'
    ad_user: unpredictableName
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
# This is problematic code, for which the rule should report one or more results
- name: create ad sp
  azure_rm_adserviceprincipal:
    display_name: my-sp
    app_id: "{{ app_id }}"
    state: present
    tenant: "{{ tenant_id }}"
    ad_user: admin
- name: create ad sp2
  azure_rm_adserviceprincipal:
    display_name: my-sp2
    app_id: "{{ app_id2 }}"
    state: present
    tenant: "{{ tenant_id2 }}"
    ad_user: ""
- name: create ad sp3
  azure_rm_adserviceprincipal:
    display_name: my-sp3
    app_id: "{{ app_id3 }}"
    state: present
    tenant: "{{ tenant_id3 }}"
    ad_user:
```
