---
title: AD admin not configured for SQL server
description: Datadog, the leading service for cloud-scale monitoring.
---

# AD admin not configured for SQL server

## Metadata{% #metadata %}

**Id:** `terraform-azure-ad-admin-not-configured-for-sql-server` 

**Provider:** Azure

**Platform:** Terraform

**Severity:** Medium

**Category:** Insecure Configurations

#### Learn More{% #learn-more %}

- [Provider Reference](https://registry.terraform.io/providers/hashicorp/azurerm/3.6.0/docs/resources/sql_active_directory_administrator)

### Description{% #description %}

When a SQL server in Azure is not configured with an Active Directory (AD) administrator, access control is limited to SQL authentication accounts, which lack the centralized identity management and advanced security features provided by Azure AD. This can make the SQL server more difficult to manage securely and can increase the risk of unauthorized access if user accounts are not handled properly. Enabling AD authentication by specifying an `azurerm_sql_active_directory_administrator` resource ensures that access can be centrally managed and monitored, helping enforce organizational security policies.

A secure Terraform configuration looks like the following:

```terraform
# Supplies the tenant and object IDs of the identity running Terraform.
data "azurerm_client_config" "current" {}

resource "azurerm_sql_active_directory_administrator" "example" {
  server_name         = "mysqlserver"
  resource_group_name = "acceptanceTestResourceGroup1"
  login               = "sqladmin"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  object_id           = data.azurerm_client_config.current.object_id
}
```

## Compliant Code Examples{% #compliant-code-examples %}

```terraform
resource "azurerm_resource_group" "negative1" {
  name     = "acceptanceTestResourceGroup1"
  location = "West US"
}

resource "azurerm_sql_server" "negative2" {
  name                         = "mysqlserver"
  resource_group_name          = "acceptanceTestResourceGroup1"
  location                     = "West US"
  version                      = "12.0"
  administrator_login          = "4dm1n157r470r"
  administrator_login_password = "4-v3ry-53cr37-p455w0rd"
}
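
# Supplies the tenant and object IDs of the identity running Terraform.
data "azurerm_client_config" "current" {}

resource "azurerm_sql_active_directory_administrator" "negative3" {
  # Matches the name of azurerm_sql_server.negative2, so that server has an AD administrator.
  server_name         = "mysqlserver"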
  resource_group_name = "acceptanceTestResourceGroup1"
  login               = "sqladmin"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  object_id           = data.azurerm_client_config.current.object_id
}
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```terraform
resource "azurerm_resource_group" "positive1" {
  name     = "acceptanceTestResourceGroup1"
  location = "West US"
}

resource "azurerm_sql_server" "positive2" {
  name                         = "mysqlserver1"
  resource_group_name          = "acceptanceTestResourceGroup1"
  location                     = "West US"
  version                      = "12.0"
  administrator_login          = "4dm1n157r470r"
  administrator_login_password = "4-v3ry-53cr37-p455w0rd"
}
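
# Supplies the tenant and object IDs of the identity running Terraform.
data "azurerm_client_config" "current" {}

resource "azurerm_sql_active_directory_administrator" "positive3" {
  # Does not match azurerm_sql_server.positive2 ("mysqlserver1"), so that server has no AD administrator.
  server_name         = "mysqlserver2"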
  resource_group_name = "acceptanceTestResourceGroup1"
  login               = "sqladmin"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  object_id           = data.azurerm_client_config.current.object_id
}
```
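
The check illustrated by the two examples above can be reproduced over a Terraform plan exported with `terraform show -json`. The following is an added example, not Datadog's rule implementation; it assumes a server is covered when an `azurerm_sql_active_directory_administrator` has the same `server_name` and `resource_group_name`, and the sample plan and the `module.db` module name are constructed.

```python
import json, sys
from pathlib import Path

# Constructed sample: trimmed `terraform show -json` output holding the page's
# non-compliant pair at the root and its compliant pair in a child module.
RG = "acceptanceTestResourceGroup1"
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "azurerm_sql_server.positive2", "type": "azurerm_sql_server",
         "values": {"name": "mysqlserver1", "resource_group_name": RG}},
        {"address": "azurerm_sql_active_directory_administrator.positive3",
         "type": "azurerm_sql_active_directory_administrator",
         "values": {"server_name": "mysqlserver2", "resource_group_name": RG}},
    ],
    "child_modules": [{"address": "module.db", "resources": [
        {"address": "module.db.azurerm_sql_server.negative2", "type": "azurerm_sql_server",
         "values": {"name": "mysqlserver", "resource_group_name": RG}},
        {"address": "module.db.azurerm_sql_active_directory_administrator.negative3",
         "type": "azurerm_sql_active_directory_administrator",
         "values": {"server_name": "mysqlserver", "resource_group_name": RG}},
    ]}],
}}}

def walk_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk_resources(child)

def servers_without_ad_admin(plan):
    """Return sorted addresses of azurerm_sql_server resources lacking an AD admin."""
    root = plan.get("planned_values", {}).get("root_module", {})
    resources = list(walk_resources(root))
    # Assumption: an AD admin covers a server when resource group and name both match.
    covered = {
        (r.get("values", {}).get("resource_group_name"), r.get("values", {}).get("server_name"))
        for r in resources
        if r.get("type") == "azurerm_sql_active_directory_administrator"
    }
    return sorted(
        r["address"] for r in resources
        if r.get("type") == "azurerm_sql_server"
        and (r.get("values", {}).get("resource_group_name"), r.get("values", {}).get("name")) not in covered
    )

if __name__ == "__main__":
    # Pass a plan JSON path as the first argument, or run with the constructed sample.
    plan = json.loads(Path(sys.argv[1]).read_text()) if len(sys.argv) > 1 else SAMPLE_PLAN
    print("\n".join(servers_without_ad_admin(plan)))
```

Run against the sample, it reports only `azurerm_sql_server.positive2`, the server whose name no AD administrator resource references.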
