Governance Anti Patterns Authentication - Azure/az-prototype GitHub Wiki

Authentication

Authentication method detection — ensures managed identity and Entra ID are used

Domain: authentication

Checks (4)

Check Description
ANTI-AUTH-001 SQL authentication with username/password detected — use Microsoft Entra (Azure AD) authentication with managed identity.
ANTI-AUTH-002 Key Vault using access policies — switch to RBAC authorization model (enableRbacAuthorization = true).
ANTI-AUTH-003 SAS token detected — use managed identity with appropriate RBAC role instead.
ANTI-AUTH-004 Cosmos DB local authentication detected — disable local auth and use Entra RBAC with sqlRoleAssignments.

ANTI-AUTH-001

SQL authentication with username/password detected — use Microsoft Entra (Azure AD) authentication with managed identity.

Rationale: SQL authentication with passwords is vulnerable to brute force attacks and cannot be audited through Entra ID conditional access.
Agents: terraform-agent, bicep-agent

Targets

Services Triggers On Correct Patterns
  • Microsoft.Sql/servers
  • 'sql authentication'
  • 'username/password'
  • 'sql_login'
  • 'administrator_login_password'
  • 'azureADOnlyAuthentication = true'
  • '# Use Microsoft Entra authentication with managed identity'

ANTI-AUTH-002

Key Vault using access policies — switch to RBAC authorization model (enableRbacAuthorization = true).

Rationale: Access policies provide coarse-grained control and cannot leverage Entra ID conditional access, PIM, or per-identity audit trails.
Agents: terraform-agent, bicep-agent

Targets

Services Triggers On Correct Patterns
  • Microsoft.KeyVault/vaults
  • 'access_policy {'
  • 'access_policy ='
  • 'access policies'
  • 'enableRbacAuthorization = true'
  • '# Use RBAC authorization model, not access policies'

ANTI-AUTH-003

SAS token detected — use managed identity with appropriate RBAC role instead.

Rationale: SAS tokens are time-limited shared secrets that cannot be revoked individually and bypass RBAC audit trails.
Agents: terraform-agent, bicep-agent, app-developer, csharp-developer, python-developer

Targets

Services Triggers On Correct Patterns
  • Microsoft.Storage/storageAccounts
  • Microsoft.ServiceBus/namespaces
  • Microsoft.EventHub/namespaces
  • 'shared_access_policy'
  • 'sas_token'
  • 'sas_policy'
  • 'generate_sas'
  • 'listAccountSas'
  • 'listServiceSas'
  • 'SharedAccessSignature'
  • '# Use managed identity with RBAC role assignment'
  • 'DefaultAzureCredential()'

ANTI-AUTH-004

Cosmos DB local authentication detected — disable local auth and use Entra RBAC with sqlRoleAssignments.

Rationale: Cosmos DB key authentication uses shared master keys that grant full access — Entra RBAC provides per-identity scoping and audit.
Agents: terraform-agent, bicep-agent

Targets

Services Triggers On Correct Patterns
  • Microsoft.DocumentDB/databaseAccounts
  • 'primary_key'
  • 'primary_readonly_key'
  • 'listKeys('
  • 'AccountKey='
  • 'disableLocalAuth = true'
  • '# Use Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments for data-plane RBAC'
⚠️ **GitHub.com Fallback** ⚠️