UseCase13_AzureSQL - sandersdHES/PAMEmergingTech GitHub Wiki
This use case demonstrates how to secure and manage access to a Microsoft Azure SQL Database using PAM360. You'll learn how to:
- Create and configure a cloud-hosted SQL database
- Manage database credentials and access securely in PAM360
- Enable session recording and remote password reset
- Monitor database activity via PAM360 audit features
In today’s digital landscape, data is a core asset, and protecting access to it is critical. Cloud-hosted databases, such as Azure SQL, are convenient but introduce new challenges for access management and compliance. PAM360 provides fine-grained control, password management, and auditing features to ensure your data is safe—even in the cloud.
- An Azure account with permissions to create SQL databases
- Admin access to PAM360
- Basic knowledge of SQL authentication and user roles
- In the Azure Portal, create a new resource
- Choose “SQL Database” and select the option for a Single Database
- Fill in required details and create a new Azure SQL Server if needed
- Authentication: Use SQL authentication
- Set an admin username and password
- Select a public endpoint
- Enable “Allow Azure services to access server” under firewall rules
- Select “Default” under Connection policy

- Log in to PAM360 as an admin
- Navigate to Resources > Add Resource
- DNS/IP Address: Use your Azure SQL Server name
- Resource Type: Select MS SQL Server
- Leave other settings as default

- Add the admin account you created during Azure setup
- Set the default database for this user (e.g., `protectdb`)
- Enable:
  - ✅ Password Reset
  - ✅ Session Recording SQL

- Enable and configure Remote Password Reset
- Fill in the following:
  - Instance Name: Azure SQL Server name
  - Port: 1433
  - MSSQL Admin Account: Select the previously added admin user
  - This user will be used to rotate and reset passwords remotely

- Use PAM360 to launch a session to your Azure SQL Database
- You'll be logged in as the admin user, and the default database will load automatically

- Switch to the `master` database and run the following SQL script to create a login:

```sql
CREATE LOGIN pamuser WITH PASSWORD = 'SecureP@ssword123!';
```

- Switch to your target database (e.g., `protectdb`) and execute:

```sql
CREATE USER pamuser FOR LOGIN pamuser;
ALTER ROLE db_datareader ADD MEMBER pamuser;
ALTER ROLE db_datawriter ADD MEMBER pamuser;
```

Sadly, accounts for this database cannot be discovered automatically. PAM360 tries to discover accounts from the master database, but Azure SQL does not allow querying server-level metadata (like sys.sql_logins) the same way as on a standard SQL Server.
Unlike on-premises SQL Server, Azure SQL restricts access to these views, especially from within user databases or without elevated privileges.
You’ll need to manually register each database user.
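
Because discovery is manual, a per-database inventory helps decide which accounts to register. The query below is an added example, not part of the original page or of PAM360; it assumes you run it inside the target database (e.g., `protectdb`) with an account that can view database principals, and it uses the standard catalog views `sys.database_principals` and `sys.database_role_members`.

```sql
-- Added example: inventory of database users to register manually in PAM360.
-- Assumption: run inside the target database (e.g., protectdb), not master,
-- with an account allowed to view database principals (such as the admin).
SELECT
    u.name                      AS database_user,
    u.type_desc                 AS principal_type,
    u.authentication_type_desc  AS authentication_type,
    u.create_date,
    u.modify_date,
    STRING_AGG(r.name, ', ') WITHIN GROUP (ORDER BY r.name) AS role_memberships,
    -- Roles other than the two granted to pamuser on this page; a non-zero
    -- count marks an account whose access deserves review before onboarding.
    SUM(CASE WHEN r.name IS NOT NULL
              AND r.name NOT IN ('db_datareader', 'db_datawriter')
             THEN 1 ELSE 0 END) AS other_role_count
FROM sys.database_principals AS u
LEFT JOIN sys.database_role_members AS m
       ON m.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = m.role_principal_id
WHERE u.type IN ('S', 'E', 'X')   -- SQL users, external users, external groups
  AND u.principal_id > 4          -- skip dbo, guest, INFORMATION_SCHEMA, sys
GROUP BY u.name, u.type_desc, u.authentication_type_desc,
         u.create_date, u.modify_date
ORDER BY other_role_count DESC, u.name;
```

For `pamuser` as created above, `role_memberships` should read `db_datareader, db_datawriter` with `other_role_count` of 0.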

Use PAM360 to open a session and run the following query:

```sql
SELECT name FROM sys.databases;
```

You should see both admin and pamuser active.

- Go to Audit > Resource Audit in PAM360
- Review session recordings for SQL activity
- Track executed queries and user behavior for compliance and accountability


This use case shows how PAM360 enables secure access control for cloud-hosted databases:
- Full integration with Azure SQL
- Session recording and audit trail for transparency
- Centralized password management and remote password reset
- Manual account registration due to Azure limitations
- Real-time monitoring of database user activity
By integrating PAM360 with Azure SQL, your organization achieves cloud-ready privileged access protection—without compromising visibility or control.
For further security, integrating access policies specifically related to databases would be the next logical step.