Azure SQL Managed Instance must have an audit defined to track Microsoft Support Operations.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
low	V-276297	SRG-APP-000101-DB-000044	MSQL-D0-005500	SV-276297r1150073_rule	2025-10-07	1

Description
Azure SQL Managed Instance auditing capability is critical for accurate forensic analysis. Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. To support analysis, some types of events require information to be logged that exceeds the basic requirements of event type, time stamps, location, source, outcome, and user identity. If additional information is not available, it could negatively impact forensic investigations into user actions or other malicious events. The organization must determine what additional information is required for complete analysis of the audited events. The additional information required is dependent on the type of information (e.g., sensitivity of the data and the environment within which it resides). At a minimum, the organization must employ either full-text recording of privileged commands or the individual identities of users of shared accounts, or both. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Examples of detailed information the organization may require in audit records are full-text recording of privileged commands or the individual identities of shared account users. Auditing of Microsoft support operations against an Azure SQL Managed Instance allows for the actions and operations performed by Microsoft support engineers, when accessing a server during a support request, to be audited and stored for forensic purposes. Enabling this auditing capability will overwrite an existing audit's configuration and therefore, when required, must be defined within a dedicated audit configuration.

Description

Azure SQL Managed Instance auditing capability is critical for accurate forensic analysis. Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. To support analysis, some types of events require information to be logged that exceeds the basic requirements of event type, time stamps, location, source, outcome, and user identity. If additional information is not available, it could negatively impact forensic investigations into user actions or other malicious events. The organization must determine what additional information is required for complete analysis of the audited events. The additional information required is dependent on the type of information (e.g., sensitivity of the data and the environment within which it resides). At a minimum, the organization must employ either full-text recording of privileged commands or the individual identities of users of shared accounts, or both. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Examples of detailed information the organization may require in audit records are full-text recording of privileged commands or the individual identities of shared account users. Auditing of Microsoft support operations against an Azure SQL Managed Instance allows for the actions and operations performed by Microsoft support engineers, when accessing a server during a support request, to be audited and stored for forensic purposes. Enabling this auditing capability will overwrite an existing audit's configuration and therefore, when required, must be defined within a dedicated audit configuration.

ℹ️ Check
Review the system documentation to determine if the auditing of Microsoft support operations is required. If is documented as not required, this is Not Applicable. If the system documentation requires the auditing of Microsoft Support operations, run the following query to determine whether an audit has been defined to capture Microsoft Support operations: SELECT audit_id, name, is_state_enabled FROM sys.server_audits WHERE is_operator_audit = 1 If no audit is returned, this is a finding.

ℹ️ Check

Review the system documentation to determine if the auditing of Microsoft support operations is required. If is documented as not required, this is Not Applicable. If the system documentation requires the auditing of Microsoft Support operations, run the following query to determine whether an audit has been defined to capture Microsoft Support operations: SELECT audit_id, name, is_state_enabled FROM sys.server_audits WHERE is_operator_audit = 1 If no audit is returned, this is a finding.

✔️ Fix
Create a new SQL Server Audit with the Microsoft support operations option enabled. Adjust the following T-SQL Query for the environment and execute: CREATE SERVER AUDIT [<Enter Name of Audit>] TO URL ( PATH = N'<URL for Blob Container>' ) WITH ( OPERATOR_AUDIT = ON ) GO ALTER SERVER AUDIT [<Enter Name of Audit>] WITH (STATE = ON) GO Alternatively, when using SQL Server Management Studio to create an audit, ensure the Microsoft support operations checkbox is flagged.

✔️ Fix

Create a new SQL Server Audit with the Microsoft support operations option enabled. Adjust the following T-SQL Query for the environment and execute: CREATE SERVER AUDIT [<Enter Name of Audit>] TO URL ( PATH = N'<URL for Blob Container>' ) WITH ( OPERATOR_AUDIT = ON ) GO ALTER SERVER AUDIT [<Enter Name of Audit>] WITH (STATE = ON) GO Alternatively, when using SQL Server Management Studio to create an audit, ensure the Microsoft support operations checkbox is flagged.