If passwords are used for authentication, Azure SQL Server Managed Instance must transmit only encrypted representations of passwords.

Severity: high
Group ID: V-276305
Group Title: SRG-APP-000172-DB-000075
Version: MSQL-D0-008300
Rule ID: SV-276305r1150105_rule
Date: 2025-10-07
STIG Version: 1
Description
The DOD standard for authentication is DOD-approved PKI certificates. Authentication based on User ID and Password may be used only when it is not possible to employ a PKI certificate and requires AO approval. In such cases, passwords must be protected at all times, and encryption is the standard method for protecting passwords during transmission. Azure SQL Managed Instance passwords sent in clear text format across the network are vulnerable to discovery by unauthorized users. Disclosure of passwords may easily lead to unauthorized access to the database. Transport Layer Security (TLS) encryption is a required security setting as a number of known vulnerabilities have been reported against Secure Sockets Layer (SSL) and earlier versions of TLS. Encryption of private information is essential to ensuring data confidentiality. If private information is not encrypted, it can be intercepted and easily read by an unauthorized party. Azure SQL Managed Instance must use a FIPS-approved minimum TLS version, and all non-FIPS-approved SSL and TLS versions must be disabled. NIST SP 800-52 Rev. 2 specifies the preferred configurations for government systems.
Check
Verify the MinimalTlsVersion using the following PowerShell script:

$Subscription = 'SubscriptionValueHere'
$Environment = 'EnvironmentTypeHere'
Connect-AzAccount -Subscription $Subscription -Environment $Environment
$ResourceGroup = 'ResourceGroupHere'
$ManagedInstance = 'ManagedInstanceHere'
# Highest value accepted by Set-AzSqlInstance -MinimalTlsVersion (last entry of its ValidateSet)
$TLSmax = (Get-Command -Name Set-AzSqlInstance -ParameterName 'MinimalTlsVersion').Parameters['MinimalTlsVersion'].Attributes.Where({ $_ -is [ValidateSet] }).ValidValues | Select-Object -Last 1
# Value currently enforced on the instance
$TLScur = (Get-AzSqlInstance -ResourceGroupName $ResourceGroup -Name $ManagedInstance).MinimalTlsVersion
Write-Host "Latest TLS Version : [$TLSmax]"
Write-Host "Current TLS Version : [$TLScur]"

Verify that the minimum TLS version property is set to the latest available TLS version. If a less secure TLS version is set and not documented as required by the supported application, this is a finding.
Fix
Run the following PowerShell script to set the Azure SQL Managed Instance MinimalTlsVersion to the latest available TLS version:

# This is an example script
$ResourceGroup = '<resource group name here>'
$ManagedInstance = '<Azure SQL Managed Instance name here>'
# Highest value accepted by Set-AzSqlInstance -MinimalTlsVersion (last entry of its ValidateSet)
$TLSmax = (Get-Command -Name Set-AzSqlInstance -ParameterName 'MinimalTlsVersion').Parameters['MinimalTlsVersion'].Attributes.Where({ $_ -is [ValidateSet] }).ValidValues | Select-Object -Last 1
Set-AzSqlInstance -ResourceGroupName $ResourceGroup -Name $ManagedInstance -MinimalTlsVersion $TLSmax

References: https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/minimal-tls-version-configure?view=azuresql-mi