Azure SQL Managed Instance default [sa] account must have its name changed.

Severity: medium
Group ID: V-276318
Group Title: SRG-APP-000141-DB-000092
Version: MSQL-D0-016300
Rule ID: SV-276318r1150020_rule
Date: 2025-10-07
STIG Version: 1
Description
Azure SQL Managed Instance's [sa] account has special privileges required to administer the database. The [sa] account is a well-known account name that is likely to be targeted by attackers and is thus more prone to providing unauthorized access to the database. Because [sa] is administrative in nature, the compromise of this default account can have catastrophic consequences, including the complete loss of control over Azure SQL Managed Instance. Because SQL Server needs this account to exist and it must not be removed, one way to mitigate this risk is to change the [sa] account name.
ℹ️ Check
Verify the Azure SQL Managed Instance default [sa] account name has been changed by executing the following query:

    USE master;
    GO
    SELECT name
    FROM sys.sql_logins
    WHERE UPPER(name) = 'SA' OR principal_id = 1;

If the name returned has the consecutive letters "sa" in the query output, this is a finding.
✔️ Fix
Modify the Azure SQL Managed Instance's [sa] account name by running the following example script:

    USE master;
    GO
    ALTER LOGIN [sa] WITH NAME = NewAccountName;