Hi @joelp,
When you have only AAD authentication enabled on your server, it first checks whether the user being used to authenticate is an AAD user and whether the authentication type is AAD authentication. If not, it throws error 18456 (authentication failure).
Authentication Flow in Azure SQL When Only AAD authentication is enabled
- Authentication Attempt: When a client tries to connect, Azure SQL first checks the authentication type and the user: whether the user being used to authenticate is an AAD user and whether the authentication type is AAD authentication.
- Firewall Validation: If authentication fails, the process stops. Only if everything is correct does Azure SQL evaluate firewall rules and networking restrictions.
Why You See Error 18456 Instead of a Network Error?
- As per the logs image you shared, the brute-force attack is trying different users that do not look like AAD users for an existing database.
- Since the authentication process runs first, Azure SQL returns error 18456 (Login failed) before it even checks firewall rules.
- If authentication had passed but the firewall blocked the connection, you would see a different error, such as:
  - A network-related or instance-specific error occurred.
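As an added example (not part of the answer above, and not Microsoft's code), here is a small Python detector for the pattern the answer describes: many error 18456 login failures from one client IP, spread across usernames that do not look like AAD identities. The record layout (time, client IP, server principal name, succeeded flag, error number) is an assumption modelled loosely on Azure SQL auditing fields, and every sample record is constructed; events with other error numbers (for example a firewall rejection) are deliberately not counted, since they indicate a different stage of the connection.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; field order and values are assumptions, not real audit output.
# (event_time, client_ip, server_principal_name, succeeded, error_number)
SAMPLE_EVENTS = [
    # One source trying SQL-style names that an AAD-only server will never accept
    ("2024-05-01T10:00:01", "203.0.113.7", "sa", False, 18456),
    ("2024-05-01T10:00:15", "203.0.113.7", "admin", False, 18456),
    ("2024-05-01T10:00:30", "203.0.113.7", "administrator", False, 18456),
    ("2024-05-01T10:00:45", "203.0.113.7", "root", False, 18456),
    ("2024-05-01T10:01:00", "203.0.113.7", "test", False, 18456),
    ("2024-05-01T10:01:20", "203.0.113.7", "sqladmin", False, 18456),
    # A legitimate AAD user who mistyped once and then succeeded
    ("2024-05-01T10:02:00", "198.51.100.20", "alice@contoso.com", False, 18456),
    ("2024-05-01T10:02:30", "198.51.100.20", "alice@contoso.com", True, 0),
    # A source rejected at a different stage (constructed non-18456 error number); not counted here
    ("2024-05-01T10:03:00", "192.0.2.5", "bob@contoso.com", False, 40615),
    ("2024-05-01T10:03:10", "192.0.2.5", "bob@contoso.com", False, 40615),
]


def parse_event(raw):
    """Turn one constructed tuple into a dict with a datetime for windowing."""
    time_str, ip, user, succeeded, error = raw
    return {
        "time": datetime.fromisoformat(time_str),
        "client_ip": ip,
        "user": user,
        "succeeded": succeeded,
        "error": error,
    }


def looks_like_aad_identity(name):
    """Heuristic (an assumption): AAD principals are usually UPN-shaped, i.e. contain '@'."""
    return "@" in name


def detect_bruteforce(raw_events, window_minutes=5, min_failures=5):
    """Return {client_ip: summary} for sources with >= min_failures error-18456
    logins inside any sliding window of window_minutes."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for raw in raw_events:
        e = parse_event(raw)
        # Only authentication failures count; other errors are a different stage.
        if e["succeeded"] or e["error"] != 18456:
            continue
        by_ip[e["client_ip"]].append(e)

    findings = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["time"])
        # Sliding window: largest number of failures within any window-sized span
        best, start = 0, 0
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_failures:
            users = sorted({e["user"] for e in fails})
            findings[ip] = {
                "failures_in_window": best,
                "distinct_users": len(users),
                "non_aad_users": [u for u in users if not looks_like_aad_identity(u)],
            }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_bruteforce(SAMPLE_EVENTS).items():
        print(ip, summary)
```

Flagged sources can then be compared against the server's expected client ranges; a flood of 18456 failures that never reaches the firewall stage is exactly the signature the answer describes, and tightening firewall rules does not change it because the login check happens first.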