Is it a security issue on SQL Azure firewall ?

Today I found a terrible fact: Anyone can use Azure PowerShell manipulation SQL Azure firewall without Azure login. Today, I wanted to create a firewall exception by PowerShell and I found this blog:

It works fine. But when PowerShell finished, I realized I never did Add-AzureAccount or Login-AzureAccount before. God, It means anyone who knows my SQL Azure Server name can freely CRUD my SQL Azure firewall rules. I can't belive my eyes.  And I signed off my Azure account and did it again. Then I reproduced it. You see I executed Get-AzureSqlDatabaseServerFirewallRule after PowerShell initialized. NO login required.


So I just wondering is it a security issue on SQL Azure firewall?

Comments (1)

  1. The command uses your default subscription, which you’ve already been authenticated against or using a certificate 🙂 See the following post:

Skip to main content