Today I found a terrible fact: Anyone can use Azure PowerShell manipulation SQL Azure firewall without Azure login. Today, I wanted to create a firewall exception by PowerShell and I found this blog: http://blogs.msdn.com/b/umits/archive/2012/11/20/windows-azure-sql-database-how-to-manage-your-firewall-rules-with-powershell.aspx
It works fine. But when PowerShell finished, I realized I never did Add-AzureAccount or Login-AzureAccount before. God, It means anyone who knows my SQL Azure Server name can freely CRUD my SQL Azure firewall rules. I can’t belive my eyes. And I signed off my Azure account and did it again. Then I reproduced it. You see I executed Get-AzureSqlDatabaseServerFirewallRule after PowerShell initialized. NO login required.
So I just wondering is it a security issue on SQL Azure firewall?