Azure SQL Managed Instance DNS alias

A friendly, CNAME-style DNS name that maps to an Azure SQL Managed Instance endpoint, allowing clients to connect using a stable alias rather than the instance's native hostname.

Controlling an alias controls where client connection traffic for a database endpoint resolves; aliases can be transferred (acquired) between instances.


Microsoft.Sql/managedInstances/dnsAliases/acquire/action

Acquiring an alias from another managed instance repoints that DNS name to the attacker's instance, hijacking client traffic destined for the legitimate database so that it can be intercepted or the database impersonated.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://azure.permissions.cloud/iam/Microsoft.Sql
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog