services / Azure / Azure SQL Database server DNS alias

A SQL server DNS alias is a stable CNAME-like DNS name that maps clients to an Azure SQL logical server, allowing the underlying server to change without updating connection strings.

Controlling an alias controls the connection endpoint clients resolve to reach production databases; it is effectively a routing/domain control for the database service.


Microsoft.Sql/servers/dnsAliases/acquire/action

Acquiring an existing alias from its current server and repointing it to another server hijacks the stable connection endpoint, silently redirecting client traffic to an attacker-chosen SQL server (and denying the legitimate one).

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://azure.permissions.cloud/iam/Microsoft.Sql
  • https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog