This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 5%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPR%3C/text%3E%3C/svg%3E)
Hi Team,
I got below Vulnerabilities for the Azure SQL Managed Instance. Could you please provide the remediation for the VA ?
VA1143 - 'dbo' user should not be used for normal service operation
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 77%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBJ%3C/text%3E%3C/svg%3E)
Unfortunately, the real answer here is, Microsoft assumes you are abusing the dbo user if you have not yet created any service principle or standard user without drop/create/alter privileges. So just go create a random user whether or not you need it yet and give that user db_datareader role only, or no role at all.
The VA rules suggests the following:
"Create users with low privileges to access the DB and any data stored in it with the appropriate set of permissions."
Make sure you use the "least privilege principal" approach. Give users permissions that are absolutely necessary. Make sure they do not have ALTER database permissions. Make use of Database Roles and assigned users to them. Make sure "dbo" is restricted to administrators only.
Hi Alberto,
I have database with db_ownerrole and also I have dbo user assigned to the database. So as a remediation whether we need to remove dbo user or db_owner ? could you please provide exact remediation for this ?
This is really poor. The dbo user is a the default user which owns all the objects created in the database. And have you ever wondered why 'dbo' is called 'dbo?' Could it be because dbo stands for Database Owner? So Microsoft is telling us that the design of their product is wrong, and therefore we need to remediate it somehow. And then their experts tell us that we need to create less privileged users. So the answer to Microsoft creating a default user with 'too many privileges' is to create more users even if we don't need them yet.
Unfortunately, the real answer here is, Microsoft assumes you are abusing the dbo user if you have not yet created any service principle or standard user without drop/create/alter privileges. So just go create a random user whether or not you need it yet and give that user db_datareader role only, or no role at all.
This will make your vulnerability go away. But it won't make things 'make sense.' It's just one of those things you have to do. Just created a database? Ok, now go create a dummy user so Defender stops complaining.