VA1143 - 'dbo' user should not be used for normal service operation

Praveenraj R K 61 Reputation points Microsoft Employee
2023-03-08T16:34:19.7933333+00:00

Hi Team,

I got below Vulnerabilities for the Azure SQL Managed Instance. Could you please provide the remediation for the VA ?

VA1143 - 'dbo' user should not be used for normal service operation

Azure SQL Database
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Brown, Jason 25 Reputation points
    2023-08-30T13:21:56.33+00:00

    Unfortunately, the real answer here is, Microsoft assumes you are abusing the dbo user if you have not yet created any service principle or standard user without drop/create/alter privileges. So just go create a random user whether or not you need it yet and give that user db_datareader role only, or no role at all.

    1 person found this answer helpful.
    0 comments No comments

  2. Alberto Morillo 32,791 Reputation points MVP
    2023-03-08T16:57:17.8366667+00:00

    The VA rules suggests the following:

    "Create users with low privileges to access the DB and any data stored in it with the appropriate set of permissions."

    Make sure you use the "least privilege principal" approach. Give users permissions that are absolutely necessary. Make sure they do not have ALTER database permissions. Make use of Database Roles and assigned users to them. Make sure "dbo" is restricted to administrators only.