Security limitations for SQL Server on Linux
Applies to: SQL Server - Linux
SQL Server on Linux currently has the following limitations:
- A standard password policy is provided. MUST_CHANGE is the only option you can configure. The CHECK_POLICY option isn't supported.
- Extensible Key Management isn't supported.
- SQL Server authentication mode can't be disabled.
- Password expiration is hard-coded to 90 days if you use SQL Server authentication.
- Using keys stored in the Azure Key Vault isn't supported.
- SQL Server generates its own self-signed certificate for encrypting connections. SQL Server can be configured to use a user-provided certificate for TLS instead.
Note: If you don't plan to connect your SQL Server containers to Windows Active Directory, and you use SQL Server authentication only, the password expiration is hard-coded to 90 days. To work around this issue, consider changing the CHECK_EXPIRATION policy.
For more information about security features available in SQL Server, see Security for SQL Server Database Engine and Azure SQL Database.
Disable the sa account as a best practice
When you connect to your SQL Server instance using the sa account for the first time after installation, follow these steps, and then immediately disable the sa login as a security best practice.
1. Create a new login, and make it a member of the sysadmin server role.
   - Depending on whether you have a container or non-container deployment, enable Windows authentication, create a new Windows-based login, and add it to the sysadmin server role.
   - Otherwise, create a login using SQL Server authentication, and add it to the sysadmin server role.
2. Connect to the SQL Server instance using the new login you created.
3. Disable the sa account, as recommended for security best practice.
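The SQL Server authentication path of the steps above, as an added T-SQL example that is not part of the original page: the login name [dba_admin] and the password are placeholders you choose yourself, and CHECK_EXPIRATION = OFF is the workaround from the note above for the hard-coded 90-day expiration (leave it out if you want that rotation to apply).

```sql
-- Added example (not from the page). Run once, as sa, right after installation.
-- [dba_admin] and the password are placeholders; CHECK_POLICY is not supported
-- on Linux, so the only policy options that apply are MUST_CHANGE and
-- CHECK_EXPIRATION (MUST_CHANGE requires CHECK_EXPIRATION = ON, so it is not
-- combined with the OFF setting used here).
USE master;
GO

-- Step 1: create the replacement sysadmin login using SQL Server authentication.
CREATE LOGIN [dba_admin]
    WITH PASSWORD = N'<StrongPasswordPlaceholder>',
         CHECK_EXPIRATION = OFF;
GO

ALTER SERVER ROLE [sysadmin] ADD MEMBER [dba_admin];
GO

-- Step 2: reconnect to the instance as [dba_admin] before continuing.

-- Step 3: disable the sa login. Existing sessions are not killed, so do this
-- only after the new login has been verified to work.
ALTER LOGIN [sa] DISABLE;
GO

-- Verification: sa must report is_disabled = 1 and dba_admin must be a sysadmin
-- (IS_SRVROLEMEMBER returns 1) before you close the original sa session.
SELECT name, is_disabled
FROM   sys.sql_logins
WHERE  name IN (N'sa', N'dba_admin');

SELECT IS_SRVROLEMEMBER(N'sysadmin', N'dba_admin') AS dba_admin_is_sysadmin;
GO
```

Keep the original sa session open until the verification query shows the expected values; if the new login fails, re-enable sa from that session with ALTER LOGIN [sa] ENABLE.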