Security limitations for SQL Server on Linux

Applies to: SQL Server - Linux

SQL Server on Linux currently has the following limitations:

  • A standard password policy is provided. MUST_CHANGE is the only option you might configure. The CHECK_POLICY option isn't supported.
  • Extensible Key Management isn't supported.
  • SQL Server authentication mode can't be disabled.
  • Password expiration is hard-coded to 90 days if you use SQL Server authentication.
  • Using keys stored in the Azure Key Vault isn't supported.
  • SQL Server generates its own self-signed certificate for encrypting connections. SQL Server can be configured to use a user provided certificate for TLS.


If you don't plan to connect your SQL Server containers to Windows Active Directory, the password expiration is hard-coded to 90 days, if you use SQL Server authentication only. To work around this issue, consider changing the CHECK_EXPIRATION policy.

For more information about security features available in SQL Server, see the Security for SQL Server Database Engine and Azure SQL Database.

Disable the sa account as a best practice

When you connect to your SQL Server instance using the sa account for the first time after installation, it's important for you to follow these steps, and then immediately disable the sa login as a security best practice.

  1. Create a new login, and make it a member of the sysadmin server role.

  2. Connect to the SQL Server instance using the new login you created.

  3. Disable the sa account, as recommended for security best practice.