2 votesJakub Szymaszek - Microsoft commented
Thank you for reporting this problem. Unfortunately, we could not reproduce it (we tried SSMS 18 Preview 4). Could you please provide the full repro, including:
- Steps (e.g. a PowerShell script) to provision/configure Azure Key Vault and a key in it.
- the schema of the database (if you can reproduce it with a database containing just one table) that would be best
- the name of the table/column that is encrypted.
58 votesJakub Szymaszek - Microsoft commented
While there is no general single solution, Azure/SQL offers at this point, you might consider a combination of the following:
- Using Always Encrypted (aka.ms/AlwaysEncrypted) to encrypt sensitive column in your database. Always Encrypted ensures only a key holder can access the data encrypted in the database (DBAs and other admins cannot).
- Assuming that by "login" above, you are referring to the SQL server administrator login, we recommend that you use this login only for the initial database setup. While there is no way to disable SQL server administrator login (that one that uses SQL authentication), we know some customers choose to "lock it down" by periodically setting its password to a random value and having audit policy that and alerts that detect any access through that login.
- In general, you may consider using Azure Active Directory authentication for database admin access (please see https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure) and have the Azure AD administrator login mapped to an Azure AD group. The group could have no standing members - admins could be added temporarily when needed.