Azure SQL Connection String

Detects Azure SQL Database connection string patterns specifically targeting the .database.windows.net domain. This pattern is based on a Microsoft Purview built-in sensitive information type. Users already running Purview may prefer to enable the built-in SIT directly, or use this version as a starting point for customisation.

Type

regex

Engine

universal

Confidence

high

Confidence justification

High confidence: .database.windows.net domain combined with credential parameters provides strong structural constraint unique to Azure SQL. Added context gating and exclusion rules improve precision and reduce incidental matches.

Detection quality

Verified

Jurisdictions

global

Regulations

Criminal Code Act 1995 (Cth)

Frameworks

CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2

Data categories

credentials, security

Scope

specific

Risk rating

10

Platform compatibility

Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Degraded, Netskope: Unsupported

Pattern

(?i)(?:Server|Data Source)\s*=\s*[^;]*\.database\.windows\.net[^;]*;\s*(?:Database|Initial Catalog)\s*=\s*[^;]+;\s*(?:User Id|Uid)\s*=\s*[^;]+;\s*(?:Password|Pwd)\s*=\s*[^;]+

Corroborative evidence keywords

Azure SQL, SQL Database, database.windows.net, connection string, Server, Password, SQL Server, connectionString, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connectionstring, cookie, credential (+44 more)

Proximity: 300 characters

Should match

• Server=myserver.database.windows.net;Database=mydb;User Id=admin;Password=P@ssw0rd123 — Standard Azure SQL connection string
• Data Source=tcp:prod-sql.database.windows.net,1433;Initial Catalog=appdb;Uid=appuser;Pwd=TestS3cret — Azure SQL with TCP and port
• Server=test.database.windows.net;Database=testdb;User Id=sa;Password=0000000000 — Azure SQL with placeholder password

Should not match

• Server=myserver.database.windows.net;Database=mydb;Integrated Security=True — Azure SQL with integrated auth, no password
• Server=localserver;Database=mydb;User Id=sa;Password=secret — Local SQL Server, not Azure
• template example placeholder record identifier — Template/sample context should be excluded even when anchor words are present

Known false positives

• Azure SQL documentation and quickstart guides with example connection strings. Mitigation: Check for common placeholder passwords and documentation context.
• Connection strings with Key Vault references instead of actual passwords. Mitigation: Check if the password value is a Key Vault URI rather than an actual credential.

References

• Azure SQL connection string entity definition - Microsoft Learn