I need that when I use an azure ad member to login I will have the view of all of the databases without typing the specific database I would like to connect to just like when logging as admin.
enter image description here
I have read this article but I still have difficulties:
https://learn.microsoft.com/en-us/azure/azure-sql/database/logins-create-manage?view=azuresql
I created the login [SQL-READ] which is a group I created in Azure AD for the master db as requested and also created a user in db master itself named SQL-READ and associated it with the login using
USE master
CREATE USER [SQL-READ] FROM LOGIN [SQL-READ];
GO
Furthermore I have created the same user SQL-READ in two more databases.
Then when I try to login with one of the accounts which are members of this SQL-READ group I get the error:
Login failed for user "xxxxxxx" 18456.
I only manage to connect when I type the specific DB name here at the picture below.
enter image description here
You should use CREATE USER [] FROM EXTERNAL PROVIDER for Azure AD logins (users and groups)
Related
I have created 2 azure security groups (Read-SQL and the second is Write-SQL) in order for them to login into multiple Azure SQL servers via SSMS using their Azure AD identity based on their group membership in order to access multiple databases on those services.
First of all I have configured an admin group on the SQL Server in our Azure tenant.
I have connected to the SQL via SSMS using my credentials and so far so good.
After that I opened a query and typed in master database
CREATE USER [SQL-READ] FROM external provider
ALTER ROLE db_datareader ADD MEMBER [SQL-READ];
(Did the same thing for Write-SQL)
only the user is created and no permission given with an error saying the user does not exist or I don't have permission.
I have Azure global administrator permission in Azure and I don't know why I get this error.
In the bottom line I would like that Read-SQL and Write-SQL will be able to login in to the SQL Server and have access to all databases within it as well as giving Read-SQL reading permissions and to Write-SQL writing permission.
I read a few Microsoft articles but I got even more confused since I don't know if I need to create a login or create a user or a contained user.
Please help
Thank you
Here are few screenshots for better understanding
enter image description here
enter image description here
Read the following articles but only partial success.
https://www.mssqltips.com/sqlservertip/6751/azure-ad-authentication-azure-sql-databases/
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?view=azuresql&tabs=azure-powershell#create-contained-users-mapped-to-azure-ad-identities
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-overview?view=azuresql
https://learn.microsoft.com/en-us/sql/relational-databases/security/contained-database-users-making-your-database-portable?view=sql-server-ver16
Whether you should create a login, user or contained user will depend on your access and security requirements. However, in Azure SQL Database, users are created per database. So, you can create the login in the master database and then you need to create the associated user in each database on that SQL Server.
This documentation gives more information on creating logins, users and contained users for Azure SQL Database.
I have a SQL Server 2017 database instance that was created before I was given administration of the database and I have a Login at DB server level named "atSupervisor" which is a user in database "StaffMonitoring". I wish to clone the login and user "atSupervisor" as login and user "bcSupervisor" in database "StaffMonitoring" to have all permissions, table access, grants etc.
I have tried a few suggestions on google such as this example - https://www.mssqltips.com/sqlservertip/3589/how-to-clone-a-sql-server-login-part-1-of-3/
This seems to creates the login and user and I can then assign the database "StaffMonitoring" in User Mapping in the login's properties and login with the user. However, none of the tables are present.
Is there a way to do this please that clones everything to include grant access to tables that mirrors the original login\user?
I'm trying to create database users that are integrated with azure active directory. All of our users are guest users. I've been following multiple articles on how to create users in the SQL db but none have worked.
For example, this article: https://www.mssqltips.com/sqlservertip/5242/adding-users-to-azure-sql-databases/
Suggest to create users like so:
CREATE USER [name#domain.com]
FROM EXTERNAL PROVIDER
WITH DEFAULT_SCHEMA = dbo;
This yields the error:
Principal 'name#domain.comm' could not be found or this principal type is not supported.
Googling this error lands me on stackoverflow post (https://dba.stackexchange.com/questions/148325/add-active-directory-user-for-azure-sql-db):
which suggests:
CREATE USER [name_domain.com#EXT##<yourAzureSubscriptionPrefix>.onmicrosoft.com] FROM EXTERNAL PROVIDER
and accesses:
EXEC sp_addrolemember 'db_datareader', 'name_domain.com#EXT##<yourAzureSubscriptionPrefix>.onmicrosoft.com'
EXEC sp_addrolemember 'db_datawriter', 'name_domain.com#EXT##<yourAzureSubscriptionPrefix>.onmicrosoft.com'
and this does not give an error, but it also does not provide access to the database. Since I get error NT AUTHORITY/ANONYMOUS LOGIN
I also tried to create an AAD group and provide that group access, also no error here but couldn't login either.
Couple of notes:
All IP addresses are allowed on the firewall
all users have been added in sql db IAM (not sure if this is even necessary)
I've enabled Active Directory Admin in the sql server, I put the subscription admin here
This is also the users with which I created users in the SQL DB
I'm able to create native sql users without a problem
Still I'm only able to login using the Active Directory Admin, and no other user is able to login.
Any advice on how I can login to my Azure sql database using windows credentials from Azure Active Directory?
When using external users, you need to use the "mangled user principal name" when adding them.
That's this one:
CREATE USER [name_domain.com#EXT##<your-azure-ad-default-domain>.onmicrosoft.com] FROM EXTERNAL PROVIDER
Secondly, the users will be created only in that database; they cannot connect to master.
So you need to choose the DB to connect to.
You may also need to specify the AAD tenant id in advanced connection settings.
The reason you might need to do this is because by default an external user will login to their home tenant. Which is not the one connected to your DB. So you may need to specify the tenant to have them explicitly login against your tenant.
I have a Admin user in our database. Admin user has access to all database object. I do not have credentials of Admin user.
My application also has Normal user which has access privileges (select/delete grants etc) on many objects of Admin user. So in SQL developer, when I create connection using Normal user, I can go to "Other Users -> Admin User" and I see many tables/views/triggers/procedures.
When I try to generate DB doc using SQL developer (Right click on connection name -> Generate DB Doc...), generated documentation contains only objects that are created by my Normal user. Report does not contain objects from Admin user, for whom my Normal user has SELECT grants. How can I include objects from Admin user into my generated DB documentation? I only want to include those objects from Admin user for whom my Normal user has SELECT grant.
Unfortunately, This only works for the connected user. That means you'll have to connect to Admin to run the dbdoc for Admin.
I've recently created a App Service + SQL in my Azure account and I want to give access to some external user, maybe using SQL authentication with username and password. I know I must allow this user IP, but I cannot find where I can create credentials or a new user for him.
I've tried creating a new login and user using SQL statements but I can't access master database.
Is what I'm trying to do possible?
Thanks
There's no need to grant users access to Master. Instead connect to the target database as an administrator and simply add the user using CREATE USER
CREATE USER SomeUserName WITH PASSWORD = 'somestrongpassword123'
See generally Controlling and granting database access