We are trying to connect to Synapse from Tableau via AAD authentication, but getting the following error (screenshot) despite I am the AAD owner and I have the owner permission in database. Is there any configuration we need to do in AAD etc?. any pointers would be really helpful.
Enter the correct details as below:
You can get server name from properties od synapse workspace as below just copy and paste them in a connection window:
make sure your AAD admin set on your workspace:
connected successfully
Related
I have an SQL Server database hosted on azure. It can access using the Azure Active Directory Service Principal. I'm trying to deploy keycloak (16.1.0) on AKS and configure the database mentioned earlier. I have an application that can connect to that SQL Server using the Azure Active Directory Service Principal. But using keycloak, it has no luck.
I have used JDBC_PARAMS="authentication=ActiveDirectoryServicePrincipal" to configure database properties in keycloak.
Thanks
Deploying keycloak on AKS
Please Follow this doc:
Connect to that SQL Server using the Azure Active Directory Service Principal
Active Directory Service Principal authentication mode, the client application can connect to Azure SQL data sources by providing the client ID and secret of a service principal identity. Service principal authentication involves:
Setting up an app registration with a secret.
Granting permissions to the app in the Azure SQL Database instance.
Connecting with the correct credential.
Grant access to Azure SQL Database
We need to give your application access to the Azure SQL Database service. This is done through the API Permissions.
Reference 1
Add client authentication
In order to authenticate Active Directory representation of it, switch over to Certificates and create a New client secret.
The following example shows how to use Active Directory Service Principal authentication
Reference 2
The following example shows how to use Active Directory Service Principal authentication.
// Use your own server, database, app ID, and secret.
string ConnectionString = #"Server=demo.database.windows.net; Authentication=Active Directory Service Principal; Database=testdb; User Id=App Id; Password=secret";
using (SqlConnection conn = new SqlConnection(ConnectionString)) {
conn.Open();
}
Refer this link .
I'm quite new to the Azure AD. So I will be grateful for any hint.
I need to enable members of a given domain (of a given Active Directory) to log in to Azure SQL Server using Azure Active Directory - Integrated Authentication.
So far I've logged into Windows and connected it to Azure Acticve Directory in Windows Setting.
Looking through the documentation, I understand that I need to select one of the authentication methods proposed by Microsoft within Azure Active Directory. The easiest seems to be Password hash synchronization. So I would like to pick this one (But if others are simpliest I am open to change that choice)
What is the easiest way to synchronise this? Can I avoid having to create a Windows Server VM and install Azure AD Connect there?
The current configuration of AD Connect on Azure Portal looks as follows:
To mention it again, the only service I care about is logging in via Azure Active Directory
I apologise if the whole question has been wrongly structured, but it is simply based on what I have found on the forums and in the documentation.
Thanks in advance for any tips
[for example: https://youtu.be/PyeAC85Gm7w?t=565, https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell#using-an-azure-ad-identity-to-connect-using-ssms-or-ssdt, https://techcommunity.microsoft.com/t5/azure-sql-blog/azure-ad-pass-through-and-password-hash-authentication-support/ba-p/1269735]
You don't need Azure AD Connect or password hash sync unless you have an on-premise Windows Server AD that you want to sync to Azure AD. Should note that AD is not the same as Azure AD. You don't need Windows Server AD with Azure SQL, just Azure AD. To grant a certain security group access to the server, you can run CREATE USER [group-name-here] FROM EXTERNAL PROVIDER; in the Azure SQL DB. Then you can use standard SQL stuff to grant that "user" access to the DB/tables.
Users should then use Azure Active Directory - Universal with MFA as the authentication method in SQL Server Management Studio.
We're using MicroStrategy on-premises to access a warehouse in Snowflake. All the users connecting to Snowflake are authenticated through Azure AD. We want the same for MicroStrategy instead of using a local Snowflake account.
Is that possible?
Right now, when a user wants to connect through ODBC, we set up the Authenticator = ExternalBrowser. So when they use any software, the browser pops up for the authentication and then they continue to do their thing.
How can I set the ODBC of the MicroStrategy server to use the Azure AD authentication, without using the browser and by specifying the username we created for MicroStrategy in our AD.
Thanks,
JFS.
This likely requires you to configure MicroStrategy, Snowflake, and Azure AD to leverage OAuth2.
MicroStrategy has a how to guide here:
https://www2.microstrategy.com/producthelp/current/Gateway_Connections/WebHelp/Lang_1033/Content/integrate_sso_using_azure_for_snowflake.htm
I have a problem when connecting to an Azure SQL Database using SSMS under this scenario:
Have a work laptop connected to work domain via VPN
The database is in a different Azure tenant (tenant B) to my work Azure tenant
(tenant A).
My work account is set up via AAD in the work Azure tenant (A)
and is a guest account in other tenant (B)
Have the latest version of SSMS
Granted user access to the Azure SQL database
I connect via SSMS using the Azure Active Directory - Universal
with MFA option
Note all default options are set and have also tried setting the database
I know the database access has been correctly set up as I have successfully been able to connect in the above scenario when I use Azure Data Studio instead of SSMS, but only because I have the option to change "Azure AD tenant" property from "Tenant A" to "Default Directory".
I have been able to connect OK when using SSMS with my personal computer using the same account / method, except it is not using a work account and is not connected to the work domain.
Seems like my issue is that I cannot change the "Azure AD tenant" property in SSMS and it is using the tenant associated with my account. I have also tested with a number of different people and they have the same issue. I have also set the default Azure directory to tenant B in the Azure portal.
Does anyone have any suggestion how I can get this to work in SSMS?
Azure Data Studio connection
Thanks Tony
OK, I am answering my own question.
I have a work-around which involves:
Create a connection in Azure Data Studio and setting the Azure AD Tenant to "default directory"
In SSMS, connect to the Database using the Azure Data Studio connection in the Registered Servers pane
Not ideal, but it works.
I am trying to access the Azure AD graph API. I have successfully added users to my test environment (ADFS) and changed their domain to {mytestdomain}.onmicrosoft.com. The password synchronization using Azure AD Connect works.
Now I have setup the production environment (including ADFS) accordingly and I am now synchronizing the users, but obviously can't change the domains to {mydomain}.onmicrosoft.com. The users now have {mydomain}.net and I am synchronizing the users to a verified domain in Azure AD.
When trying to access
https://login.microsoftonline.com/{mydomain}.net/oauth2/token
using the following (yes, I know that grant_type is not recommended, but that's not the point)
grant_type: password
username: {user}#{mydomain}.net
password: XXXX
resource: https://graph.windows.net
client_id: {Guid}
I get:
AADSTS70002: Error validating credentials.
AADSTS50126: Invalid username or password
If I use an administrator like admin#{mydomain}.onmicrosoft.com it works fine.
In the Azure portal I have tried changing the primary domain from {mydomain}.onmicrosoft.com to {mydomain}.net, but it does not make a difference.
It says in the management portal:
"To configure {mydomain} for federated sign-on to your Azure Active Directory, run Azure AD Connect on your local network."
Does that apply when using the graph API as well? Do I have to setup federation on my local network or is there another way around?
In the azure portal I have tried changing the primary domain from
{mydomain}.onmicrosoft.com to {mydomain}.net, but it does not make a
difference.
I'm not clear the details of your Syncing steps. Besides verified you custom domain in Azure AD, you also need some other configurations, like Azure AD sign-in configuration. You can see more details in this document.
Does that apply when using the graph api as well? Do I have to setup
federation on my local network or is there another way around?
Yes, Since you're using ADFS, you need to use Federated SSO (with Active Directory Federation Services (AD FS)) to allows your users to sign in to both cloud and on-premises resources by using the same passwords.
You can also see more details about Azure AD Connect user sign-in options in this official document.
Hope it helps!