So first I wanted to import a table from Powerapps dataverse to use it on Azure ML, for this I created an Azure Synapse link for the table into the Azure Portal. Now from the Storage account which has my table I tried creating a datastore and then select the path. But I am facing an issue because whenever I click on select path it appears blank and shows error that-
Error when accessing datastore: Unable to access data because it does not exist, is behind a virtual network, or you do not have Storage Blob Data Reader role on this storage account.
Even I tried using the Import Data function to directly link the Synapse link which couldn't happen.
So can anyone help me out in this?
Related
I have created 2 azure security groups (Read-SQL and the second is Write-SQL) in order for them to login into multiple Azure SQL servers via SSMS using their Azure AD identity based on their group membership in order to access multiple databases on those services.
First of all I have configured an admin group on the SQL Server in our Azure tenant.
I have connected to the SQL via SSMS using my credentials and so far so good.
After that I opened a query and typed in master database
CREATE USER [SQL-READ] FROM external provider
ALTER ROLE db_datareader ADD MEMBER [SQL-READ];
(Did the same thing for Write-SQL)
only the user is created and no permission given with an error saying the user does not exist or I don't have permission.
I have Azure global administrator permission in Azure and I don't know why I get this error.
In the bottom line I would like that Read-SQL and Write-SQL will be able to login in to the SQL Server and have access to all databases within it as well as giving Read-SQL reading permissions and to Write-SQL writing permission.
I read a few Microsoft articles but I got even more confused since I don't know if I need to create a login or create a user or a contained user.
Please help
Thank you
Here are few screenshots for better understanding
enter image description here
enter image description here
Read the following articles but only partial success.
https://www.mssqltips.com/sqlservertip/6751/azure-ad-authentication-azure-sql-databases/
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?view=azuresql&tabs=azure-powershell#create-contained-users-mapped-to-azure-ad-identities
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-overview?view=azuresql
https://learn.microsoft.com/en-us/sql/relational-databases/security/contained-database-users-making-your-database-portable?view=sql-server-ver16
Whether you should create a login, user or contained user will depend on your access and security requirements. However, in Azure SQL Database, users are created per database. So, you can create the login in the master database and then you need to create the associated user in each database on that SQL Server.
This documentation gives more information on creating logins, users and contained users for Azure SQL Database.
I granted someone in my org a Storage Blob Data Contributor Role on an Azure Storage Account. The user is unable to add the Storage Account to Azure Storage Explorer (ASE).
Upon opening ASE (and being authenticated to the correct Azure Subscription), the Storage Account is not listed under Emulated & Attached.
Steps taken by user to attempt to connect:
Open ASE
Click Open Connect Dialog
Select ADLS Gen2 Container or Directory
Note: Account kind = StorageV2 (general purpose v2) which I think is considered ADLS Gen2
Select Sign-in with AAD, then Sign-in as needed
Name the connection and enter the Container URL
Issue:
For the user in question, at this point of the process, the Next button is grayed out.
(Its available to me in the screenshot as I have correct role).
As soon as I give the user Contribute access on the Account, they refresh and the Account shows up under the Emulated & Attached section of ASE. However, Contribute Role on the entire Account is too permissive in this case and was done only for troubleshooting.
Question:
How do users with Storage Blob Data Contributor Role interact with Storage Containers in ASE?
Note that, Storage Blob Data Contributor role is enough to interact with storage containers in ASE.
I tried to reproduce the same in my environment and got below results:
I created one general purpose v2 storage account and assigned "Storage Blob Data Contributor" role to one user like below:
Now I signed into Azure Storage Explorer with demo user account like below:
I followed same steps as you mentioned to connect storage container like below:
To connect, I selected Sign in using Azure AD account like below:
Make sure to select correct user and tenant like below:
When I entered connection name and container URL, the Next button is not grayed out for me like below:
After selecting Next, I got Summary screen to connect as below:
Now, I'm able to see the connection successfully under Emulated & Attached like below:
Reference:
Azure Storage Explorer troubleshooting guide | Microsoft
I have a specific problem to which I couldn't find any answer online.
The situation is the following:
We created a Canvas app that connects to the Azure SQL database. We set the connection type to be AAD integrated.
Users that are members of the AD can see the data in the app, but guest users, even though we gave them all the rights and PowerApps plan, cannot see the data. they recieve the same authorization window as members, but when they click on allow, the app starts but no data is being pulled from the SQL database.
When we try to connect directly to the Azure SQL database with the guest user email and credentials (via SQL server management studio), everything works as expected and the guest can see all the tables.
When we use implicitly shared connection (with SQL server authentification), guests can see the data, but we need to use AAD integrated due to its security.
So far we tried:
Changing PA environment from sandbox to production
Adding special permissions in SQL database like database owner etc
Trying out different AAD guest user settings, eq- setting that guest users have the same privileges as members (picture below).
Nothing seems to work. I would be more than happy if you could tell me how to make this work or even push me in the right direction.
I've reproduced your problem in my side. Here's my experience.
After assigning powerapp license(I use O365 E5 here) to guest account and share the app to this account, I can visit the app but can't see the data in the table. I assume that it resulted from the connector hasn't been shared, but it's true that this connector can't be shared because of no 'share button'.
Then I tried to add access policy to my guest account with these two sql:
CREATE USER [tiny-wa_outlook.com#EXT##xx.onmicrosoft.com] FROM EXTERNAL PROVIDER;
GRANT SELECT ON dbo.tinyTest TO [tiny-wa_outlook.com#EXT##xx.onmicrosoft.com];
Pls note here, I used the User Principal Name here(can find the principal name in azure ad->users), I also tested to use 'tiny-wa#outlook.com' in the sql but after executing successfully, it didn't work.
So I think you can try to use the sql above to add your guests accounts and make them can access the powerapp.
Here's some related docs:
create contained users mapped to azure ad identities
Share app resources
add table permission to user
==========================UPDATE==========================
Share my experience of this troubleshot.
First I need to create a power app but I found that after creating the connector with sql server azure ad authentication, it can't connect to the sql server, the error message is like 'Credentials are missing or not valid. inner exception: The credentials provided for the SQL source are invalid', solution is add my admin account as sql server instance Active Directory Admin.
Then I choose a table and successfully create a sample app. With the creating account, I can visit the app but other accounts can't. Here needs to share the app and it's related connectors to other users. But other accounts still can't reach the app because of no license. Because sql server connector is premium connector, so I assign O365 E3 license here. I met an error when assign license, the user's 'Usage location' can't be null or it can't assign license in M365 admin center.
Then I met similar error with Op, the difference is that both member account and guest account can't see the data in app. I try to find the way to share the connector to these uses but failed, I haven't made sure if those connectors without share button can be shared to others. So I have no options to study if this kind of connectors are authenticated in other ways so they don't need to be shared at all.
Next actions is using the account which used to create the sql server and database to sign in database and execute the sqls above.
Then the member account can see data in the power app while the guest account can't see. The reason is I used xx#outlook.com as the parameter in the sql, when I used xx_outlook.com#EXT##xx.onmicrosoft.com, it worked finally.
Hope this can also help you.
===================================================
For creating my demo app: First, I'm sure my environment isn't a sandbox(the environment in the screenshot below). And I think it's easy to create a demo app, and my app is simple, just choose to create an app from data and then select sql server as the connector, next I choose auzre ad auth and click the connector, enter server name and database name then choose a table, after that my app has created. That table has one row of data so when I signed in the app with the creating account, I see it in the screen while other accounts(member or guests) can't.
My sql server instance and database are created long time ago, but I'm sure I followed this tutorial to create them.
This appears to still be a limitation to access to Azure SQL via PA connector for guest users:
https://powerusers.microsoft.com/t5/Power-Apps-Ideas/Azure-SQL-to-PowerApps-Connector-AAD-doesn-t-work-for-guest/idi-p/1637817
If the "guest" does NOT have a PowerApps Per-App/Per-User plan, they cannot use your PowerApps with SQL data source (Note: SQL is a premium connector).
Determine exactly which type of license the guest has. Then, either your organization or the guest (or guest's org) must purchase one of these licenses. $5/$10/$20 per month depending on your use case.
REF
I would like to test my scim integration with Azure Active Directory.
I created provisioning in DataBricks, but the list of attributes is missing email.
How do I add it?
Update after the answer was accepted: I was trying to use DataBricks in order to test my SCIM implementation for Azure. The right way is to create an app, edit mappings according to the needs and submit the app to the Azure AD.
Your question is unclear. How are you trying to provision from Azure AD to Databricks? You should be adding the Databricks Enterprise App from the gallery (see documentation for exact steps). The gallery app has the mappings preconfigured in a way tailored to Databricks - specifically, it's set to not attempt updates on userName or email attributes as both are immutable in the Databricks system.
I'm trying to export a database from a CloudSQL SQL Server Express Database, that is currently attached on a user other than sqlserver, and import it on a new CloudSQL SQL Server Standard Database. While I can export/import normally with BAK files, I'm unable to create a new user on the destination database and grant it the db_owner on the imported schema, everything always goes only to the sqlserver user. Can someone help me out?
Best regards.
You haven't mentioned what have you tried, for creating users and what output you received when you tried that.
But have you tried creating the user using gcloud cli? gcloud sql users create
https://cloud.google.com/sdk/gcloud/reference/sql/users/create
You can assign the above user to access a specific database once it has been created using the command above.
If the new Standard Database is on a new Cloud SQL instance, you might be using the new default MASTER database. By design, the "db_owner" role cannot be attributed there, so you may create a new database and grant the role on that new one instead.