I've got an Azure App Service that needs access to a classic SQL Server (non-Azure SQL, not SQL Managed Instance) and I'd prefer to do this via System Managed Identity. This is enabled on the App Service and a corresponding Enterprise Application is created on Azure AD.
The SQL Server is also connected to this Azure AD and User accounts on the AD already have access to the database. However I can't find how to create a login for the Enterprise Application. If this was an Azure SQL database I could do it with CREATE LOGIN [AZUREAD\app] FROM EXTERNAL PROVIDER but this does not work on a classic SQL Server, only on Azure SQL/MI.
A solution would be to use SQL accounts and reference the login/password in the connection strings, but as mentioned I'd much rather use Azure AD for authentication.
To answer my own question: SQL Server 2022 includes Azure AD authentication Link
Using integrated security or an access token it will be possible to authenticate with an App Registration.
This is currently in preview with no RTM date specified.
Related
I have a local instance of SQL Server installed. I installed it as the machine's administrator.
Now I want to create a user for a database on that server, but the user is not a local windows user, but an Azure AD user.
I tried to execute the code mentioned in the Create SQL Login for Azure Active Directory User
CREATE USER [alice#fabrikam.onmicrosoft.com]
FROM EXTERNAL PROVIDER;
but I always get the error:
Incorrect syntax near 'PROVIDER'
Now to reiterate, it is not an Azure SQL database, it's a machine's local SQL Server hosting its own databases.
Unfortunately, you can't use Azure AD user for on-premises SQL Server user.
The link you have shared is only applicable for Azure PaaS services like Azure SQL Database, Azure Managed Instance, etc.
As per this official doc
Two questions I am not in a position to confirm via deploying to an Azure resource group (due to my account limitations). So far, I have not found resources that answers my questions.
1. AD Users and Groups
Can Active Directory (AD) Users and AD Groups SQL Server Logins or Database users be migrated from On premise SQL databases to Azure SQL?
The environment I will be working on has the on premise AD synced to Azure Active Directory (AAD).
So far, I have only seen that SQL Logins can be migrated.
2. Authentication
I know that SQL Login and Windows Authentication login are options to connect to the Source database. Are both of these option also available in the destination Azure SQL database?
So far I have only seen SQL Login as an option for connection to the destination database (see below screenshot). This might be because there are no AAD accounts associated with the blank Azure SQL target database I am trying to connect to. The Server Admin is set for the target database.
No, unfortunately you can't migrate the Active Directory (AD) Users and AD Groups to Azure SQL Database. Yes, you move SQL logins from the SQL Server source to Azure SQL Database by using Database Migration Service in offline mode.
You can also migrate Windows users and groups using T-SQL DDL syntax with the help of this tutorial.
You can use Azure AD authentication to connect with Azure SQL Database. It is an alternative to SQL Logins Authentication. Please refer Azure Active Directory authentication for more details.
You can simply use SQL Server Management Studio (SSMS) to connect with Azure SQL Database using Azure AD credentials. Install the SSMS on your local windows machine and login with AAD credentials as shown in image below.
We're using MicroStrategy on-premises to access a warehouse in Snowflake. All the users connecting to Snowflake are authenticated through Azure AD. We want the same for MicroStrategy instead of using a local Snowflake account.
Is that possible?
Right now, when a user wants to connect through ODBC, we set up the Authenticator = ExternalBrowser. So when they use any software, the browser pops up for the authentication and then they continue to do their thing.
How can I set the ODBC of the MicroStrategy server to use the Azure AD authentication, without using the browser and by specifying the username we created for MicroStrategy in our AD.
Thanks,
JFS.
This likely requires you to configure MicroStrategy, Snowflake, and Azure AD to leverage OAuth2.
MicroStrategy has a how to guide here:
https://www2.microstrategy.com/producthelp/current/Gateway_Connections/WebHelp/Lang_1033/Content/integrate_sso_using_azure_for_snowflake.htm
Currently I have everything on premise - .NET Core 3.0 API and SQL Server database.
Azure AD/Service account are configured in IIS and database has given access to the service account.
All requests use that Azure AD service account.
Now we are planning for an Azure migration. API is published in App Services.
Now I want to use the same Azure AD account to connect to an Azure SQL Server database.
How should I do that?
Don't send me Microsoft links, those are having toooo much info.
Tell what and how to do configuration in Azure SQL and App Services.
Any help is appreciated.
Now I want to use the same AD account to connect to an Azure SQL Server database.
AD accounts can't connect to Azure SQL Database. Only SQL and Azure Active Directory (AAD) Logins/Users.
There are some options, but there's a clear best-practice: Provision a Managed Service Identity (MSI) for your Azure App Service Application and use that to connect to SQL Server.
Here is a simple tutorial for how you should integrate App Service and Azure SQL Database:
Tutorial: Secure Azure SQL Database connection from App Service using a managed identity
I need to connect my web app on Azure to our on site SQL Server instance via Windows authentication (not via SQL Server account authentication). Active Directory is already integrated with the on-site AD and therefore all of the users are available there.
My question is, is it possible to hook up an azure web app to an on-site SQL Server via Windows authentication.
is it possible to hook up an azure web app to an on-site SQL Server via Windows authentication.
Base on my option, it maybe that we couldn’t do that. As we have been limited to do that operation for azure WebApp. There is also another SO thread mentioned that.
If we want to connect to on premise SQL Server, we can use hybrid connections to access on-premises SQL server database in Azure WebApp, more info please refer to the document.
If we want to authenticate the WebApp with local Active Directory, and we have an on-premises secure token service (STS) like Active Directory Federation Services (AD FS), we could use that to federate authentication for our Azure WebApp. More info please refer to the document.
Hybrid connections at this time does not support AD accounts due to
because you cannot domain join an App Service worker