I am unable to connect a my Azure SQL Database to Purview. I have already followed the steps described in all the documentation. I keep getting the following error code: Error: (5521) Permission is not sufficient to perform SQL action in database.enter image description here See also the pictures below.
Does anyone happen to have an answer to this, thanks in advance!
Error: (5521) Permission is not sufficient to perform SQL action in database
This error causes because of Azure Connections and Permission issue. Please follow the below steps:
Allow Azure Connection
Enabling Azure connections will allow Microsoft Purview to reach and connect the server without updating the firewall itself.
Go to Database account > select overview page >Select Security > Firewalls and virtual networks > Select Yes for Allow Azure services.
You can follow this link.
Assign Key Vault Access Policy
Create a Secret in the Azure Key vault > Assign Access using Key Vault Access Policy > Create Azure Key Vaults connections in your Azure Purview account > Register an Azure SQL Database data source> Create a scan rule by selecting the previously created credentials.
Follow below reference it has detail information:
Reference:
https://www.youtube.com/watch?v=Kteh9cXkHIE
https://www.youtube.com/watch?v=xgABjnuPMWM
https://learn.microsoft.com/en-us/azure/purview/register-scan-azure-sql-database?tabs=sql-authentication#lineagepreview
Troubleshoot your connections in Microsoft Purview - Microsoft Purview | Microsoft Docs
Related
I followed this tutorial from Azure team: Connect to and manage an `Azure SQL Managed Instance in Microsoft Purview. As shown in the image 1 below, the scan process successfully tested the connection. But later the scanning fails with the following error:
Error: (3860) Unable to access sql server with the specified connection parameters. Please ensure that the connection parameters can login to 'master' db to enumerate the other databases in the sql server.
Question: What I may be doing wrong, and can we resolve the issue?
Remarks: As shown in the image below, the database selected for scanning is AdventureWorksLT2019. In Purview, for Authentication, I am using System Assigned Managed Identity (SAMI) that is the name myPurview of my purview account. And myPurview is a member of db_datareader and db_datawriter in the database. Moreover, in the New Login window of SSMS (image 2 below), when I enter myPurview as as AAD account and click ok, the login window recognizes myPurview as a principal identity successfully add it as a login. I verified it by trying the same process by adding a fake name testPuview, and the same login dialog did not recognize it and threw the error Principal testPuview could not be found or this principal type is not supported. (Microsoft SQL Server, Error: 33130).
After myPurview was successfully added as a login, I then added it to database with the read/write permissions. I also followed the Configure public endpoint in Azure SQL Managed Instance article. So, I am not sure what may be causing the error
Image 1:
Image 2:
As per my understanding, Azure purview is failing to scan your Azure SQL managed Instance. A managed VNET IR needs to be created to have the managed private endpoints enabled. Please make sure to check if the option is grey out. Managed private endpoint requires you to set up managed vnet integration runtimes first and also requires data source admin roles. Please let me know if you need further assistance on this.
I'm trying to store connection string of SQL Server in Azure keyvault and use the same secret in linked service of Azure datafactory.
I'm trying to specify the name of the Azure Key Vault secret that stores the destined Azure SQL Database linked service's connection string
Server=tcp:<servername>.database.windows.net,3342;Database=<databasename>;User ID=<username>#<servername>;Password=<password>;Trusted_Connection=False;Encrypt=True;Connection Timeout=30
But I am facing the below error:
Cannot connect to SQL Database: 'tcp:xxxx.database.windows.net,3342', Database: 'databasename', User: 'username#servername'. Check the linked service configuration is correct, and make sure the SQL Database firewall allows the integration runtime to access. Login failed for user 'username#servername'., SqlErrorNumber=18456,Class=14,State=1, Activity ID: 20aa7503-3b71-4539-a658-a2b5be87278f.
How can I create and use a connection string in ADF linked service using AKV?
It seems to be an issue with SQL server firewall blocking Azure Integration Runtime IP address. Please go to the SQL server in Portal - > Firewalls and virtual networks option under Security and enable Allow Azure Services and resources to access this server.
To know the IP address that needs to be add in the Firewall Rules, just run any SQL query in the database and the error message will occur asking to whitelist the IP. Either click on that error message or add the IP manually in the Rule name under Firewall.
Apart from that you need to add the database connection string in the Key Vault Secret Value and then add the secret name in the ADF SQL database linked service and check the connection(add database password in the connection string before pasting in Secret's Value). Give the read rights (GET and List) to the secret in the access policies.
Create a ADF Linked Service of the Key Vault you have created previously and check the connection.
Using that Key Vault Linked Service, create the SQL Database linked service and check for connection.
Refer to the link for step-by-step implementation to connect the SQL Database in ADF using Azure Key Vault.
I am stuck with the same situation mentioned here in this URL.See SO question Here
. I am having a Azure VM and Sql Azure db. From Sql Azure Db i am using external table to query Azure VM Sql but with error:
The underlying error message received was: 'A connection was
successfully established with the server, but then an error occurred
during the login process. (provider: SSL Provider, error: 0 - The
certificate chain was issued by an authority that is not trusted.)'.
I knew its a CA certificate error. But I cant purchase certificate as of now. So I wanted to if i can use self signed certificate for the same.
I am having a certificate in my Azure VM. See below in screenshot. Will it work? Do I need to install that in my Sql Azure Db too?
If you are talking about Azure SQL Database elastic queries they can only be created between Azure SQL databases. You will find more information here.
Linked servers to SQL Azure databases are now supported as demonstrated here.
Hope this helps.
Regards,
Alberto Morillo
A user is trying to connect to an Azure SQL Database via SQL Server Management Studio (SSMS v16.5.1).
The user's current IP address is not listed in the Azure SQL Server's firewall rules.
Because of this the user is shown the New Firewall Rule dialog.
When the user signs in using their Azure Active Directory (Azure AD) credentials they get an error message saying:
Account has no subscriptions
Clicking "Details" shows:
We experienced issues in connecting to Azure
Additional information:
login account does not have Azure subscriptions.
(Microsoft.SqlServer.Management.ApplicationAuthenticationManagement)
Why is the user getting this error message and how can they add a new firewall rule for their IP address?
Azure support have shared the below with me, based on an Azure documentation article.
Given an Azure SQL Server, only the Active Directory admin or SQL Server admin have permissions to add firewall rules at the server level.
The above error message (somewhat obscurely) indicates that the user is neither.
My personal experience also suggests that Azure AD accounts that are assigned as Subscription Co-administrators can also set firewall rules.
If, and only if, giving the user permissions is appropriate, this can be done by one of three ways:
Specifying the user as the SQL Server admin.
Setting the server's Active Directory admin to be an Azure Active Directory Group and making the user's AD account a member of this group.
Making the user a Co-administrator for the Subscription via https://manage.windowsazure.com/
Be sure to understand the security implications of each option before taking action.
Look at these two tutorials that will be live shortly (later on 1/13/2017):
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-control-access-sql-authentication-get-started
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-control-access-aad-authentication-get-started
These tutorials discuss using server and database level firewall rules with SQL Server authentication and Azure Active Directory authentication.
I hope these help,
Carl
In Azure Portal (https://portal.azure.com/#resource/subscriptions/{Your-GUID}/resourceGroups/AdminPortalDev/providers/Microsoft.Sql/servers/wjidentityserver/databases/{Your-DATABASE_SERVER}/overview )
Select your database
Select "Overview"
"Set server firewall" on the toolbar
Add client IP on the toolbar
Then you will be able to connect from the new IP address.
I was able to add the IP address without being administrator.
The steps in more details are described in https://learn.microsoft.com/en-us/azure/sql-database/sql-database-security-tutorial#create-a-server-level-firewall-rule-in-the-azure-portal.
Other question Client with IP addres is not allowed to access the server Azuredb describes more meaningful message and the same resolution.
I have created an Access 2013 web app which creates an Azure SQL database behind the scenes on our O365 SharePoint web site. I can access this database using SSMS studio (I have the professional version not the express version).
I would like to link to the Azure database tables or be able to copy the database. The reason for this is that I cannot create views in the Azure database and the Access web app is too limited for our external reporting needs. We don't need to create views or tables in the Azure database we only need to access the information stored in its tables.
Whenever I try to right click on the Azure database to perform a task I receive the following error.
Cannot open server 'xxxxxxx' requested by the login. Client with IP address 'xxx.xxx.xxx.xxx' is not allowed to access the server. To enable access, use the Windows Azure Management Portal or run sp_set_firewall_rule on the master database to create a firewall rule for this IP address or address range.
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft%20SQL%20Server&EvtSrc=MSSQLServer&EvtID=40615&LinkId=20476
The provided link is useless, it contains no information (There is no additional information about this issue in the Error and Event Log Messages or Knowledge Base databases at this time).
How do I take care of this error or how can I link to the Azure SQL database.
When viewing your database in the Azure management portal, there is an option on the right hand side that says Manage allowed IP addresses. That link will take you to a page where you can enter IP addresses that will be allowed through the firewall.
Here's a link to the MSDN article: How to: Configure Firewall Settings (Azure SQL Database)
Manage Server-Level Firewall Rules through Transact-SQL
Launch a query window through the Management Portal or through SQL
Server Management Studio.
Verify you are connected to the master database
Server-level firewall rules can be created, updated, or deleted from within the query window
To create or update server-level firewall rules, execute the sp_set_firewall rule stored procedure. The following example enables a range of IP addresses on the server Contoso.
EXEC sp_set_firewall_rule #name = N'ContosoFirewallRule', #start_ip_address = '192.168.1.1', #end_ip_address = '192.168.1.10'