Azure Database Migration Service security questions - sql-server

Two questions I am not in a position to confirm via deploying to an Azure resource group (due to my account limitations). So far, I have not found resources that answers my questions.
1. AD Users and Groups
Can Active Directory (AD) Users and AD Groups SQL Server Logins or Database users be migrated from On premise SQL databases to Azure SQL?
The environment I will be working on has the on premise AD synced to Azure Active Directory (AAD).
So far, I have only seen that SQL Logins can be migrated.
2. Authentication
I know that SQL Login and Windows Authentication login are options to connect to the Source database. Are both of these option also available in the destination Azure SQL database?
So far I have only seen SQL Login as an option for connection to the destination database (see below screenshot). This might be because there are no AAD accounts associated with the blank Azure SQL target database I am trying to connect to. The Server Admin is set for the target database.

No, unfortunately you can't migrate the Active Directory (AD) Users and AD Groups to Azure SQL Database. Yes, you move SQL logins from the SQL Server source to Azure SQL Database by using Database Migration Service in offline mode.
You can also migrate Windows users and groups using T-SQL DDL syntax with the help of this tutorial.
You can use Azure AD authentication to connect with Azure SQL Database. It is an alternative to SQL Logins Authentication. Please refer Azure Active Directory authentication for more details.
You can simply use SQL Server Management Studio (SSMS) to connect with Azure SQL Database using Azure AD credentials. Install the SSMS on your local windows machine and login with AAD credentials as shown in image below.

Related

Give System Managed Identity access to classic SQL Server

I've got an Azure App Service that needs access to a classic SQL Server (non-Azure SQL, not SQL Managed Instance) and I'd prefer to do this via System Managed Identity. This is enabled on the App Service and a corresponding Enterprise Application is created on Azure AD.
The SQL Server is also connected to this Azure AD and User accounts on the AD already have access to the database. However I can't find how to create a login for the Enterprise Application. If this was an Azure SQL database I could do it with CREATE LOGIN [AZUREAD\app] FROM EXTERNAL PROVIDER but this does not work on a classic SQL Server, only on Azure SQL/MI.
A solution would be to use SQL accounts and reference the login/password in the connection strings, but as mentioned I'd much rather use Azure AD for authentication.
To answer my own question: SQL Server 2022 includes Azure AD authentication Link
Using integrated security or an access token it will be possible to authenticate with an App Registration.
This is currently in preview with no RTM date specified.

Create user login on a local instance of SQL Server - for an Azure AD user

I have a local instance of SQL Server installed. I installed it as the machine's administrator.
Now I want to create a user for a database on that server, but the user is not a local windows user, but an Azure AD user.
I tried to execute the code mentioned in the Create SQL Login for Azure Active Directory User
CREATE USER [alice#fabrikam.onmicrosoft.com]
FROM EXTERNAL PROVIDER;
but I always get the error:
Incorrect syntax near 'PROVIDER'
Now to reiterate, it is not an Azure SQL database, it's a machine's local SQL Server hosting its own databases.
Unfortunately, you can't use Azure AD user for on-premises SQL Server user.
The link you have shared is only applicable for Azure PaaS services like Azure SQL Database, Azure Managed Instance, etc.
As per this official doc

Migrate SQL server to SQL Managed Instance

If I use one of the methods to migrate a SQL server instance with several databases into a Azure Managed Instance, would the procedure also replicate any login accounts with access rights?
Particular interested in knowing how this handles Active Directory accounts
From what I know, it doesn't and you cannot use Windows Authentication but only SQL Server Authentication or Azure AD. I've migrated several times a local database of my local SQL Server instance to Azure and I've done it using Export Data-Tier to .bacpac (this is the extension of the DB in Azure) and then deploying it (both actions from SSMS):
However, please be aware that you have to drop any users that use for authentication Windows Authentication because you'll get an error at the moment of deploying it since it cannot inherit your server's active directory settings. Then, you can define your own AD in Azure and use it.
Managed instance is a new deployment option of Azure SQL Database, providing near 100% compatibility with the latest SQL Server on-premises (Enterprise Edition) Database Engine.
The migration only support replicate the login.
You could get this from this document: Tutorial: Migrate SQL Server to an Azure SQL Database managed instance offline using DMS:
By default, Azure Database Migration Service only supports migrating SQL logins. To enable support for migrating Windows logins, see the Prerequisites section of this tutorial.
That means you must re-create all the users and grant it access right(database roles) manually.
Hope this helps.

SQL Server on Azure VM: How can my application connect?

I have an application written in VB, which used to connect with a Microsoft SQL Server, which is placed on a VM in the domain, using Windows Authentication(Local Domain).
But, I have moved my DB to a SQL Server which is placed on an Azure VM.
My problem is that i don't know how i can use Windows Authentication(or somehow to "ask" the Active Directory about the user who tries to connect).
I have seen the modes of SQL Server:
Active Directory - Password
Active Directory - Integrated
but i can't understand how i can use them. Should i have to do trust relation between 2 domain(Local, Azure)?
Can someone help?
I have moved my DB to a SQL Server which is placed on an Azure VM.
SQL on an Azure VM is the same product you might run on-premises, and supports SQL Auth and Windows Integrated Auth. The Azure Active Directory authentication methods supported by Azure SQL Database and Azure SQL Data Warehouse are not applicable to SQL Server running in an Azure VM. See:
Azure Active Directory authentication is a mechanism of connecting to
Azure SQL Database and SQL Data Warehouse by using identities in Azure
Active Directory (Azure AD).
See Use Azure Active Directory Authentication for authentication with SQL Database, Managed Instance, or SQL Data Warehouse
For SQL Server running in an Azure VM you use either SQL Authentication or Windows Authenticationl, as outlined here Authentication in SQL Server
You can use Windows Auth in your VM with either local accounts (created on the VM), or you can deploy a Domain Controller on a separate VM into your VMs VNET and use identities from the Domain. The Domain Controller you deploy into your Azure VNET can be an isolated Domain, or it can be a replica for your on-premises domain. If you want to deploy a replica of your on-premises domain into an Azure VNET you also will need to use a site-to-site VPN or ExpressRoute, as explained here Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines

Does adding an Active Directory admin to an Azure SQL server affect admin account

We currently have around 400 client databases hosted on a SQL Server in Azure. When initially setup, no Active Directory admin user was set, only a server admin and this server admin is used at the moment for all connection strings. If I were to add an Active Directory admin to the server, would this have any effect on the connection of any of the databases using the server admin? In other words, would the server admin still work fine and adding Active Directory admin not disconnect any users currently connected to the SQL server?
No, adding an Azure AD Admin won’t affect any connections using the Server Admin or any other login.
However, the recommended way applications should connect to SQL Azure databases is via contained users. Contained users do not get disconnected during failovers (geo-replication) and they travel with the databases (backups, readable copies).
Agree with Alberto Morillo, we should connect to SQL Azure databases via contained users.
More information about contained users, please refer to this link.
By the way, when we setting up the Azure AD admin, the new admin name
(user or group) cannot already be present in the virtual master
database as a SQL Server authentication user. If present, the Azure AD
admin setup will fail; rolling back its creation and indicating that
such an admin (name) already exists. Since such a SQL Server
authentication user is not part of the Azure AD, any effort to connect
to the server using Azure AD authentication fails.
More information about provision an Azure Active Directory adminstrator for your Azure SQL server, please refer to this article.

Resources