We are looking at moving a number of applications from on prem SQL Servers upto Azure as a Paas offering, what would be the best way to grant the Database team access to these databases? They'll be under one tenant but spread across a couple of subscriptions and multiple resource groups.
Moving forward i'd also like for them to have permissions automatically for any new SQL database added to any resource group within our tenant.
Little bit confused on the best approach?
Thanks in advance
Dave
You need to perform below mentioned tasks to achieve your requirement.
create an Azure Active Directory user
create an Azure Active Directory group and assign the user group
add an Azure Active Directory user/group as an Azure SQL
Administrator
add Azure Active Directory users to Azure SQL Database
Follow this third-party tutorial to implement the same.
Additionally, you can have Database-level role for each user for more safety of the data. Please check this official document from Microsoft.
Related
I am developing a background worker that moves database between pools, create a pool, delete a pool, etc. I couldn't find in Microsoft document what the minimum required access to do such tasks? Admin to Azure SQL Server, Contributor or anything? I also read both server and database statistics from sys.* databases.
You need atleat Contributor role to perform create, delete, move, etc. related task.
A Contributor role allow to Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
Please refer https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor for more details.
To read data from system tables make sure you have required role assigned on database level, e.g., db_datareader role.
We currently have an Azure Active Directory tenant, which replicates via AD Connect our on-premises Windows users. We have an on-premises Exchange Server where accounts are my-company.com.
We have another email domain my-company.io for which there are no users yet.
In the immediate future, we want to create a few mailboxes for my-company.io directly in Exchange Online (not on our Exchange Server). These mailboxes will not be attached to Windows domain users.
Later this year, we want to start migrating our my-company.com Exchange mailboxes to Exchange Online, gradually with a hybrid setup.
In this scenario, what does make more sense?
a) Create second tenant in our Azure account, create there any my-company.io AAD users, then add these users to Exchange Online.
b) Add another domain to our existing tenant, create there any my-company.io AAD users, then add these users to Exchange Online.
Our concern is if activating Exchange Online for my-company.io users in the existing tenant, will interfere in any way our future plan to migrate to Exchange Online for my-company.com users.
Both methods should be feasible. The difference is whether the two accounts exist under the same tenant. If you have a reason to let them exist under the same tenant, you should choose the second option. But if you do not require them to exist under the same tenant, creating a new tenant for my-company.io is recommended, because this will reduce the configuration when migrating to Exchange Online for my-company.com users.
Your concern is not superfluous, but they are not unsolvable. If you choose the second option, then you need to carefully design what your hybrid deployment environment is like. For example, there are two types of users, one is a hybrid deployment user, and the other is a cloud-only user. You can refer to this document to choose the configuration you need.
In short, from the perspective of easy configuration and management of different types of users, the first solution is better, while the second solution does not require you to create new tenants and requires you to pay more attention to configuring hybrid deployments.
I want to execute elastic queries on azure sql databases running on free subscription. So I need to create a user and login credential to do that.
Can I create user in this subscription? Can I access master database from here using same subscription?
Can I create user in this subscription? Can I access master database from here using same subscription?
Yes, you can create the a user and login on the Azure SQL database. And about these two questions, you can reference this document: Controlling and granting database access to SQL Database and SQL Data Warehouse. This Azure document will give you more details.
But if you want to use Elastic Query, you must give the user sufficient permissions.
For more details, please see Getting started with cross-database query (vertical partitioning).
Hope this helps.
My company is currently planning to reconfigure security and we are currently arguing over which way to go, storing everything in Active Directory or in SQL Server?
So setting up Active Directory groups and use it to create a read and a read/write group and just move users in and out of these security groups and manage security for SQL Server from Active Directory or use SQL Server and move all users into security and create groups in SQL Server and manage the
security from there?
AD is the way to go in my opinion, for a number of reasons.
Security doesn't just cover access to databases. It covers access to files, folders etc. Anything in SQL is irrelevant to the question 'Should they have access to this spreadsheet?'. AD is the way to go there. Why not integrate everything into the same mechanism?
AD is more flexible than SQL. An AD Group can contain other AD groups. If you have an AD group called e.g. 'Power Traders' then the Power Traders are added to that group. There would also be groups which give access to individual securables (files, folders, databases, apps etc); 'Power Traders' would be added to those groups and inherit the access to the individual things. If another job also needs access to one of these, that job group can be added to the necessary individual group.
If an individual needs access to something outside his normal job, just add them to the individual groups necessary.
A full solution would actually have multiple levels of groups. How many would be down to the company and how it wishes to organise itself.
I'm evaluating Dynamics CRM 2011.
I would like to point the CRM instance to a different active directory server. Is this possible without a complete re-install?
This is a test CRM instance and only has a couple of active accounts in there right now but it was setup pointing to our corporate AD server and this is proving to be a barrier to testing with multiple different accounts.
Setting up trust from live corporate AD to the test AD is not really an option either.
Create a case to support.
We did a similar change, and they provided us with tools to mass update the SQL table.
I don't think it's possible out of the box. It has some strict requirements with once it's setup. Things like the org names are pretty much locked in.
If you install CRM on a server in a different AD you should be able to import the database and during the process it will ask you to map existing users in CRM to AD accounts.