I have configured my sql server with an Azure Active Directory admin that is a service principal (app registration). Is it possible to use clientid/secret to connect from Sql Management Studio?
I have tried Azure Active Directory - password authentication but client id and secret did not work.
It works just fine from my C# code with the same id and secret.
As suggested by #junnas in the comment section we cannot connect to Azure SQL database with Service Principal in SSMS.
Please check this blog
Related
I've got an Azure App Service that needs access to a classic SQL Server (non-Azure SQL, not SQL Managed Instance) and I'd prefer to do this via System Managed Identity. This is enabled on the App Service and a corresponding Enterprise Application is created on Azure AD.
The SQL Server is also connected to this Azure AD and User accounts on the AD already have access to the database. However I can't find how to create a login for the Enterprise Application. If this was an Azure SQL database I could do it with CREATE LOGIN [AZUREAD\app] FROM EXTERNAL PROVIDER but this does not work on a classic SQL Server, only on Azure SQL/MI.
A solution would be to use SQL accounts and reference the login/password in the connection strings, but as mentioned I'd much rather use Azure AD for authentication.
To answer my own question: SQL Server 2022 includes Azure AD authentication Link
Using integrated security or an access token it will be possible to authenticate with an App Registration.
This is currently in preview with no RTM date specified.
I have a local instance of SQL Server installed. I installed it as the machine's administrator.
Now I want to create a user for a database on that server, but the user is not a local windows user, but an Azure AD user.
I tried to execute the code mentioned in the Create SQL Login for Azure Active Directory User
CREATE USER [alice#fabrikam.onmicrosoft.com]
FROM EXTERNAL PROVIDER;
but I always get the error:
Incorrect syntax near 'PROVIDER'
Now to reiterate, it is not an Azure SQL database, it's a machine's local SQL Server hosting its own databases.
Unfortunately, you can't use Azure AD user for on-premises SQL Server user.
The link you have shared is only applicable for Azure PaaS services like Azure SQL Database, Azure Managed Instance, etc.
As per this official doc
Two questions I am not in a position to confirm via deploying to an Azure resource group (due to my account limitations). So far, I have not found resources that answers my questions.
1. AD Users and Groups
Can Active Directory (AD) Users and AD Groups SQL Server Logins or Database users be migrated from On premise SQL databases to Azure SQL?
The environment I will be working on has the on premise AD synced to Azure Active Directory (AAD).
So far, I have only seen that SQL Logins can be migrated.
2. Authentication
I know that SQL Login and Windows Authentication login are options to connect to the Source database. Are both of these option also available in the destination Azure SQL database?
So far I have only seen SQL Login as an option for connection to the destination database (see below screenshot). This might be because there are no AAD accounts associated with the blank Azure SQL target database I am trying to connect to. The Server Admin is set for the target database.
No, unfortunately you can't migrate the Active Directory (AD) Users and AD Groups to Azure SQL Database. Yes, you move SQL logins from the SQL Server source to Azure SQL Database by using Database Migration Service in offline mode.
You can also migrate Windows users and groups using T-SQL DDL syntax with the help of this tutorial.
You can use Azure AD authentication to connect with Azure SQL Database. It is an alternative to SQL Logins Authentication. Please refer Azure Active Directory authentication for more details.
You can simply use SQL Server Management Studio (SSMS) to connect with Azure SQL Database using Azure AD credentials. Install the SSMS on your local windows machine and login with AAD credentials as shown in image below.
I am trying to publish Azure SQL database using Azure SQL Dacpack task in Azure pipelines within an agent job. The authentication type I am using to publish is Service Principal.
I have added service principal as a contained DB user in the Azure SQL database and have given db owner permissions to service principal. When Service principal is a member of Active Directory Admin of Azure SQL Server, the deployment works fine. But , when Service principal is not a member of Active Directory Admin of Azure SQL Server , the deployment fails.
The error that I get is:
Unable to connect to target server . Please verify the connection information such as the server name, login credentials, and firewall rules for the target server. + Login failed for user '< token-identified principal>'. The Azure SQL DACPAC task failed. SqlPackage.exe exited with code 1.
Security team in my organization is not allowing me to have SP as Active Directory Admin of Azure SQL Server.
Azure SQL database only allow server admin/AD admin account to restore/backup the database. That's the permission limit and we can't change it.
Like you said, only if the service principal is a member of Active Directory Admin of Azure SQL Server, the account has the permission restore the database from .BACPAC file.
HTH.
Currently I have everything on premise - .NET Core 3.0 API and SQL Server database.
Azure AD/Service account are configured in IIS and database has given access to the service account.
All requests use that Azure AD service account.
Now we are planning for an Azure migration. API is published in App Services.
Now I want to use the same Azure AD account to connect to an Azure SQL Server database.
How should I do that?
Don't send me Microsoft links, those are having toooo much info.
Tell what and how to do configuration in Azure SQL and App Services.
Any help is appreciated.
Now I want to use the same AD account to connect to an Azure SQL Server database.
AD accounts can't connect to Azure SQL Database. Only SQL and Azure Active Directory (AAD) Logins/Users.
There are some options, but there's a clear best-practice: Provision a Managed Service Identity (MSI) for your Azure App Service Application and use that to connect to SQL Server.
Here is a simple tutorial for how you should integrate App Service and Azure SQL Database:
Tutorial: Secure Azure SQL Database connection from App Service using a managed identity