azure hybrid connection to windows server with AD (ldap) - active-directory

We have got Windows Server with AD on premis, and we would like to have access to this AD (by ldap) from App Service hosted in Azure.
It is possible by using Hybrid Connection?
I've read somewhere that Hybrid Connections are based only on TCP, and the LDAP uses UDP (sometimes?).
The App service has code that connect on LDAP and query AD by LDAP.
It is possible there are some workarounds?

Hybrid connection isn't used in this manner. It utilizes an agent that's installed on an on-prem server that establishes a relay connection. This connection allows the app service to connect to your SQL server as if it were hosted in the cloud.
I think what you may want to look at is something like AD Connect which allows you to do hybrid identity and sync your on-prem AD with Azure AD. You can learn more about AD Connect architecture here but I don't know if what sort of protocol/connection it uses to do the sync. That may be dependent on the method of sync you choose.
After you've synced, the users should be in your AAD tenant in which you can leverage the Microsoft Graph API to read group permissions.

Related

Give System Managed Identity access to classic SQL Server

I've got an Azure App Service that needs access to a classic SQL Server (non-Azure SQL, not SQL Managed Instance) and I'd prefer to do this via System Managed Identity. This is enabled on the App Service and a corresponding Enterprise Application is created on Azure AD.
The SQL Server is also connected to this Azure AD and User accounts on the AD already have access to the database. However I can't find how to create a login for the Enterprise Application. If this was an Azure SQL database I could do it with CREATE LOGIN [AZUREAD\app] FROM EXTERNAL PROVIDER but this does not work on a classic SQL Server, only on Azure SQL/MI.
A solution would be to use SQL accounts and reference the login/password in the connection strings, but as mentioned I'd much rather use Azure AD for authentication.
To answer my own question: SQL Server 2022 includes Azure AD authentication Link
Using integrated security or an access token it will be possible to authenticate with an App Registration.
This is currently in preview with no RTM date specified.

Migrating to Azure SQL - how integrate domain service accounts?

I am required to migrate an on-prem ASP.Net web application with its SQL Server 2019 backend to Azure.
The Web application initial migration must be IaaS (Windows VMs running IIS).
The SQL 2019 has to be Azure SQL PaaS (Not Azure SQL Managed instance).
The existing on-prem Web application has several virtual directories, and each application in a virtual directory, is in a separate IIS app pool.
Each app pool is run under the context of a different domain service account.
Connection to the SQL databases is via integrated security.
In the current on-prem solution, the domain service accounts are added as logins to the SQL Server and each has permissions to one or more of the databases (Execute / Connect permissions; addition to datareader role etc).
I believe there will have a domain join to Azure AD, so the on-prem AD service accounts will be accessible in azure (as far as I can understand).
SQL Azure does not support CREATE LOGIN [MYDOMAIN\MYSVCACCOUNT] FROM WINDOWS;
Is there a way I can setup the existing on-prem domain accounts with the access, permissions and roles in the SQL PaaS solution, to mirror the current on-prem setup?
Alternatively, could someone could help me identify resources for best practice for the architecture described.
Thank you
I found a a few good posts that assisted me to understand all available options:
https://www.mssqltips.com/sqlservertip/5242/adding-users-to-azure-sql-databases/
https://learn.microsoft.com/en-gb/azure/azure-sql/database/logins-create-manage

Azure VM SQL Server Integrated Security from an Azure Web Site

I would like to know if it's possible to use Active Directory integrated security within Azure Webapp Standard version to access Azure VM SQL Server.
We have an Azure VM with SQL Server installed and joined into an Azure Directory Domain Services. The VM/SQLServer is being restricted to be accessed only within the VNet, so this VM has no Public IP.
The Webapp is connected via VNet Integration to the VNet of the AD DS and VM's.
if someone could explain me if that possible/not possible to implement such a solution and what are the options that I havein AZure to use the integrated security.
Edit: Regarding managed identity in AZure Web App, only certain Azure Resources that can have a Managed Identity assigned, which here the Web App is one of them.
And to be able to access a resource using MI that resource needs to support Azure AD Authentication, this is limited to specific resources:
Source: Services that support managed identities for Azure resources
- Azure Resource Manager
- Azure Key Vault
- Azure Data Lake
- Azure SQL
- Azure Event Hubs and Service Bus
- Azure Storage
The Azure vm SQL Server is not listed as one of the resources that can be accessed through AD managed identity.
if someone could explain me if that possible/not possible to implement such a solution and what are the options that I havein AZure to use the integrated security.
Yes, it's possible. You could configure your App Service app to use Azure Active Directory to access Azure VM sql server.
Work Flow:
The VNet Integration feature is built on top of point-to-site VPN technology. Apps in Azure App Service are hosted in a multi-tenant system, which precludes provisioning an app directly in a VNet. The point-to-site technology limits network access to just the virtual machine hosting the app. Apps are restricted to only send traffic out to the internet, through Hybrid Connections or through VNet Integration.
For more details, you could refer to this article.

Is it possible to use yubikey with server AD which is already in sync with Azure AD

I am planning to use Yubikey with my systems. Currently I have my windows server Active directory is configured to synchronize with Microsoft AD services. So if I use Yubikey in my server for 2FA, will it cause any problem with synchronizing of server AD with Azure AD?.
If no issues how can i configure yubikey?

Azure web app with on site SQL Server and Windows authentication

I need to connect my web app on Azure to our on site SQL Server instance via Windows authentication (not via SQL Server account authentication). Active Directory is already integrated with the on-site AD and therefore all of the users are available there.
My question is, is it possible to hook up an azure web app to an on-site SQL Server via Windows authentication.
is it possible to hook up an azure web app to an on-site SQL Server via Windows authentication.
Base on my option, it maybe that we couldn’t do that. As we have been limited to do that operation for azure WebApp. There is also another SO thread mentioned that.
If we want to connect to on premise SQL Server, we can use hybrid connections to access on-premises SQL server database in Azure WebApp, more info please refer to the document.
If we want to authenticate the WebApp with local Active Directory, and we have an on-premises secure token service (STS) like Active Directory Federation Services (AD FS), we could use that to federate authentication for our Azure WebApp. More info please refer to the document.
Hybrid connections at this time does not support AD accounts due to
because you cannot domain join an App Service worker

Resources