I am trying to test MFA on a new user. For that I followed below steps:
I have logged in the Snowflake as Account admin.
Created a user as below
create user <USER> password='XYZ'
alter user <USER> SET DISABLE_MFA = FALSE
When tried to login I was not prompted for Authentication code. Did I miss any steps?
Snowflake users can self-enroll in MFA through the web interface
Follow the steps in this post
To add to #mdem7 point, Presently Snowflake only allows users to enroll into MFA, so you cannot force it on from the start. But you can use the MINS_TO_BYPASS_MFA = <integer> option to give the use N minutes to login and setup MFA before they have to MFA turned on.
Which means you can create an account send the details to a user and tell them "setup MFA within N minutes or you will be locked out" and know they ether setup it, or where locked out.
The Snowflake MFA setup process requires that the user have DUO configured on their phone and that number has to be associated with the Snowflake login account. This can only be done by the user after logging into the account.
DISABLE_MFA = FALSE
"This property has no effect if the user is not currently enrolled in MFA (i.e. EXT_AUTHN_DUO = FALSE). As such, it is typically only set when using ALTER USER to disable MFA for a user."
The https://docs.snowflake.net/manuals/sql-reference/sql/create-user.html
Related
I have created guest users in my Azure AD tenant by sending invitations via email following this link https://learn.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal.
The guest users are added to my tenant once they accept the invitation.
Now I have assigned some applications to the guest users that they can access.
To enhance the security, I want to enable two-factor authentication for the guest users when they are accessing the application.
Is it possible to enable MFA for the guest users? If yes, can anyone guide me with the steps
Yes, it is possible to enable MFA for guest users.
To achieve your requirement, please follow the below steps:
Make sure whether you have Azure AD premium P1 or P2 license which is necessary to create conditional access policy.
To create conditional access policy,
Go to Azure portal -> Azure Active directory -> Security -> Conditional access -> Policies -> New policy.
In Grant tab, Select "Grant access" and Check mark "Required Multi factor authentication". Enable policy by selecting it On and Create.
I have tried in my environment, after creating policy I signed in as a guest user from Incognito window and it prompted for two factor authentication like below:
I just set up my snowflake instance to use google auth. I can log in with my google account, query tables, create roles, etc... Today I ran into an issue (two of them actually).
I run this script
SET ROLE ACCOUNTADMIN;
CREATE WAREHOUSE IF NOT EXISTS joe;
When I am logged in with my Google Account, I get the error message:
SQL access control error: Insufficient privileges to operate on account 'XXX99999'
When I am logging in with my Snowflake native account, it works. Both accounts have the ACCOUNTADMIN role and are using it.
This is all in the classic interface. When trying to switch over to Snowsight, my google account cannot login in. I click the [Authenticate with Google] and the screen refreshes, no error, but not now the button is disabled.
For the first error, the reason is that the user does not have any roles that has the privileges on the account where the operation is being done. To overcome that you need to assign the right set of roles to the user coming from Google IDP.
Please check the following documentation which details the levels for each of the database objects that requires privileges: https://docs.snowflake.com/en/sql-reference/sql/grant-privilege.html#syntax
For the second issue, which button is disabled "Snowsight" which is listed from Classic UI?
Please use the below scripts to create warehouse. You need to use role instead of set role.
use ROLE ACCOUNTADMIN; //To use accountadmin role
CREATE WAREHOUSE IF NOT EXISTS joe_wh; //to creare warehouse
To use SSO based login with Snowsight, Please migrate to advanced SAML as per
https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-advanced.html#migrating-to-a-saml2-security-integration
On guest user login on redirect URI I got an error:
AADSTS1000031: Application {App name} cannot be accessed at this time. Contact your administrator.
I'm using multi-tenant approach. The authorization URL looks good and it redirects me with such an error.
But I can't find any description of the error or configuration in the azure related to this error.
Also, "normal" users can log in without any issues.
I have such configuration in my Azure App:
Could you please advise how can I enable guest accounts support here?
This error can occur if you have not granted admin consent.
Go to Azure Active Directory within the Azure portal.
Go to Application registrations.
Select the Application based on the App-Id.
Go to API Permissions.
Click Grant Admin consent.
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent
Has this SSO been setup as an Enterprise application?
Or are you just trying to get a guest user logged in to your tenancy as a guest?
If it is the later just create a new Guest user within your tenancy, make sure you have the rights to to do this first.
Then have the guest user accept the email invitation they receive.
Confirm within Azure they have accepted the invite.
Also make sure they are using the same email address as the invite was sent to and not an alias, which can cause confusion.
At first there is no authentication in mongodb, so I created one for one database with readWrite role.
Now I want to create more users for other databases but as this user doesn't have the privileges to create other users I'm stuck.
The documentation clearly says:
With access control enabled, ensure you have a user with userAdmin or userAdminAnyDatabase role in the admin database. This user can administrate user and roles such as: create users, grant or revoke roles from users, and create or modify customs roles.
If you haven't created such user, you cannot create it now with authentication and access rights enabled. I gues you need to restart the MongoDB server without authentication enabled, create that admin user, and restart the MongoDB server again with authentication enabled.
I highly recommend you read to complete documentation how to enable authentication first to understand the complete concept, before you follow it step by step. Otherwise it might be confusing and creating such state you are currently locked in and cannot continue with all actions.
I'm working on improving the user experience for our org when logging into snowflake. We have adfs sso enabled and are provisioning mapping users to roles using azure ad. I had a colleague attempt to sign in with SSO who didn't have a user account created in snowflake and they were greeted with
"The signed in user <user#email.com> is not assigned to a role for the application (Snowflake)".
My question is, is it possible to have users sign into snowflake without being mapped to a default role, perhaps only have the public role assigned, and without being synced with azure ad.
If it is, i'd appreciate any pointers to documentation i can reference. The goal is to get all users that can SSO, to by default be able to login
AD group syncing occurs every 40 minutes in Microsoft, and I don't believe it's possible to force a sync or change this time frame. In addition, like the OP mentioned Snowflake cannot connect to an on-prem ADFS server so all users must be in Azure AD.
AD group syncing is somewhat configurable via the "Scope" (see Step 15 of this tutorial)
If your Scope is set to "Sync only assigned users and groups", you can either
Change the scope to "Sync all users and groups" (may cause issues if you don't want to import all this data into Snowflake)
or
Confirm that your desired users' AD group is one of those assigned to be synced to Snowflake (requires manually assigning these users, or that all of these users are part of the same AD group that you choose to sync to Snowflake).
By seeing the error its not allowing user who don't have appropriate role for the application.
In these why can't we create generic stored procedure to assign default role and instance to new user based on the group they belong to.! Each time if we add any new user then we have to run stored procedure to assign default role and object prior to his login to snowflake.