I have a customer who has created SQL azure database and trying to give access to his on-premise Security group account in database. The challenge that we are facing is that the on-premise group is named as 'group account' i.e. there is a space between the words. This account is synched with Azure AD.
Two questions
1) How do you provide access to a security group on SQL Azure Database? I know that you will say to use syntax like below but that doesn't work in my case i) There is empty space between the words in name ii) this is not a mail enabled group therefore there is no corresponding #domain.com in Azure AD for this group
CREATE USER [name#domain.com]
FROM EXTERNAL PROVIDER
Firstly, you should login your Azure database with your AD admin account.
Then run this query(same with juunas provided) to add on-premise Security group to Azure SQL database.
CREATE USER [<Security Group Display Name>] FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA = [<schema>];
As you said, there is a space in your 'group account' name, I tried to the same operation and it work ok with no error.
For example, I login my Azure SQL database with my AD admin, ran this query to create a group accout 'test gp'.
CREATE USER [test gp] FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA = [dbo];
Running SELECT * FROM SYS.DATABASE_PRINCIPALS we could see that the group has been created in Azure SQL Database
I executed the TSQL: EXEC sp_addrolemember 'db_owner', 'test gp';
It seems everything is ok but when disconnect my SQL database and try to login with group account 'test gp#****.com'
There is an error happened:
You can also reference these blogs:
Unable to add Azure AD group with ':' in display name to Azure SQL, am I missing something?
Naming conventions in Active Directory for computers, domains,
sites, and OUs
I think Azure SQL database doesn't support using Security group name with special character to login the database, such as white space (blank).
Hope this helps.
I've used CREATE USER [Group Name] FROM EXTERNAL PROVIDER before and it has worked.
Related
I have created 2 azure security groups (Read-SQL and the second is Write-SQL) in order for them to login into multiple Azure SQL servers via SSMS using their Azure AD identity based on their group membership in order to access multiple databases on those services.
First of all I have configured an admin group on the SQL Server in our Azure tenant.
I have connected to the SQL via SSMS using my credentials and so far so good.
After that I opened a query and typed in master database
CREATE USER [SQL-READ] FROM external provider
ALTER ROLE db_datareader ADD MEMBER [SQL-READ];
(Did the same thing for Write-SQL)
only the user is created and no permission given with an error saying the user does not exist or I don't have permission.
I have Azure global administrator permission in Azure and I don't know why I get this error.
In the bottom line I would like that Read-SQL and Write-SQL will be able to login in to the SQL Server and have access to all databases within it as well as giving Read-SQL reading permissions and to Write-SQL writing permission.
I read a few Microsoft articles but I got even more confused since I don't know if I need to create a login or create a user or a contained user.
Please help
Thank you
Here are few screenshots for better understanding
enter image description here
enter image description here
Read the following articles but only partial success.
https://www.mssqltips.com/sqlservertip/6751/azure-ad-authentication-azure-sql-databases/
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?view=azuresql&tabs=azure-powershell#create-contained-users-mapped-to-azure-ad-identities
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-overview?view=azuresql
https://learn.microsoft.com/en-us/sql/relational-databases/security/contained-database-users-making-your-database-portable?view=sql-server-ver16
Whether you should create a login, user or contained user will depend on your access and security requirements. However, in Azure SQL Database, users are created per database. So, you can create the login in the master database and then you need to create the associated user in each database on that SQL Server.
This documentation gives more information on creating logins, users and contained users for Azure SQL Database.
My requirement I have 20 users all are configured in azure active directory resource group.
I have one Azure SQL Server under I have 3 Azure SQL Databases like Dev, QA and UAT
In Active Directory configured 20 users I need different access in each database level, some people need only read access and some people need both write and read, etc.
Please help me to do this.
Is it possible to create users group in each database level with different roles for azure active directory users?
users can login SSMS with azure active directory credentials but each user having different access in each database
you can create groups in AAD and provide the groups/users access on the database individually.
Execute the below queries in individual databases:
1)
CREATE USER [GroupName] FROM EXTERNAL PROVIDER or
CREATE USER [xyz#abc.com] FROM EXTERNAL PROVIDER
2)
exec sp_addrolemember 'db_datareader', '<>' or
exec sp_addrolemember 'dbowner', '<>' etc based on the roles which you want to assign.
Note :
Since the user is not created at server level and directly at databases level, while trying to connect via SSMS ,
Put the database name explicitly.
Per my experience, you need manually configure the AAD users with different permissions or database role in each database.
In addition, you need connect to the Azure SQL with Azure AD admin account, only the admin account can do the operations for each database.
For example, one of the AAD user 'aa#abc.com' only needs have the read permission in database Dev but needs read/writer permission in database QA and UAT. User 'bb#abc.com' needs read/writer permission in database 'Dev' and read permission in 'QA' and 'UAT'. In each database, different users are derived to two roles. Then we can not configure group level permission for these AAD users in each database.
After doing that, all the users in your AAD group will have the different permissions in different database. When connect to the database with SSMS, current user can see all the databases which he has the permission to access. You also can choose the specific database in SSMS connection properties like #Nandan said.
HTH.
I'm trying to create database users that are integrated with azure active directory. All of our users are guest users. I've been following multiple articles on how to create users in the SQL db but none have worked.
For example, this article: https://www.mssqltips.com/sqlservertip/5242/adding-users-to-azure-sql-databases/
Suggest to create users like so:
CREATE USER [name#domain.com]
FROM EXTERNAL PROVIDER
WITH DEFAULT_SCHEMA = dbo;
This yields the error:
Principal 'name#domain.comm' could not be found or this principal type is not supported.
Googling this error lands me on stackoverflow post (https://dba.stackexchange.com/questions/148325/add-active-directory-user-for-azure-sql-db):
which suggests:
CREATE USER [name_domain.com#EXT##<yourAzureSubscriptionPrefix>.onmicrosoft.com] FROM EXTERNAL PROVIDER
and accesses:
EXEC sp_addrolemember 'db_datareader', 'name_domain.com#EXT##<yourAzureSubscriptionPrefix>.onmicrosoft.com'
EXEC sp_addrolemember 'db_datawriter', 'name_domain.com#EXT##<yourAzureSubscriptionPrefix>.onmicrosoft.com'
and this does not give an error, but it also does not provide access to the database. Since I get error NT AUTHORITY/ANONYMOUS LOGIN
I also tried to create an AAD group and provide that group access, also no error here but couldn't login either.
Couple of notes:
All IP addresses are allowed on the firewall
all users have been added in sql db IAM (not sure if this is even necessary)
I've enabled Active Directory Admin in the sql server, I put the subscription admin here
This is also the users with which I created users in the SQL DB
I'm able to create native sql users without a problem
Still I'm only able to login using the Active Directory Admin, and no other user is able to login.
Any advice on how I can login to my Azure sql database using windows credentials from Azure Active Directory?
When using external users, you need to use the "mangled user principal name" when adding them.
That's this one:
CREATE USER [name_domain.com#EXT##<your-azure-ad-default-domain>.onmicrosoft.com] FROM EXTERNAL PROVIDER
Secondly, the users will be created only in that database; they cannot connect to master.
So you need to choose the DB to connect to.
You may also need to specify the AAD tenant id in advanced connection settings.
The reason you might need to do this is because by default an external user will login to their home tenant. Which is not the one connected to your DB. So you may need to specify the tenant to have them explicitly login against your tenant.
How do I check to see if the current user has access to create a database in SQL Azure?
In regular SQL Server, I have various easy methods at my disposal to check this. Normally, I might use IS_SRVROLEMEMBER('dbcreator'). Apparently SQL Azure has a dbmanager role instead, but IS_SRVROLEMEMBER('dbmanager') does not work either.
I also tried HAS_PERMS_BY_NAME(null, null, 'CREATE ANY DATABASE') but that does not work either.
I've verified that I do indeed have access to create a database. Does anyone have suggestions?
First: the query that should get you as close as possible to what you're looking for on the server specifically:
SELECT sys.database_role_members.role_principal_id, role.name AS RoleName,
sys.database_role_members.member_principal_id, member.name AS MemberName
FROM sys.database_role_members
JOIN sys.database_principals AS role
ON sys.database_role_members.role_principal_id = role.principal_id
JOIN sys.database_principals AS member
ON sys.database_role_members.member_principal_id = member.principal_id
WHERE role.name = 'db_owner';
From the RBAC poster on SQL Server:
NOTE: CREATE DATABASE is a database level permission that can only be
granted in the master database. For SQL Database use the dbmanager role
From the CREATE DATABASE (Azure SQL Database) documentation
To create a database a login must be one of the following:
The server-level principal login
The Azure AD administrator for the local Azure SQL Server
A login that is a member of the dbmanager database role
You can edit db_owner to any role on this page - this is the azure specific role:
dbmanager Can create and delete databases. A member of the dbmanager role that creates a database, becomes the owner of that databasee which allows that user to connect to that database as the dbo user. The dbo user has all database permissions in the database. Members of the dbmanager role do not necessarily have permission to access databases that they do not own.
An important note: You may have intertwined two different Role Based Access Control levels. SQL RBAC and Azure RBAC both have some relationship to SQL Server/SQL DB. In that way, they are related, certainly, but are not the same thing. For example: Being able to create a DB via the portal is different than being able to create a DB while connected to the server; it is possible to give an Azure user the ability to create a database while that user has no valid login to connect to the server. (Which would not be true if Azure RBAC and SQL RBAC were identical.)
Users with SQL DB Contributor or SQL Server Contributor roles will be able to create a database without ever connecting to the database. I examined enumerating these roles in a partially related question here.
You'll be able to audit the RBAC of Azure most easily through this powershell command:
Get-AzureRmRoleAssignment -ResourceGroupName <your resource group name>
-ResourceType Microsoft.Sql/servers -ResourceName <your server name>
-IncludeClassicAdministrators
I believe this should do what you are looking for. It will return "1" if the current login has the dbmanager role. You need to execute this in the master database.
SELECT 1 AS DatabaseManager
FROM sys.database_role_members rm
JOIN sys.database_principals r
ON rm.role_principal_id = r.principal_id
JOIN sys.database_principals m
ON rm.member_principal_id = m.principal_id
WHERE r.name = 'dbmanager' and m.name = CURRENT_USER;
There is a SQL Server 2005 database with mixed-mode authentication.
Among others, we have the following logins on the server: our-domain\developers-group-1, and our-domain\developers-group-2 which are AD groups.
The our-domain\developer-group-2 is added to the sysadmin role on the server, by virture of which all domain users of that group can access any database as SQL Server implictly maps the sysadmin role to the dbo user in each database.
There are two users our-domain\good-user and our-domain\bad-user
The issue is the following: Both the good-user and the bad-user have the exact same AD group memberships. They are both members of our-domain\developers-group-1 and our-domain\developers-group-2. The good-user is able to access all the databases, and the bad-user is not. The bad-user is able to login, but he is unable access any databases. By the way, I am the good-user.
How do I go about finding out why?
Here's what I tried so far:
When I do print current_user, I get dbo
When I do print system_user, I get my-domain\good-user
When I do select * from fn_my_permissions(NULL, 'SERVER'), I see permissions.
But if do execute as user='my-domain\good-user'; select * from fn_my_permissions(NULL, 'SERVER'), I dont see any permisisons.
And When I do, execute as user='my-domain\bad-user'; select * from fn_my_permissions(NULL, 'SERVER'), I dont see any permisisons.
Also, I was wondering if there is a sql command that will tell me, "hey! the current database user is able to access this database because he is a member such-and-such ad-group, which is a login that is mapped to such-and-such user in this database".
If you have the relevant permissions within Management Studio, this shouldn't take too long to work out. It sounds like the bad-user AD group has limited permissions within SQL Server.
You need to check the settings in Security in the GUI, and check the mappings for each of these AD groups - clicking on the databases to see what permissions they have on each database.
Is it possible that you simply have implicit permissions as the creator/owner of the objects, yet no explicit permissions have been granted on the AD groups/roles or to your user individually?