Using portal.azure.com I've created SQL Server and SQL Database. I've set myself as the SQL Server admin.
I'm able to connect with my AAD account using SSMS.
I add another AAD users to my database:
use [MyDatabase]
CREATE USER [usename_emaildomain#EXT##mydirectory.onmicrosoft.com] FROM EXTERNAL PROVIDER;
--add read permissions
EXEC sp_addrolemember 'db_datareader', [usename_emaildomain#EXT##mydirectory.onmicrosoft.com]
But how do grant him admin rights so that he has full access to all databases? I'm able to sent only one admin in Azure Portal.
I don't know why SQL Azure only allows one security principal to be designated as admin but anyway....
You can assign one user or one group. So put all of your users in a group and assign that group as the administrator
Related
I am trying to enable Active Directory access for an Azure SQL Database. But I ran in a bit of a chicken-egg problem:
On the properties tab of my SQL database, The Active Directory admin shows an AD user group I am a member of
I cannot login. If I try to connect to my database using this AD-user, either via the Query editor (preview) tab or through SSMS, I get "Login failed for user ''."
If I login using the Server admin login or through a SQL account, I can login, but I cannot execute CREATE USER myname FROM EXTERNAL PROVIDER. It returns "Only connections established with Active Directory accounts can create other Active Directory users"
How did I create this mess?
On Azure, I already had a SQL Server with a SQL database. I can login onto that server using my Active Directory account. I had a local database, and in SSMS I selected "Deploy database to Microsoft Azue SQL database..." and selected my existing SQL Server.
As I understand it, AAD needs to know the SQL server, not each individual SQL database. If I do a Point In Time restore of my main database, I can also access this database with my AAD-account. But of course, this database already contains the active directory user group.
So Azure thinks I can logon to the database with my AAD-account,
but the database itself does not know any AAD accounts.
And I can only create AAD accounts in the database when logged in with an AAD-account.
How do I create an Active Directory Account within my database without being logged on with an Active Directory Account?
How do I create an Active Directory Account within my database without being logged on with an Active Directory Account?
No, we can't. In Azure SQL database, you need to first to configure the Azure AD admin for the SQL Server, then login the database with AAD admin account to create the AAD user.
I think you have configured it. As you said you can login with you AAD-account. That's the Azure AD admin account. It has the permission to access all the database.
Important:
To create contained users mapped to Azure AD identities, you must be
logged in using an Azure AD account that is an administrator in the
database in Azure SQL Database. In SQL Managed Instance, a SQL login
with sysadmin permissions can also create an Azure AD login or user.
Ref here: Authorize database access to SQL Database, SQL Managed Instance, and Azure Synapse Analytics
I want to give a user permission to create other users but can only grant them roles to a specific database of my choice using SSMS with a query
Hi I have configured Azure active directory authentication on Azure SQL Server.
After that I have added contained DB users on a SQL Database by using the following queries
Created user
CREATE USER [John.Marsh#contoso.com] FROM EXTERNAL PROVIDER;
Assigned following permissions
EXEC sp_addrolemember 'db_datareader', 'John.Marsh#contoso.com';
GO
EXEC sp_addrolemember 'db_datawriter', 'John.Marsh#contoso.com';
GO
GRANT EXECUTE ON SCHEMA :: dbo TO [John.Marsh#contoso.com];
GO
GRANT ALTER ON SCHEMA :: dbo TO [John.Marsh#contoso.com];
GRANT CREATE TABLE TO [John.Marsh#contoso.com];
GRANT SELECT,DELETE,UPDATE,INSERT TO [John.Marsh#contoso.com];
GRANT VIEW ANY COLUMN MASTER KEY DEFINITION to [John.Marsh#contoso.com];
GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION to [John.Marsh#contoso.com];
Some users are able to login and access the DB but some users getting error message saying login failed for the user.
Do I need to provide more permissions?
By default, connections to Azure SQL that do not specify a specific database will attempt to log into the master database. Because AAD uses group based membership, if a user is part of a group that can access the master database, they will be able to login. Users that get denied login are typically denied because they have not been granted rights to master and no specific database was specified in the connection string.
To connect through SSMS: On the "Connect to Database Engine" dialog select the "Options" button, the "Connection Properties" tab and specify the database name in the "Connect to database:" dropdown. You'll need to know it b/c the user does may not have access to master to read the list of databases on the virtual database server.
You can get a connection string for your tech stack from the Azure Portal under the "Overview" for the database.
I have the following script which creates a new database, a new user and login. I have some custom software that my clients use to log into the database and create the necessary tables, SP and populate the tables with data. The databases are hosted remotely online which I have full access to.
**EDIT-> The problem I have is that I cannot open a new connection and create any tables using the new user. Its looks like a permissions issue as it works ok with sa root account login.
Ideally I would like run this single script so I can deploy a new database to a new client via SQL Server Management Studio easily with the minimal of fuss
Please see my script below:
-- SEARCH AND REPLACE THE FOLLOWING TERMS
--
-- db_TestDatabase Database name
-- TestPa$$w0rd password
-- TestUser1 username
use master
go
--create a test database
CREATE DATABASE [db_TestDatabase]
GO
--create user login
CREATE LOGIN [TestUser1] WITH PASSWORD=N'TestPa$$w0rd'
GO
--create user in database
CREATE USER [TestUser1] FOR LOGIN [TestUser1] WITH DEFAULT_SCHEMA=[test_Schema]
GO
--create role
CREATE ROLE [test_Role] AUTHORIZATION [dbo]
GO
--create schema
CREATE SCHEMA [test_Schema] AUTHORIZATION [TestUser1]
GO
--apply permissions to schemas
GRANT ALTER ON SCHEMA::[test_Schema] TO [test_Role]
GO
GRANT CONTROL ON SCHEMA::[test_Schema] TO [test_Role]
GO
GRANT SELECT ON SCHEMA::[test_Schema] TO [test_Role]
GO
GRANT DELETE ON SCHEMA::[dbo] TO [test_Role]
GO
GRANT INSERT ON SCHEMA::[dbo] TO [test_Role]
GO
GRANT SELECT ON SCHEMA::[dbo] TO [test_Role]
GO
GRANT UPDATE ON SCHEMA::[dbo] TO [test_Role]
GO
GRANT REFERENCES ON SCHEMA::[dbo] TO [test_Role]
GO
--ensure role membership is correct
EXEC sp_addrolemember N'test_Role ', N'TestUser1'
GO
--allow users to create tables in test_Schema
GRANT CREATE TABLE TO [test_Role]
GO
--Allow user to connect to database
GRANT CONNECT TO [TestUser1]
Any suggestions would be appreciated.
Thank you
It could be a User Access Control issue, try right clicking Management Studio and Run as Administrator, if you have that privilege and it may get past the issue you're seeing.
Some related reading:
User Account Control and SQL Server
User Account Control affects Microsoft SQL Server in terms of
connectivity (SQL Server login) and in limiting access to resources on
the administrators’ access control list (ACL).
In versions earlier than Windows Vista and Windows Server 2008,
members of the local administrator group do not need their own SQL
Server logins and they do not need to be granted administrator
privileges inside SQL Server. They connect to SQL Server as the
built-in server principal BUILTIN\Administrators (B\A), and they have
administrator privileges because B\A is a member of the sysadmin fixed
server role. Administrator rights are stripped away in Windows Vista
and Windows Server 2008, so administrator users cannot connect to SQL
Server instance by virtue of being B\A, unless connecting from an
elevated client application.
I have to setup a .net-application that connects to an SQL Server 2005 in a new database. The app uses an application role to authenticate on the server and handles then all security-checks in the app.
I have successfully created the application role and the app can successfully logon to the db. However, the role has no permissions to query any database-object.
How do I assign the roles db_datareader and db_datawriter to the application role so that it has full read-and write access to all tables of the database? Or is there another way to give the role full access to the tables, queries and stored-procedures.
(The app was developped on sql-server 2000, however there are already running instances of it with SQL Server 2005 but I have not seen how it is done that the application role has the desired rights.)
Please note, giving the app role manualy access to every object is not an option because the app creates dynamicly new objects (tables, queries and sp's) and the app must also have access to these new objects without change the roles security configuration.
For reading:
GRANT SELECT TO application_role
For writing:
GRANT INSERT TO application_role
GRANT UPDATE TO application_role
GRANT DELETE TO application_role