We currently have around 400 client databases hosted on a SQL Server in Azure. When initially setup, no Active Directory admin user was set, only a server admin and this server admin is used at the moment for all connection strings. If I were to add an Active Directory admin to the server, would this have any effect on the connection of any of the databases using the server admin? In other words, would the server admin still work fine and adding Active Directory admin not disconnect any users currently connected to the SQL server?
No, adding an Azure AD Admin won’t affect any connections using the Server Admin or any other login.
However, the recommended way applications should connect to SQL Azure databases is via contained users. Contained users do not get disconnected during failovers (geo-replication) and they travel with the databases (backups, readable copies).
Agree with Alberto Morillo, we should connect to SQL Azure databases via contained users.
More information about contained users, please refer to this link.
By the way, when we setting up the Azure AD admin, the new admin name
(user or group) cannot already be present in the virtual master
database as a SQL Server authentication user. If present, the Azure AD
admin setup will fail; rolling back its creation and indicating that
such an admin (name) already exists. Since such a SQL Server
authentication user is not part of the Azure AD, any effort to connect
to the server using Azure AD authentication fails.
More information about provision an Azure Active Directory adminstrator for your Azure SQL server, please refer to this article.
Related
I'm quite new to the Azure AD. So I will be grateful for any hint.
I need to enable members of a given domain (of a given Active Directory) to log in to Azure SQL Server using Azure Active Directory - Integrated Authentication.
So far I've logged into Windows and connected it to Azure Acticve Directory in Windows Setting.
Looking through the documentation, I understand that I need to select one of the authentication methods proposed by Microsoft within Azure Active Directory. The easiest seems to be Password hash synchronization. So I would like to pick this one (But if others are simpliest I am open to change that choice)
What is the easiest way to synchronise this? Can I avoid having to create a Windows Server VM and install Azure AD Connect there?
The current configuration of AD Connect on Azure Portal looks as follows:
To mention it again, the only service I care about is logging in via Azure Active Directory
I apologise if the whole question has been wrongly structured, but it is simply based on what I have found on the forums and in the documentation.
Thanks in advance for any tips
[for example: https://youtu.be/PyeAC85Gm7w?t=565, https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell#using-an-azure-ad-identity-to-connect-using-ssms-or-ssdt, https://techcommunity.microsoft.com/t5/azure-sql-blog/azure-ad-pass-through-and-password-hash-authentication-support/ba-p/1269735]
You don't need Azure AD Connect or password hash sync unless you have an on-premise Windows Server AD that you want to sync to Azure AD. Should note that AD is not the same as Azure AD. You don't need Windows Server AD with Azure SQL, just Azure AD. To grant a certain security group access to the server, you can run CREATE USER [group-name-here] FROM EXTERNAL PROVIDER; in the Azure SQL DB. Then you can use standard SQL stuff to grant that "user" access to the DB/tables.
Users should then use Azure Active Directory - Universal with MFA as the authentication method in SQL Server Management Studio.
I have a local instance of SQL Server installed. I installed it as the machine's administrator.
Now I want to create a user for a database on that server, but the user is not a local windows user, but an Azure AD user.
I tried to execute the code mentioned in the Create SQL Login for Azure Active Directory User
CREATE USER [alice#fabrikam.onmicrosoft.com]
FROM EXTERNAL PROVIDER;
but I always get the error:
Incorrect syntax near 'PROVIDER'
Now to reiterate, it is not an Azure SQL database, it's a machine's local SQL Server hosting its own databases.
Unfortunately, you can't use Azure AD user for on-premises SQL Server user.
The link you have shared is only applicable for Azure PaaS services like Azure SQL Database, Azure Managed Instance, etc.
As per this official doc
Two questions I am not in a position to confirm via deploying to an Azure resource group (due to my account limitations). So far, I have not found resources that answers my questions.
1. AD Users and Groups
Can Active Directory (AD) Users and AD Groups SQL Server Logins or Database users be migrated from On premise SQL databases to Azure SQL?
The environment I will be working on has the on premise AD synced to Azure Active Directory (AAD).
So far, I have only seen that SQL Logins can be migrated.
2. Authentication
I know that SQL Login and Windows Authentication login are options to connect to the Source database. Are both of these option also available in the destination Azure SQL database?
So far I have only seen SQL Login as an option for connection to the destination database (see below screenshot). This might be because there are no AAD accounts associated with the blank Azure SQL target database I am trying to connect to. The Server Admin is set for the target database.
No, unfortunately you can't migrate the Active Directory (AD) Users and AD Groups to Azure SQL Database. Yes, you move SQL logins from the SQL Server source to Azure SQL Database by using Database Migration Service in offline mode.
You can also migrate Windows users and groups using T-SQL DDL syntax with the help of this tutorial.
You can use Azure AD authentication to connect with Azure SQL Database. It is an alternative to SQL Logins Authentication. Please refer Azure Active Directory authentication for more details.
You can simply use SQL Server Management Studio (SSMS) to connect with Azure SQL Database using Azure AD credentials. Install the SSMS on your local windows machine and login with AAD credentials as shown in image below.
I am trying to enable Active Directory access for an Azure SQL Database. But I ran in a bit of a chicken-egg problem:
On the properties tab of my SQL database, The Active Directory admin shows an AD user group I am a member of
I cannot login. If I try to connect to my database using this AD-user, either via the Query editor (preview) tab or through SSMS, I get "Login failed for user ''."
If I login using the Server admin login or through a SQL account, I can login, but I cannot execute CREATE USER myname FROM EXTERNAL PROVIDER. It returns "Only connections established with Active Directory accounts can create other Active Directory users"
How did I create this mess?
On Azure, I already had a SQL Server with a SQL database. I can login onto that server using my Active Directory account. I had a local database, and in SSMS I selected "Deploy database to Microsoft Azue SQL database..." and selected my existing SQL Server.
As I understand it, AAD needs to know the SQL server, not each individual SQL database. If I do a Point In Time restore of my main database, I can also access this database with my AAD-account. But of course, this database already contains the active directory user group.
So Azure thinks I can logon to the database with my AAD-account,
but the database itself does not know any AAD accounts.
And I can only create AAD accounts in the database when logged in with an AAD-account.
How do I create an Active Directory Account within my database without being logged on with an Active Directory Account?
How do I create an Active Directory Account within my database without being logged on with an Active Directory Account?
No, we can't. In Azure SQL database, you need to first to configure the Azure AD admin for the SQL Server, then login the database with AAD admin account to create the AAD user.
I think you have configured it. As you said you can login with you AAD-account. That's the Azure AD admin account. It has the permission to access all the database.
Important:
To create contained users mapped to Azure AD identities, you must be
logged in using an Azure AD account that is an administrator in the
database in Azure SQL Database. In SQL Managed Instance, a SQL login
with sysadmin permissions can also create an Azure AD login or user.
Ref here: Authorize database access to SQL Database, SQL Managed Instance, and Azure Synapse Analytics
I have a problem when connecting to an Azure SQL Database using SSMS under this scenario:
Have a work laptop connected to work domain via VPN
The database is in a different Azure tenant (tenant B) to my work Azure tenant
(tenant A).
My work account is set up via AAD in the work Azure tenant (A)
and is a guest account in other tenant (B)
Have the latest version of SSMS
Granted user access to the Azure SQL database
I connect via SSMS using the Azure Active Directory - Universal
with MFA option
Note all default options are set and have also tried setting the database
I know the database access has been correctly set up as I have successfully been able to connect in the above scenario when I use Azure Data Studio instead of SSMS, but only because I have the option to change "Azure AD tenant" property from "Tenant A" to "Default Directory".
I have been able to connect OK when using SSMS with my personal computer using the same account / method, except it is not using a work account and is not connected to the work domain.
Seems like my issue is that I cannot change the "Azure AD tenant" property in SSMS and it is using the tenant associated with my account. I have also tested with a number of different people and they have the same issue. I have also set the default Azure directory to tenant B in the Azure portal.
Does anyone have any suggestion how I can get this to work in SSMS?
Azure Data Studio connection
Thanks Tony
OK, I am answering my own question.
I have a work-around which involves:
Create a connection in Azure Data Studio and setting the Azure AD Tenant to "default directory"
In SSMS, connect to the Database using the Azure Data Studio connection in the Registered Servers pane
Not ideal, but it works.