Hi I have configured Azure active directory authentication on Azure SQL Server.
After that I have added contained DB users on a SQL Database by using the following queries
Created user
CREATE USER [John.Marsh#contoso.com] FROM EXTERNAL PROVIDER;
Assigned following permissions
EXEC sp_addrolemember 'db_datareader', 'John.Marsh#contoso.com';
GO
EXEC sp_addrolemember 'db_datawriter', 'John.Marsh#contoso.com';
GO
GRANT EXECUTE ON SCHEMA :: dbo TO [John.Marsh#contoso.com];
GO
GRANT ALTER ON SCHEMA :: dbo TO [John.Marsh#contoso.com];
GRANT CREATE TABLE TO [John.Marsh#contoso.com];
GRANT SELECT,DELETE,UPDATE,INSERT TO [John.Marsh#contoso.com];
GRANT VIEW ANY COLUMN MASTER KEY DEFINITION to [John.Marsh#contoso.com];
GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION to [John.Marsh#contoso.com];
Some users are able to login and access the DB but some users getting error message saying login failed for the user.
Do I need to provide more permissions?
By default, connections to Azure SQL that do not specify a specific database will attempt to log into the master database. Because AAD uses group based membership, if a user is part of a group that can access the master database, they will be able to login. Users that get denied login are typically denied because they have not been granted rights to master and no specific database was specified in the connection string.
To connect through SSMS: On the "Connect to Database Engine" dialog select the "Options" button, the "Connection Properties" tab and specify the database name in the "Connect to database:" dropdown. You'll need to know it b/c the user does may not have access to master to read the list of databases on the virtual database server.
You can get a connection string for your tech stack from the Azure Portal under the "Overview" for the database.
Related
Unfortunately I cannot find an answer to my problem.
I need a SQL Server login that allows to access, read, write/edit content of (a specific or several) database(s) and not more. So I created a new Login in SQL Server -> Security -> Logins. I have given all rights (User Mapping: db_datareader,db_datawriter - and also explicit permissions) that are needed for the purpose, but I cannot login to the server engine using SSMS and the created login with (yes) the correct password.
I already looked at the SQL Server logs which state:
Login failed for user 'example'.
Reason: Login-based server access validation failed with an infrastructure error. Login lacks Connect SQL permission.
Error: 18456, Severity: 14, State: 146
Needless to say I have also already granted Connect SQL Permission. I have also "login" enabled (in login settings). The server is in mixed authentication mode, connect rights given. Of course I can give server roles to this login (sysadmin) and suddenly I can login to the server engine, but, as said, I'm trying to adjust the permissions to my needs. Also restarted the server.
Already tried: cannot login to sql server with new user created
and: SQL Server sysadmin user server role
Other sources state to give sysadmin role, but this can't be the answer.
Has anyone ever come across this? Am I missing something simple?
The basics of SQL Server server-level permissions are:
SQL Server does not check permissions for sysadmin role members
GRANT and DENY permissions are cumulative (i.e. direct and via role memberships)
DENY takes precedence over GRANT of the same permission
All logins are a member of the built-in public role
After creating a login, the login is implicitly granted CONNECT SQL and inherits only the limited (out-of-the-box) public role permissions.
Based on the info in your question and comments, the effect of the DENY CONNECT SQL TO public; is that only sysadmin role members can connect (per #1 above) and all other logins cannot connect (#2, #3, and #4).
It is generally a best practice to avoid DENY. There is never a need to DENY a permission that was not previously granted or inherited via role membership. DENY is used in specialized cases where one needs to negate a permission granted via role membership. A login will not have server-level permissions like ALTER SERVER STATE and SHUTDOWN unless it is explicitly granted to the login or role the login belongs to.
The example below will provision a login with access to a database and grant read/write permissions to a table.
CREATE LOGIN YourLogin WITH PASSWORD='<password-here>';
USE YourDatabase;
CREATE USER YourLogin;
GRANTT SELECT, INSERT, UPDATE, DELETE TO YourLogin;
Run the query below to identify permissions inadvertently granted or denied to the public server role and execute the REVOKE script to remove the permission. Only the default VIEW ANY DATABASE permissions will remain.
SELECT N'REVOKE ' + perm.permission_name COLLATE DATABASE_DEFAULT + N' FROM ' + prin.name + N';' --, perm.state_desc, perm.permission_name
FROM sys.server_principals AS prin
JOIN sys.server_permissions AS perm ON perm.grantee_principal_id = prin.principal_id
WHERE
prin.name = 'public'
AND perm.class_desc = 'Server'
AND perm.permission_name <> 'VIEW ANY DATABASE';
Using portal.azure.com I've created SQL Server and SQL Database. I've set myself as the SQL Server admin.
I'm able to connect with my AAD account using SSMS.
I add another AAD users to my database:
use [MyDatabase]
CREATE USER [usename_emaildomain#EXT##mydirectory.onmicrosoft.com] FROM EXTERNAL PROVIDER;
--add read permissions
EXEC sp_addrolemember 'db_datareader', [usename_emaildomain#EXT##mydirectory.onmicrosoft.com]
But how do grant him admin rights so that he has full access to all databases? I'm able to sent only one admin in Azure Portal.
I don't know why SQL Azure only allows one security principal to be designated as admin but anyway....
You can assign one user or one group. So put all of your users in a group and assign that group as the administrator
I have created Logins in Azure SQL via SSMS on two other environments, but on the third Azure SQL Server, the same exact SQL command creates logins but they don't show in SSMS. I am using these Logins to then users for databases. As I have stated it has worked on every other Azure SQL Server.
However, when I create my Logins, they don't show up under Security > Logins and if I try to create user for the db, I get the following error:
'myuser' is not a valid login or you do not have permission.
Here is my SQL to create the Login:
CREATE LOGIN myuser WITH PASSWORD = 'p#ssword';
Here is my SQL I run on a selected database to add the above created user with execute rights:
CREATE USER [myuser] FROM LOGIN [myuser];
GRANT EXECUTE TO [myuser]
To be clear, the Login (first SQL) said that it is created, but it doesn't show in SSMS and doesn't allow me to create Users in the DBs
I have the following script which creates a new database, a new user and login. I have some custom software that my clients use to log into the database and create the necessary tables, SP and populate the tables with data. The databases are hosted remotely online which I have full access to.
**EDIT-> The problem I have is that I cannot open a new connection and create any tables using the new user. Its looks like a permissions issue as it works ok with sa root account login.
Ideally I would like run this single script so I can deploy a new database to a new client via SQL Server Management Studio easily with the minimal of fuss
Please see my script below:
-- SEARCH AND REPLACE THE FOLLOWING TERMS
--
-- db_TestDatabase Database name
-- TestPa$$w0rd password
-- TestUser1 username
use master
go
--create a test database
CREATE DATABASE [db_TestDatabase]
GO
--create user login
CREATE LOGIN [TestUser1] WITH PASSWORD=N'TestPa$$w0rd'
GO
--create user in database
CREATE USER [TestUser1] FOR LOGIN [TestUser1] WITH DEFAULT_SCHEMA=[test_Schema]
GO
--create role
CREATE ROLE [test_Role] AUTHORIZATION [dbo]
GO
--create schema
CREATE SCHEMA [test_Schema] AUTHORIZATION [TestUser1]
GO
--apply permissions to schemas
GRANT ALTER ON SCHEMA::[test_Schema] TO [test_Role]
GO
GRANT CONTROL ON SCHEMA::[test_Schema] TO [test_Role]
GO
GRANT SELECT ON SCHEMA::[test_Schema] TO [test_Role]
GO
GRANT DELETE ON SCHEMA::[dbo] TO [test_Role]
GO
GRANT INSERT ON SCHEMA::[dbo] TO [test_Role]
GO
GRANT SELECT ON SCHEMA::[dbo] TO [test_Role]
GO
GRANT UPDATE ON SCHEMA::[dbo] TO [test_Role]
GO
GRANT REFERENCES ON SCHEMA::[dbo] TO [test_Role]
GO
--ensure role membership is correct
EXEC sp_addrolemember N'test_Role ', N'TestUser1'
GO
--allow users to create tables in test_Schema
GRANT CREATE TABLE TO [test_Role]
GO
--Allow user to connect to database
GRANT CONNECT TO [TestUser1]
Any suggestions would be appreciated.
Thank you
It could be a User Access Control issue, try right clicking Management Studio and Run as Administrator, if you have that privilege and it may get past the issue you're seeing.
Some related reading:
User Account Control and SQL Server
User Account Control affects Microsoft SQL Server in terms of
connectivity (SQL Server login) and in limiting access to resources on
the administrators’ access control list (ACL).
In versions earlier than Windows Vista and Windows Server 2008,
members of the local administrator group do not need their own SQL
Server logins and they do not need to be granted administrator
privileges inside SQL Server. They connect to SQL Server as the
built-in server principal BUILTIN\Administrators (B\A), and they have
administrator privileges because B\A is a member of the sysadmin fixed
server role. Administrator rights are stripped away in Windows Vista
and Windows Server 2008, so administrator users cannot connect to SQL
Server instance by virtue of being B\A, unless connecting from an
elevated client application.
I wanted to grand a CREATE DATABASE permission inside my SQL Azure Server to a specific user. I went to windows.azure.com, logged in, selected "Database" on the left pane, logged into the "master" database under the database admin account, selected "New Query" - a window with master: Query(Untitled1.sql) header appeared.
I typed
GRANT CREATE DATABASE TO THATUSERLOGIN;
and pressed execute and the query result is
CREATE DATABASE permission can only be granted in the master database.
What am I doing wrong? How do I do that right?
Try
USE master
GO
GRANT CREATE DATABASE TO THATUSERLOGIN
If that does not help then try to look at the Managing Databases and Logins in SQL Azure guide:
http://msdn.microsoft.com/en-us/library/windowsazure/ee336235.aspx