Azure SQL Server - can't authenticate linked service from pipeline - azure

So, I was provisioned an Azure SQL server into my subscription of Azure, and I am using Azure Data Factory. Well, starting to use it
The problem I ran into is the following.
I am able to connect
to Azure SQL Server database via
- SQL Management Studio,
- via Visual Studio Code with SQL Tools extension,
- and with Azure data studio.
I was able to create tables and stored procedures.
All this I am doing by logging in using Authentication type
"Azure Active Directory - Universal With MFA"
.. and providing my "Active Directory Admin". (The "Server Admin" does not work as I do not know what the password was when it was created and our sys admin said "it was blank" ??)
However, when I try to set up a linked service on Azure Data Factory and connect to the same SQL Server - I do not see that option (Azure Active Directory - Universal With MFA) in the drop down for Authentication type.
Those available
- SQL Authentication
- System Assigned Managed Identity
- Service Principal
- User Assigned Managed Identity
I tried them all, and I can't connect using either.
My understanding is that there is more to be done on the server management side, but I do not understand what.

You can use service principal method to create a success linked service to your SQL database using Azure active directory authentication. You need to follow the steps below:
First create an app registration in Azure active directory. Go to azure active directory and select App registrations.
Create a new app registration with certain name. As you can see in the above image, I have created it with the name for_sql_db.
Since you already have set your SQL server with Azure Active directory admin, create a user using the name of the app registration created above. Assign this user any required role. I have used the following queries in my query editor of SQL database.
CREATE USER [for_sql_db] FROM EXTERNAL PROVIDER;
ALTER ROLE [db_owner] ADD MEMBER [for_sql_db];
Once the user is created in your SQL database, go to data factory to create linked service.
Select the SQL server and database you want to create linked service to. Choose the Authentication as Service Principal.
Then you can see Tenant , Service principal ID and Service principal key. Go to the app registration you have created. Here you can see Directory tenant ID and application client ID. Give them as following:
linked service Tenant: Directory Tenant ID
Service principal ID: application client ID
For Service principal key, you need to create a secret in your app registration (for_sql_db).
After creating the client secret, copy its value and use it as Service principal key in data factory linked service.
You can see that, I have followed the above procedure and successfully created linked service to my SQL database.

Related

SQL Server Management Studio - Login errors <Token identified principal>

I have an Azure SQL Server resource for which I'm the Azure AD admin. I have provided the resource access "Contributor" to another user who cannot access the database through SQL Server Management Studio as he is receiving the following error using the correct server and database name with Azure authentication using MFA option:
Then, we thought of switching to Azure Data Studio, somehow the database is getting connected there but in there, the issue is that the user cannot alter the table designs, as the following error pops up:
What can be done to possibly sort at least one of the issues?
For ADS and SSMS, User is created within database with db_datareader, db_datawriter and db_ddladmin rights. He has a contributor role to the Azure SQL Server instance.
In SSMS, sometimes while connecting to the database, it accesses the database which tries to connect to the master db. We have tried entering the database name manually still the same error.
Under the SQL Server -> Azure AD Admin -> I have even tried to set that user as the admin, even then the SSMS shows the same error.
Please help.
For the SSMS Connection to Azure SQL Server with MFA:
If you are connecting from SSMS you may also need to change the default database option. By default, it will try to connect to master DB where this user may not exist there as AAD users are contained inside each user database.
In the SSMS Connect Explorer > Options - Connection properties - Give the Database Name and in the Login Tab > Authentication as Azure AD - Universal with MFA and username is your Azure Account username.
I have made my user as SQL Server Admin in the Azure Portal.
While creating the SQL Server, selected the sample database provided by Azure and I have changed the design of the table, it is working as expected.
For the Azure Data Studio connection to the Azure SQL Server:
I have given below details in Data Studio Explorer to connect and it connected Successfully:
Added a column to the existing Table:
Result:
Note:
To use the SQL Server Authentication as Azure AD with Universal MFA, the user account must be Azure AD Account.
Make that user as Azure SQL - AD Admin and following the steps as #Junnas said here - Create the user with Grant Permissions for working on the database using either database roles or database permissions.
Also Give the Contributor role to that user on the Azure SQL Server Instance Level by going to Azure Portal > SQL Server > Access Control > Add Role Assignment either to SQL Server Contributor or SQL DB Contributor:
Contributor role does nothing for SQL database access.
It only gives access to Azure resource management APIs; SQL endpoints are not under those APIs.
The user must be added in the database with something like:
CREATE USER [test.user#example.com] FROM EXTERNAL PROVIDER;
-- Grant permissions etc.
Then the user should select "Azure Active Directory - Universal with MFA support" as the authentication type.
They also need to ensure the target database is selected, not master.
I think the user also needs to ensure the right Azure AD tenant is selected.
In Azure Data Studio there is a selection for it.

Is it possible to change the Azure AD that an Azure SQL instance authenticates against?

When we create an Azure SQL server, we can opt to have it authenticate users against Azure AD, but I don't see any option during creation (or afterward in the settings pages of the server instance) to select which directory, if the account has more than one; it seems to just use the one marked as "default" in the directories list. The account I'm creating the SQL server in has 4 directories, two normal and two B2C:
The "setup a new SQL server" wizard offers "Azure AD" as an option, but not any choice of which:
How do we change the directory a particular SQL server uses? And can it be an Azure AD B2C directory, or does it have to be an Azure AD type directory?
• You can surely set the directory of the Azure SQL server that you are connecting to by specifying the ‘Azure subscription context’ and the Azure subscription and tenant details as shown below in the ‘Connect-AzAccount’ cmdlet and then connecting to the correct Azure SQL database through the SQL Server Management Studio. As when through the powershell, you connect to the Azure subscription account by specifying the correct details in the context of your Azure tenant and subscription, the device based login is done successfully and when you connect through the SSMS, the SQL servers and databases are shown that are created in the specified tenant.
Thus, in this way, you can connect to the Azure SQL Database server with the configured Azure AD authentication. Also, please do take note that when you are provisioning an Azure SQL server, it asks you an option to select the ‘Azure AD Admin’ for that SQL server as below in which you can select the user (default) that needs to be used an SQL Administrator for the deployed Azure SQL DB Server.
• Therefore, in this way, you can select the Azure AD tenant from which you want to authenticate to the SQL server. Also, please remember that each subscription can only trust a single directory/Azure AD instance, whereas multiple subscriptions can trust the same Azure AD instance. As a result, in the same Azure AD tenant, you can associate multiple subscriptions but the vice versa is not possible. Hence, please check accordingly.
Please check the below given link for more details: -
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory

Can an Azure "group" be used as Azure Sql Database's "Active Directory Admin"?

Azure SQL Database lets you set a user as an Active Directory Admin. This allows you to log into the database using your microsoft account credentials. I would like to use an Azure security group instead of a single user so that multiple people in our domain can be Azure SQL DB admins.
I've tried creating an Azure security group "TestGroup" and using it in the Azure configuration. I can successfully set "TestGroup" as the Active Direcory Admin in the Azure portal for the DB, but when I try to log into the DB using SQL Server Management Studio, it doesn't let me in. I confirmed my user is in this group.
This is the error it returns:
From what you described you did assign the Active Directory admin as group correctly.
I suspect that your problem lies with the logging in method, in order to log in by AAD, you need to select "Azure Active Directory - Universal with MFA" option, and under user name provide email from within the AAD security group. Then the azure login window should pop up.
Azure "groups" can be used as "Active Directory administrators" for Azure Sql databases.
When using Azure Active Directory authentication, put Azure Active
Directory users into an Azure Active Directory security group. Create
a contained database user for the group. Place one or more database
users into a custom database role with specific permissions
appropriate to that group of users.
When using SQL authentication, create contained database users in the
database. Place one or more database users into a custom database role
with specific permissions appropriate to that group of users.
I hope this article will help you here.

Azure Active Directory - No Valid Subscription Found

I am trying to get a Database configured to use Integrated Auth. In other words, I have an App Service, and I want it to use Integrated Auth so that I don't have to use Sql Server username/password in a connection string.
So I went to my existing Azure Account and created an Azure Active Directory.
The Active Directory was created, and I then switched to this Directory. However, all of the resources of my usual Azure account are not to be found. It is as if I had created a brand new Azure account.
If I try to create a resource, it tells me that I have no subscription, and that I need to create one. So I created one, but it ended up getting linked to my original account, not the new Active Directory Account.
I tried again to add a subscription, but it asks me to sign in, but I don't understand how I am supposed to sign in to the new AD account.
I am not understanding what is going on here. Is an Azure Active Directory a new and different account than my original?
How do I "sign in" to the new active directory so I can add a subscription?
An Azure subscription is always linked to an Azure AD tenant (directory).
The hierarchy looks like this:
Your default Azure AD
Subscription
SQL DB
The new Azure AD you created
So you can see the SQL DB is looking at the Azure AD you already had.
Because that's the one linked to the sub where the DB is.
Make sure you are looking at the directory where your DB is, you should be able to go to "Azure Active Directory" from the service list.
"Integrated auth" usually means AD authentication, so I want to clarify that Azure SQL does not support that.
Neither does App Service.
What they do support is Azure AD authentication, which is documented here: https://learn.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication.
Mostly I recommend enabling a Managed Identity on the App Service, granting it access to the database, and then using that from within the app to connect.

Azure SQL - How to add AD users to SQL Pool Databases

Problem: I am trying to add active directory users & groups (synced from on-prem to Azure AD) to SQL databases that exist in a SQL elastic pool on Azure in the same tenant. I do not want to use SQL Server Authentication (integrated). It seems that I am not able to log in with an AD account (required) to add additional AD accounts.
The on premise directory is synced to Azure AD. Tenant is configured and working with O365 email and we now have several SQL databases that exist in our tenant in an elastic pool.
Note: this is not a managed SQL instance. When I manage the elastic pool or database directly, I do not have the menu option Active Directory admin available, as outlined here.
My AD administrator account is added to elastic pool Access control (IAM) as an owner.
Using SSMS to connect to database in cloud, it is possible to connect to database using SQL Server Authentication. When I try to CREATE USER [username#mytenant.com] FROM EXTERNAL PROVIDER I receive error Principal 'username#mytenant.com' could not be created. Only connections established with Active Directory accounts can create other Active Directory users.
The reason for this, also outlined here, is "Users that are not based on an Azure AD account (including the Azure SQL server administrator account), cannot create Azure AD-based users, because they do not have permission to validate proposed database users with the Azure AD."
Using SSMS again and connecting with Active Directory - Universal with MFA support as username#mytenant.com, on login attempt I receive error Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. (Microsoft SQL Server, Error: 18456). Same results when I configure Connect to database as DBName and AD domain name or tenant ID as mytenant.onmicrosoft.com. I have the same outcome even when using the initial tenant administrator account that we created when setting up environment.
So my question at the end of the day - How do I add an AD user synced from on prem to an Azure SQL database (or elastic pool) so that I can login with that user and begin adding additional AD users to the database?
I am clearly missing something fundamental and just need a point in the right direction. Thanks for any assistance provided.
First create an Active Directory Admin for the pool.
Select your existing Elastic Pool in the portal
From “Overview”, click on your “Server Name”
Select “Active Directory Admin” -> “Set Admin”. You can set a single user or an AD Group as the Administrator.
You can also do this from the CLI:
> az sql server ad-admin create --object-id <Object-Id-OfUserOrGroup>
-s <Database-Name>
-g <Resource-Group>
-u <NameOrEmailAkaDisplayName>
Now, you should now be able to log in to a database in the Elastic Pool with your AD Admin login via SSMS. In this case you can log in via “Active Directory Password Authentication”, but you can also use “Universal Authentication” or “Integrated Authentication”.
Once you’re logged in as the AD Administrator, you can create a new SQL Server USER that corresponds to an AD Group. Please consider I’ve already created an AD group called “SQL Developers” so I can map it to an Azure SQL Server database and add it to db_datareader fixed role like this:
CREATE USER [SQL Developers] FROM EXTERNAL PROVIDER
ALTER ROLE db_datareader ADD MEMBER [SQL Developers]

Resources