What is the best approach for syncing users between Azure AD and an Azure-hosted SQL DB? I would like users to be able to authenticate to the Azure site and then the .Net core v3.1 application will use the authenticated Azure AD user Id to insert table row data based on the authenticated user ID. I am sure this is pretty straight forward but some articles or advice would be helpful as this is my first stab at hosting an Azure .Net Core solution with Azure AD and website SQL DB.
My site currently authenticates users that I've added to Azure Active Directory and I have the tenant connecting and working correctly.
Do you want users to be able to only see or add data based on their authentication? Or do you only want the app to insert the data of the user like an automated process?
If the first option, consider Row-level Security
If the second option you need to add permissions for all users to the DB then its like any other connection. Connect to the DB using AAD then you can insert data under that user
Related
We have written some code (I hesitate to use the term "application") in .NET Core using Visual Studio 2019. This concept is relatively simple; when a user opens a "proprietary" Excel workbook (an Excel file that calls our code) the code goes out to a hosted (by us) Azure SQL Managed database and returns data based on the parameters passed in by the user.
In Azure, we have a single production App Service plan with an App Service dedicated to each client (company). My question is about security: I'd like to tie each App Service to the related company's Azure AD. I do NOT want to create an account on my Azure AD for each user, although I can certainly do this through the "invitation" process using B2B. Can each App Service be "pointed" to a specific external instance of Azure AD so that only users from that company can access the related data?
Thanks.
You may use two different flows:
Each WebApp will authenticate users from only one specific Azure AD tenant
One WebApp will authenticate users from multiple Azure AD tenants
Both solution can be achieved with Azure AD multi-tenant authentication application pattern.
Here are steps you need to implement:
Update App registration to be multi-tenant
Update your code to send requests to /common
Update your code to handle multiple/single issuer values
Here is a picture that describes the flow
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant
TLDR;
How do I add AD users to an Azure database created in a DevOps pipeline?
Our DBA has a process to create daily bacpacs from production and store them in an azure blob container, I then provided the developers with a DevOps pipeline that restores a specified bacpac into the development server. The issue is that the developers can't connect to these databases using their domain account. I don't know how to give them access because
AFAIK I can't connect with a domain user to the database from the pipeline
Azure requires that the connected user is an AD user to be able to create other AD users
I could work around it by creating an sql user and grant that user permissions in the pipeline, however the company is actually moving away from sql users and relying more on AD security and MFA, so this isn't really a solution for me.
For one to add domin account to the database, one must be logged in to the database via a domain account that has adminstrative privileges.
So there is a Azure SQL database deployment task in Azure devops wherein you have the property to execute SQL queries.
So you can use that task to automate the user access through SQL tasks by connecting through the AD account.
Note: Recently a new authentication has been added of service principal
Hope this is what you are expecting :)
Our project is using Azure B2C for customer identity/information and Azure SQL for transactions and such. We need to run reports that pulls from both places (i.e. a transaction report).
What is the best way to create such reports? Is there a pattern for this?
I could copy just the fields needed to B2C into SQL but that introduces consistency issues.
Thank you for any information!
You can use Azure Active Directory for authentication with your Azure SQL Database , Not Azure AD B2C.
If you would like to use Azure AD authentication with your SQL database please refer the document
Microsoft allows use of the Authentication command in Azure SQL to connect to the database using an Azure AD account.
https://azure.microsoft.com/en-us/documentation/articles/sql-database-aad-authentication/
Under heading 7.1. Connecting using integrated (Windows) authentication
How can I use this on an Azure App Service?
Note: I am specifically trying NOT to include the password as the next heading shows. I specifically want integrated.
If my understanding of the documentation is correct, you can achieve this yourself using Token Based authentication. It shouldn't require anything special from Azure App Service. See here for details and sample code:
https://blogs.msdn.microsoft.com/sqlsecurity/2016/02/09/token-based-authentication-support-for-azure-sql-db-using-azure-ad-auth/
The new token-based authentication method allows middle-tier services to obtain a token from Azure AD and use it to connect to Azure SQL Database.
Azure App Service machines are not part of your domain, so this isn't going to work. This was designed to let domain joined clients connect to SQL.
SQL Username/password is the only option left.
Update: see Chris Post about the new token based features
I have a question on how we currently deploy applications on premises and how this would work in Azure.
So our on premises application is as follows:
We have a web application deployed on
our web server (WebAppExample1) that
talks to an application
(AppServerExample1) on our App
Server.
AppServerExample1 goes to our
database for data in Table1.
In our database the only application that
requires permission to Table1 is
AppServerExample1, so we create a DB
Role and grant appropriate
permissions. We associate this role
with an Active directory user
(AppServerExample1User) that
AppServerExample1 runs as.
How can this be done in Azure?
From looking at some samples I dont see anyone defining permissions at this level, which to me should be done (least privelage).
Also I believe you can not be an Admin in SQL Azure so does this mean you cannot create DB roles?
Thanks for replies
From everything I've read I believe you can create Roles in SQL Azure - e.g. see http://www.structuretoobig.com/post/2010/02/13/SQL-Azure-Logins.aspx
If you try and find you can't, then perhaps you could achieve this using users with different permissions rather than roles - see http://msdn.microsoft.com/en-us/library/ee336235.aspx#DatabasePerms
This database-level permission model in SQL Azure Database is same as
an on-premise instance of SQL Server.
For information, see the following
topics in SQL Server Books Online
references.
Identity and Access Control (Database Engine)
Managing Logins, Users, and Schemas How-to Topics
Lesson 2: Configuring Permissions on Database Objects