TLDR;
How do I add AD users to an Azure database created in a DevOps pipeline?
Our DBA has a process to create daily bacpacs from production and store them in an azure blob container, I then provided the developers with a DevOps pipeline that restores a specified bacpac into the development server. The issue is that the developers can't connect to these databases using their domain account. I don't know how to give them access because
AFAIK I can't connect with a domain user to the database from the pipeline
Azure requires that the connected user is an AD user to be able to create other AD users
I could work around it by creating an sql user and grant that user permissions in the pipeline, however the company is actually moving away from sql users and relying more on AD security and MFA, so this isn't really a solution for me.
For one to add domin account to the database, one must be logged in to the database via a domain account that has adminstrative privileges.
So there is a Azure SQL database deployment task in Azure devops wherein you have the property to execute SQL queries.
So you can use that task to automate the user access through SQL tasks by connecting through the AD account.
Note: Recently a new authentication has been added of service principal
Hope this is what you are expecting :)
Related
When we create an Azure SQL server, we can opt to have it authenticate users against Azure AD, but I don't see any option during creation (or afterward in the settings pages of the server instance) to select which directory, if the account has more than one; it seems to just use the one marked as "default" in the directories list. The account I'm creating the SQL server in has 4 directories, two normal and two B2C:
The "setup a new SQL server" wizard offers "Azure AD" as an option, but not any choice of which:
How do we change the directory a particular SQL server uses? And can it be an Azure AD B2C directory, or does it have to be an Azure AD type directory?
• You can surely set the directory of the Azure SQL server that you are connecting to by specifying the ‘Azure subscription context’ and the Azure subscription and tenant details as shown below in the ‘Connect-AzAccount’ cmdlet and then connecting to the correct Azure SQL database through the SQL Server Management Studio. As when through the powershell, you connect to the Azure subscription account by specifying the correct details in the context of your Azure tenant and subscription, the device based login is done successfully and when you connect through the SSMS, the SQL servers and databases are shown that are created in the specified tenant.
Thus, in this way, you can connect to the Azure SQL Database server with the configured Azure AD authentication. Also, please do take note that when you are provisioning an Azure SQL server, it asks you an option to select the ‘Azure AD Admin’ for that SQL server as below in which you can select the user (default) that needs to be used an SQL Administrator for the deployed Azure SQL DB Server.
• Therefore, in this way, you can select the Azure AD tenant from which you want to authenticate to the SQL server. Also, please remember that each subscription can only trust a single directory/Azure AD instance, whereas multiple subscriptions can trust the same Azure AD instance. As a result, in the same Azure AD tenant, you can associate multiple subscriptions but the vice versa is not possible. Hence, please check accordingly.
Please check the below given link for more details: -
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
Most of the sample ARM templates I find for deploying an Azure App Service + Azure SQL database end up configuring the connection string for the web app using the administrator login credentials provided when creating the Azure SQL Server (this one from Microsoft, for example). I've also seen the App Service configured for Managed Identity and then that user granted administrative access over the Azure SQL instance via AAD.
I'd never want to provision a production application this way, but I can't find examples in a more secure configuration.
The only other info I find about provisioning non-admin users is via SQL after the Azure SQL instance is already up. This means I have to add another step outside of my ARM deployment to get my system fully functional.
As of the time this question was written, running custom Powershell scripts as part of an ARM deploy is in preview and that could be a path forward, but it's not ideal.
Can non-administrative users be provisioned in Azure SQL via an ARM template, without resorting to PowerShell?
If you want to create non-administrative users in Azure SQL database via arm template, it is impossible. Because Azure ARM template team just defines Administrators type and does not define user type or user property in server. We just can create SQL Admin or Azure AD Admin via ARM template. For more details, please refer to here and here
So if you want to create non-administrative users, you need to write custom scripting.
If you want to create the users as part of a template deployment, you can use the deploymentScripts resource to run TSQL or any arbitrary script:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-script-template?tabs=CLI
If you want to do it as part of the declaration of the Microsoft.SQL/servers resource, no you can't (as Jim mentioned).
Problem: I am trying to add active directory users & groups (synced from on-prem to Azure AD) to SQL databases that exist in a SQL elastic pool on Azure in the same tenant. I do not want to use SQL Server Authentication (integrated). It seems that I am not able to log in with an AD account (required) to add additional AD accounts.
The on premise directory is synced to Azure AD. Tenant is configured and working with O365 email and we now have several SQL databases that exist in our tenant in an elastic pool.
Note: this is not a managed SQL instance. When I manage the elastic pool or database directly, I do not have the menu option Active Directory admin available, as outlined here.
My AD administrator account is added to elastic pool Access control (IAM) as an owner.
Using SSMS to connect to database in cloud, it is possible to connect to database using SQL Server Authentication. When I try to CREATE USER [username#mytenant.com] FROM EXTERNAL PROVIDER I receive error Principal 'username#mytenant.com' could not be created. Only connections established with Active Directory accounts can create other Active Directory users.
The reason for this, also outlined here, is "Users that are not based on an Azure AD account (including the Azure SQL server administrator account), cannot create Azure AD-based users, because they do not have permission to validate proposed database users with the Azure AD."
Using SSMS again and connecting with Active Directory - Universal with MFA support as username#mytenant.com, on login attempt I receive error Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. (Microsoft SQL Server, Error: 18456). Same results when I configure Connect to database as DBName and AD domain name or tenant ID as mytenant.onmicrosoft.com. I have the same outcome even when using the initial tenant administrator account that we created when setting up environment.
So my question at the end of the day - How do I add an AD user synced from on prem to an Azure SQL database (or elastic pool) so that I can login with that user and begin adding additional AD users to the database?
I am clearly missing something fundamental and just need a point in the right direction. Thanks for any assistance provided.
First create an Active Directory Admin for the pool.
Select your existing Elastic Pool in the portal
From “Overview”, click on your “Server Name”
Select “Active Directory Admin” -> “Set Admin”. You can set a single user or an AD Group as the Administrator.
You can also do this from the CLI:
> az sql server ad-admin create --object-id <Object-Id-OfUserOrGroup>
-s <Database-Name>
-g <Resource-Group>
-u <NameOrEmailAkaDisplayName>
Now, you should now be able to log in to a database in the Elastic Pool with your AD Admin login via SSMS. In this case you can log in via “Active Directory Password Authentication”, but you can also use “Universal Authentication” or “Integrated Authentication”.
Once you’re logged in as the AD Administrator, you can create a new SQL Server USER that corresponds to an AD Group. Please consider I’ve already created an AD group called “SQL Developers” so I can map it to an Azure SQL Server database and add it to db_datareader fixed role like this:
CREATE USER [SQL Developers] FROM EXTERNAL PROVIDER
ALTER ROLE db_datareader ADD MEMBER [SQL Developers]
We just completed the data migration from Teradata system to Azure SQL DW.
Now we just need to provide necessary access to all supporting Teradata Users and Service accounts to Azure SQL DW. For this i have some basic query:
All the accounts/Users are of domain type,so can i use Azure Active
directory to set up those accounts and configure it to have access
Azure SQL DW. Please let me know the process.
What kind of privilege/Access is needed in Azure Portal for
creating those account within Azure Active Directory.
In Azure SQL DW how do i add Azure AD account to specific roles
that i'll be creating. How the authentication will happen here.
Let me know if the above steps is feasible. Is there any alternative approach in providing on-prem User accounts access to Azure SQL DW
Thanks
You can follow the instructions on the Use Azure Active Directory Authentication for authentication with SQL Database, Managed Instance, or SQL Data Warehouse for setting up Azure Active Directory with SQL Data Warehouse. A subscription admin can configure the permissions - see the Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse.
In addition, there is a description of how to create AD users Adding AD Users and Security Groups to Azure SQL Data Warehouse. It's a simple matter of using the CREATE USER and CREATE LOGIN statements.
For users:
CREATE USER <alias#domain> FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA = <schema>;
For security groups:
CREATE USER <Security Group Display Name> FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA = <schema>;
I created a user in our AD Connected on-prem Active Directory. The user is synced up to AAD.
This user is now tied to our on-prem domain
I have added this user as the SQL Active Directory Admin
My issue is:
I cannot login to azure sql with this AD Admin via SSMS or sqlcmd
I receive the error, login failed, as if the password isn’t correct or something
My question is:
Can I login to Azure sql with an on-prem ad synced aad user account?
Does Azure sql tie to the AAD tenant domain only, regardless of we have an AD-Connect set up with our on-prem domain?
I need to login to sql with the ad admin account, to beable to add other aad users or groups as a sql dB user
I believe that creating the user in our Ad makes the azure sql not recognize it, since the azure sql is on the aad domain
Is this possible?
Use this Azure documentation to configure Azure Active Directory (AAD) and use it to access an Azure SQL Database. After configuring AAD, you just need to add an ADD group as Azure SQL Database admin and all user part of that group will be able to use MFA authentication. You can use SQL Server Management Studio to test it.
SQLCMD does not support MFA authentication.