Azure Active Directory non-admin user access Azure SQL database - azure

I need to create several users in Azure active directory and allow them to access my Azure SQL DB. What I do is create them here
And then I create them in database
CREATE USER [vitaliy#xxx.com] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [vitaliy#xxx.com];
But after I login, it triggers the browser-based authentication and then I get the following error
However, it works awesome with the AD account that set as Active Directory Admin
I am using SSMS and 'Azure Active Directory - Universal with MFA' authentication mechanizm

Answer: in this case, you don't have permissions to connect to the server so you should specify the database when you log in

Related

SQL Server Management Studio - Login errors <Token identified principal>

I have an Azure SQL Server resource for which I'm the Azure AD admin. I have provided the resource access "Contributor" to another user who cannot access the database through SQL Server Management Studio as he is receiving the following error using the correct server and database name with Azure authentication using MFA option:
Then, we thought of switching to Azure Data Studio, somehow the database is getting connected there but in there, the issue is that the user cannot alter the table designs, as the following error pops up:
What can be done to possibly sort at least one of the issues?
For ADS and SSMS, User is created within database with db_datareader, db_datawriter and db_ddladmin rights. He has a contributor role to the Azure SQL Server instance.
In SSMS, sometimes while connecting to the database, it accesses the database which tries to connect to the master db. We have tried entering the database name manually still the same error.
Under the SQL Server -> Azure AD Admin -> I have even tried to set that user as the admin, even then the SSMS shows the same error.
Please help.
For the SSMS Connection to Azure SQL Server with MFA:
If you are connecting from SSMS you may also need to change the default database option. By default, it will try to connect to master DB where this user may not exist there as AAD users are contained inside each user database.
In the SSMS Connect Explorer > Options - Connection properties - Give the Database Name and in the Login Tab > Authentication as Azure AD - Universal with MFA and username is your Azure Account username.
I have made my user as SQL Server Admin in the Azure Portal.
While creating the SQL Server, selected the sample database provided by Azure and I have changed the design of the table, it is working as expected.
For the Azure Data Studio connection to the Azure SQL Server:
I have given below details in Data Studio Explorer to connect and it connected Successfully:
Added a column to the existing Table:
Result:
Note:
To use the SQL Server Authentication as Azure AD with Universal MFA, the user account must be Azure AD Account.
Make that user as Azure SQL - AD Admin and following the steps as #Junnas said here - Create the user with Grant Permissions for working on the database using either database roles or database permissions.
Also Give the Contributor role to that user on the Azure SQL Server Instance Level by going to Azure Portal > SQL Server > Access Control > Add Role Assignment either to SQL Server Contributor or SQL DB Contributor:
Contributor role does nothing for SQL database access.
It only gives access to Azure resource management APIs; SQL endpoints are not under those APIs.
The user must be added in the database with something like:
CREATE USER [test.user#example.com] FROM EXTERNAL PROVIDER;
-- Grant permissions etc.
Then the user should select "Azure Active Directory - Universal with MFA support" as the authentication type.
They also need to ensure the target database is selected, not master.
I think the user also needs to ensure the right Azure AD tenant is selected.
In Azure Data Studio there is a selection for it.

Azure SQL Server - can't authenticate linked service from pipeline

So, I was provisioned an Azure SQL server into my subscription of Azure, and I am using Azure Data Factory. Well, starting to use it
The problem I ran into is the following.
I am able to connect
to Azure SQL Server database via
- SQL Management Studio,
- via Visual Studio Code with SQL Tools extension,
- and with Azure data studio.
I was able to create tables and stored procedures.
All this I am doing by logging in using Authentication type
"Azure Active Directory - Universal With MFA"
.. and providing my "Active Directory Admin". (The "Server Admin" does not work as I do not know what the password was when it was created and our sys admin said "it was blank" ??)
However, when I try to set up a linked service on Azure Data Factory and connect to the same SQL Server - I do not see that option (Azure Active Directory - Universal With MFA) in the drop down for Authentication type.
Those available
- SQL Authentication
- System Assigned Managed Identity
- Service Principal
- User Assigned Managed Identity
I tried them all, and I can't connect using either.
My understanding is that there is more to be done on the server management side, but I do not understand what.
You can use service principal method to create a success linked service to your SQL database using Azure active directory authentication. You need to follow the steps below:
First create an app registration in Azure active directory. Go to azure active directory and select App registrations.
Create a new app registration with certain name. As you can see in the above image, I have created it with the name for_sql_db.
Since you already have set your SQL server with Azure Active directory admin, create a user using the name of the app registration created above. Assign this user any required role. I have used the following queries in my query editor of SQL database.
CREATE USER [for_sql_db] FROM EXTERNAL PROVIDER;
ALTER ROLE [db_owner] ADD MEMBER [for_sql_db];
Once the user is created in your SQL database, go to data factory to create linked service.
Select the SQL server and database you want to create linked service to. Choose the Authentication as Service Principal.
Then you can see Tenant , Service principal ID and Service principal key. Go to the app registration you have created. Here you can see Directory tenant ID and application client ID. Give them as following:
linked service Tenant: Directory Tenant ID
Service principal ID: application client ID
For Service principal key, you need to create a secret in your app registration (for_sql_db).
After creating the client secret, copy its value and use it as Service principal key in data factory linked service.
You can see that, I have followed the above procedure and successfully created linked service to my SQL database.

Can an Azure "group" be used as Azure Sql Database's "Active Directory Admin"?

Azure SQL Database lets you set a user as an Active Directory Admin. This allows you to log into the database using your microsoft account credentials. I would like to use an Azure security group instead of a single user so that multiple people in our domain can be Azure SQL DB admins.
I've tried creating an Azure security group "TestGroup" and using it in the Azure configuration. I can successfully set "TestGroup" as the Active Direcory Admin in the Azure portal for the DB, but when I try to log into the DB using SQL Server Management Studio, it doesn't let me in. I confirmed my user is in this group.
This is the error it returns:
From what you described you did assign the Active Directory admin as group correctly.
I suspect that your problem lies with the logging in method, in order to log in by AAD, you need to select "Azure Active Directory - Universal with MFA" option, and under user name provide email from within the AAD security group. Then the azure login window should pop up.
Azure "groups" can be used as "Active Directory administrators" for Azure Sql databases.
When using Azure Active Directory authentication, put Azure Active
Directory users into an Azure Active Directory security group. Create
a contained database user for the group. Place one or more database
users into a custom database role with specific permissions
appropriate to that group of users.
When using SQL authentication, create contained database users in the
database. Place one or more database users into a custom database role
with specific permissions appropriate to that group of users.
I hope this article will help you here.

Azure SQL - How to add AD users to SQL Pool Databases

Problem: I am trying to add active directory users & groups (synced from on-prem to Azure AD) to SQL databases that exist in a SQL elastic pool on Azure in the same tenant. I do not want to use SQL Server Authentication (integrated). It seems that I am not able to log in with an AD account (required) to add additional AD accounts.
The on premise directory is synced to Azure AD. Tenant is configured and working with O365 email and we now have several SQL databases that exist in our tenant in an elastic pool.
Note: this is not a managed SQL instance. When I manage the elastic pool or database directly, I do not have the menu option Active Directory admin available, as outlined here.
My AD administrator account is added to elastic pool Access control (IAM) as an owner.
Using SSMS to connect to database in cloud, it is possible to connect to database using SQL Server Authentication. When I try to CREATE USER [username#mytenant.com] FROM EXTERNAL PROVIDER I receive error Principal 'username#mytenant.com' could not be created. Only connections established with Active Directory accounts can create other Active Directory users.
The reason for this, also outlined here, is "Users that are not based on an Azure AD account (including the Azure SQL server administrator account), cannot create Azure AD-based users, because they do not have permission to validate proposed database users with the Azure AD."
Using SSMS again and connecting with Active Directory - Universal with MFA support as username#mytenant.com, on login attempt I receive error Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. (Microsoft SQL Server, Error: 18456). Same results when I configure Connect to database as DBName and AD domain name or tenant ID as mytenant.onmicrosoft.com. I have the same outcome even when using the initial tenant administrator account that we created when setting up environment.
So my question at the end of the day - How do I add an AD user synced from on prem to an Azure SQL database (or elastic pool) so that I can login with that user and begin adding additional AD users to the database?
I am clearly missing something fundamental and just need a point in the right direction. Thanks for any assistance provided.
First create an Active Directory Admin for the pool.
Select your existing Elastic Pool in the portal
From “Overview”, click on your “Server Name”
Select “Active Directory Admin” -> “Set Admin”. You can set a single user or an AD Group as the Administrator.
You can also do this from the CLI:
> az sql server ad-admin create --object-id <Object-Id-OfUserOrGroup>
-s <Database-Name>
-g <Resource-Group>
-u <NameOrEmailAkaDisplayName>
Now, you should now be able to log in to a database in the Elastic Pool with your AD Admin login via SSMS. In this case you can log in via “Active Directory Password Authentication”, but you can also use “Universal Authentication” or “Integrated Authentication”.
Once you’re logged in as the AD Administrator, you can create a new SQL Server USER that corresponds to an AD Group. Please consider I’ve already created an AD group called “SQL Developers” so I can map it to an Azure SQL Server database and add it to db_datareader fixed role like this:
CREATE USER [SQL Developers] FROM EXTERNAL PROVIDER
ALTER ROLE db_datareader ADD MEMBER [SQL Developers]

Logging into Azure Sql

I created a user in our AD Connected on-prem Active Directory. The user is synced up to AAD.
This user is now tied to our on-prem domain
I have added this user as the SQL Active Directory Admin
My issue is:
I cannot login to azure sql with this AD Admin via SSMS or sqlcmd
I receive the error, login failed, as if the password isn’t correct or something
My question is:
Can I login to Azure sql with an on-prem ad synced aad user account?
Does Azure sql tie to the AAD tenant domain only, regardless of we have an AD-Connect set up with our on-prem domain?
I need to login to sql with the ad admin account, to beable to add other aad users or groups as a sql dB user
I believe that creating the user in our Ad makes the azure sql not recognize it, since the azure sql is on the aad domain
Is this possible?
Use this Azure documentation to configure Azure Active Directory (AAD) and use it to access an Azure SQL Database. After configuring AAD, you just need to add an ADD group as Azure SQL Database admin and all user part of that group will be able to use MFA authentication. You can use SQL Server Management Studio to test it.
SQLCMD does not support MFA authentication.

Resources