How to configure a Windows authentication login for an Azure SQL database?
Azure SQL database doesn't support Windows authentication for now. Please reference this document Authentication:
SQL Database supports two types of authentication:
SQL Authentication:
This authentication method uses a username and password. When you created the SQL Database server for your database, you specified a "server admin" login with a username and password. Using these credentials, you can authenticate to any database on that server as the database owner, or "dbo."
Azure Active Directory Authentication:
This authentication method uses identities managed by Azure Active Directory and is supported for managed and integrated domains. If you want to use Azure Active Directory Authentication, you must create another server admin called the "Azure AD admin," which is allowed to administer Azure AD users and groups. This admin can also perform all operations that a regular server admin can. See Connecting to SQL Database By Using Azure Active Directory Authentication for a walkthrough of how to create an Azure AD admin to enable Azure Active Directory Authentication.
Reference tutorial: Use Azure Active Directory Authentication for authentication with SQL.
That means that you can not configure a Windows authentication login for an Azure SQL database.
Reference blog: Login to SQL Azure using Windows Authentication.
Hope this helps.
Related
When setting up a Data Migration Project, migrating from SQL database to Azure SQL Database in Azure Portal, I can only see the option to connect to the Target database using SQL Login Authentication Type.
I expect to see more options - like Azure AD integrated Mode.
I am in Azure AD Group assigned as SQL Admin on the Azure SQL Server.
Is any other Authentication Type supported for the target Azure Server?
If others are support, what do I need to do to get them to be available in the Authentication Option for the target server?
Thank you
The following tutorial spells out that only SQL Logins are currently supported:
https://learn.microsoft.com/en-us/azure/dms/tutorial-sql-server-to-azure-sql#specify-target-details
I have been trying to find out some nodejs code in order to connect from my nodeJs application to Azure SQL db via Azure AD authentication. But this will involve only my email Id. I don't have any Azure AD app as this will be from an email ID. I usually login onto my Azure SQL DB using my email Id and choosing the option 'Azure Active Directory-Universal with MFA' from MSSMS. Is there any way that we can replicate this from Code in NodeJs
If you want to Use Azure Active Directory authentication for your Azure SQL database, you must configure Azure AD for it.
Please ref this tutorial: Configure and manage Azure AD authentication with Azure SQL
SSMS and SqlPackage.exe are the only tools currently enabled for MFA through Active Directory Universal Authentication.
For your question "Is there any way that we can replicate this from Code in NodeJs", the answer is no, there isn't. Node.js only support these types:
authentication.type
Type of the authentication method, valid types are default, ntlm,
azure-active-directory-password, azure-active-directory-access-token,
azure-active-directory-msi-vm, or azure-active-directory-msi-app-service
Ref: https://tediousjs.github.io/tedious/api-connection.html
HTH.
Problem: I am trying to add active directory users & groups (synced from on-prem to Azure AD) to SQL databases that exist in a SQL elastic pool on Azure in the same tenant. I do not want to use SQL Server Authentication (integrated). It seems that I am not able to log in with an AD account (required) to add additional AD accounts.
The on premise directory is synced to Azure AD. Tenant is configured and working with O365 email and we now have several SQL databases that exist in our tenant in an elastic pool.
Note: this is not a managed SQL instance. When I manage the elastic pool or database directly, I do not have the menu option Active Directory admin available, as outlined here.
My AD administrator account is added to elastic pool Access control (IAM) as an owner.
Using SSMS to connect to database in cloud, it is possible to connect to database using SQL Server Authentication. When I try to CREATE USER [username#mytenant.com] FROM EXTERNAL PROVIDER I receive error Principal 'username#mytenant.com' could not be created. Only connections established with Active Directory accounts can create other Active Directory users.
The reason for this, also outlined here, is "Users that are not based on an Azure AD account (including the Azure SQL server administrator account), cannot create Azure AD-based users, because they do not have permission to validate proposed database users with the Azure AD."
Using SSMS again and connecting with Active Directory - Universal with MFA support as username#mytenant.com, on login attempt I receive error Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. (Microsoft SQL Server, Error: 18456). Same results when I configure Connect to database as DBName and AD domain name or tenant ID as mytenant.onmicrosoft.com. I have the same outcome even when using the initial tenant administrator account that we created when setting up environment.
So my question at the end of the day - How do I add an AD user synced from on prem to an Azure SQL database (or elastic pool) so that I can login with that user and begin adding additional AD users to the database?
I am clearly missing something fundamental and just need a point in the right direction. Thanks for any assistance provided.
First create an Active Directory Admin for the pool.
Select your existing Elastic Pool in the portal
From “Overview”, click on your “Server Name”
Select “Active Directory Admin” -> “Set Admin”. You can set a single user or an AD Group as the Administrator.
You can also do this from the CLI:
> az sql server ad-admin create --object-id <Object-Id-OfUserOrGroup>
-s <Database-Name>
-g <Resource-Group>
-u <NameOrEmailAkaDisplayName>
Now, you should now be able to log in to a database in the Elastic Pool with your AD Admin login via SSMS. In this case you can log in via “Active Directory Password Authentication”, but you can also use “Universal Authentication” or “Integrated Authentication”.
Once you’re logged in as the AD Administrator, you can create a new SQL Server USER that corresponds to an AD Group. Please consider I’ve already created an AD group called “SQL Developers” so I can map it to an Azure SQL Server database and add it to db_datareader fixed role like this:
CREATE USER [SQL Developers] FROM EXTERNAL PROVIDER
ALTER ROLE db_datareader ADD MEMBER [SQL Developers]
I created a user in our AD Connected on-prem Active Directory. The user is synced up to AAD.
This user is now tied to our on-prem domain
I have added this user as the SQL Active Directory Admin
My issue is:
I cannot login to azure sql with this AD Admin via SSMS or sqlcmd
I receive the error, login failed, as if the password isn’t correct or something
My question is:
Can I login to Azure sql with an on-prem ad synced aad user account?
Does Azure sql tie to the AAD tenant domain only, regardless of we have an AD-Connect set up with our on-prem domain?
I need to login to sql with the ad admin account, to beable to add other aad users or groups as a sql dB user
I believe that creating the user in our Ad makes the azure sql not recognize it, since the azure sql is on the aad domain
Is this possible?
Use this Azure documentation to configure Azure Active Directory (AAD) and use it to access an Azure SQL Database. After configuring AAD, you just need to add an ADD group as Azure SQL Database admin and all user part of that group will be able to use MFA authentication. You can use SQL Server Management Studio to test it.
SQLCMD does not support MFA authentication.
We have easily sent up our AD with Azure SQL which now we can login and run queries, etc... with SSMS. Now we would like to set our apps in Azure App Services to run as an AD user. This would be to mimic IIS apps using an application pool that's is running as an AD user. I have not found a clear blog or step by step guide on how to do this. any help would be greatly appreciated.
UPDATE:
This is specifically to be able to connect to the database using AD Credentials and not using SQL Credentials.
Azure Active Directory authentication for SQL Database or SQL Data Warehouse supports the following methods of connecting to a database using Azure AD identities( refer here):
Using integrated Windows authentication
Using an Azure AD principal name and a password
Using Application token authentication
And the scenario you mentioned is not support. We can create an application in Azure AD and using the token authentication for this scenario. More detail about Azure AD authentication, you can refer the link below:
Configure and manage Azure Active Directory authentication with SQL Database or SQL Data Warehouse- Azure AD token
In addition, if you have any idea or feedback about Azure SQL database, you can submit them from here.