Problem: I am trying to add active directory users & groups (synced from on-prem to Azure AD) to SQL databases that exist in a SQL elastic pool on Azure in the same tenant. I do not want to use SQL Server Authentication (integrated). It seems that I am not able to log in with an AD account (required) to add additional AD accounts.
The on premise directory is synced to Azure AD. Tenant is configured and working with O365 email and we now have several SQL databases that exist in our tenant in an elastic pool.
Note: this is not a managed SQL instance. When I manage the elastic pool or database directly, I do not have the menu option Active Directory admin available, as outlined here.
My AD administrator account is added to elastic pool Access control (IAM) as an owner.
Using SSMS to connect to database in cloud, it is possible to connect to database using SQL Server Authentication. When I try to CREATE USER [username#mytenant.com] FROM EXTERNAL PROVIDER I receive error Principal 'username#mytenant.com' could not be created. Only connections established with Active Directory accounts can create other Active Directory users.
The reason for this, also outlined here, is "Users that are not based on an Azure AD account (including the Azure SQL server administrator account), cannot create Azure AD-based users, because they do not have permission to validate proposed database users with the Azure AD."
Using SSMS again and connecting with Active Directory - Universal with MFA support as username#mytenant.com, on login attempt I receive error Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. (Microsoft SQL Server, Error: 18456). Same results when I configure Connect to database as DBName and AD domain name or tenant ID as mytenant.onmicrosoft.com. I have the same outcome even when using the initial tenant administrator account that we created when setting up environment.
So my question at the end of the day - How do I add an AD user synced from on prem to an Azure SQL database (or elastic pool) so that I can login with that user and begin adding additional AD users to the database?
I am clearly missing something fundamental and just need a point in the right direction. Thanks for any assistance provided.
First create an Active Directory Admin for the pool.
Select your existing Elastic Pool in the portal
From “Overview”, click on your “Server Name”
Select “Active Directory Admin” -> “Set Admin”. You can set a single user or an AD Group as the Administrator.
You can also do this from the CLI:
> az sql server ad-admin create --object-id <Object-Id-OfUserOrGroup>
-s <Database-Name>
-g <Resource-Group>
-u <NameOrEmailAkaDisplayName>
Now, you should now be able to log in to a database in the Elastic Pool with your AD Admin login via SSMS. In this case you can log in via “Active Directory Password Authentication”, but you can also use “Universal Authentication” or “Integrated Authentication”.
Once you’re logged in as the AD Administrator, you can create a new SQL Server USER that corresponds to an AD Group. Please consider I’ve already created an AD group called “SQL Developers” so I can map it to an Azure SQL Server database and add it to db_datareader fixed role like this:
CREATE USER [SQL Developers] FROM EXTERNAL PROVIDER
ALTER ROLE db_datareader ADD MEMBER [SQL Developers]
Related
I have an Azure SQL Server resource for which I'm the Azure AD admin. I have provided the resource access "Contributor" to another user who cannot access the database through SQL Server Management Studio as he is receiving the following error using the correct server and database name with Azure authentication using MFA option:
Then, we thought of switching to Azure Data Studio, somehow the database is getting connected there but in there, the issue is that the user cannot alter the table designs, as the following error pops up:
What can be done to possibly sort at least one of the issues?
For ADS and SSMS, User is created within database with db_datareader, db_datawriter and db_ddladmin rights. He has a contributor role to the Azure SQL Server instance.
In SSMS, sometimes while connecting to the database, it accesses the database which tries to connect to the master db. We have tried entering the database name manually still the same error.
Under the SQL Server -> Azure AD Admin -> I have even tried to set that user as the admin, even then the SSMS shows the same error.
Please help.
For the SSMS Connection to Azure SQL Server with MFA:
If you are connecting from SSMS you may also need to change the default database option. By default, it will try to connect to master DB where this user may not exist there as AAD users are contained inside each user database.
In the SSMS Connect Explorer > Options - Connection properties - Give the Database Name and in the Login Tab > Authentication as Azure AD - Universal with MFA and username is your Azure Account username.
I have made my user as SQL Server Admin in the Azure Portal.
While creating the SQL Server, selected the sample database provided by Azure and I have changed the design of the table, it is working as expected.
For the Azure Data Studio connection to the Azure SQL Server:
I have given below details in Data Studio Explorer to connect and it connected Successfully:
Added a column to the existing Table:
Result:
Note:
To use the SQL Server Authentication as Azure AD with Universal MFA, the user account must be Azure AD Account.
Make that user as Azure SQL - AD Admin and following the steps as #Junnas said here - Create the user with Grant Permissions for working on the database using either database roles or database permissions.
Also Give the Contributor role to that user on the Azure SQL Server Instance Level by going to Azure Portal > SQL Server > Access Control > Add Role Assignment either to SQL Server Contributor or SQL DB Contributor:
Contributor role does nothing for SQL database access.
It only gives access to Azure resource management APIs; SQL endpoints are not under those APIs.
The user must be added in the database with something like:
CREATE USER [test.user#example.com] FROM EXTERNAL PROVIDER;
-- Grant permissions etc.
Then the user should select "Azure Active Directory - Universal with MFA support" as the authentication type.
They also need to ensure the target database is selected, not master.
I think the user also needs to ensure the right Azure AD tenant is selected.
In Azure Data Studio there is a selection for it.
When we create an Azure SQL server, we can opt to have it authenticate users against Azure AD, but I don't see any option during creation (or afterward in the settings pages of the server instance) to select which directory, if the account has more than one; it seems to just use the one marked as "default" in the directories list. The account I'm creating the SQL server in has 4 directories, two normal and two B2C:
The "setup a new SQL server" wizard offers "Azure AD" as an option, but not any choice of which:
How do we change the directory a particular SQL server uses? And can it be an Azure AD B2C directory, or does it have to be an Azure AD type directory?
• You can surely set the directory of the Azure SQL server that you are connecting to by specifying the ‘Azure subscription context’ and the Azure subscription and tenant details as shown below in the ‘Connect-AzAccount’ cmdlet and then connecting to the correct Azure SQL database through the SQL Server Management Studio. As when through the powershell, you connect to the Azure subscription account by specifying the correct details in the context of your Azure tenant and subscription, the device based login is done successfully and when you connect through the SSMS, the SQL servers and databases are shown that are created in the specified tenant.
Thus, in this way, you can connect to the Azure SQL Database server with the configured Azure AD authentication. Also, please do take note that when you are provisioning an Azure SQL server, it asks you an option to select the ‘Azure AD Admin’ for that SQL server as below in which you can select the user (default) that needs to be used an SQL Administrator for the deployed Azure SQL DB Server.
• Therefore, in this way, you can select the Azure AD tenant from which you want to authenticate to the SQL server. Also, please remember that each subscription can only trust a single directory/Azure AD instance, whereas multiple subscriptions can trust the same Azure AD instance. As a result, in the same Azure AD tenant, you can associate multiple subscriptions but the vice versa is not possible. Hence, please check accordingly.
Please check the below given link for more details: -
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
Azure SQL Database lets you set a user as an Active Directory Admin. This allows you to log into the database using your microsoft account credentials. I would like to use an Azure security group instead of a single user so that multiple people in our domain can be Azure SQL DB admins.
I've tried creating an Azure security group "TestGroup" and using it in the Azure configuration. I can successfully set "TestGroup" as the Active Direcory Admin in the Azure portal for the DB, but when I try to log into the DB using SQL Server Management Studio, it doesn't let me in. I confirmed my user is in this group.
This is the error it returns:
From what you described you did assign the Active Directory admin as group correctly.
I suspect that your problem lies with the logging in method, in order to log in by AAD, you need to select "Azure Active Directory - Universal with MFA" option, and under user name provide email from within the AAD security group. Then the azure login window should pop up.
Azure "groups" can be used as "Active Directory administrators" for Azure Sql databases.
When using Azure Active Directory authentication, put Azure Active
Directory users into an Azure Active Directory security group. Create
a contained database user for the group. Place one or more database
users into a custom database role with specific permissions
appropriate to that group of users.
When using SQL authentication, create contained database users in the
database. Place one or more database users into a custom database role
with specific permissions appropriate to that group of users.
I hope this article will help you here.
I need to create several users in Azure active directory and allow them to access my Azure SQL DB. What I do is create them here
And then I create them in database
CREATE USER [vitaliy#xxx.com] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [vitaliy#xxx.com];
But after I login, it triggers the browser-based authentication and then I get the following error
However, it works awesome with the AD account that set as Active Directory Admin
I am using SSMS and 'Azure Active Directory - Universal with MFA' authentication mechanizm
Answer: in this case, you don't have permissions to connect to the server so you should specify the database when you log in
I created a user in our AD Connected on-prem Active Directory. The user is synced up to AAD.
This user is now tied to our on-prem domain
I have added this user as the SQL Active Directory Admin
My issue is:
I cannot login to azure sql with this AD Admin via SSMS or sqlcmd
I receive the error, login failed, as if the password isn’t correct or something
My question is:
Can I login to Azure sql with an on-prem ad synced aad user account?
Does Azure sql tie to the AAD tenant domain only, regardless of we have an AD-Connect set up with our on-prem domain?
I need to login to sql with the ad admin account, to beable to add other aad users or groups as a sql dB user
I believe that creating the user in our Ad makes the azure sql not recognize it, since the azure sql is on the aad domain
Is this possible?
Use this Azure documentation to configure Azure Active Directory (AAD) and use it to access an Azure SQL Database. After configuring AAD, you just need to add an ADD group as Azure SQL Database admin and all user part of that group will be able to use MFA authentication. You can use SQL Server Management Studio to test it.
SQLCMD does not support MFA authentication.