We just completed the data migration from Teradata system to Azure SQL DW.
Now we just need to provide necessary access to all supporting Teradata Users and Service accounts to Azure SQL DW. For this i have some basic query:
All the accounts/Users are of domain type,so can i use Azure Active
directory to set up those accounts and configure it to have access
Azure SQL DW. Please let me know the process.
What kind of privilege/Access is needed in Azure Portal for
creating those account within Azure Active Directory.
In Azure SQL DW how do i add Azure AD account to specific roles
that i'll be creating. How the authentication will happen here.
Let me know if the above steps is feasible. Is there any alternative approach in providing on-prem User accounts access to Azure SQL DW
Thanks
You can follow the instructions on the Use Azure Active Directory Authentication for authentication with SQL Database, Managed Instance, or SQL Data Warehouse for setting up Azure Active Directory with SQL Data Warehouse. A subscription admin can configure the permissions - see the Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance, or SQL Data Warehouse.
In addition, there is a description of how to create AD users Adding AD Users and Security Groups to Azure SQL Data Warehouse. It's a simple matter of using the CREATE USER and CREATE LOGIN statements.
For users:
CREATE USER <alias#domain> FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA = <schema>;
For security groups:
CREATE USER <Security Group Display Name> FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA = <schema>;
Related
I would like to connect to an Azure SQL Database using my Azure Data Factory. The Azure SQL Database is created on another tenant and has SQL authentication disabled.
Is there another option to connect to this Azure SQL Database than using a Service Principal?
I tried to connect using User Managed Instance and System Managed Instance, but this does not seem to work as the Azure SQL Database is on another tenant. SQL Authentication is also not an option.
In case if the Azure SQL Database is in another tenant than ADF, then SQL Auth and Service principal auth are the only ways for the connectivity .
Managed identities are only leveraged for same tenant components.
When we create an Azure SQL server, we can opt to have it authenticate users against Azure AD, but I don't see any option during creation (or afterward in the settings pages of the server instance) to select which directory, if the account has more than one; it seems to just use the one marked as "default" in the directories list. The account I'm creating the SQL server in has 4 directories, two normal and two B2C:
The "setup a new SQL server" wizard offers "Azure AD" as an option, but not any choice of which:
How do we change the directory a particular SQL server uses? And can it be an Azure AD B2C directory, or does it have to be an Azure AD type directory?
• You can surely set the directory of the Azure SQL server that you are connecting to by specifying the ‘Azure subscription context’ and the Azure subscription and tenant details as shown below in the ‘Connect-AzAccount’ cmdlet and then connecting to the correct Azure SQL database through the SQL Server Management Studio. As when through the powershell, you connect to the Azure subscription account by specifying the correct details in the context of your Azure tenant and subscription, the device based login is done successfully and when you connect through the SSMS, the SQL servers and databases are shown that are created in the specified tenant.
Thus, in this way, you can connect to the Azure SQL Database server with the configured Azure AD authentication. Also, please do take note that when you are provisioning an Azure SQL server, it asks you an option to select the ‘Azure AD Admin’ for that SQL server as below in which you can select the user (default) that needs to be used an SQL Administrator for the deployed Azure SQL DB Server.
• Therefore, in this way, you can select the Azure AD tenant from which you want to authenticate to the SQL server. Also, please remember that each subscription can only trust a single directory/Azure AD instance, whereas multiple subscriptions can trust the same Azure AD instance. As a result, in the same Azure AD tenant, you can associate multiple subscriptions but the vice versa is not possible. Hence, please check accordingly.
Please check the below given link for more details: -
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
Our organization having an Azure Synapse Dedicated Pool instance. I am trying to register the Azure Synapse Dedicated Pool with Azure Purview and want to scan the Synapse DB. However, I am getting the following Error every time:
“Failed to access the Azure Dedicated SQL pool with the given credentials”
Following are the process I followed to Register the Data Source:
I opened “Purview Studio”
There I have created a “Collection”
Then I go to “Register Sources”
Then I search for “Azure Synapse Dedicated Pool”
Then I select the subscription where my Azure Synapse Dedicated Pool is present
Then I Registered my Data Source
Now I am trying to create a New Scan for my Synapse Dedicated Pool
The problem starts from here, First of all I selected the subscription, then I selected the resource group and then I selected the Synapse DB name. I tried two authentication methods to authenticate my Synapse Instance. First one is Purview MSI account and second one is SQL Authentication. I have added my Purview MSI account as a user in Synapse Dedicated pool using following command.
CREATE USER [PurviewAccountName] FROM EXTERNAL PROVIDER
GO
EXEC sp_addrolemember 'db_datareader', [PurviewAccountName]
GO
Now I tried to test the connection but it is not working and giving me following Error:
“Failed to access the Azure Dedicated SQL pool with Purview MSI account”
My Azure Synapse Dedicated Pool instance in not publically accessible, we have put it behind the private link. I can connect my Azure Synapse Instance using VPN connectivity on my machine and login through SSMS and Azure Data Studio.
I also tried with SQL authentication by using SQL username and Password which is kept under the keyvault. I have checked it multiple times and I am confident I have configured it correctly. But still when I try to test the connection. It is showing following error:
“Failed to access the Azure Dedicated SQL pool with the given credentials”
Some where I have read I need self-hosted-integration runtime if the Azure Synapse instance is behind private link.
So I installed integration runtime on my machine, configure it and tested for the Synapse connection with SQL Authentication by connecting to VPN. Self-Hosted IR configured successfully. I tested with both the IR. Azure IR and Self-hosted-IR. But no luck, I am getting the same error.
I have also added Purview MSI account to Access Policy in keyVault and provided GET, List permission on keys and Secrets.
However, I am not getting what I am missing here and why it is giving me the same error.
Any help on this is really means a lot me..
CREATE USER [PurviewAccountName] FROM EXTERNAL PROVIDER
GO
EXEC sp_addrolemember 'db_datareader', [PurviewAccountName]
GO
According to Microsoft official documentation, to execute the above command one must be Azure Synapse Administrator in the workspace. It is alsi required that your purview account name must have reader role set which can be done from Access Control (IAM) under the Azure Synapse Workspace resource.
To create SQL Pools, Apache Spark Pools and Integration Runtimes, users must have at least Azure Contributor role in the workspace. The contributor role also allows these users to manage the resources, including pausing and scaling. If you're- using Azure Portal or Synapse Studio to create SQL Pools, Apache Spark Pools and INtegration Runtimes, then you need Azure Contributor role at the resource group level.
To GRANT access to a Dedicated SQL Pool database, the scripts can be run by the workspace creator or any member of the workspace1_SynapseAdministrators group.
Follow the below steps in the Azure Synapse SQL script editor:
Create the USER in the database by running the following command on the target database, selected using the Connect to dropdown:
CREATE USER [<alias#domain.com>] FROM EXTERNAL PROVIDER;
Grant a user a role to access the database
EXEC sp_addrolemember 'db_owner', '<alias#domain.com>'
TLDR;
How do I add AD users to an Azure database created in a DevOps pipeline?
Our DBA has a process to create daily bacpacs from production and store them in an azure blob container, I then provided the developers with a DevOps pipeline that restores a specified bacpac into the development server. The issue is that the developers can't connect to these databases using their domain account. I don't know how to give them access because
AFAIK I can't connect with a domain user to the database from the pipeline
Azure requires that the connected user is an AD user to be able to create other AD users
I could work around it by creating an sql user and grant that user permissions in the pipeline, however the company is actually moving away from sql users and relying more on AD security and MFA, so this isn't really a solution for me.
For one to add domin account to the database, one must be logged in to the database via a domain account that has adminstrative privileges.
So there is a Azure SQL database deployment task in Azure devops wherein you have the property to execute SQL queries.
So you can use that task to automate the user access through SQL tasks by connecting through the AD account.
Note: Recently a new authentication has been added of service principal
Hope this is what you are expecting :)
Problem: I am trying to add active directory users & groups (synced from on-prem to Azure AD) to SQL databases that exist in a SQL elastic pool on Azure in the same tenant. I do not want to use SQL Server Authentication (integrated). It seems that I am not able to log in with an AD account (required) to add additional AD accounts.
The on premise directory is synced to Azure AD. Tenant is configured and working with O365 email and we now have several SQL databases that exist in our tenant in an elastic pool.
Note: this is not a managed SQL instance. When I manage the elastic pool or database directly, I do not have the menu option Active Directory admin available, as outlined here.
My AD administrator account is added to elastic pool Access control (IAM) as an owner.
Using SSMS to connect to database in cloud, it is possible to connect to database using SQL Server Authentication. When I try to CREATE USER [username#mytenant.com] FROM EXTERNAL PROVIDER I receive error Principal 'username#mytenant.com' could not be created. Only connections established with Active Directory accounts can create other Active Directory users.
The reason for this, also outlined here, is "Users that are not based on an Azure AD account (including the Azure SQL server administrator account), cannot create Azure AD-based users, because they do not have permission to validate proposed database users with the Azure AD."
Using SSMS again and connecting with Active Directory - Universal with MFA support as username#mytenant.com, on login attempt I receive error Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. (Microsoft SQL Server, Error: 18456). Same results when I configure Connect to database as DBName and AD domain name or tenant ID as mytenant.onmicrosoft.com. I have the same outcome even when using the initial tenant administrator account that we created when setting up environment.
So my question at the end of the day - How do I add an AD user synced from on prem to an Azure SQL database (or elastic pool) so that I can login with that user and begin adding additional AD users to the database?
I am clearly missing something fundamental and just need a point in the right direction. Thanks for any assistance provided.
First create an Active Directory Admin for the pool.
Select your existing Elastic Pool in the portal
From “Overview”, click on your “Server Name”
Select “Active Directory Admin” -> “Set Admin”. You can set a single user or an AD Group as the Administrator.
You can also do this from the CLI:
> az sql server ad-admin create --object-id <Object-Id-OfUserOrGroup>
-s <Database-Name>
-g <Resource-Group>
-u <NameOrEmailAkaDisplayName>
Now, you should now be able to log in to a database in the Elastic Pool with your AD Admin login via SSMS. In this case you can log in via “Active Directory Password Authentication”, but you can also use “Universal Authentication” or “Integrated Authentication”.
Once you’re logged in as the AD Administrator, you can create a new SQL Server USER that corresponds to an AD Group. Please consider I’ve already created an AD group called “SQL Developers” so I can map it to an Azure SQL Server database and add it to db_datareader fixed role like this:
CREATE USER [SQL Developers] FROM EXTERNAL PROVIDER
ALTER ROLE db_datareader ADD MEMBER [SQL Developers]