Currently, I am a server admin on an Azure SQL server. When I create an azure function app and connect to a database (on the server) I have to specify a sql connection string from the app. The connection string will use my username and password.
I want to change this so that the server admin is an active directory group (development group or something). Microsoft support told me I can not set a password to an active directory group. How do I create the connection string without a password? Or do I have to create an office 365 account with a development identity so I can set a development user and development password?
In Sql server management (ssms), the server admin is listed under the security directory. I have been using the server admin username and password to connect to the database from azure function apps.
Now I created a user called Development on ssms like this:
USE CompanyDatabase
CREATE LOGIN Development
WITH PASSWORD = 'password';
GO
I tried using the development login as parameters in my connection string and got this error:
Exception has been thrown by the target of an invocation. .Net SqlClient Data Provider: The server principal "Development" is not able to access the database
You have only created a LOGIN so far with the command that you mentioned.
Next step is to create the USER which will use this login and then assign some permissions to that user. I have given an example with db_datawriter, but you can choose something different like db_datareader or db_owner etc.
CREATE USER [Development] FROM LOGIN [Development]
EXEC sp_addrolemember 'db_datawriter', 'Development';
Also on a side note, Azure SQL Database supports contained database user model, where you don't need to create a server level login first and then a user based on it, instead you directly create a user which is contained only in that database. There are some pros and cons to using this model. You can get more information about it here -
https://learn.microsoft.com/en-us/sql/relational-databases/security/contained-database-users-making-your-database-portable?view=sql-server-2017
Related
I get the error Login failed for user ''. (Microsoft SQL Server, Error: 18456) from Azure SQL server when a user tries to login using Azure Active Directory - Universal with MFA.
My Azure AD login is within a group, other members of the group can login to the database, but I get the error '<token-identified principal>'. (Microsoft SQL Server, Error: 18456), however If the user is added to the database, then I can login and it works.
create user [myUserName#contoso.com] from external provider
GO
EXEC sp_addrolemember N'db_datareader', N'myUserName#contoso.com'
I was wondering if there is a reason for this.
The error you are getting is an identical issue its already been raised over Microsoft Q&A Plateform a year ago.
You need to add the users to your SQL DB as AAD Users first to accces the Specifiv SQLServer.
The error "Microsoft SQL Server, Error: 18456 <token-identified-principal>" means that the user used to login to
SQL Server Management Studio is invalid. It is usually related to an
AAD user which is not added on SQL DB that you are trying to connect
(User DB or Master DB) or that the AAD user is not the AAD Server
Admin.
You just need to add an AAD user in Azure SQL DB. You can follow the
steps mentioned here:
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?tabs=azure-powershell#create-contained-database-users-in-your-database-mapped-to-azure-ad-identities
Note : Use User UPN(name#domain.com) to access the SQL DB not logged on as this user: "domain\name.surname" on my environment.
I have created an Azure Cosmos DB account and database, container etc. I am a member of a security group that can access Azure portal and do the above. Now I need to access this database from a console program by c#. The thing is, I do not want to maintain any secrets so I was wondering, is it possible to access the cosmos db with my current Windows login from that console program? Popup prompt to login with my organization user name, which is also my windows login, is ok. It is like when the console is launched, there will be a popup page to ask me to log in. I then choose my organization login/user account to log in.
What I am trying to do is using AD or AAD to do the auths. My windows login is configured in both ad and aad. I do not want to maintain any secret either in local /client side or in key vault.
We have multiple non-contained Azure sql databases. We plan to create contained database users in each of them. These users are for SQL Authentication. My question: Do these users have to be created in the master database?
Thank you in advance!
Here are the steps I tried:
Scenario 1 where the user is created BUT failed to sign into the server using SSMS.
In the application database
CREATE USER someContainedDBUser WITH PASSWORD = 'somepwd';
In the application database, grant roles
Attempt to sign in with SSMS ( failure)
Scenario 2 where the user is created and can sign into the server using SSMS.
In master database,
CREATE USER someContainedDBUser WITH PASSWORD = 'somepwd';
In the application database,
CREATE USER someContainedDBUser WITH PASSWORD = 'somepwd';
In the application database, grant roles
Attempt to sign in with SSMS ( success)
You don't have to create them in master also. You do have to specify the database you want to connect to via the Options section in SSMS, eg
I have an Azure SQL Server with two databases for which I'm trying to use Azure Active Directory Integrated Authentication. One of these databases is critical and most of the users need to be granted only 'read' access for this database.
To add a new user with a 'Reader Role', I did the following:
Added the user with Reader role under Access Control(IAM) from the Azure portal.
The user wasn't able to connect after this step.
Then I tried adding the user using the following commands:
CREATE USER [name#domain.com] FROM EXTERNAL PROVIDER;
sp_addrolemember db_datareader, [name#domain.com];
The user is still not able to connect to the server using AAD Integrated Authentication. In both the cases I get an Anonymous Logon error.
Click to see the snip of the error message
Am I missing something? If not, is there any other way I can add users with specific permissions to the database?
Sorry for the delay, M.
Yeah, you've confused two different levels of access control; the IAM controls that you described (Reader role assignment) allows a user to view (read) the settings in the Azure Portal. Instead, I suspect you want a user (AAD authenticated) to be able to only read the data on the server. That's done via T-SQL and has nothing to do with the Access Control defined by the portal.
Now, you're attempting to create an external user (AAD access) on the database level, and you want them to have read permissions- make sure you've covered all the steps outlined here.
At a glance, the following may be necessary steps:
1.) Ensure that you've assigned an AAD admin for the SQL Server.
2.) Ensure that you're connecting to the database you want to create the users on, not the master db as you ordinarily would on a non-azure SQL Server instance. Create the user via T-SQL using the following:
CREATE USER <Azure_AD_principal_name> FROM EXTERNAL PROVIDER;
3.) Grant the user db_datareader permissions on that database:
ALTER ROLE db_datareader ADD MEMBER <Azure_AD_principal_name>
GO
I have two users (name#company.com) in our Azure AD that have been granted owner permissions to an Azure server via the Azure portal.
First, is it possible to create a login that links/pulls from Azure AD for these login credentials? I've searched and haven't found a specific answer to this, though my suspicion is no.
Second, I have created logins/users for the same database, however, while access to the server is fine, access to the database is denied. I have granted connect to the logins as well as executed sp_addrolemember as datareader to each for the database. In double checking my work, I had referenced several examples that show the same syntax I'm using for Azure logins/users, and yet access is still denied.
Any help would be appreciated.
Steve.
Code:
CREATE LOGIN [login_name]
WITH PASSWORD = N'password'
CREATE USER [user_name]
FROM LOGIN [login_name]
WITH DEFAULT_SCHEMA = dbo
GO
GRANT CONNECT TO [user_name]
EXEC sp_addrolemember 'db_datareader', 'user_name'
First, is it possible to create a login that links/pulls from Azure AD
for these login credentials? I've searched and haven't found a
specific answer to this, though my suspicion is no.
No. In Azure SQL Database you can only use users and logins created in Azure SQL Database - SQL Login.
Second, I have created logins/users for the same database, however,
while access to the server is fine, access to the database is denied.
I have granted connect to the logins as well as executed
sp_addrolemember as datareader to each for the database. In double
checking my work, I had referenced several examples that show the same
syntax I'm using for Azure logins/users, and yet access is still
denied.
Logins should be created in the Master db, while the users, grants and sp_addrolemember should be executed in the context of the targeted DB. If you executed sp_addrolemember in the Master database, your user will not have access to the targeted db.
Also, something important, when you try to connect to the DB with the new logins (and please note that to login to the db you use the login not the user), you have to explicitly select the database to which this new user has access!
My wild guess is that you have executed the create user, grantand sp_addrolemember in the context of your master database. Thus these users now have only access to the master database. You cannot grant explicit grants to other database when you are in the context of master.
It is possible to access Azure SQL DB with Azure AD users:
https://azure.microsoft.com/en-us/documentation/articles/sql-database-aad-authentication/
You can't use AD users to login to SQL server. Logins has to be created in the master database and you need to use that login to create user and permission grants by connecting the user database. However SQL DB V12 supports contained user where you don't need to create logins in the master any more. The login can be executed in the user database context itself and this will be very helpful if you setup Geo Replication for ( restore using Point in time restore feature of) for your database in Azure. Based on my experience, I would recommend contained users in Azure database.