I created a SQL Server Instance and Database through Azure.
Then over the course of development I deleted and recreated that database through SQL Management Studio.
I can still see the Database under the SQL Server Instance but when I click on it I get:
Access denied
You do not have access
Looks like you don't have access to this content. To get access, please contact the owner.
Note: This only occurs on the new Azure Portal. The old one works fine, but it will soon be going away.
Any idea what I need to do to get access in the new Azure Portal
I wasn't even aware you could delete and create Azure SQL Databases from SSMS...
I'm guessing it has created the DB with different credentials then. If you have Owner/Contributor/Reader role in the resource group where the DB is you should be able to access it. Even more so if you have one of those roles on the subscription/are an admin.
You need to check your roles.
Related
I have an Azure SQL Server resource for which I'm the Azure AD admin. I have provided the resource access "Contributor" to another user who cannot access the database through SQL Server Management Studio as he is receiving the following error using the correct server and database name with Azure authentication using MFA option:
Then, we thought of switching to Azure Data Studio, somehow the database is getting connected there but in there, the issue is that the user cannot alter the table designs, as the following error pops up:
What can be done to possibly sort at least one of the issues?
For ADS and SSMS, User is created within database with db_datareader, db_datawriter and db_ddladmin rights. He has a contributor role to the Azure SQL Server instance.
In SSMS, sometimes while connecting to the database, it accesses the database which tries to connect to the master db. We have tried entering the database name manually still the same error.
Under the SQL Server -> Azure AD Admin -> I have even tried to set that user as the admin, even then the SSMS shows the same error.
Please help.
For the SSMS Connection to Azure SQL Server with MFA:
If you are connecting from SSMS you may also need to change the default database option. By default, it will try to connect to master DB where this user may not exist there as AAD users are contained inside each user database.
In the SSMS Connect Explorer > Options - Connection properties - Give the Database Name and in the Login Tab > Authentication as Azure AD - Universal with MFA and username is your Azure Account username.
I have made my user as SQL Server Admin in the Azure Portal.
While creating the SQL Server, selected the sample database provided by Azure and I have changed the design of the table, it is working as expected.
For the Azure Data Studio connection to the Azure SQL Server:
I have given below details in Data Studio Explorer to connect and it connected Successfully:
Added a column to the existing Table:
Result:
Note:
To use the SQL Server Authentication as Azure AD with Universal MFA, the user account must be Azure AD Account.
Make that user as Azure SQL - AD Admin and following the steps as #Junnas said here - Create the user with Grant Permissions for working on the database using either database roles or database permissions.
Also Give the Contributor role to that user on the Azure SQL Server Instance Level by going to Azure Portal > SQL Server > Access Control > Add Role Assignment either to SQL Server Contributor or SQL DB Contributor:
Contributor role does nothing for SQL database access.
It only gives access to Azure resource management APIs; SQL endpoints are not under those APIs.
The user must be added in the database with something like:
CREATE USER [test.user#example.com] FROM EXTERNAL PROVIDER;
-- Grant permissions etc.
Then the user should select "Azure Active Directory - Universal with MFA support" as the authentication type.
They also need to ensure the target database is selected, not master.
I think the user also needs to ensure the right Azure AD tenant is selected.
In Azure Data Studio there is a selection for it.
Our organization having an Azure Synapse Dedicated Pool instance. I am trying to register the Azure Synapse Dedicated Pool with Azure Purview and want to scan the Synapse DB. However, I am getting the following Error every time:
“Failed to access the Azure Dedicated SQL pool with the given credentials”
Following are the process I followed to Register the Data Source:
I opened “Purview Studio”
There I have created a “Collection”
Then I go to “Register Sources”
Then I search for “Azure Synapse Dedicated Pool”
Then I select the subscription where my Azure Synapse Dedicated Pool is present
Then I Registered my Data Source
Now I am trying to create a New Scan for my Synapse Dedicated Pool
The problem starts from here, First of all I selected the subscription, then I selected the resource group and then I selected the Synapse DB name. I tried two authentication methods to authenticate my Synapse Instance. First one is Purview MSI account and second one is SQL Authentication. I have added my Purview MSI account as a user in Synapse Dedicated pool using following command.
CREATE USER [PurviewAccountName] FROM EXTERNAL PROVIDER
GO
EXEC sp_addrolemember 'db_datareader', [PurviewAccountName]
GO
Now I tried to test the connection but it is not working and giving me following Error:
“Failed to access the Azure Dedicated SQL pool with Purview MSI account”
My Azure Synapse Dedicated Pool instance in not publically accessible, we have put it behind the private link. I can connect my Azure Synapse Instance using VPN connectivity on my machine and login through SSMS and Azure Data Studio.
I also tried with SQL authentication by using SQL username and Password which is kept under the keyvault. I have checked it multiple times and I am confident I have configured it correctly. But still when I try to test the connection. It is showing following error:
“Failed to access the Azure Dedicated SQL pool with the given credentials”
Some where I have read I need self-hosted-integration runtime if the Azure Synapse instance is behind private link.
So I installed integration runtime on my machine, configure it and tested for the Synapse connection with SQL Authentication by connecting to VPN. Self-Hosted IR configured successfully. I tested with both the IR. Azure IR and Self-hosted-IR. But no luck, I am getting the same error.
I have also added Purview MSI account to Access Policy in keyVault and provided GET, List permission on keys and Secrets.
However, I am not getting what I am missing here and why it is giving me the same error.
Any help on this is really means a lot me..
CREATE USER [PurviewAccountName] FROM EXTERNAL PROVIDER
GO
EXEC sp_addrolemember 'db_datareader', [PurviewAccountName]
GO
According to Microsoft official documentation, to execute the above command one must be Azure Synapse Administrator in the workspace. It is alsi required that your purview account name must have reader role set which can be done from Access Control (IAM) under the Azure Synapse Workspace resource.
To create SQL Pools, Apache Spark Pools and Integration Runtimes, users must have at least Azure Contributor role in the workspace. The contributor role also allows these users to manage the resources, including pausing and scaling. If you're- using Azure Portal or Synapse Studio to create SQL Pools, Apache Spark Pools and INtegration Runtimes, then you need Azure Contributor role at the resource group level.
To GRANT access to a Dedicated SQL Pool database, the scripts can be run by the workspace creator or any member of the workspace1_SynapseAdministrators group.
Follow the below steps in the Azure Synapse SQL script editor:
Create the USER in the database by running the following command on the target database, selected using the Connect to dropdown:
CREATE USER [<alias#domain.com>] FROM EXTERNAL PROVIDER;
Grant a user a role to access the database
EXEC sp_addrolemember 'db_owner', '<alias#domain.com>'
TLDR;
How do I add AD users to an Azure database created in a DevOps pipeline?
Our DBA has a process to create daily bacpacs from production and store them in an azure blob container, I then provided the developers with a DevOps pipeline that restores a specified bacpac into the development server. The issue is that the developers can't connect to these databases using their domain account. I don't know how to give them access because
AFAIK I can't connect with a domain user to the database from the pipeline
Azure requires that the connected user is an AD user to be able to create other AD users
I could work around it by creating an sql user and grant that user permissions in the pipeline, however the company is actually moving away from sql users and relying more on AD security and MFA, so this isn't really a solution for me.
For one to add domin account to the database, one must be logged in to the database via a domain account that has adminstrative privileges.
So there is a Azure SQL database deployment task in Azure devops wherein you have the property to execute SQL queries.
So you can use that task to automate the user access through SQL tasks by connecting through the AD account.
Note: Recently a new authentication has been added of service principal
Hope this is what you are expecting :)
Azure SQL Database lets you set a user as an Active Directory Admin. This allows you to log into the database using your microsoft account credentials. I would like to use an Azure security group instead of a single user so that multiple people in our domain can be Azure SQL DB admins.
I've tried creating an Azure security group "TestGroup" and using it in the Azure configuration. I can successfully set "TestGroup" as the Active Direcory Admin in the Azure portal for the DB, but when I try to log into the DB using SQL Server Management Studio, it doesn't let me in. I confirmed my user is in this group.
This is the error it returns:
From what you described you did assign the Active Directory admin as group correctly.
I suspect that your problem lies with the logging in method, in order to log in by AAD, you need to select "Azure Active Directory - Universal with MFA" option, and under user name provide email from within the AAD security group. Then the azure login window should pop up.
Azure "groups" can be used as "Active Directory administrators" for Azure Sql databases.
When using Azure Active Directory authentication, put Azure Active
Directory users into an Azure Active Directory security group. Create
a contained database user for the group. Place one or more database
users into a custom database role with specific permissions
appropriate to that group of users.
When using SQL authentication, create contained database users in the
database. Place one or more database users into a custom database role
with specific permissions appropriate to that group of users.
I hope this article will help you here.
I have a question on how we currently deploy applications on premises and how this would work in Azure.
So our on premises application is as follows:
We have a web application deployed on
our web server (WebAppExample1) that
talks to an application
(AppServerExample1) on our App
Server.
AppServerExample1 goes to our
database for data in Table1.
In our database the only application that
requires permission to Table1 is
AppServerExample1, so we create a DB
Role and grant appropriate
permissions. We associate this role
with an Active directory user
(AppServerExample1User) that
AppServerExample1 runs as.
How can this be done in Azure?
From looking at some samples I dont see anyone defining permissions at this level, which to me should be done (least privelage).
Also I believe you can not be an Admin in SQL Azure so does this mean you cannot create DB roles?
Thanks for replies
From everything I've read I believe you can create Roles in SQL Azure - e.g. see http://www.structuretoobig.com/post/2010/02/13/SQL-Azure-Logins.aspx
If you try and find you can't, then perhaps you could achieve this using users with different permissions rather than roles - see http://msdn.microsoft.com/en-us/library/ee336235.aspx#DatabasePerms
This database-level permission model in SQL Azure Database is same as
an on-premise instance of SQL Server.
For information, see the following
topics in SQL Server Books Online
references.
Identity and Access Control (Database Engine)
Managing Logins, Users, and Schemas How-to Topics
Lesson 2: Configuring Permissions on Database Objects