I have a question on how we currently deploy applications on premises and how this would work in Azure.
So our on premises application is as follows:
We have a web application deployed on
our web server (WebAppExample1) that
talks to an application
(AppServerExample1) on our App
Server.
AppServerExample1 goes to our
database for data in Table1.
In our database the only application that
requires permission to Table1 is
AppServerExample1, so we create a DB
Role and grant appropriate
permissions. We associate this role
with an Active directory user
(AppServerExample1User) that
AppServerExample1 runs as.
How can this be done in Azure?
From looking at some samples I dont see anyone defining permissions at this level, which to me should be done (least privelage).
Also I believe you can not be an Admin in SQL Azure so does this mean you cannot create DB roles?
Thanks for replies
From everything I've read I believe you can create Roles in SQL Azure - e.g. see http://www.structuretoobig.com/post/2010/02/13/SQL-Azure-Logins.aspx
If you try and find you can't, then perhaps you could achieve this using users with different permissions rather than roles - see http://msdn.microsoft.com/en-us/library/ee336235.aspx#DatabasePerms
This database-level permission model in SQL Azure Database is same as
an on-premise instance of SQL Server.
For information, see the following
topics in SQL Server Books Online
references.
Identity and Access Control (Database Engine)
Managing Logins, Users, and Schemas How-to Topics
Lesson 2: Configuring Permissions on Database Objects
Related
What is the best approach for syncing users between Azure AD and an Azure-hosted SQL DB? I would like users to be able to authenticate to the Azure site and then the .Net core v3.1 application will use the authenticated Azure AD user Id to insert table row data based on the authenticated user ID. I am sure this is pretty straight forward but some articles or advice would be helpful as this is my first stab at hosting an Azure .Net Core solution with Azure AD and website SQL DB.
My site currently authenticates users that I've added to Azure Active Directory and I have the tenant connecting and working correctly.
Do you want users to be able to only see or add data based on their authentication? Or do you only want the app to insert the data of the user like an automated process?
If the first option, consider Row-level Security
If the second option you need to add permissions for all users to the DB then its like any other connection. Connect to the DB using AAD then you can insert data under that user
Azure SQL Database lets you set a user as an Active Directory Admin. This allows you to log into the database using your microsoft account credentials. I would like to use an Azure security group instead of a single user so that multiple people in our domain can be Azure SQL DB admins.
I've tried creating an Azure security group "TestGroup" and using it in the Azure configuration. I can successfully set "TestGroup" as the Active Direcory Admin in the Azure portal for the DB, but when I try to log into the DB using SQL Server Management Studio, it doesn't let me in. I confirmed my user is in this group.
This is the error it returns:
From what you described you did assign the Active Directory admin as group correctly.
I suspect that your problem lies with the logging in method, in order to log in by AAD, you need to select "Azure Active Directory - Universal with MFA" option, and under user name provide email from within the AAD security group. Then the azure login window should pop up.
Azure "groups" can be used as "Active Directory administrators" for Azure Sql databases.
When using Azure Active Directory authentication, put Azure Active
Directory users into an Azure Active Directory security group. Create
a contained database user for the group. Place one or more database
users into a custom database role with specific permissions
appropriate to that group of users.
When using SQL authentication, create contained database users in the
database. Place one or more database users into a custom database role
with specific permissions appropriate to that group of users.
I hope this article will help you here.
In our current on-prem world we rely on Windows authentication. Each IIS app pool runs under identity of a service account. And this service account has dbo permissions on sql database. How can I establish this similar (i know same is not possible) security model for Azure PaaS website?
I referred MSDN link which talks about sql authentication however I couldn't find anything relevant to my scenario in there. Any ideas on how others are dealing with this?
Have you looked at using Azure Active Directory and then integrated this with your Azure SQL Database? https://learn.microsoft.com/en-us/azure/sql-database/sql-database-control-access-aad-authentication-get-started
I created a SQL Server Instance and Database through Azure.
Then over the course of development I deleted and recreated that database through SQL Management Studio.
I can still see the Database under the SQL Server Instance but when I click on it I get:
Access denied
You do not have access
Looks like you don't have access to this content. To get access, please contact the owner.
Note: This only occurs on the new Azure Portal. The old one works fine, but it will soon be going away.
Any idea what I need to do to get access in the new Azure Portal
I wasn't even aware you could delete and create Azure SQL Databases from SSMS...
I'm guessing it has created the DB with different credentials then. If you have Owner/Contributor/Reader role in the resource group where the DB is you should be able to access it. Even more so if you have one of those roles on the subscription/are an admin.
You need to check your roles.
I'm looking to setup AD for our company. We have developed a cloud based app that needs robust permissions abilities, which AD easily can handle. The app is bases out of Heroku which runs on AWS. I really need AD to manage logins and organizational hierarchy.
I'd like to use a cloud based service to act as the primary Domain controller and in the future, setup on-premise servers to provide local authentication to manage file/print and computer services. This is a secondary need to the authentication needs for our app.
Does anyone know if this architecture is possible? That is, a AD's DC in Azure with replicated services to other on-premise servers, at a later time? This seems to be the reverse of most setups in Azure. I'm ok with using other cloud services than Azure. It just seems they have the most documentation for cloud AD setups.
Any thoughts or help would be greatly appreciated.
Thanks,
AT
Although I wouldn't go for Cloud to be my primary DC, here are some guidelines which might help you:
Guidelines for Deploying Windows Server Active Directory on Windows Azure Virtual Machines
Install a new Active Directory forest in Windows Azure
In order to fully validate your scenario, how do you think to join the Heroku computers to your domain controller? Because joining the server where your application runs will make the total sense of what you are trying to achieve.
If you just want to provide LDAP access from your application to the primary DC, and your app is not part of the Domain, then it makes no sense to install AD in Azure.
If you plan to just query the AD for organizational structure, I highly suggest that you take a look at the Windows Azure Active Directory and its Graph API. this is what you need, in the case you will not join any computers to the domain, because Windows Azure Active Directory is not a Domain Controller.
UPDATE
Please update your question with better description of simply to allow our Heroku based app to pull in the directory structure and login information to allow our users to authenticate to it. - I am afraid I can't really understand the application architecture and user login flow here.