Azure SQL Database - Auditing members of Admin group - azure-sql-database

I have some Azure SQL Database environments where the Activity Directory admin is set to an AAD group.
I need to set up auditing on Azure SQL Database environments so that all activity from the members of that group users is captured. I've got the basic Azure SQL Auditing set up and working but it generates way too much logging.
I think I need to use the PowerShell command Set-AzSqlServerAudit to filter it with the PredicateExpression option, but I cannot find any query that will filter for members of that group. Any similar approach would be acceptable (e.g. checking for any elevated permissions, whether in that group or not) as long as it includes that group.
Is it possible?

I found that I can use the following PredicateExpression to audit any admin activity on the database:
-PredicateExpression "[database_principal_name]= 'dbo'
I used the audit log definition at https://learn.microsoft.com/en-us/azure/azure-sql/database/audit-log-format?view=azuresql to see the list of available fields.

Related

How to query AAD Security Group Membership from Azure SQL

I'm trying to find a way from within Azure SQL to either 1) enumerate members of an Azure Active Directory security group or 2) check if a user login is a member of an SG. I've found various articles about doing it from a domain joined standalone SQL installation but not from Azure SQL. Most of the samples for the standalone installation use system sprocs like xp_cmdshell which don't exist in Azure SQL. I know I can create an Azure Function or Logic App to sync users to a table but I'd like to avoid using an external process to do this if possible.
#Kalyan Chanumolu-MSFT's comment should be very helpful to you. This scenario is not supported today.
You can try to use his suggestion.
You will have to talk to Microsoft Graph API from an intermediate like an Azure function to relay the data to Azure SQL Database.
You also can raise a support ticket to confirm it and also can put forward your suggestions in the feedback.

SQL Server 2008 RS Roles multiple databases

I have a front end application needs access to 3 different SQL Server databases:
1st. database read/only
2nd. database read/write
3rd. database read/write
The user’s logins that will be using the database/application are using Windows authentication.
This application also calls a few SQL jobs that need to run.
What I would like to do is set up role to accomplish this and then easily map users to the role as needed.
Is there a way to do this in SQL Server 2008 R2?
Is there a better or easier approach?
I'm trying to avoid need to explicitly set up each user.
Thanks
Create an AD Group for your application. Get the DBA to hand out the appropriate permissions to the AD Group. Then have the Service-Desk add users to the AD Group as the business requires it.

Setting up read-only Azure database, allow open access

I need to set up a training database on Azure that will allow all users to run Select statements (nothing else, it will be read-only).
Multiple users would all be logging in as the same read-only login, and creating/running select statements via SSMS or some other tool.
Any caveats to doing this? I'm planning on opening up the firewall and allowing all IP addresses to access it.
You can use the AdventureWorkLT database that you can install from Azure portal as shown here.
Take in consideration that Basic tier only allows 300 sessions and 30 concurrent logins. You may have to use Standard tiers depending on the number of sessions expected. Please visit this documentation for more information about limits of Azure SQL tiers.

SSMS not displaying databases though able to switch database in Query window

We want to give SELECT permission to a security group for only one database. We followed the below steps:
We added the security group as login.
We added the security group as user to the database.
We gave SELECT permission on a schema to the security group.
Now, Security group members are able to use query window for writing queries and switch database using USE Databasename; command. But, still Sql Server Management Studio is not showing the database in the databases node.
The databases node just shows the system database as shown in the image below. What could be the reason for this? Unless, we give sysadmin permission, the security group members are not able to see the database in the databases node. They are using latest version of SSMS i.e., 17.
Have you removed the View Any Database permission from the Public role? If the Public role doesn't have the View Any Database permission an account has to be the owner of the DB to see it.

SQL Server Database Audting for Windows AD group which are having sysadmin server role

I have been trying to get a solution for this topic.actually I already posted this several times but still I didn't receive any solution.
What I am looking .In our Database environment there more than 1000 users , these users are Windows users and these users are added as members in several Windows AD Groups based on the DB access requirements.
There are few AD groups which are having Sysadmin server role.
Now the requirements is we need to configure DATABASE AUDIT for those AD groups which are having 'SysAdmin' Server Role.We need to audit for DML operation (Insert, Update,Delete) for all those AD groups which are having 'SysAdmin' Server Role. Please let me know what should be the Database configuration details.I have already tested in different way but I am getting any correct result.