We need to configure Azure SQL server with Azure AD such that while connecting to Azure SQL server through JDBC our users should be able to use their AD username and password.
We are unable to find documentations on how to setup Azure AD with Azure SQL server.
We are looking for some documentation or some steps to configure Azure AD with Azure SQL server.
Firstly, while creating the Azure SQL Server, you need to make sure to choose Use only Azure Active Directory (Azure AD) Authentication in Authentication method option.
The JDBC driver allows you to specify your Azure Active Directory
credentials in the JDBC connection string to connect to Azure SQL
Database.
To know how to configure Azure Active Directory authentication visit Microsoft official document Connecting to SQL Database By Using Azure Active Directory Authentication.
To connect the Azure SQL Database with Azure AD through JDBC, there is a proper setup required in which you need to install and configure some prerequisites. This official document from Microsoft will guide you to do same.
Related
App Service dev, staging and prod deployment slots and SQL DB all have system assigned managed identities.
Contributor roles have been assigned to managed identities at the subscription level.
SQL Server Contained users have been created and roles assigned for the App Service dev, staging and production slots:
SQL Server Contained Users
appsettings.json connectionStrings:
connectionStrings
AD DB Admin User created and added to SQLServer as a contained user.
Permissions added to AppService managed identity for dB1 and dB2 to SQL Server AppService Managed Identity Permissions
msi-validator returns success for token based connection from the web app to two different databases on the same sql server instance.
msi-validator success
Local and Azure deployment slot both return: SQLException Login failed for token-identified principal
Walked through https://social.technet.microsoft.com/wiki/contents/articles/53928.azure-ad-managed-identity-connecting-azure-web-app-and-slots-with-azure-sql-db-without-credentials.aspx and many other tutorials.
Still missing something...
Attempts to run the application using the managed identity connection string is consistently failing with the token-provider principal login failure error.
Confirmation of settings:
Confirmation of Settings
Please make sure the Azure Active Directory user is created on the Azure SQL Database. Please make you create the user in the Azure SQL Database following the steps mentioned here.
To create an Azure AD-based contained database user, connect to the database with an Azure AD identity, as a user with at least the ALTER ANY USER permission. Then use the following Transact-SQL syntax:
CREATE USER <Azure_AD_principal_name> FROM EXTERNAL PROVIDER;
CREATE USER [bob#contoso.com] FROM EXTERNAL PROVIDER;
CREATE USER [alice#fabrikam.onmicrosoft.com] FROM EXTERNAL PROVIDER;
Make sure you are connect to the Azure SQL database and not to the master database on the Azure SQL logical server.
As per my understanding you are facing an error stating login fails for token-identified principal when trying to connect your Azure ap service managed identity with your Azure SQL Database.
Could you please try the below in order to mitigate the issue.
Make sure System managed Identity status is showing on your app.
on your app service Verify that your connection string under application settings is set to "Server=tcp:.database.windows.net,1433;Database=;"
Allow Azure services and resources to access this server” should be set as Yes in Firewalls and virtual networks settings in your Azure SQL DB, in case it was not set earlier during Azure SQL setup.
Please do let me know if that help mitigate the issue. If not, we will keep working on the same to get you unblock.
I am looking for the connection string to connect to SQL server on Azure Cloud
used below string to connect to SQL user
OLEDB;Provider=SQLOLEDB;Data Source=#DATASOURCE#;Initial Catalog=#CATALOG#;UID=userid;Password=pwd;
this is working fine. but when I try connecting with windows user I need to update the connection string as
ODBC;Driver={ODBC Driver 17 for SQL Server};Provider=SQLOLEDB;Data Source=#DATASOURCE#;Initial Catalog=#CATALOG#;Encrypt=yes;TrustServerCertificate=no;Authentication=ActiveDirectoryInteractive;UID=myemailid
Is there a way I can use OLEDB driver to connect using windows authentication?
thanks in advance for help
No, we can't. Azure SQL database doesn't support Windows authentication for now.
Azure SQL Database only supports two types of authentication: SQL Authentication and Azure Active Directory Authentication.
No matter which driver you use to connect the Azure SQL database, the windows authentication won't work.
For more details, please ref this document: Authorize database access to SQL Database, SQL Managed Instance, and Azure Synapse Analytics
Case
I want to work with Azure SQL Server, as noted in the best practices how to secure Azure SQL Server it is good to use AAD account for accessing your server/database instead of SQL Accounts.
I read several posts on the documentation site of Microsoft and blogs, but I cannot find that it is possible to disable/remove the Server Admin account, after you have the Azure SQL Server and an created AAD SQL Administrator and attached it to Azure SQL Server.
I know Server Admin Login and Password is mandatory, when you create the Azure SQL, but I hoped it was possible to delete after creation of server and AAD SQL Admin.
Why do I want this?
There are enough companies who have to rule (inherited from the on-prem) that accounts must be controlled by a centralized Identity Store, such as AAD.
Password rotation must be done, it is a lot easier when you have a centralized identity Store instead that you have to do it for a lot of Azure SQL Servers.
Question
Is it possible to disable the SQL Server Admin (sql account)?
I don't believe it is (or can be) possible to disable the SQL Server Admin.
The Azure Subscription Owner and the AAD SQL Admin identity have joint ownership of the Azure SQL Server. Either one needs to be able to re-acquire administrative access to the server.
And the mechanism that the Azure Subscription Owner uses to force their way into their own database is to reset the SQL Server Admin password from the Azure Portal.
This is roughly analogous to how a Windows Administrator can force sysadmin access to a SQL Server by starting the service in single-user mode.
I think the best you can do is to throw away the SQL Server Admin's password, so no one could log in using that account without first resetting the password in the portal. EG run:
declare #sql nvarchar(max) = concat(N'alter LOGIN [youradmin] WITH PASSWORD=N''',newid(), N'''')
exec (#sql)
Update 06/21:
Microsoft released Azure Active Directory only authentication for Azure SQL which effectively disables the possibility to use any SQL user for authentication.
Note the caveats
Azure AD-only auth is supported at the Azure SQL server level
This means that when this mode is enabled, all databases that belong to this server can only be accessed using Azure AD
authentication
Enabling Azure AD-only auth does not remove existing SQL logins or SQL users based on these logins. They continue being stored in SQL
metadata, but cannot be used for SQL authentication
Even though the Azure AD-only auth is enabled, with proper SQL permissions for Azure AD users, SQL logins and SQL users can be
created. However, the authentication process to connect to Azure SQL
using SQL logins/users will fail
Azure AD users with proper permissions can impersonate existing SQL users
Impersonation continues working between SQL authentication users even though the Azure AD-only auth feature is enabled. This is
consistent to the way impersonation works today, where even disabled
users can be impersonated.
Microsoft is working on allowing so called "AAD-only authentication" which will effectively disable the server admin login, as the complete SQL authentiction is disabled.
In working towards setting up ADF for SSIS access to my Azure DB, I need to check that the "Allow azure services to access server" is enabled. The database has however already been created and I cannot find any obvious links in Azure portal as to where I can find this setting now.
As example of what I'm looking for. refer https://www.purplefrogsystems.com/paul/2018/01/azure-ssis-how-to-setup-deploy-execute-schedule-packages/
If I understand it right, you could follow my steps to find the setting.
1.open your Azure Sql Database on azure portal,then go to Set server firewall.
2.check the Allow access to Azure services setting.
I am trying connect to Azure SQL database with PowerBI using AD Authentication. Basically we want users of the PowerBI report to use their own AD credentials when they connect to the database.
Using windows authentication I can connect to the Azure SQL via SSMS. But when I try the exact same way via PowerBI its says "user was not authorized"
I have on Azure SQL Server created a AD user (FROM EXTERNAL) that is my AD User.
Am I missing something?
Please ensure firewall rules for the SQL Azure database are configured to "Allow access to Azure services".
Currently Power BI doesn’t support AAD authentication when connecting to Azure SQL Database, but using Microsoft ODBC Driver 13 it is possible to do it as explained here.
ODBC (for AD PW Auth; must have ODBC Drive 13 for SQL Server)
Driver={ODBC Driver 13 for SQL Server};Server=<servernamehere>;Database=<databasenamehere>;Encrypt=yes;TrustServerCertificate=no;Connection Timeout=30;Authentication=ActiveDirectoryPassword