During the setup of an Azure Synapse Serverless (OnDemand) SQL Database, I can't create an AAD User/Group because of insufficient permissions of the Server Identity. The query is executed token-based with a Service Principal from a CI/CD Pipeline (Azure DevOps).
I'm able to create a database using a Service Principal (which is in the AAD Group set as Synapse AD Administrator) with the following command:
Invoke-SqlCmd -AccessToken (Get-AzAccessToken -ResourceUrl https://sql.azuresynapse.net).Token -ServerInstance "mysynapseworkspacename-ondemand.sql.azuresynapse.net" -Database "master" -Query "CREATE DATABASE [MYDB]"
Unfortunately, it is not possible to create an AAD User/Group with the Service Principal, as the System Managed Identity of Synapse does not have sufficient permissions:
Invoke-SqlCmd -AccessToken (Get-AzAccessToken -ResourceUrl https://sql.azuresynapse.net).Token -ServerInstance "mysynapseworkspacename-ondemand.sql.azuresynapse.net" -Database "MYDB" -Query "CREATE USER [My-User-Group] FROM EXTERNAL PROVIDER"
Invoke-SqlCmd : Server identity does not have Azure Active Directory Readers permission. Please follow the steps here: https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-service-principal
However, the Service Principal (with which the SQL command is executed) does have the necessary permissions (User.Read.All, GroupMember.Read.All, and Application.Read.ALL) and is added to the workspace as "Synapse SQL Administrator". Assigning the necessary permissions to the System Managed Identity (of the Synapse Workspace) is not possible, as the workspace (and its System Managed Identity) may not be persistent. As an alternative, there would be a User Assigned Managed Identity (with the necessary permissions) available within the Synapse Workspace.
Is there a possibility to connect or execute the command using the User Assigned Managed Identity or force to use the Service Principal for the creation of the AAD User/Group? How can I change the SQL "Server identity" to the User Assigned Managed Identity?
Related
App Service dev, staging and prod deployment slots and SQL DB all have system assigned managed identities.
Contributor roles have been assigned to managed identities at the subscription level.
SQL Server Contained users have been created and roles assigned for the App Service dev, staging and production slots:
SQL Server Contained Users
appsettings.json connectionStrings:
connectionStrings
AD DB Admin User created and added to SQLServer as a contained user.
Permissions added to AppService managed identity for dB1 and dB2 to SQL Server AppService Managed Identity Permissions
msi-validator returns success for token based connection from the web app to two different databases on the same sql server instance.
msi-validator success
Local and Azure deployment slot both return: SQLException Login failed for token-identified principal
Walked through https://social.technet.microsoft.com/wiki/contents/articles/53928.azure-ad-managed-identity-connecting-azure-web-app-and-slots-with-azure-sql-db-without-credentials.aspx and many other tutorials.
Still missing something...
Attempts to run the application using the managed identity connection string is consistently failing with the token-provider principal login failure error.
Confirmation of settings:
Confirmation of Settings
Please make sure the Azure Active Directory user is created on the Azure SQL Database. Please make you create the user in the Azure SQL Database following the steps mentioned here.
To create an Azure AD-based contained database user, connect to the database with an Azure AD identity, as a user with at least the ALTER ANY USER permission. Then use the following Transact-SQL syntax:
CREATE USER <Azure_AD_principal_name> FROM EXTERNAL PROVIDER;
CREATE USER [bob#contoso.com] FROM EXTERNAL PROVIDER;
CREATE USER [alice#fabrikam.onmicrosoft.com] FROM EXTERNAL PROVIDER;
Make sure you are connect to the Azure SQL database and not to the master database on the Azure SQL logical server.
As per my understanding you are facing an error stating login fails for token-identified principal when trying to connect your Azure ap service managed identity with your Azure SQL Database.
Could you please try the below in order to mitigate the issue.
Make sure System managed Identity status is showing on your app.
on your app service Verify that your connection string under application settings is set to "Server=tcp:.database.windows.net,1433;Database=;"
Allow Azure services and resources to access this server” should be set as Yes in Firewalls and virtual networks settings in your Azure SQL DB, in case it was not set earlier during Azure SQL setup.
Please do let me know if that help mitigate the issue. If not, we will keep working on the same to get you unblock.
I am trying to install TFS on the server but it requires to have the user SYSADMIN role which can only be assigned using the sa user login.
I am using SQL Server 2014 Express. To enable the sa user, I tried enabling the mixed mode authentication but I get this error:
The EXECUTE permission was denied on the object 'xp_instance_regwrite', database 'mssqlsystemresource', schema 'sys'. (Microsoft SQL Server, Error: 229)
How do I fix that?
Update:
The problem is that I am Windows User and logging in with windows authentication. So using that user I am not able to assign any roles to myself or other user.
You can use an existing installation of SQL Server for Azure DevOps Server/TFS. To do so, you need administrative credentials granted by the SQL Server administrator. You must be a member of the sysadmin server role in SQL Server to install and configure Azure DevOps Server/TFS. So you need to contact SQL Server administrator and grant your account appropriate permission to install Azure DevOps Server/TFS.
If you want to start a new installation of SQL Server, you could refer to the following link:
https://learn.microsoft.com/en-us/azure/devops/server/install/sql-server/install-sql-server?view=azure-devops
Using New-AzureRmSqlDatabaseExport i'm able to export a database to a blob storage within the same subscription. However I would like to export database from subscription A into blob storage in subscription B. For security reasons it's not acceptable to expose subscription A Azure account credentials.
This is possible by creating a new server in subscription A, create a copy of db and then switch the new server to subscription B. That seems overly complicated and is affecting subscription A.
Code below is possible if I provide Connect-AzureRmAccount credentials for subscription A, but that's not an option.
New-AzureRmSqlDatabaseExport
-ResourceGroupName "SubscriptionA'"
–ServerName "SubscriptionA"
–DatabaseName "SubscriptionA"
–AdministratorLogin "SubscriptionA"
–AdministratorLoginPassword "SubscriptionA"
–StorageKeyType "SubscriptionB"
–StorageKey "SubscriptionB"
-StorageUri "SubscriptionB"
How can this be achieved using New-AzureRmSqlDatabaseExport with only providing database user/pass and not the account credentials?
Running Azure PowerShell commands requires you to be logged in to Azure. Database users have rights only on the database, they don't have any rights on the Azure Fabric, which is what you are trying to use here.
If you must use New-AzureRmSqlDatabaseExport then you will need to provide credentials that can log on to Azure. You can limit the scope of these credentials to only have rights on this server, and only to backup databases (look at custom roles for RBAC), but you will need to use an Azure user.
Alternatively, you can look at using other tools that work at the database layer to do your export. One example is exporting a BacPac file - https://learn.microsoft.com/en-us/azure/sql-database/sql-database-export
The Storage account credentials are the New-AzureRmSqlDatabaseExport required parameters.
Other words, we could not export an Azure SQL Database to a storage account without account credentials.
For more details, you can see New-AzureRmSqlDatabaseExport
and Required Parameters.
For security, you can export your Azure SQL database to a BACPAC file and then upload the file to your Blob Storage in subscription B.
Hope this can helps you.
Suppose I create an Azure SQL Database and want to use the Azure Cloud Shell to administer it.
The first port of call would be the 'allow access to Azure services' option. However it is implied that this is rather too liberal as it allows access from any Azure service. I don't want to do that. I only want to grant access to the Cloud Shell.
The documentation describes setting up a server-level firewall rule - setting an IP address range of 0.0.0.0 to 255.255.255.255 would permit any IP to connect to the database. I don't want to do that either - this is clearly not production-ready and even more liberal than allowing access to any service within Azure.
I don't know the IP address of Cloud Shell, it's presumably dynamically allocated.
How do I grant access to just the Cloud Shell?
The PowerShell/CLI commands you execute in Azure Cloud Shell use the same management APIs as the Portal, so if you can manage a database in the portal than you can the exact same in Azure Cloud Shell. Firewall rules apply to data connections (i.e. T-SQL connections for running queries on the DB), not management operations.
If you run your sql command via Cloud Shell an error will be returned that provide the IP address of Cloud Shell to be white listed in your azure SQL Server firewall! See sample commands and error below:
Import-Module SQLServer
Import-Module Az.Accounts -MinimumVersion 2.2.0
Note: the sample assumes that you or your DBA configured the server to accept connections using
that Service Principal and has granted it access to the database (in this example at least
the SELECT permission).
Obtain the Access Token: this will bring up the login dialog
Connect-AzAccount
$access_token = (Get-AzAccessToken -ResourceUrl https://database.windows.net).Token
Now that we have the token, we use it to connect to the database 'mydb' on server 'myserver'
Invoke-Sqlcmd -ServerInstance myserver.database.windows.net -Database mydb -AccessToken $access_token`
-query 'select * from Table1'
--Invoke-Sqlcmd: Cannot open server 'myserver' requested by the login. Client with IP address '20.XXX.XXX.XX' is not allowed to access the server. To enable access, use the Windows Azure Management Portal or run sp_set_firewall_rule on the master database to create a firewall rule for this IP address or address range. It may take up to five minutes for this change to take effect.
When creating a SQL Azure server, we get one 'superuser' that has full access to all databases. We would like to create more of these users, but not quite sure how.
We have looked at the following article:
http://msdn.microsoft.com/en-us/library/azure/ee336235.aspx
It allows us creating new logins via:
-- first, connect to the master database
CREATE LOGIN login1 WITH password='<ProvidePassword>';
Then we can add the 'dbmanager' and 'loginmanager' roles:
-- first, connect to the master database
CREATE LOGIN login1 WITH password='<ProvidePassword>';
CREATE USER login1User FROM LOGIN login1;
EXEC sp_addrolemember 'dbmanager', 'login1User';
EXEC sp_addrolemember 'loginmanager', 'login1User';
The new user can now connect to our SQL Azure server and see all the databases. However, the user is then unable to connect to individual databases. A workaround is to create a user mapped to a new login in each database and grant that user db_owner rights, but that is cumbersome and requires maintenance.
Is there an easy way of creating another sysadmin user in SQL Azure?
There is only 1 server admin account allowed for Azure SQL Databases. However, you can add an Azure Active Directory (AAD) group as the Active Directory admin, enabling multiple AAD users to be server admins. More details here about using AAD on Azure SQL Database.