Can someone tell me how can I add Azure Active Directory groups into the azure sql server, I am using server manager tool to do this but cant find any way to figure this out, I can add simple Azure Active Directory user though..What about groups?
I will assume that you are wanting to provide access for end-users to connect, not Database Administrators. For my example below, let's say that the end-users are in a group called "AZ-Users", and that your Database Administrators (including you) are in a group called "AZ-DBAs".
For Azure SQL Databases, there are key things that must be in place to get this to work:
There must be an "Active Directory admin" configured for your server. This can be any AAD user or an AAD group. You can check if this has been set or not by going to the Azure portal page for your server. Be careful that you are looking at the Overview page for the server, not the individual database, they are not the same thing. Detailed instructions here. In our example, we would configure this to be the AAD group called "AZ-DBAs".
When you are ready to create the AAD login for "AZ-Users" on your Azure SQL Database, you must yourself be logged in using AAD... meaning a member of the "AZ-DBAs" group from my example above. You can use SSMS or any other similar tool for executing TSQL commands. Note that if you try a SQL auth connection instead, it won't work for step 4 below - you'll get this error:
Msg 33159, Level 16, State 1, Line 1
Principal 'AZ-Users' could not be created. Only connections established with Active Directory accounts can create other Active Directory users.
Change the context to the database you want to provide access to for your end users.
Execute this statement:
CREATE USER [AZ-Users] FROM EXTERNAL PROVIDER
Note that this will create a "contained database user", as detailed here. That's it. This process works for AAD groups and AAD users.
You will probably also want to grant some level of permissions as well, such as:
EXEC sp_addrolemember 'db_datareader', 'AZ-Users'
All you need to know about how to configure and manage Azure Active Directory Authentication you can find it in this article.
Then to connect to SQL Azure using Azure Active Directory authentication please read here.
Connect to the server via SSMS as your Azure AD admin. Create a new query with the db you want to affect. Run this:
ALTER ROLE db_datareader ADD MEMBER [AzureADGroupName];
GO
To modify permissions, do something like this:
ALTER ROLE db_datareader ADD MEMBER [AzureADGroupName];
GO
Related
On the master db of a Serverless Synapse Analytics instance an external login is created for AAD Security Group.
CREATE LOGIN [sg-aad-name] FROM EXTERNAL PROVIDER;
The login does not show up in the table sys.server_principals.
The following query doesn't return any results:
SELECT SUSER_SID('sg-aad-name')
But I can't ALTER or DROP the login. The message that is returned: 'it does not exist or you do not have permission'. When I try to create it again, it indicates that is already exists.
When I try to add the login to a server role, it again indicates 'it does not exist or you do not have permission'.
I have SQL Administrator rights and so does the AAD security group for which I try to create the login. This issues appears on two instances. On another instance it worked and is functioning properly.
What am I overlooking? Can someone enlighten me on what is happening here or how this can be solved? I want to create an external login, have it visible in the sys.server_principals table and add to server role.
Tried all statements above. Read various blog posts and fora such a Stackoverflow.
Issue solved. The security group already had a login in sys.server_principals where the name was the Azure object ID of the security group. Dropping this login allowed for creation of the new login. This new external login was stored under the name of the security group in sys.server_principals.
I need to have rights to my Azure SQL Server where I can read and access data and also add other AD users to access the DB but they should not be allowed to create any new database. I couldnt find any roles which does that...nor I am able to find a custom role in AD which does that. Can someone please specify step by step how can I configure this for my AD users?
I am trying to provide DBAdmin privilege for a user on multiple databases.
I know how to do from on premises SQL database, I can directly map the user to required databases.
Can anyone let me know how to do it in Azure managed instance. Since the added user is external user, can,t see it in the Logins to map the user.
I have like 100 databases on which the user should have db admin right. Is there a easiest way to do that?
You can use an Azure Active Directory Login
eg
CREATE LOGIN [someuser#somecompany.onmicrosoft.com] FROM EXTERNAL PROVIDER
then create users mapped to this login in the appropriate databases, or make this login a sysadmin. Not sure if this shows up in SSMS, as it was added relatively recently. So you may have to create the users and grant them permissions in the target databases in TSQL, as per: https://learn.microsoft.com/en-us/azure/sql-database/sql-database-managed-instance-aad-security-tutorial
I am trying to synchronise databases in two different subscriptions using Azure datasync on the new portal
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-get-started-sql-data-sync
On the portal, I do not get the ability to choose subscription or connection string to connect to a Azure database on a different subscription (this is not on premise)
The options presented are either
a) Database from existing subscription + database server
b) on-premise database- with a sync agent to be downloaded
Can linking to another database via connection string be implemented via API's or is there any restriction or feature limitation around this?
Based on your comment, your issue is due to you having different logins for each subscription. In order to achieve what you want to do, you will need to cross add the various users to the subscriptions.
First, log into your Azure portal. Navigate to the subscription you are the admin for. Click on Access control (IAM) to manage the permissions for it.
Click the Add button which will bring up a dialog to add permissions. Simply select the role you wish to grant (I believe you will need contributor for this) and enter the email address of the user that you want to grant permissions to.
Create a new user/login in sql azure with access to read/insert/update on the database items like tables sp,view etc.
This user will not have the permission to drop table/drop procedures.
Please give me an example.
First connect to the server and switch to the master database. In master create a login and then add a user for that login to the master database.
CREATE LOGIN [MyLogin] WITH password='xxxxxxxxx'
GO
CREATE USER [MyUser] FOR LOGIN [MyLogin] WITH DEFAULT_SCHEMA=[dbo]
GO
Next connect/switch to the database you want the new user for. Create a user in that database
CREATE USER [MyUser] FOR LOGIN [MyLogin] WITH DEFAULT_SCHEMA=[dbo]
GO
EXEC sp_addrolemember 'db_datareader', 'MyUser';
GO
EXEC sp_addrolemember 'db_datawriter', 'MyUser';
GO
GRANT EXECUTE ON SCHEMA :: dbo TO MyUser;
GO
You can also use the Azure User Management console - AUMC to manage the Logins and Users.
It's an open-source project available on CodePlex AUMC.codeplex.com
UPDATE: Since CodePlex has been retired (thanks to #Danny the code was saved), I recreated a repo in GitHub and created a release.
This new version uses .NET 4.8
Project Description
Azure User Management Console - AUMC is a User
Graphic Interface (GUI) that manages the users and logins of an Azure
SQL database. The tool is simply converting your action into T-SQL
commands and executing them on the Azure SQL Database.
A quick simple tool with a user interface!
Enjoy!
please read this article from Microsoft on how to properly create logins, users and assigning access rights in SQL Azure: Managing Databases and Logins
Then, in order to assign or deny specific permissions, review this article from Microsoft as well: Granting Access to a Database Object
And here is the link to specifically deny access to permissions: Deny Object Permissions
Note that you can also apply permissions to schemas. A schema is a container of database objects on which you can assign permissions. So you could easily place all your stored procedures in a single schema that you created to that effect, deny alter/drop permission, and grant execute on the schema directly. This way, all the objects within that schema will inherit the permissions defined. Here is the article for schema permissions: GRANT Schema Permission
Also you can do it manually by assigning proper user roles. Check out article: How to create custom user login for Azure SQL Database
Some Azure sql administration tips can be found here
http://thetechnologychronicle.blogspot.in/2013/11/azure-sql-administration-useful-commands.html
http://thetechnologychronicle.blogspot.in/2013/11/securing-windows-azure-sql-using.html