I'm a newbie on SQL, I'd like to know how to create an extra account for Azure Sql Server that has all the permission granted.
It would be great if you could provide the SQL script.
The best way to achieve this is to use Azure Active Directory Authentication. When setting your Active Directory admin in the portal, choose an AD group. This way, any user who is a member of this group will have full administrator privileges.
Related
I am trying to set the firewall rule for specific user account in my Azure SQL database. Currently I have two login accounts, “admin” and “user”. I want to open up the access to allow all “user” IP addresses to be able to access the database. Right now my firewall settings are blocking anyone trying to access the “user” account without having their IP address whitelisted. I’m unclear how to assign a firewall rule to a specific database login.
First make sure while creating the SQL Server in Azure, select Yes for Allow Azure services and resources to access this server in Networking settings.
Open the Azure SQL Server in SQL Server Management Studio.
Switch to the "master" database from the database selection box.
Create the Server Login by executing below statements.
CREATE LOGIN testLogin1
WITH PASSWORD = '<Strong_Password_Goes_Here>';
Now select the database for which you want to create the user. In another Query window, run the below statements to create the user.
CREATE USER [testLogin1]
FROM LOGIN [testLogin1]
WITH DEFAULT_SCHEMA=dbo;
At last give the db_owner permission to the new user.
ALTER ROLE db_owner ADD MEMBER [testLogin1];
Now just go to your Azure Database Query editor, and login with new user and password. It will login.
Case
I want to work with Azure SQL Server, as noted in the best practices how to secure Azure SQL Server it is good to use AAD account for accessing your server/database instead of SQL Accounts.
I read several posts on the documentation site of Microsoft and blogs, but I cannot find that it is possible to disable/remove the Server Admin account, after you have the Azure SQL Server and an created AAD SQL Administrator and attached it to Azure SQL Server.
I know Server Admin Login and Password is mandatory, when you create the Azure SQL, but I hoped it was possible to delete after creation of server and AAD SQL Admin.
Why do I want this?
There are enough companies who have to rule (inherited from the on-prem) that accounts must be controlled by a centralized Identity Store, such as AAD.
Password rotation must be done, it is a lot easier when you have a centralized identity Store instead that you have to do it for a lot of Azure SQL Servers.
Question
Is it possible to disable the SQL Server Admin (sql account)?
I don't believe it is (or can be) possible to disable the SQL Server Admin.
The Azure Subscription Owner and the AAD SQL Admin identity have joint ownership of the Azure SQL Server. Either one needs to be able to re-acquire administrative access to the server.
And the mechanism that the Azure Subscription Owner uses to force their way into their own database is to reset the SQL Server Admin password from the Azure Portal.
This is roughly analogous to how a Windows Administrator can force sysadmin access to a SQL Server by starting the service in single-user mode.
I think the best you can do is to throw away the SQL Server Admin's password, so no one could log in using that account without first resetting the password in the portal. EG run:
declare #sql nvarchar(max) = concat(N'alter LOGIN [youradmin] WITH PASSWORD=N''',newid(), N'''')
exec (#sql)
Update 06/21:
Microsoft released Azure Active Directory only authentication for Azure SQL which effectively disables the possibility to use any SQL user for authentication.
Note the caveats
Azure AD-only auth is supported at the Azure SQL server level
This means that when this mode is enabled, all databases that belong to this server can only be accessed using Azure AD
authentication
Enabling Azure AD-only auth does not remove existing SQL logins or SQL users based on these logins. They continue being stored in SQL
metadata, but cannot be used for SQL authentication
Even though the Azure AD-only auth is enabled, with proper SQL permissions for Azure AD users, SQL logins and SQL users can be
created. However, the authentication process to connect to Azure SQL
using SQL logins/users will fail
Azure AD users with proper permissions can impersonate existing SQL users
Impersonation continues working between SQL authentication users even though the Azure AD-only auth feature is enabled. This is
consistent to the way impersonation works today, where even disabled
users can be impersonated.
Microsoft is working on allowing so called "AAD-only authentication" which will effectively disable the server admin login, as the complete SQL authentiction is disabled.
Can I create a credential in SQL Server 2012 for a group? Not an individual user.
I am trying to give a group of users access to execute SSIS packages using the SQL Server Agent. which requires a proxy account on a credential.
Instead of creating a credential for every single user, I just want to create one credential. I do not know the password for the group, is there a password which exists that the DBAs might know of?
These are two different things.
On the SSIS side, your SSIS package has to run in a security context that gives it rights to do what it needs - connect to databases, open remote files etc. This has nothing to do with the user that starts the package.
On the user side, users need to have rights to execute the package. The user does not need the same file and database rights as the package. So hopefully you can understand these are two different security items.
Your SQL Agent proxy needs to be granted all rights required by the package. This is a single credential (windows account). It isn't a group. A group doesn't have a password, it just contains a bunch of logins
Your users on other hand can be belong to a windows group. Then you add that group to the SQL Server as a SQL Server login. Then you give that windows group access to the msdb or SSISCatalog database and add them to appropriate roles.
Here are the list of roles:
https://msdn.microsoft.com/en-us/library/ms141053.aspx
and here is a guide on granting access at the individual package level
https://blogs.msdn.microsoft.com/mattm/2012/03/19/ssis-catalog-access-control-tips/
I know that links for answers are frowned on but the main concept is that the package execution security and user rights to execute packages are two separate things
When creating a SQL Azure server, we get one 'superuser' that has full access to all databases. We would like to create more of these users, but not quite sure how.
We have looked at the following article:
http://msdn.microsoft.com/en-us/library/azure/ee336235.aspx
It allows us creating new logins via:
-- first, connect to the master database
CREATE LOGIN login1 WITH password='<ProvidePassword>';
Then we can add the 'dbmanager' and 'loginmanager' roles:
-- first, connect to the master database
CREATE LOGIN login1 WITH password='<ProvidePassword>';
CREATE USER login1User FROM LOGIN login1;
EXEC sp_addrolemember 'dbmanager', 'login1User';
EXEC sp_addrolemember 'loginmanager', 'login1User';
The new user can now connect to our SQL Azure server and see all the databases. However, the user is then unable to connect to individual databases. A workaround is to create a user mapped to a new login in each database and grant that user db_owner rights, but that is cumbersome and requires maintenance.
Is there an easy way of creating another sysadmin user in SQL Azure?
There is only 1 server admin account allowed for Azure SQL Databases. However, you can add an Azure Active Directory (AAD) group as the Active Directory admin, enabling multiple AAD users to be server admins. More details here about using AAD on Azure SQL Database.
Best practices recommend not installing Sql Server to run as SYSTEM. What is the bare minumum you need to give the user account you create for it?
By default, SQL Server 2005 installation will create a security group called SQLServer2005MSSQLUser$ComputerName$MSSQLSERVER with the correct rights. You just need to create a domain user or local user and make it a member of that group.
More details are available in the SQL Server Books Online: Reviewing Windows NT Rights and Privileges Granted for SQL Server Service Accounts
Typically I create a Domain User with only the specific rights on the network which I will require the server to have (i.e. to write to the network backup drive), I then add the account to local power users or local administrators depending on what needs to be done on the machine, however this isn't required. I've installed SQL a number of times using a standard user as a Service Account but you need to ensure that the user has access to write to the resources as listed at https://web.archive.org/web/20081223155956/http://support.microsoft.com/kb/283811 . Its probably not as defined an answer as you wanted but I'm only a developer (not a professional DBA / System Engineer).
Mauro
PS dont downmark me for saying "only a developer" :P