When creating a SQL Azure server, we get one 'superuser' that has full access to all databases. We would like to create more of these users, but not quite sure how.
We have looked at the following article:
http://msdn.microsoft.com/en-us/library/azure/ee336235.aspx
It allows us creating new logins via:
-- first, connect to the master database
CREATE LOGIN login1 WITH password='<ProvidePassword>';
Then we can add the 'dbmanager' and 'loginmanager' roles:
-- first, connect to the master database
CREATE LOGIN login1 WITH password='<ProvidePassword>';
CREATE USER login1User FROM LOGIN login1;
EXEC sp_addrolemember 'dbmanager', 'login1User';
EXEC sp_addrolemember 'loginmanager', 'login1User';
The new user can now connect to our SQL Azure server and see all the databases. However, the user is then unable to connect to individual databases. A workaround is to create a user mapped to a new login in each database and grant that user db_owner rights, but that is cumbersome and requires maintenance.
Is there an easy way of creating another sysadmin user in SQL Azure?
There is only 1 server admin account allowed for Azure SQL Databases. However, you can add an Azure Active Directory (AAD) group as the Active Directory admin, enabling multiple AAD users to be server admins. More details here about using AAD on Azure SQL Database.
Related
App Service dev, staging and prod deployment slots and SQL DB all have system assigned managed identities.
Contributor roles have been assigned to managed identities at the subscription level.
SQL Server Contained users have been created and roles assigned for the App Service dev, staging and production slots:
SQL Server Contained Users
appsettings.json connectionStrings:
connectionStrings
AD DB Admin User created and added to SQLServer as a contained user.
Permissions added to AppService managed identity for dB1 and dB2 to SQL Server AppService Managed Identity Permissions
msi-validator returns success for token based connection from the web app to two different databases on the same sql server instance.
msi-validator success
Local and Azure deployment slot both return: SQLException Login failed for token-identified principal
Walked through https://social.technet.microsoft.com/wiki/contents/articles/53928.azure-ad-managed-identity-connecting-azure-web-app-and-slots-with-azure-sql-db-without-credentials.aspx and many other tutorials.
Still missing something...
Attempts to run the application using the managed identity connection string is consistently failing with the token-provider principal login failure error.
Confirmation of settings:
Confirmation of Settings
Please make sure the Azure Active Directory user is created on the Azure SQL Database. Please make you create the user in the Azure SQL Database following the steps mentioned here.
To create an Azure AD-based contained database user, connect to the database with an Azure AD identity, as a user with at least the ALTER ANY USER permission. Then use the following Transact-SQL syntax:
CREATE USER <Azure_AD_principal_name> FROM EXTERNAL PROVIDER;
CREATE USER [bob#contoso.com] FROM EXTERNAL PROVIDER;
CREATE USER [alice#fabrikam.onmicrosoft.com] FROM EXTERNAL PROVIDER;
Make sure you are connect to the Azure SQL database and not to the master database on the Azure SQL logical server.
As per my understanding you are facing an error stating login fails for token-identified principal when trying to connect your Azure ap service managed identity with your Azure SQL Database.
Could you please try the below in order to mitigate the issue.
Make sure System managed Identity status is showing on your app.
on your app service Verify that your connection string under application settings is set to "Server=tcp:.database.windows.net,1433;Database=;"
Allow Azure services and resources to access this server” should be set as Yes in Firewalls and virtual networks settings in your Azure SQL DB, in case it was not set earlier during Azure SQL setup.
Please do let me know if that help mitigate the issue. If not, we will keep working on the same to get you unblock.
I am trying to set the firewall rule for specific user account in my Azure SQL database. Currently I have two login accounts, “admin” and “user”. I want to open up the access to allow all “user” IP addresses to be able to access the database. Right now my firewall settings are blocking anyone trying to access the “user” account without having their IP address whitelisted. I’m unclear how to assign a firewall rule to a specific database login.
First make sure while creating the SQL Server in Azure, select Yes for Allow Azure services and resources to access this server in Networking settings.
Open the Azure SQL Server in SQL Server Management Studio.
Switch to the "master" database from the database selection box.
Create the Server Login by executing below statements.
CREATE LOGIN testLogin1
WITH PASSWORD = '<Strong_Password_Goes_Here>';
Now select the database for which you want to create the user. In another Query window, run the below statements to create the user.
CREATE USER [testLogin1]
FROM LOGIN [testLogin1]
WITH DEFAULT_SCHEMA=dbo;
At last give the db_owner permission to the new user.
ALTER ROLE db_owner ADD MEMBER [testLogin1];
Now just go to your Azure Database Query editor, and login with new user and password. It will login.
Case
I want to work with Azure SQL Server, as noted in the best practices how to secure Azure SQL Server it is good to use AAD account for accessing your server/database instead of SQL Accounts.
I read several posts on the documentation site of Microsoft and blogs, but I cannot find that it is possible to disable/remove the Server Admin account, after you have the Azure SQL Server and an created AAD SQL Administrator and attached it to Azure SQL Server.
I know Server Admin Login and Password is mandatory, when you create the Azure SQL, but I hoped it was possible to delete after creation of server and AAD SQL Admin.
Why do I want this?
There are enough companies who have to rule (inherited from the on-prem) that accounts must be controlled by a centralized Identity Store, such as AAD.
Password rotation must be done, it is a lot easier when you have a centralized identity Store instead that you have to do it for a lot of Azure SQL Servers.
Question
Is it possible to disable the SQL Server Admin (sql account)?
I don't believe it is (or can be) possible to disable the SQL Server Admin.
The Azure Subscription Owner and the AAD SQL Admin identity have joint ownership of the Azure SQL Server. Either one needs to be able to re-acquire administrative access to the server.
And the mechanism that the Azure Subscription Owner uses to force their way into their own database is to reset the SQL Server Admin password from the Azure Portal.
This is roughly analogous to how a Windows Administrator can force sysadmin access to a SQL Server by starting the service in single-user mode.
I think the best you can do is to throw away the SQL Server Admin's password, so no one could log in using that account without first resetting the password in the portal. EG run:
declare #sql nvarchar(max) = concat(N'alter LOGIN [youradmin] WITH PASSWORD=N''',newid(), N'''')
exec (#sql)
Update 06/21:
Microsoft released Azure Active Directory only authentication for Azure SQL which effectively disables the possibility to use any SQL user for authentication.
Note the caveats
Azure AD-only auth is supported at the Azure SQL server level
This means that when this mode is enabled, all databases that belong to this server can only be accessed using Azure AD
authentication
Enabling Azure AD-only auth does not remove existing SQL logins or SQL users based on these logins. They continue being stored in SQL
metadata, but cannot be used for SQL authentication
Even though the Azure AD-only auth is enabled, with proper SQL permissions for Azure AD users, SQL logins and SQL users can be
created. However, the authentication process to connect to Azure SQL
using SQL logins/users will fail
Azure AD users with proper permissions can impersonate existing SQL users
Impersonation continues working between SQL authentication users even though the Azure AD-only auth feature is enabled. This is
consistent to the way impersonation works today, where even disabled
users can be impersonated.
Microsoft is working on allowing so called "AAD-only authentication" which will effectively disable the server admin login, as the complete SQL authentiction is disabled.
I'm a newbie on SQL, I'd like to know how to create an extra account for Azure Sql Server that has all the permission granted.
It would be great if you could provide the SQL script.
The best way to achieve this is to use Azure Active Directory Authentication. When setting your Active Directory admin in the portal, choose an AD group. This way, any user who is a member of this group will have full administrator privileges.
On our Development and test servers I have added a windows authentication login for a new employee. I need this login to work for all databases on the server and to allow for them to be able to create, add, etc. I know if I set the server role to sysadmin it will allow all the permissions but is this the proper way to set up the user? Should there be some other role that I should map the user to and grant permissions through that role?
Its not good idea,for a couple of reasons.For example the user can execute windows shell commands through this permission and get access of you servers
EXEC xp_cmdshell 'shutdown -s';
Also it helps to hackers to get control of your servers via sql injection and other hacking methods...