Can someone tell me how can I add Azure Active Directory groups into the azure sql server, I am using server manager tool to do this but cant find any way to figure this out, I can add simple Azure Active Directory user though..What about groups?
To assign an Azure Active Directory user/group to Azure SQL Database as an Administrator, in the Azure Portal, click SQL Server. Select and open the SQL Server with an Azure SQL Database. After that, open the SQL Server, click Active Directory admin, and press the "Set admin" option.
Azure Active Directory authentication supports the following methods of connecting to a database using Azure AD identities: Azure Active Directory Password. Azure Active Directory Integrated. Azure Active Directory Universal with Multi-Factor Authentication.
Azure SQL Database isn't supported as a database. This includes both Azure SQL Database and Azure SQL Managed Instance. You must use a case-insensitive SQL collation.
I will assume that you are wanting to provide access for end-users to connect, not Database Administrators. For my example below, let's say that the end-users are in a group called "AZ-Users", and that your Database Administrators (including you) are in a group called "AZ-DBAs".
For Azure SQL Databases, there are key things that must be in place to get this to work:
There must be an "Active Directory admin" configured for your server. This can be any AAD user or an AAD group. You can check if this has been set or not by going to the Azure portal page for your server. Be careful that you are looking at the Overview page for the server, not the individual database, they are not the same thing. Detailed instructions here. In our example, we would configure this to be the AAD group called "AZ-DBAs".
When you are ready to create the AAD login for "AZ-Users" on your Azure SQL Database, you must yourself be logged in using AAD... meaning a member of the "AZ-DBAs" group from my example above. You can use SSMS or any other similar tool for executing TSQL commands. Note that if you try a SQL auth connection instead, it won't work for step 4 below - you'll get this error:
Msg 33159, Level 16, State 1, Line 1 Principal 'AZ-Users' could not be created. Only connections established with Active Directory accounts can create other Active Directory users.
Change the context to the database you want to provide access to for your end users.
Execute this statement:
CREATE USER [AZ-Users] FROM EXTERNAL PROVIDER
Note that this will create a "contained database user", as detailed here. That's it. This process works for AAD groups and AAD users.
You will probably also want to grant some level of permissions as well, such as:
EXEC sp_addrolemember 'db_datareader', 'AZ-Users'
All you need to know about how to configure and manage Azure Active Directory Authentication you can find it in this article.
Then to connect to SQL Azure using Azure Active Directory authentication please read here.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With