Unable to automate AD user creation in Azure SQL database - azure-devops

I'm trying to set up automated pipeline for database creation and need to open access for all users of some AD group. Last part is done through CREATE USER [Group Name] FROM EXTERNAL PROVIDER;
In order to execute this command, one needs to be logged in with AAD and the only Azure DevOps task used to execute SQL scripts (SqlAzureDacpacDeployment#1) has limited options to sign with AD. Currently it supports sign in with AD username/password and AD Integrated. User/password option is not possible as we use two factor authentication. And the latter requires self-hosted agent for pipeline which we do not have.
Additionally, there is one more sign in option that look promising (Service Principal: Uses the Authentication data from Azure Subscription), but after trying it failed miserably with error:
##[error]Principal 'web-API' could not be created. Only connections established with Active Directory accounts can create other Active Directory users.
Are the any other options we could use to create AD users in Azure SQL database? Any help would be appreciated.

How to solve above error ?
Please follow below steps:
Step 1: Go to Azure portal and find out your SQL server resource and you will find Active director left side under settings. Please click Set Admin. Now your Active Directory user account becomes Admin to the SQL server.
Step 2: Now use SSMS login with Active directory authentication if Multi-factor Authentication (MFA) is enabled. Otherwise, you can choose either 'Active directory - Integrated' or 'Active Directory - Password.'
Step 3: Create new logins which you can see in the below code:
CREATE USER [User1#Domain.com]
FROM EXTERNAL PROVIDER
WITH DEFAULT_SCHEMA = dbo;
add user to roles for the particular database
ALTER ROLE dbmanager ADD MEMBER [User1#Domain.com];
ALTER ROLE loginmanager ADD MEMBER [User1#Domain.com];
Note : If you add a domain user that is configured for MFA, then for that user to log on using SSMS they should select the SSMS authentication option Azure Active Directory - Universal with MFA.
Regarding SqlAzureDacpacDeployment#1 follow this Link.
For more detail information refer this:
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-overview?view=azuresq
https://learn.microsoft.com/en-us/sql/t-sql/statements/create-user-transact-sql?view=sql-server-ver15
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-mfa-ssms-overview?view=azuresql

Related

Authenticate with Azure AD account while using Read-SqlTableData to read AzSQL tables

What other properties does one need to add to the ConnectionContext while connecting to AzSQL using an AzAD account?
$srv = new-object ('Microsoft.SqlServer.Management.Smo.Server') "<>.database.windows.net"
$srv.ConnectionContext.LoginSecure = $false
$srv.ConnectionContext.Authentication = [Microsoft.SqlServer.Management.Common.SqlConnectionInfo+AuthenticationMethod]::ActiveDirectoryPassword
$srv.ConnectionContext.Login = "<>#<>.onmicrosoft.com"
$srv.ConnectionContext.Password = "<>"
$srv.ConnectionContext.Connect()
Error :
MethodInvocationException: Exception calling "Connect" with "0" argument(s): "Failed to connect to server <>.database.windows.net."
The ActiveDirectoryPassword method works fine from SSMS. I'm trying to run Read-SqlTableData instead of invoking a TSQL query.
Read-SqlTableData -InputObject $srv.Databases["TestDB"].Tables["TestTable"] -TopN 5
Expecting screenshot or screenclip GIF that the answer code is working for an AzAD userid on AzSQL using Read-SqlTableData.
As discussed in person, this is just because the Read-SqlTableData has not been updated (yet) to support an -AccessToken parameter.
I've already had a few requests for other cmdlets as well... so I'll try to get it as soon as I can.
Please make sure to login as administrator .The user must have azure ad admin role for server to connect.
And make sure the user has diretory readers role from azure portal IAM access control.
Also Ensure that you've assigned an AAD admin for the SQL Server.
Try to create a service principal in azure ad if not already present and then give db_reader or db_writer or db_owner permissions granted .
CREATE USER [user or msi] FROM EXTERNAL PROVIDER;
ALTER ROLE [db_datareader] ADD MEMBER <Azure_AD_principal_name> --Grant the user db_datareader permissions on that database
GO
or write permission if required
ALTER ROLE [db_datawriter] ADD MEMBER <Azure_AD_principal_name>;
Or owner permission if required
ALTER ROLE [db_owner] ADD MEMBER <Azure_AD_principal_name>
Or Create Azure AD users in azure sql DB using service principals - Azure SQL Database | Microsoft Docs
Please check below references:
Adding a new user with specific permissions to an Azure Sql Database
using Active Directory Integrated Authentication - Stack Overflow
Connect an Azure App Registration to Azure SQL Database via
Powershell - Stack Overflow

Create Service Principle Connection from Crystal Reports to Azure Synapse Analytics

I have data held in an Azure Data Lake Gen 2 storage container. I would like to provision this data for an existing report authored in Crystal Reports using SQL on demand.
During development I used my own Azure AD login via an ODBC connection on my local machine. I have access to the Synapse environment and also the data lake. This worked successfully and although slow, pulled all information required.
To deploy this solution correctly I need to remove my AAD creds and use a provisioned service principle. I have given the service principle to read from the data lake and also added the principle to the SQL database. Now I am stuck on how to use the principle to connect to Crystal Reports.
I have tried the same authentication type as with my AAD but now I am using a clientID not a email. So when the system prompts for connection details it wants you to sign in and does not accept the clientID.
Does anyone have any suggestions on how to connect to Crystal Reports using this way or any other way?
Also: My org does not want this user or app reg to have restricted permissions so therefore adding them to the RBAC "synapse admin" wont work.
Thanks
Tom
Found a way around this.
Create a service account user on Azure Portal. Head to Synapse Analytics and open blank SQL script to give the user minimal permissions.
*USE [master]*
CREATE LOGIN [serviceaccountsynapseuser#company.onmicrosoft.com] FROM EXTERNAL PROVIDER
GRANT CONNECT ANY DATABASE TO [serviceaccountsynapseuser#company.onmicrosoft.com]
GRANT SELECT ALL USER SECURABLES TO [serviceaccountsynapseuser#company.onmicrosoft.com]
*USE [Reporting] (Serverless SQL DB)*
CREATE USER [serviceaccountsynapseuser#company.onmicrosoft.com] FROM EXTERNAL PROVIDER
ALTER ROLE db_datareader ADD MEMBER [serviceaccountsynapseuser#company.onmicrosoft.com]
Finally head to the storage account and give the user storage blob reader role.

Azure Synapse Analytics | Login failed for user '<token-identified principal>'

I have created a dedicated SQL pool in Azure Synapse Analytics. When I am trying to create a table in my dedicated SQL pool then it is showing below error.
Login failed for user < token-identified principal>
Things I tried-
Reset user credentials
Login from multiple machines.
Pause and resume dedicated SQL pool
User I am using has workspace admin role. Attaching screenshot below.
You have to give SQL Active directory admin permission to access from your email-id
yourworkspace-->settings-->SQL Active Directory admin(left side list menu)-->setadmin then ***save***
If you want to give access to many users you have to create security group and add user in it and assign to this SQL Active Directory admin
Currently, the Access control within Synapse Studio does not apply to dedicated SQL pools. Workspace admin can create a user manually through T-SQL or they can add you through SQL Active Directory Admin option when they navigate to workspace resource in Azure Portal.

TfsMigrator: "VS4032856: The identity ** belongs to a different Azure Active Directory (AAD) tenant"

When trying to migrate from TFS to Azure Devops I run in an error during the import phase :
[Error] VS4032856: The identity RĂ©mi Benoit belongs to a different Azure Active Directory (AAD) tenant than the identity used during the prepare step. Please sign in with an identity in the same AAD tenant or re-run the prepare step using this identity.
The user I used for the prepare step is registered on the AAD tenant. I can login to Azure portal with it and read user details on the AAD page of the portal.
A possible problem: my user was created on a different tenant. I was then invited as a guest to the tenant domain used in the import. I can list all the users on the AAD from the Azure portal. I also changed my default Azure directory to the tenant of the import.
Should I use an account created specifically on the AAD to execute the import ? Or Am I just missing some rights ?
Fixed my problem by using another account.
Switched from using a guest account to a member account on the AAD.

Make VSTS SPN owner of AAD AppId

I have a scenario that requires a task running in VSTS add a "Reply URL" to an App registered in AAD.
I've added a service connection in VSTS, it created a SPN and made it a contributor of the Azure subscription, additionally I've added the SPN as an owner of the AppID by calling Add-AzureADApplicationOwner
Still the VSTS task can't operate on the AppID, it can't even read it, e.g. running Get-AzureRmADApplication I get:
[error]Insufficient privileges to complete the operation.
Refer to these steps below to grant permission:
Log on to the Azure portal
Select Azure Active Directory
Select App registrations
Select the corresponding application
Click Settings
Click Required permissions
Click + Add > Select an API
Select Windows Azure Active Directory >Select
Check necessary permissions in Select permissions > select.
Click Done
Click Grant Permissions button
An addition to starian chen-MSFT's answer. I managed to solve the same problem by adding and granting the following permissions on the answer's Step 9:
Read and write directory data
Manage apps that this app creates or owns