Forum Discussion

ganriver's avatar
ganriver
Copper Contributor
Mar 29, 2021

Active Directory admin

Hi Friends,   Risk assessment recommend to provision a 'Active Directory admin' for database, looked around, not exactly sure what is this for? and who should be better for this?   Can someone ex...
hspinto's avatar
hspinto
Icon for Microsoft rankMicrosoft
Mar 30, 2021

ganriver 

 

when using SQL Server-based users for managing your Azure SQL databases, you have additional identities/passwords to manage and you cannot leverage identity security features such as MFA. Your SQL Server-based database admin is, let's say, less secure.

 

If you enable Azure AD-based authentication in your SQL database and make one or (preferably) more Azure AD users (the ones that log in to the Azure Portal) as database admins, you will be able to enforce MFA on those users and leverage other identity security features provided by Azure AD. See more details here.

ganriver's avatar
ganriver
Copper Contributor
Mar 30, 2021
and apparently, can only set one admin.
  • hspinto's avatar
    hspinto
    Icon for Microsoft rankMicrosoft
    Mar 30, 2021

    ganriver 

     

    Your DBAs should normally be the database admins. You can assign a Azure AD Group as admin. There is also the possibility of granting the db_owner role to other Azure AD users directly in the databases security model, but the recommended, much simpler way, should be using an Azure AD Group. See other additional considerations here.

Resources