Introducing Azure Active Directory authentication for Azure Database for PostgreSQL
Microsoft

These days, we all care about securing access to our data. The last thing we want is someone using a weak password on a database they forgot about, causing a security incident. When using different kinds of databases, managed by different teams, it can be difficult to ensure consistency across your data estate.

 

To help solve this problem, we’re excited to announce the Public Preview of the Azure Active Directory integration for Azure Database for PostgreSQL.

 

Through Azure Active Directory you can ensure that you have a single location where you can manage who gets access to your data. You can ensure that password complexity is enforced across the board. When a team member leaves, it's easy to revoke their access from all databases.

 

Let’s look at how it works:

 

Configuring the Azure AD Administrator

First, we’ll need to configure which Azure AD user, or group, is managing who gets access to our database. We can do this by navigating to our database in the Azure portal, and setting the Azure AD administrator:

 

[Screenshot: the Azure AD administrator setting for the server in the Azure portal, 2019-12-16]

Now, we can connect to our database to manage which Azure AD users or groups we’d like to grant access to.

 

Connecting to your database using an Azure AD token

Now we need to authenticate with our Azure AD credentials. Instead of sending our Azure AD password to the database, we send it to Azure Active Directory and receive a time-limited access token; the token, not the password, is what the database ever sees.

 

These are the high-level steps we’ll follow:

[Diagram: the client obtains a token from Azure AD, then presents it to Azure Database for PostgreSQL]

First, in order to retrieve the token, we’ll use the Azure CLI.

 

Step 1: Ensure you are logged in to the Azure CLI:

az login

Step 2: Then call the following to retrieve an access token scoped to Azure Database for PostgreSQL:

az account get-access-token --resource-type oss-rdbms

The result is a JSON document with the following structure:

{
  "accessToken": "TOKEN",
  "expiresOn": "...",
  "subscription": "...",
  "tenant": "...",
  "tokenType": "Bearer"
}

The part marked here as TOKEN, which will be quite long, is your Azure AD access token. It is a bearer credential: anyone who obtains it can connect as you until the expiresOn time, so handle it exactly like a password.

 

Step 3: Now, in order to connect, we pass this token as the password for our database. In the case of psql we use the PGPASSWORD environment variable, because the token is far too long to type at the password prompt. Bear in mind that an exported variable is inherited by every process you start from that shell, and the export line itself lands in your shell history, so set it only where it is needed and unset it when you are done:

Windows Example:

set PGPASSWORD=<copy/pasted TOKEN value from step 2>

Linux/macOS Example:

export PGPASSWORD=<copy/pasted TOKEN value from step 2>

Now we can use psql to log in. The user name is your Azure AD name followed by @ and the server name; add sslmode=require so the token is only ever sent over TLS:

psql "host=mydb.postgres... user=user@tenant.onmicrosoft.com@mydb dbname=postgres sslmode=require"
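
The three steps above as one script, added here as an example and not code from the original post. It assumes az and psql are on PATH, that the token returned for --resource-type oss-rdbms carries the audience https://ossrdbms-aad.database.windows.net in its aud claim (an assumption about the token format, made configurable), and uses placeholder host and user names. Beyond what the post shows, it checks the token's audience and remaining lifetime before using it and passes the token to psql only through the child's environment, never on a command line. The demo token at the bottom is constructed so the checks run offline.

```python
"""Added example (not from the original post): the three steps above in one
script. Assumes 'az' and 'psql' are on PATH and that the token's 'aud' claim is
the oss-rdbms resource URI below (placeholder host/user names throughout)."""
import base64
import json
import os
import subprocess
import time

# Resource that '--resource-type oss-rdbms' requests a token for; assumed to be
# what the token's 'aud' claim carries.
OSS_RDBMS_RESOURCE = "https://ossrdbms-aad.database.windows.net"


def fetch_token_via_cli():
    """Steps 1 and 2: ask the (already logged-in) Azure CLI for a token.
    --query/-o tsv return only the accessToken field, so no JSON parsing."""
    result = subprocess.run(
        ["az", "account", "get-access-token", "--resource-type", "oss-rdbms",
         "--query", "accessToken", "-o", "tsv"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout.strip()


def b64url_decode(segment):
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Payload claims of a JWT, read WITHOUT verifying the signature. The client
    is not the relying party (the server validates the token); this is only a
    sanity check before the token is used."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def token_is_usable(token, now=None, min_remaining=60, expected_aud=OSS_RDBMS_RESOURCE):
    """True if the token is meant for the PostgreSQL service and still has
    min_remaining seconds before 'exp'. A bearer token with the wrong audience,
    or one that expires mid-login, is rejected by the server; fail early."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    if claims.get("aud") != expected_aud:
        return False
    return claims.get("exp", 0) - now >= min_remaining


def conninfo(host, aad_user, server, dbname="postgres"):
    """libpq keyword/value string. The login is <azure ad name>@<server name>,
    and sslmode=require keeps the bearer token off the wire in clear text."""
    return f"host={host} user={aad_user}@{server} dbname={dbname} sslmode=require"


def run_psql(host, aad_user, server, dbname="postgres", token=None):
    """Step 3: hand the token to psql as PGPASSWORD in the child's environment
    only, so it never appears on a command line, in shell history or in 'ps'."""
    token = token or fetch_token_via_cli()
    if not token_is_usable(token):
        raise RuntimeError("token has the wrong audience or is about to expire; run 'az login' again")
    env = dict(os.environ, PGPASSWORD=token)
    return subprocess.call(["psql", conninfo(host, aad_user, server, dbname)], env=env)


def make_demo_token(claims):
    """Constructed, unsigned JWT used only so the checks above run offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.signature"


if __name__ == "__main__":
    demo = make_demo_token({"aud": OSS_RDBMS_RESOURCE, "exp": int(time.time()) + 3600,
                            "upn": "user@tenant.onmicrosoft.com"})
    print("demo token usable:", token_is_usable(demo))
    # Host is the truncated placeholder from the post; take yours from the portal.
    print(conninfo("mydb.postgres...", "user@tenant.onmicrosoft.com", "mydb"))
    # Real use: run_psql("<host from the portal>", "user@tenant.onmicrosoft.com", "mydb")
```

The audience and expiry checks are client-side hygiene, not validation: the server, not the client, verifies the signature. Passing the token in the child's environment keeps it out of shell history, but anything that can read the psql process's environment can still read it, so the time limit on the token remains the real safeguard.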

If you’re looking for a good visual client to connect with, we recommend the PostgreSQL extension for Azure Data Studio (https://docs.microsoft.com/en-us/sql/azure-data-studio/quickstart-postgres?view=sql-server-ver15).

 

Managing Azure AD user access
Once you are logged in as the Azure AD administrator, you can create login roles for Azure AD identities by making them members of the azure_ad_user role:

CREATE ROLE "user2@tenant.onmicrosoft.com" WITH LOGIN IN ROLE azure_ad_user;

This creates a login for a user in the same Azure Active Directory tenant as your administrator; they can then connect with their own token exactly as shown above. The new role has no privileges on your tables until you grant them.


If you prefer to manage access through a group, use the Azure AD group name as the role name:

CREATE ROLE "DB_Read_Only" WITH LOGIN IN ROLE azure_ad_user;

Now any member of the group can log in, using the group name as the database user name and their own Azure AD token as the password. To give someone access, add them to the Azure AD group; to take it away, remove them from the group. Neither step touches the database.


Note that permission management is still handled within the database: regular GRANT/REVOKE statements decide what an Azure AD role may do. One thing to watch is that in a default database the CREATE and USAGE privileges on the public schema come from the PUBLIC pseudo-role, which every role inherits, so revoking them from "DB_Read_Only" alone changes nothing. To confine the group to one table, revoke the schema privileges from PUBLIC (this affects every other role in the database, so check what depends on them first), hand USAGE back to the group, and grant SELECT on just that table:

REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO "DB_Read_Only";
GRANT SELECT ON analytics_table TO "DB_Read_Only";
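
Provisioning the role and the least-privilege grants from code, as an added example that is not part of the original post. Azure AD identities have to be double-quoted as PostgreSQL identifiers (user names contain @ and ., group names may contain spaces), the PUBLIC inheritance described above is handled, and the outcome is verified server-side with has_schema_privilege and has_table_privilege, something the post leaves to the reader. It works with any DB-API 2.0 connection such as psycopg2 opened as the Azure AD administrator; StubConn is a constructed stand-in so the script runs offline, and the schema and table names are placeholders.

```python
"""Added example (not from the original post): create an Azure AD role and
confine it to SELECT on one table, then verify. Works with any DB-API 2.0
connection (psycopg2 etc.); StubConn is a constructed stand-in for offline runs.
Schema/table names are placeholders."""


def quote_ident(name):
    """Double-quote a PostgreSQL identifier. Azure AD user names contain '@'
    and '.', group names may contain spaces or mixed case, so always quote;
    an embedded double quote is escaped by doubling it."""
    if not name or "\x00" in name:
        raise ValueError("invalid identifier")
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value):
    """Single-quote a string literal for the has_*_privilege() calls."""
    return "'" + value.replace("'", "''") + "'"


def create_aad_role_sql(name):
    """Works for a user (UPN) or a group name: membership in azure_ad_user is
    what marks the role as authenticated with an Azure AD token."""
    return f"CREATE ROLE {quote_ident(name)} WITH LOGIN IN ROLE azure_ad_user;"


def readonly_sql(role, table, schema="public"):
    """Leave `role` with SELECT on one table and nothing else in the schema.
    Revoking from the role alone is not enough: in a default database the
    CREATE/USAGE rights on public come from the PUBLIC pseudo-role, which every
    role inherits, so PUBLIC is revoked and USAGE is handed back explicitly."""
    r, s, t = quote_ident(role), quote_ident(schema), quote_ident(table)
    return [
        f"REVOKE ALL ON SCHEMA {s} FROM PUBLIC;",
        f"REVOKE ALL ON ALL TABLES IN SCHEMA {s} FROM {r};",
        f"GRANT USAGE ON SCHEMA {s} TO {r};",
        f"GRANT SELECT ON {s}.{t} TO {r};",
    ]


def check_sql(role, table, schema="public"):
    """Server-side verification; the expected row is (true, false, true)."""
    r, s = quote_literal(role), quote_literal(schema)
    qualified = quote_literal(f"{quote_ident(schema)}.{quote_ident(table)}")
    return (f"SELECT has_schema_privilege({r}, {s}, 'USAGE'), "
            f"has_schema_privilege({r}, {s}, 'CREATE'), "
            f"has_table_privilege({r}, {qualified}, 'SELECT');")


EXPECTED = (True, False, True)


def lock_down(conn, role, table, schema="public", create_role=False):
    """Run everything in one transaction, verify, and return the statements.
    A failed check rolls the grants back, so the role never stays half-done."""
    stmts = ([create_aad_role_sql(role)] if create_role else []) + readonly_sql(role, table, schema)
    cur = conn.cursor()
    try:
        for stmt in stmts:
            cur.execute(stmt)
        cur.execute(check_sql(role, table, schema))
        row = tuple(cur.fetchone())
        if row != EXPECTED:
            raise RuntimeError(f"privileges for {role} are {row}, expected {EXPECTED}")
        conn.commit()
    except Exception:
        conn.rollback()
        raise
    return stmts


class StubConn:
    """Constructed DB-API look-alike: records statements, answers the check."""
    def __init__(self):
        self.executed = []
    def cursor(self):
        return self
    def execute(self, sql):
        self.executed.append(sql)
    def fetchone(self):
        return EXPECTED
    def commit(self):
        pass
    def rollback(self):
        pass


if __name__ == "__main__":
    conn = StubConn()  # replace with psycopg2.connect(...) as the Azure AD admin
    for stmt in lock_down(conn, "DB_Read_Only", "analytics_table", create_role=True):
        print(stmt)
```

Run it against a real connection once per role; the REVOKE from PUBLIC is database-wide, so do it on a database whose other roles already hold explicit schema grants.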

 

Learn More
You can find more details in the official documentation (https://docs.microsoft.com/en-us/azure/postgresql/concepts-aad-authentication). You can give the Azure AD integration a try today. If you have questions, please reach out to the AskAzureDBforPostgreSQL@service.microsoft.com alias.