We are announcing a general availability for Azure AD user creation support for Azure SQL Database on behalf of Azure AD Applications (service principals). See Azure Active Directory service principal with Azure SQL.
What support for Azure AD user creation on behalf of Azure AD Applications means?
Azure SQL Database and SQL Managed Instance support the following Azure AD objects:
- Azure AD users (managed, federated and guest)
- Azure AD groups (managed and federated)
- Azure AD applications
For more information on Azure AD applications, see Application and service principal objects in Azure Active Directory and Create an Azure service principal with Azure PowerShell.
Formerly, only SQL Managed Instance supported the creation of those Azure AD object types on behalf of an Azure AD Application (using service principal). Support for this functionality in Azure SQL Database is now generally available.
This functionality is useful for automated processes where Azure AD objects are created and maintained in Azure SQL Database without human interaction by Azure AD applications. Since service principals could be an Azure AD admin for SQL DB as part of a group or an individual user, automated Azure AD object creation in SQL DB can be executed. This allows for a full automation of a database user creation. This functionality is also supported for Azure AD system-assigned managed identity and user-assigned managed identity that can be created as users in SQL Database on behalf of service principals (see the article, What are managed identities for Azure resources?).
Prerequisites
To enable this feature, the following steps are required:
1) Assign a server identity (a system managed identity) during SQL logical server creation or after the server is created.
See the PowerShell example below:
- To create a server identity during the Azure SQL logical server creation, execute the following command:
New-AzSqlServer -ResourceGroupName <resource group>
-Location <Location name> -ServerName <Server name>
-ServerVersion "12.0" -SqlAdministratorCredentials (Get-Credential)
-AssignIdentity
(See the New-AzSqlServer command for more details)
- For existing Azure SQL logical servers, execute the following command:
Set-AzSqlServer -ResourceGroupName <resource group>
-ServerName <Server name> -AssignIdentity
(See the Set-AzSqlServer command for more details)
To check if a server identity is assigned to the Azure SQL logical
server, execute the following command:
Get-AzSqlServer -ResourceGroupName <resource group>
- ServerName <Server name>
(See the Get-AzSqlServer command for more details)
2) Grant the Azure AD “Directory Readers” permission to the server identity
created above
(For more information, see Provision Azure AD admin (SQL Managed Instance)
How to use it
Once steps 1 and 2 are completed, an Azure AD application with the right permissions can create an Azure AD object (user/group or service principal) in Azure SQL DB. For more information, see the step-by-step tutorial doc
(see Tutorial: Create Azure AD users using Azure AD applications ).
Example
Using SMI (System-assigned Managed Identity) set up as an Azure AD admin for SQL DB,
create an Azure AD application as a SQL DB user.
Preparation
Enable steps 1 and 2 indicated above for the Azure SQL logical server
- In the example below, the server name is ‘testaadsql’
- The user database created under this serve is ‘testdb’
- Enable SMI on the Azure VM (see What are managed identities for Azure resources?)
- In the example below, the SMI name is ‘mytestvm’
- Copy the display name of the SMI which is your VM name
- Create an Azure AD application
See How to: Use the portal to create an Azure AD application and service principal that can access resou...
- Copy the display name of the application
- In the example below the app name is ‘myapp’
- Using the Azure portal, assign your SMI (display name mytestvm) as an Azure AD admin for the Azure SQL logical server (see the screenshot below).
- Create Azure AD application user in SQL DB on behalf of the SMI
- From your Azure VM, execute the PowerShell script indicated below that creates an Azure AD application user in SQL DB on behalf of the SMI that is an Azure AD admin for this server
(For more information on the SMI access see Tutorial: Use a Windows VM system-assigned managed identity to access Azure SQL) - Alternatively, the SMI could be also be represented as a regular Azure AD user created in the database ‘testdb’ with dbo permissions allowing to create other Azure AD users ( see an example in Tutorial: Create Azure AD users using Azure AD applications )
- To check that the user ‘myapp’ was created in the database ‘testdb’ you can execute the T-SQL command select * from sys.database_principals.
PowerShell Script
# PS script creating a SQL user myapp from an Azure AD application on behalf of SMI “mytestvm”
# that is also set as Azure AD admin for SQ DB
# Execute this script from the Azure VM with SMI name ‘mytestvm’
# Azure AD application - display name ‘myapp’
# This is the user name that is created in SQL DB ‘testdb’ in the server ‘testaadsql’
# Metadata service endpoint for SMI, accessible only from within the VM:
$response = Invoke-WebRequest -Uri
'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fdatabase.windows.net%2F' -Method GET -Headers @{Metadata="true"}
$content = $response.Content | ConvertFrom-Json
$AccessToken = $content.access_token
# Specify server name and database name
# For the server name, the server identity must be assigned and "Directory Readers"
# permission granted to the identity
$SQLServerName = "testaadsql"
$DatabaseName = 'testdb'
$conn = New-Object System.Data.SqlClient.SQLConnection
$conn.ConnectionString = "Data Source=$SQLServerName.database.windows.net;Initial Catalog=$DatabaseName;Connect Timeout=30"
$conn.AccessToken = $AccessToken
$conn.Open()
# Create SQL DB user [myapp] in the ‘testdb’ database
$ddlstmt = 'CREATE USER [myapp] FROM EXTERNAL PROVIDER;'
$command = New-Object -TypeName System.Data.SqlClient.SqlCommand($ddlstmt, $conn)
Write-host " "
Write-host "SQL DDL command was executed"
$ddlstmt
Write-host "results"
$command.ExecuteNonQuery()
$conn.Close()
For more information see
- Azure Active Directory service principal with Azure SQL. and
- Tutorial: Create Azure AD users using Azure AD applications
For feedback/questions on this preview feature, please reach out to the SQL AAD team at SQLAADFeedback@Microsoft.com
Updated May 12, 2021
Version 1.0MirekSztajno
Microsoft
Joined October 09, 2018
Azure SQL Blog
Follow this blog board to get notified when there's new activity