Active Directory admin

ganriver · ‎Mar 29 2021

Hi Friends,

Risk assessment recommend to provision a 'Active Directory admin' for database, looked around, not exactly sure what is this for? and who should be better for this?

Can someone explain it?

Many thanks.

hspinto · ‎Mar 30 2021

@ganriver

when using SQL Server-based users for managing your Azure SQL databases, you have additional identities/passwords to manage and you cannot leverage identity security features such as MFA. Your SQL Server-based database admin is, let's say, less secure.

If you enable Azure AD-based authentication in your SQL database and make one or (preferably) more Azure AD users (the ones that log in to the Azure Portal) as database admins, you will be able to enforce MFA on those users and leverage other identity security features provided by Azure AD. See more details here.

ganriver · ‎Mar 30 2021

@hspinto

That make sense now, and who should be better fit for the role the admin? Owner of the Azure subscription?

ganriver · ‎Mar 30 2021

and apparently, can only set one admin.

hspinto · ‎Mar 30 2021

@ganriver

Your DBAs should normally be the database admins. You can assign a Azure AD Group as admin. There is also the possibility of granting the db_owner role to other Azure AD users directly in the databases security model, but the recommended, much simpler way, should be using an Azure AD Group. See other additional considerations here.

Active Directory admin

Active Directory admin

Re: Active Directory admin

Re: Active Directory admin

Re: Active Directory admin

Re: Active Directory admin

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Active Directory admin