Active Directory admin


Hi Friends,


The risk assessment recommends provisioning an 'Active Directory admin' for the database. I looked around, but I'm not exactly sure what this is for, and who would be the best fit for it?


Can someone explain it?


Many thanks.

4 Replies



When using SQL Server-based users for managing your Azure SQL databases, you have additional identities/passwords to manage and you cannot leverage identity security features such as MFA. Your SQL Server-based database admin is, let's say, less secure.


If you enable Azure AD-based authentication in your SQL database and make one or (preferably) more Azure AD users (the ones that log in to the Azure Portal) database admins, you will be able to enforce MFA on those users and leverage other identity security features provided by Azure AD. See more details here.



That makes sense now. And who would be a better fit for the admin role? The owner of the Azure subscription?

And apparently, only one admin can be set.



Your DBAs should normally be the database admins. You can assign an Azure AD Group as admin. There is also the possibility of granting the db_owner role to other Azure AD users directly in the database's security model, but the recommended, much simpler way should be using an Azure AD Group. See other additional considerations here.
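
The in-database option mentioned in the reply above, sketched in T-SQL as an added example (not code from the thread), followed by two audit queries that show which db_owner members and users still rely on SQL passwords. The group name `SQL-DBA-Team` is a hypothetical placeholder for an Azure AD group's display name.

```sql
-- Run inside the target database while connected with an Azure AD identity
-- (for example the server's Azure AD admin); a SQL-authenticated session
-- cannot create Azure AD-based users.
-- [SQL-DBA-Team] is a hypothetical Azure AD group display name.

-- 1. Map the Azure AD group to a contained database user and grant db_owner.
CREATE USER [SQL-DBA-Team] FROM EXTERNAL PROVIDER;
ALTER ROLE db_owner ADD MEMBER [SQL-DBA-Team];

-- 2. Audit: list every db_owner member and how it authenticates.
--    type_desc is EXTERNAL_USER / EXTERNAL_GROUP for Azure AD principals
--    and SQL_USER for password-based accounts.
SELECT m.name                     AS member_name,
       m.type_desc                AS principal_type,
       m.authentication_type_desc AS auth_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner'
ORDER BY m.type_desc, m.name;

-- 3. Audit: SQL-authenticated users that remain in the database.
--    These identities cannot be covered by MFA and are candidates for
--    replacement with Azure AD users or group membership.
SELECT name, type_desc, authentication_type_desc, create_date
FROM sys.database_principals
WHERE type = 'S'                                          -- SQL_USER
  AND authentication_type_desc IN ('INSTANCE', 'DATABASE') -- login- or password-based
  AND name <> N'dbo'
ORDER BY create_date;
```

Membership of the group is then managed in Azure AD rather than in each database, so removing a DBA from the group revokes their access everywhere the group is mapped.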