azure active directory
18 Topics
- Principal 'XYZ' could not be found or this principal type is not supported - Azure SQL DB and MI
In this blog article, we discuss the possible scenarios that produce the error "Principal 'XYZ' could not be found or this principal type is not supported" while adding an AAD user or group to your Azure SQL database or Azure SQL managed instance.
- Additional Endpoints Required for AAD Authentication and CRL Checks for Azure SQL DB
You may have attempts to connect to Azure SQL Database with an Azure Active Directory (AAD) account that fail with a timeout error while SQL Authentication works as expected. Alternatively, you could be encountering generic connection errors whose inner exception is 'Revocation of the SSL certificate failed'. Two workarounds are commonly tried first:
  - Disabling the revocation check on the SSL certificate (see: Revocation of the SSL certificate failed for AAD authentication - Microsoft Tech Community). Keep in mind that this turns off revocation checking for the connection, so a revoked certificate would be accepted; treat it as a diagnostic step rather than a permanent fix.
  - Allowing all SSL traffic from that server on the firewall.
If these workarounds are not sufficient, you may have to whitelist specific endpoints on your firewalls or network infrastructure.
An example of the 'Revocation of the SSL certificate failed' error in SQL Server Management Studio (SSMS): (screenshot of the SSMS error dialog)
You can take a network trace in order to see where traffic is being blocked, or to capture the certificate that is being passed back. Having the certificate allows you to examine the CRL and OCSP endpoints listed in the certificate itself (the CRL Distribution Points and Authority Information Access extensions), and the intermediate certificates in the chain carry their own entries. Instead of taking a network trace, you may prefer to watch blocked traffic on your firewall and whitelist the trusted endpoints that appear, which is usually the faster route. You can test connectivity to a port from PowerShell with Test-NetConnection (alias tnc), for example "tnc login.windows.net -port 443". If you have an ADFS setup, you will need to whitelist your ADFS endpoint on port 443; if you have multiple ADFS endpoints, whitelist the one that your DNS server is resolving you to.
The list below is a non-exhaustive set of endpoints that may be required depending on the authentication type. Additional endpoints may be needed to communicate with Active Directory Federation Services (ADFS) or, depending on your network path and whether you use a public Certification Authority (CA), endpoints belonging to whoever issued your ADFS certificate. Note that CRL and OCSP retrieval is done over plain HTTP on port 80 by design (the CRL and OCSP responses are themselves signed), so the HTTP/80 entries are expected and not a misconfiguration.
Please note that not all firewalls can be configured to accept wildcards. While the list has as many explicitly defined URLs as possible, you may need to inspect what traffic is being blocked on the firewall to get definite URLs for those not fully defined here. This is also how you determine whether something not on this list is being blocked and is required for your particular network setup (for example, the ADFS endpoint your machine reaches out to may not be the one you expect).

URL                                              Port       Description
mscrl.microsoft.com                              HTTP/80    Used to download CRL lists.
*.verisign.com                                   HTTP/80    Used to download CRL lists.
*.entrust.net                                    HTTP/80    Used to download CRL lists for MFA.
*.management.core.windows.net (Azure Storage)    HTTPS/443  Used for the various Azure services.
*.graph.windows.net (Azure AD Graph)             HTTPS/443  Used for the various Azure services.
secure.aadcdn.microsoftonline-p.com              HTTPS/443  Used for MFA.
*.microsoftonline.com                            HTTPS/443  Used to configure your Azure AD directory and import/export data.
login.microsoftonline.us                         HTTPS/443  Used by the US Gov cloud for AD login.
login.microsoftonline.com                        HTTPS/443  Used by the public cloud for AD login with MFA.
login.windows.net                                HTTPS/443  Used by the public cloud for AD login with Password and Integrated authentication.
http://crl.microsoft.com                         HTTP/80    Used to verify certificates.
http://crl3.digicert.com                         HTTP/80    Used to verify certificates.
http://crl4.digicert.com                         HTTP/80    Used to verify certificates.
http://ocsp.digicert.com                         HTTP/80    Used to verify certificates.
http://www.d-trust.net                           HTTP/80    Used to verify certificates.
http://root-c3-ca2-2009.ocsp.d-trust.net         HTTP/80    Used to verify certificates.
http://oneocsp.microsoft.com                     HTTP/80    Used to verify certificates.
http://ocsp.msocsp.com                           HTTP/80    Used to verify certificates.
http://www.microsoft.com/pkiops                  HTTP/80    Used to verify certificates.
cacerts.digicert.com                             HTTP/80    Used to verify certificates.
ctldl.windowsupdate.com                          HTTP/80    Used to verify certificates.
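The following script is an added example and is not part of the original article. It automates the two checks described above: it probes a subset of the endpoints from the table with Test-NetConnection, then opens a TLS session to login.microsoftonline.com, reads the CRL Distribution Points and Authority Information Access extensions from the certificate chain it receives, and probes every CRL/OCSP host those extensions name. It assumes a Windows host running Windows PowerShell 5.1 or PowerShell 7 (the extension text format it parses is the Windows one) and that the host names in $Endpoints are the ones you want to check; add your own ADFS endpoint and CA hosts to that list if you use them.

```powershell
# Added example, not the article's own code. Assumes a Windows host with
# Windows PowerShell 5.1 or PowerShell 7 and outbound access to the hosts listed.

# A subset of the endpoints from the table; extend with your ADFS endpoint / CA hosts.
$Endpoints = @(
    @{ HostName = 'login.windows.net';         Port = 443 },
    @{ HostName = 'login.microsoftonline.com'; Port = 443 },
    @{ HostName = 'crl.microsoft.com';         Port = 80  },
    @{ HostName = 'crl3.digicert.com';         Port = 80  },
    @{ HostName = 'ocsp.digicert.com';         Port = 80  }
)

function Test-Endpoint {
    # Wraps Test-NetConnection (alias tnc) so each endpoint yields one compact row.
    param([string]$HostName, [int]$Port)
    $r = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        HostName = $HostName
        Port     = $Port
        Resolved = $r.RemoteAddress
        TcpOpen  = $r.TcpTestSucceeded
    }
}

function Get-RemoteCertificateChain {
    # Opens a TLS session and returns the leaf certificate plus the chain the local
    # machine builds for it. Validation is deliberately skipped here because we only
    # want to read the certificate's revocation URLs, not to trust the certificate.
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # NoCheck: we are discovering the revocation endpoints, not contacting them yet.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($leaf)
    if ($chain.ChainElements.Count -gt 0) {
        $chain.ChainElements | ForEach-Object { $_.Certificate }
    } else {
        $leaf
    }
}

function Get-RevocationUrls {
    # Extracts every http(s) URL from the CRL Distribution Points (OID 2.5.29.31) and
    # Authority Information Access (OID 1.3.6.1.5.5.7.1.1: OCSP and CA issuers) extensions.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificates)
    $text = foreach ($cert in $Certificates) {
        $cert.Extensions |
            Where-Object { $_.Oid.Value -in @('2.5.29.31', '1.3.6.1.5.5.7.1.1') } |
            ForEach-Object { $_.Format($true) }
    }
    [regex]::Matches(($text -join "`n"), 'https?://[^\s\)]+') |
        ForEach-Object { $_.Value.TrimEnd('.', ',') } |
        Sort-Object -Unique
}

# 1. Probe the static list from the table.
$Endpoints | ForEach-Object { Test-Endpoint -HostName $_.HostName -Port $_.Port } | Format-Table -AutoSize

# 2. Probe the hosts the certificate chain itself names; these are what the client
#    will actually contact for revocation checks, whatever the published list says.
$chainCerts = Get-RemoteCertificateChain -HostName 'login.microsoftonline.com'
$urls = Get-RevocationUrls -Certificates $chainCerts
$urls
$urls | ForEach-Object {
    $u = [uri]$_
    Test-Endpoint -HostName $u.Host -Port $u.Port   # [uri].Port is 80 for http and 443 for https
} | Format-Table -AutoSize
```

A row with TcpOpen = False for a host that the certificate chain names is the signature of the 'Revocation of the SSL certificate failed' error: the TLS handshake to the SQL endpoint succeeds, but the client cannot reach the CRL or OCSP responder to check the chain. Run the second step against your ADFS endpoint as well when federated authentication is in play, since its certificate typically comes from a different CA than the Microsoft login endpoints.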
References:
  - Azure Active Directory certificate authorities | Microsoft Docs
  - Azure TLS Certificate Changes | Microsoft Docs
  - Azure AD Connect: Troubleshoot Azure AD connectivity issues | Microsoft Docs
  - Revocation of the SSL certificate failed for AAD authentication - Microsoft Tech Community
  - Microsoft 365 endpoints - Microsoft 365 Enterprise | Microsoft Docs
- SSIS & Azure SQL Managed Instance with MFA
We've been testing out Azure SQL Managed Instance and created SSIS packages to run against it. We set connections using the ADO.Net connection manager and all worked well. We recently had to apply MFA to all logins and this is causing issues within SSIS, as there is no MFA option for logins like there is in SSMS. We can connect if we use SQL Server Authentication, but we'd rather not do that. When using Active Directory Integrated Authentication, all of our test connections fail and the package will not run locally. In SSMS, there is an integrated authentication with MFA option and that works from within SSMS. How can we use SSIS and connect to the database using Windows Authentication when MFA is required?
- Azure Logic App: SQL trigger on "When a row is updated" is not working
Hello Experts, I'm using the "When a row is updated" SQL connector in my logic app workflow. I turned on change tracking on the Azure SQL DB and the table in question per the requirements. The connector connects to the SQL instance okay, but never triggers when a row is updated. No errors or indications to troubleshoot. Has anyone been able to get this to work? Thanks, -Sri
- Create login from Entra ID Security Group rather than individual
https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-azure-ad-logins-tutorial?view=azuresql says I can create a login in Azure SQL Server from a Microsoft Entra ID security group. I can, and it works, and it appears in sys.server_principals with type_desc 'EXTERNAL_GROUP' and type 'X'. (I note that non-group Entra ID logins appear with type_desc 'EXTERNAL_LOGIN' and type 'E'.) But when I try the next step in the article, which is to create a user from the login, I get the error '<EntraIDGroupName> is not a valid login or you do not have permission'. I have successfully created users from non-group logins, so I don't think it's a permission problem. Is it the case that, despite the article, you can't actually create a group user this way, and I have to create individual logins and users for each potential Entra ID user I want to have access to the database? Or am I missing a trick somewhere?
- Azure Active Directory connection issue
Hello Everyone, every time I log in to Azure databases from my SSMS it asks for some type of authentication and I get the screen pop-up below. Is there any way I can disable this, because it is asking for APPID/REDIRECTURL before every single click in SSMS? How do I turn this off?
- Lesson Learned #380: Unable to load adalsql.dll (Authentication=XYZ). Error code: 0x2
While analyzing a support case, our customer faced the following error using an older application against the Azure SQL database: "Unable to load adalsql.dll (Authentication=ActiveDirectoryPassword). Error code: 0x2". Below, I would like to share my lessons learned about it.
- Lesson Learned #374: Execution of class com.microsoft.aad.adal4j.AcquireTokenCallable failed.
Today, we encountered an interesting case while obtaining the Azure Active Directory token with ActiveDirectoryPassword authentication using the latest version of MSAL in Java. Finally, the issue was resolved by opening port 443 and the necessary endpoints to obtain the Azure Active Directory token. Below, I would like to share the lessons learned from this troubleshooting.