Azure Active Directory Authentication In Azure SQL Database

Azure Active Directory Authentication
Public Preview Release for Azure SQL Database V12
Mirek Sztajno
SQL Server Security PM
mireks@microsoft.com
Agenda
• Value Proposition
• Azure AD authentication: main architecture and configuration steps
• Demo
• Features, limitations and additional considerations
• Appendix
• Q&A
Azure Active Directory Authentication
• Central ID Management
  • Provides an alternative to SQL authentication.
  • Helps stop the proliferation of user identities across database servers.
  • Allows password rotation in a single place.
• Simplified Permission Management
  • Customers can manage database permissions using external (Azure AD) groups.
• Can Eliminate Storing Password
  • Enables integrated Windows authentication and certificate-based authentication*
  * the certificate is managed in Azure Active Directory
Azure AD Authentication Methods
• With username/password of an AAD Account
  • Works for Azure AD managed and federated domains
  • The easiest way to adopt Azure AD Authentication in existing applications
• Integrated Windows Authentication
  • Works for Azure AD federated domains and clients on domain-joined machines
  • Eliminates storing password and enables single sign-on
• Token-based Authentication (will be released later during public preview)
  • Gives application full control over access token acquisition
  • Enables authentication using secrets (which can be certificates or keys)
Azure AD Authentication with SQL DB v12
• Client-side components: ADALSQL (Azure Active Directory Authentication Library for SQL Server) and ADO .NET 4.6
• Clients built on them:
  • SSMS
  • SSDT
  • SqlPackage
  • Connection string based authentication in applications
Subscription Alignment for Azure AD Authentication
Using Azure AD Authentication
Prerequisite: Azure AD populated with organization's users/groups
• Setup
  • Associate your Azure AD directory with your subscription
  • Provision Server Admin based on Azure AD principal
  • Tools: Portal, PowerShell, REST APIs
• User Provisioning
  • Create contained users for Azure AD principals in your database
  • Tool: T-SQL
  • VS2015
• Usage
  • Connect using Azure AD identities
  • ADO .NET (other drivers to be supported later)
  • Tools: SSMS, SSDT, VS2015
Demo
Demo: Azure AD Authentication End-End Scenario
• Go to Azure AD portal https://manage.windowsazure.com
  • Optional: associate subscription(s) with Azure Active Directory
  • Choose Azure AD administrator group for Azure SQL Server
  • Choose a user group to be provisioned in a user database
• Go to Ibiza portal https://portal.azure.com
  • Provision Azure AD admin
• Connect to the Azure SQL Server Database using Azure AD admin
  • SSMS version for SQL Server 2016 preview release
• Create a contained Azure AD user in Azure SQL Server user database
• Connect to the Azure SQL Server database as Azure AD user
• Drop user from Azure AD and try to connect to the database
Azure AD Features and Limitations
• Azure AD authentication is only supported for Azure SQL Database V12
• Microsoft accounts are not supported
  • For example: outlook.com, hotmail.com, live.com or other guest accounts like gmail.com or yahoo.com
• Multi-factor authentication and other forms of interactive authentication are not supported
Additional Considerations
• Only one Azure AD admin (user/group) can be configured at any time
• Only an Azure AD admin can initially connect to Azure SQL Database
• Azure AD admin can configure subsequent Azure AD database users
• We recommend provisioning a dedicated Azure AD group as an admin
• We recommend setting the connection timeout to 30 seconds
• Azure AD auth only supports .NET Framework (4.6 or higher) for SQL Server
• SSMS and SSDT available with SQL Server 2016 preview are supported
  • SSDT is partially supported for Azure AD auth
• Data-tier applications DAC and .bacpac are supported
• Not supported are
  • Sqlcmd.exe, since sqlcmd uses the ODBC provider
  • Some tools like BI and Excel
Appendix
Azure AD Administrator for SQL DB V12 Server
Provisioning Azure AD Administrator
• Azure AD admin for Azure SQL DB can be provisioned using
  • Ibiza Portal
    • For existing V12 servers use server settings to provision Azure AD admin
    • For more details see the demo
  • PowerShell commands
    • Requires 0.9.8 (or higher) of Azure PowerShell
    • For more details on PowerShell step-by-step operations on Azure AD admin see the SQL Server Security Blog on MSDN
  • REST API
Configure Client Computers
• To support Azure AD authentication the following software must be installed
  • .NET Framework 4.6 or later
    • From https://msdn.microsoft.com/library/5a4x27ek.aspx
  • Azure Active Directory Authentication Library for SQL Server (ADALSQL.DLL)
    • Contains multiple languages (both x86 and amd64)
    • From http://www.microsoft.com/download/details.aspx?id=48742
• Install SQL Server 2016 Management Studio or SQL Server Data Tools for Visual Studio 2015
  • It includes the .NET Framework 4.6 requirement
  • SSMS installs the x86 version of ADALSQL.DLL
  • SSDT installs the amd64 version of ADALSQL.DLL
    • Please note: Azure AD authentication is only partially supported by SSDT
• Latest Visual Studio 2015 from Visual Studio Downloads
  • It includes the .NET Framework 4.6 requirement, but does not install ADALSQL.DLL
Connect to User Database by using SSMS
• Two new SSMS authentication options are available in the SSMS connect box
  • Active Directory Integrated authentication
  • Active Directory Password Authentication
• Connect using Active Directory Password Authentication
  • Use this method when connecting with an Azure AD principal name from an Azure AD managed domain.
  • Use it for a federated account without access to the domain, for example when working remotely.
• Connect using Active Directory Integrated Authentication
  • Use this method when logged into Windows using Azure AD credentials from a federated domain.
Create Azure AD Contained User in User Database
• To log on with an AAD identity, a contained database user must exist for the identity or for one of the Azure AD groups the identity belongs to.
• Only users with AAD-based identities and at least ALTER ANY USER permission can provision Azure AD-based contained users in a database
• Use the following T-SQL syntax to create a contained database user representing an Azure AD federated or managed domain user:
  CREATE USER [john@contoso.com] FROM EXTERNAL PROVIDER;
  CREATE USER [mike@aadtest.onmicrosoft.com] FROM EXTERNAL PROVIDER;
• To create a contained database user representing an Azure AD or federated domain group use:
  CREATE USER [Patients] FROM EXTERNAL PROVIDER;
• Users imported from another Azure AD domain can only be created using groups
Permissions and related info
• A newly created user receives CONNECT permission to that database as a member of the PUBLIC role
• The only permissions available to the user are permissions granted to the PUBLIC role, or any permissions granted to any Windows groups that they are a member of
• Additional permissions can be granted to an Azure AD-based contained user the same way as permissions are granted to any other type of user
  • Typically grant permissions to database roles, and add users to roles
• A federated domain user that is imported into a managed domain must use the managed domain identity (tenant ID and object ID)
• Azure AD users are marked in the database metadata with type E (EXTERNAL_USER)
• Azure AD groups are marked with type X (EXTERNAL_GROUPS)
• For more information see sys.database_principals
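The following T-SQL script is an added example, not part of the original deck: it provisions the contained users and group from the previous slide and then grants permissions the way the slide recommends, through database roles rather than directly to principals. It is run in the user database by an Azure AD identity holding ALTER ANY USER (for example the Azure AD admin); the principal names, role names and schema are constructed placeholders.

```sql
-- Added example (not from the original deck). Run in the user database as an
-- Azure AD identity that holds ALTER ANY USER, e.g. the Azure AD admin.
-- Principal names, role names and the dbo schema are constructed placeholders.

-- Individual users from a federated domain and from the managed domain.
-- FROM EXTERNAL PROVIDER tells SQL DB to resolve the name against Azure AD;
-- no password is stored in the database.
CREATE USER [john@contoso.com] FROM EXTERNAL PROVIDER;
CREATE USER [mike@aadtest.onmicrosoft.com] FROM EXTERNAL PROVIDER;

-- An Azure AD security group. Its members can log on without an individual
-- contained user and inherit whatever the group is granted. This is also the
-- only way to admit users imported from another Azure AD domain.
CREATE USER [Patients] FROM EXTERNAL PROVIDER;

-- At this point each principal holds only CONNECT via PUBLIC.
-- Grant least-privilege access through roles so that membership changes in
-- Azure AD, not GRANT statements, drive who can read or write.
CREATE ROLE PatientReaders;
GRANT SELECT ON SCHEMA::dbo TO PatientReaders;
ALTER ROLE PatientReaders ADD MEMBER [Patients];

CREATE ROLE PatientWriters;
GRANT INSERT, UPDATE ON SCHEMA::dbo TO PatientWriters;
ALTER ROLE PatientWriters ADD MEMBER [john@contoso.com];

-- Revocation is symmetric: drop the role membership or the contained user.
-- Note that deleting the account in Azure AD already blocks new logons, as the
-- last demo step shows; dropping the database user removes the stale principal.
ALTER ROLE PatientWriters DROP MEMBER [john@contoso.com];
DROP USER [mike@aadtest.onmicrosoft.com];
```

Because the group is the unit of access, a reader added to the Patients group in Azure AD gets SELECT without anyone touching the database, and a reader removed from it loses access on the next connection; the database never sees a password for any of these principals.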
Using Azure AD Authentication in .NET Apps
• Azure AD principal name and password
  • Connect to a database using Azure AD managed or federated domain authentication
  • Authentication keyword must be set to "Active Directory Password"
  • Connection string must contain User ID/UID and Password/PWD keywords and values
  • The SqlClient keyword for the timeout is "Connect Timeout" (the original slide's "ConnectTimeout" is not recognised)

  using System.Data.SqlClient;   // .NET Framework 4.6 or later, ADALSQL.DLL installed

  string ConnectionString = @"Data Source=yourv12server.database.windows.net;Initial Catalog=YourDatabase;Integrated Security=False;Connect Timeout=30;Encrypt=True;Authentication=Active Directory Password;UID=Bob@contoso.onmicrosoft.com;PWD=dr${12#$";
  using (SqlConnection conn = new SqlConnection(ConnectionString))
  {
      conn.Open();   // ADALSQL acquires the Azure AD token with the supplied credentials
  }
Using Azure AD Authentication in .NET Apps
• Integrated Windows Authentication
  • Connect to a database using Azure AD federated domain authentication
  • Domain is federated with Azure AD and the client app or service is running on a domain-joined machine under the user's domain credentials.
  • Authentication keyword must be set to "Active Directory Integrated"; the connection string must not contain User ID/UID or Password/PWD keywords (the logged-on Windows identity is used)

  using System.Data.SqlClient;   // .NET Framework 4.6 or later, ADALSQL.DLL installed

  string ConnectionString = @"Data Source=yourv12server.database.windows.net;Initial Catalog=YourDatabase;Integrated Security=False;Connect Timeout=30;Encrypt=True;Authentication=Active Directory Integrated";
  using (SqlConnection conn = new SqlConnection(ConnectionString))
  {
      conn.Open();   // token is obtained for the current Windows user via the federated domain
  }
Troubleshooting Scenarios
• Check if
  • Required Azure AD client software is installed
  • Subscription is associated with Azure AD (tenant ID) and Azure SQL Server
  • Database is part of Azure SQL Database V12
    • From T-SQL run select @@version – the version should be 12
  • User is supported for Azure AD authentication
    • Login to https://login.live.com must fail (the account must not be a Microsoft account)
  • User or group is in the right Azure AD
    • Group is a security group
    • Use Azure AD PowerShell commands
  • Azure AD recognizes federated user or group
  • Database to connect to is the right one, with the contained user or group created there
    • Most common mistake
  • User and password are typed correctly when connecting to the database
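The checks above that can be answered from inside the database are collected in this added T-SQL script (it is not from the original deck). An Azure AD admin runs it in the database the failing client is trying to reach; the principal name is a constructed placeholder to be replaced with the one that cannot connect.

```sql
-- Added example (not from the original deck). Run by the Azure AD admin in the
-- database the failing client targets. The principal name below is a
-- constructed placeholder.

-- 1. The server must be V12: the major version in both values should be 12.
SELECT @@VERSION                      AS server_version,
       SERVERPROPERTY('ProductVersion') AS product_version;

-- 2. The most common mistake is connecting to the wrong database. List every
--    Azure AD principal known to THIS database: type E = EXTERNAL_USER,
--    type X = EXTERNAL_GROUPS. A principal that is absent here cannot log on
--    to this database even if it exists in Azure AD or in another database.
SELECT name, type, type_desc, authentication_type_desc, create_date
FROM sys.database_principals
WHERE type IN ('E', 'X')
ORDER BY type, name;

-- 3. Look up the failing principal directly and show the roles that grant it
--    anything beyond CONNECT via PUBLIC. Zero rows means the contained user
--    (or a group it belongs to) was never created in this database.
DECLARE @principal sysname = N'john@contoso.com';   -- constructed placeholder

SELECT dp.name      AS principal_name,
       dp.type_desc AS principal_type,
       r.name       AS role_name
FROM sys.database_principals AS dp
LEFT JOIN sys.database_role_members AS rm
       ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = rm.role_principal_id
WHERE dp.name = @principal;

-- 4. When the user can reach the database (for example through SSMS with
--    Active Directory Password authentication) but an operation fails, run
--    this as that user to see the effective database-level permissions that
--    PUBLIC and role membership actually grant.
SELECT permission_name
FROM fn_my_permissions(NULL, 'DATABASE')
ORDER BY permission_name;
```

Step 2 only lists Azure AD principals; a member of a group admitted via CREATE USER [group] FROM EXTERNAL PROVIDER will not appear by name, so step 3 should be repeated with the group name when the user is expected to connect through group membership.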
Resources
• Azure AD authentication – main MSDN document
  • https://azure.microsoft.com/documentation/articles/sql-database-aad-authentication/
  • This document refers to many Azure AD documents relevant to this feature
• SQL Server Security Blog
  • For additional examples, PowerShell scripts and the programs used, see http://blogs.msdn.com/b/sqlsecurity/
Questions
Thank you
Mirek Sztajno
mireks@microsoft.com