Creating logins and users in Azure Database

Azure Database is the PaaS solution for SQL Server databases, on a previous post we have discussed how to create one.

On this post, I want to show you how you can secure your Azure SQL Database by creating users and segregating their permissions.

When you connect to your Azure Database using SSMS (or another tool), you can see the management options are very limited compared to an On-Premises instance.




If you want to create a login and database user, you must create them via T-SQL, on this post I will show you how to do it.

Types of logins


Azure SQL database support two types of logins: SQL Server login and Azure Active directory login.

In order to create Azure AD logins, you must set up an AD administrator first using the Azure portal, you configure it on the server dashboard, then accessing the Active Directory Admin, as follows:



Once you set up your AD Admin, you can connect to the Azure database using this account and you can then assign proper access to other AD accounts.

Creating logins and users


As we told you before, you must create users and assign permissions using T-SQL, the basic script for creating users will be as follows (this is for SQL logins):

Note that as PaaS, you connect only to one database, so, the USE <database> command is not supported on Azure databases, so you must run the T-SQL script connecting to the required database manually:

Script #1 for creating the login

/******* Run This code on the MASTER Database ******/

-- Create login,

CREATE LOGIN az_read
 WITH PASSWORD = 'YourStrongP@ssW0rd' 
GO


-- Create user in master database (so the user can connect using ssms or ADS)
CREATE USER az_read
 FOR LOGIN az_read
 WITH DEFAULT_SCHEMA = dbo
GO

Script #2 - For the user database you want to provide access:

/******* Run This code on the Database you want to give the access ******/

-- The user database where you want to give the access

CREATE USER az_read
 FOR LOGIN az_read
 WITH DEFAULT_SCHEMA = dbo
GO

-- Add user to the database roles you want
EXEC sp_addrolemember N'db_datareader', N'sqlreadusr'
GO

Explaining it:

You first need to create the login, and set up your password, following the Azure strong password requirements.
Then, if the user is planning to connect to the instance using SSMS or ADS or another tool where the default database to connect is not required,  you must create the user in the master database (without roles, unless required specific access).
Next step is to create the user on the database you want to provide the access.
Finally, you assign the roles you want for that particular user.

After that you can connect with the user to provide the respective access:



For creating logins from Azure Active Directory, the script changes a little, you must create the login connecting to the database using another AD account (the administrator we configurated earlier or another AD user with enough privileges), then you specify the AD account followed by FROM EXTERNAL PROVIDER.

Once you are connected you must only change the first script, as follows:


/******* Run This code on the MASTER Database ******/

-- Create login,

CREATE USER [epivaral@galileo.edu] FROM EXTERNAL PROVIDER;
GO

-- Create user in master database (so the user can connect using ssms or ADS)
CREATE USER [epivaral@galileo.edu]
 FOR LOGIN [epivaral@galileo.edu]
 WITH DEFAULT_SCHEMA = dbo
GO

There is no change in script 2 to provide access to the user on a specific database.

Contained User


For more secure environments, you can create contained database users, this approach provide you a more portable database, with no need to worry about the logins, this is the recommended way to grant users access to Azure databases.

In order to create a contained user, just connect to the database you want to provide the access, and run the create user script as follows:


/**** Run the script on the Azure database you want to grant access *****/

CREATE USER contained_user 
WITH PASSWORD = 'YourStrongP@ssW0rd';

GO

After creating the contained user, you can use it by specifying the database you want to connect in the connection options (for this example using Azure Data Studio):


You can see in the object explorer, we only have access to the database we connected, improving security and portability:



You can read more about this in the Microsoft official documentation here.

Comments

  1. AnonymousJune 18, 2019 at 9:20 AM

    For the external provider user piece at the end, you've got create user, then create user again (but with login)? When i run that it says 'not a valid login or you do not have permission', yet I'm the AD Admin?

    ReplyDelete
  2. AnonymousJune 19, 2019 at 2:51 AM

    I think for AD auth what I've found is, you mean to say in the comments, create user not login. AD doesn't create a login (the script itself is fine, it's just the comments that were a bit misleading). Also for the second bit you don't run it in master (despite the comments), you run it in any DB you want the account to have access to. You can't give that to master

    ReplyDelete

Post a Comment

Popular posts from this blog

Checking Azure SQL DB service tier via T-SQL

Image
If you have to manage or work with an Azure SQL database and want to know what service tier the database is currently operating, but you don't have access to the Azure subscription or CLI. Or you want to know the status of the service tier after a scale up or scale down, directly from the database; you can do it via T-SQL Just query the sys.database_service_objectives DMO to obtain this information, this will give information about the service tier, and also will tell you if the database is part of an elastic pool or not. Basic usage (in the context of the database you need the information): SELECT * FROM sys.database_service_objectives; This will return the following information for the current database: I am running on a General Purpose tier with 1 VCore What if you want the information for all the databases created? Just change the context to the master database and execute the following query: SELECT D.name AS DB , D.create_date , SO.edition , SO.service_o
Read more

Install Python on Windows

Image
Python is the most famous development language today. This is because is open-source, scalable and robust. It can run in almost any device with a processor (or microprocessor, we will see that in coming posts) and is very simple to use and learn, even if you don't have any programming backgroud or experience. Start using it is very simple and you can learn the basics in the official site .   Installing Python For windows systems, you can download the latest version here . Once downloaded, open the executable file as administrator. Then, for the uses we will give on the articles on this site, please install it this way: Make sure you have selected the add Pyton to PATH option - This will allow us to run the Python engine from multiple sources (As is intended for use on multiple applications) .   Make sure you install Python for all users - This will allow usto run the script commands .   Select PIP feature - This is used to install adittional libraries and functionalities, one of
Read more

Quick tip: Zoom in Azure Data Studio

Image
If you finally have given a try t o Azure Data Studio , and if you use it on a regular basis, maybe you want to customize it to suit your needs. Among the huge customization options it has, you can control the text size in form of zoom. To do change it, just use the following keyboard combinations: (Ctrl + = ) For Zoom in. (Ctrl + - ) For Zoom out. (Ctrl + 0) For Zoom reset.  You can see it in action: Also, as with everything on this tool, you can access this functionality from command palette (Ctrl + Shift + P) , and type "zoom" (you can fine-control the editor zoom from here): If you haven't tried it yet, you can download Azure Data Studio here .
Read more