Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mirek Sztajno SQL Server Security PM

Published byAngelica Garrett Modified over 8 years ago

Similar presentations

Presentation on theme: "Mirek Sztajno SQL Server Security PM"— Presentation transcript:

1 Mirek Sztajno SQL Server Security PM mireks@microsoft.com
Azure Active Directory Authentication Public Preview Release for Azure SQL Database V12 Mirek Sztajno SQL Server Security PM

2 Agenda Value Proposition
Azure AD authentication- main architecture and configuration steps Demo Features, limitations and additional considerations Appendix Q&A

3 Azure Active Directory Authentication
4/25/2017 Central ID Management Provides an alternative to SQL authentication. Helps stop the proliferation of user identities across database servers. Allows password rotation in a single place. Simplified Permission Management Customers can manage database permissions using external (Azure AD) groups. Can Eliminate Storing Password Enables integrated Windows authentication and certificate-based authentication* * - certificate is managed in Azure Active Directory © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

4 Azure AD Authentication Methods
With username/password of an AAD Account Works for Azure AD managed and federated domains The easiest way to adopt Azure AD Authentication in existing applications Integrated Windows Authentication Works for Azure AD federated domains and clients on domain-joined machines Eliminates storing password and enables single sign-on Token-based Authentication (will be released later during public preview) Gives application full control over access token acquisition Enables authentication using secrets ( which can be certificates or keys)

5 Azure AD Authentication with SQL DB v12
On-Premises Active Directory ADFS Azure Active Directory Azure SQL Database ADALSQL ADO .NET 4.6 SSMS SSDT Connection string based authentication SQL package

6 Subscription Alignment for Azure AD Authentication

7 Using Azure AD Authentication
Setup Associate your Azure AD directory with your subscription Provision Server Admin based on Azure AD principal Tools: Portal, PowerShell, REST APIs User Provisioning Create contained users for Azure AD principals in your database Tool: T-SQL VS2015 Usage Connect using Azure AD identities ADO .NET (other drivers to be supporter later) Tools: SSMS, SSDT, VS2015 Prerequisite: Azure AD populated with organization’s users/groups

8 Demo

9 Demo: Azure AD Authentication End-End Scenario
Go to Azure AD portal Optional: associate subscription(s) with Azure Active Directory Choose Azure AD administrator group for Azure SQL Server Choose a user group to be provisioned in a user database Go to Ibiza portal Provision Azure AD admin Connect to the Azure SQL Server Database using Azure AD admin SSMS version for SQL Server 2016 preview release Create a contained Azure AD user in Azure SQL Server user database Connect to the Azure SQL Server database as Azure AD user Drop user from Azure AD and try to connect to the database

10 Azure AD Features and Limitations
Azure AD authentication is only supported for Azure SQL Database V12 Microsoft accounts are not supported For example: outlook.com, hotmail.com, live.com or other guest accounts like gmail.com or yahoo.com Multi-factor authentication and other forms of interactive authentication are not supported

11 Additional Considerations
Only one Azure AD admin (user/group) can be configured at any time Only an Azure AD admin can initially connect to Azure SQL Database Azure AD admin can configure subsequent Azure AD database users We recommend provisioning a dedicated Azure AD group as an admin We recommend setting the connection timeout to 30 seconds Azure AD auth only supports .NET Framework (4.6 or higher) for SQL Server SSMS and SSDT available with SQL Server 2016 preview are supported SSDT is partially supported for Azure AD auth Data-tier applications DAC and .bacpac are supported Not supported are Sqlcmd.exe  since sqlcmd uses ODBC provider. Some tools like BI and Excel

12 Appendix

13 Azure AD Administrator for SQL DB V12 Server

14 Provisioning Azure AD Administrator
Azure AD admin for Azure SQl DB can be provisioned using Ibiza Portal For existing V12 servers use server setting to provision Azure AD admin For more details see the demo PowerShell commands Requires (or higher) of Azure PowerShell For more details on PowerShell step-by-step operations on Azure AD admin see the SQL Server Security Blog on MSDN Rest API

15 Configure Client Computers
To support Azure AD authentication the following software must be installed .NET Framework 4.6 or later From  Azure Active Directory Authentication Library for SQL Server (ADALSQL.DLL) Contains multiple languages (both x86 and amd64) From Install SQL Server 2016 Management Studio or SQL Server Data Tools for Visual Studio 2015  It includes the .NET Framework 4.6 requirement SSMS installs the x86 version of ADALSQL.DLL SSDT installs the amd64 version of ADALSQL.DLL Please note: Azure AD authentication is only partially supported by SSDT Latest Visual Studio 2015 from Visual Studio Downloads  It includes .NET Framework 4.6 requirement, but does not install ADALSQL.DLL

16 Connect to User Database by using SSMS
Two new SSMS authentication options are available in the SSMS connect box Active Directory Password Authentication Active Directory Integrated authentication Connect using Active Directory Password Authentication Use this method when connecting with Azure AD principal name using Azure AD managed domain. Use it for federated account without access to the domain, for example when working remotely. Connect using Active Directory Integrated Authentication Use this method when logged into Windows using Azure AD credentials from a federated domain.

17 Create Azure AD Contained User in User Database
To log on with AAD identity, a contained database user must exist for the identity or one of the Azure AD groups, the identity belongs to. Only users with AAD-based identities and at least ALTER ANY USER permission can provision Azure AD-based contained users in a database User T-SQL syntax to create contained database user representing Azure AD federated or managed domain: CREATE USER FROM EXTERNAL PROVIDER; CREATE USER FROM EXTERNAL PROVIDER; To create a contained database user representing Azure AD or federated domain group use: CREATE USER [Patients] FROM EXTERNAL PROVIDER; Imported users from other Azure AD domain can only be create using groups

18 Permissions and related info
Newly created user receives CONNECT permission to that database as member of PUBLIC role Only permissions available to the user are permissions granted to the PUBLIC role, or any permissions granted to any Windows groups that they are a member of Additional permissions can be granted to Azure AD-based contained user the same way as permission are granted to any other type of user Typically grant permissions to database roles, and add users to roles A federated domain user that is imported into a manage domain, must use the managed domain identity (tenant ID and object ID) Azure AD users are marked in the database metadata with type E (EXTERNAL_USER) Azure AD groups are marked with type X (EXTERNAL_GROUPS) For more information see sys.database_principals

19 Using Azure AD Authentication in .NET Apps
Azure AD principal name and password Connect to a database using Azure AD managed or federated domain authentication Authentication keyword must be set to “Active Directory Password” Connection string must contain User ID/UID and Password/PWD keywords and values string ConnectionString Source=Yourv12server.database.windows.net;Initial Catalog=YourDatabase; Integrated Security=False; ConnectTimeout=30;Encrypt=True; Authentication=Active Directory Password; PWD=dr${12#$"; SqlConnection conn = new SqlConnection(ConnectionString); conn.Open();

20 Using Azure AD Authentication in .NET Apps
Integrated Windows Authentication Connect to a database using Azure AD federated domain authentication Domain is federated with azure AD and the client app or service is running on a domain-joined machine under user’s domain credentials. Connection string must contain User ID/UID and Password/PWD keywords and values string ConnectionString Source=yourv12server.database.windows.net;Initial Catalog=YourDatabase; Integrated Security=False;ConnectTimeout=30;Encrypt=True;Authentication=Active Directory Integrated" SqlConnection conn = new SqlConnection(ConnectionString); conn.Open();

21 Troubleshooting Scenarios
Check if Required Azure AD client software is installed Subscription is associated with Azure AD (tenant ID) and Azure SQL Server Database is part of Azure SQL Database V12.0.v From T-SQL run select – the version should be 12 Database to connect is the right one with contained user or group created there Most common mistake User is supported for Azure AD authentication Login to must fail Group is a security group User or group is in the right Azure AD Azure AD recognizes federated user or group Use Azure AD PowerShell commands User and password is typed correctly when connecting to the database

22 Resources Azure AD authentication – main MSDN document
This document refers to many Azure AD documents relevant to this feature SQL Server Security Blog Additional examples, PowerShell scripts and programs used see

23 Questions

24 Thank you Mirek Sztajno mireks@microsoft.com

Download ppt "Mirek Sztajno SQL Server Security PM"

Similar presentations

Eric J. Oszakiewski MCTS: SharePoint Application Development SharePoint Configuration.

Eric J. Oszakiewski MCTS: SharePoint Application Development SharePoint Configuration.
Agenda AD to Windows Azure AD Sync Options Federation Architecture

Agenda AD to Windows Azure AD Sync Options Federation Architecture
Core identity scenarios Federation and synchronization 2 3 Identity management overview 1 Additional features 4.

Core identity scenarios Federation and synchronization 2 3 Identity management overview 1 Additional features 4.
Identity management integration options for Office 365

Identity management integration options for Office 365
Federated sign-in WS-Federation WS-Trust SAML 2.0 Metadata Shibboleth Graph API Synchronize accounts Authentication.

Federated sign-in WS-Federation WS-Trust SAML 2.0 Metadata Shibboleth Graph API Synchronize accounts Authentication.
Welcome to the Minnesota SharePoint User Group November 11 th, 2009 SharePoint 2010 Administration Wes Preston, Brian Caauwe.

Welcome to the Minnesota SharePoint User Group November 11 th, 2009 SharePoint 2010 Administration Wes Preston, Brian Caauwe.
4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
VMware vCenter Server Module 4.

VMware vCenter Server Module 4.
Enterprise Reporting with Reporting Services SQL Server 2005 Donald Farmer Group Program Manager Microsoft Corporation.

Enterprise Reporting with Reporting Services SQL Server 2005 Donald Farmer Group Program Manager Microsoft Corporation.
Esri UC 2014 | Demo Theater | Using ArcGIS for Server in the Microsoft Azure Cloud Nikhil Shampur.

Esri UC 2014 | Demo Theater | Using ArcGIS for Server in the Microsoft Azure Cloud Nikhil Shampur.
Scenario covered in this presentation Separate credential from on- premises credential Authentication occurs via cloud directory service Does not.

Scenario covered in this presentation Separate credential from on- premises credential Authentication occurs via cloud directory service Does not.
© 2011 PLANET TECHNOLOGIES, INC. Augmenting User Profiles with Line of Business Data Patrick Curran, MCT APRIL 28, 2012.

© 2011 PLANET TECHNOLOGIES, INC. Augmenting User Profiles with Line of Business Data Patrick Curran, MCT APRIL 28, 2012.
OM. Brad Gall Senior Consultant

OM. Brad Gall Senior Consultant

Timothy Heeney| Microsoft Corporation. Discuss the purpose of Identity Federation Explain how to implement Identity Federation Explain how Identity Federation.

Timothy Heeney| Microsoft Corporation. Discuss the purpose of Identity Federation Explain how to implement Identity Federation Explain how Identity Federation.
© 2011 PLANET TECHNOLOGIES, INC. Extending User Profiles with Line of Business Data Patrick Curran, MCT FEBRUARY 24, 2013.

© 2011 PLANET TECHNOLOGIES, INC. Extending User Profiles with Line of Business Data Patrick Curran, MCT FEBRUARY 24, 2013.
Module 8 Configuring and Securing SharePoint Services and Service Applications.

Module 8 Configuring and Securing SharePoint Services and Service Applications.
Verify Hardware Requirements Install Windows Server 2008 R2 Configure Active Directory Install SQL Server 2008 Install SharePoint Server 2010 Configure.

Verify Hardware Requirements Install Windows Server 2008 R2 Configure Active Directory Install SQL Server 2008 Install SharePoint Server 2010 Configure.
TechEd 2013 4/22/2017 5:40 AM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks.

TechEd /22/2017 5:40 AM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks.
Single Sign-On with Microsoft Azure

Single Sign-On with Microsoft Azure

Similar presentations

Ads by Google