| title | Enable Azure Active Directory only authentication |
|---|---|
| titleSuffix | Azure SQL Database & Azure SQL Managed Instance |
| description | This article guides you through enabling the Azure Active Directory (Azure AD) only authentication feature with Azure SQL Database and Azure SQL Managed Instance |
| author | GithubMirek |
| ms.author | mireks |
| ms.reviewer | wiassaf, vanto, mathoma |
| ms.date | 11/02/2021 |
| ms.service | sql-db-mi |
| ms.subservice | security |
| ms.topic | tutorial |
| monikerRange | = azuresql || = azuresql-db || = azuresql-mi |
[!INCLUDEappliesto-sqldb-sqlmi]
This article guides you through enabling the Azure AD-only authentication feature within Azure SQL Database and Azure SQL Managed Instance. If you are looking to provision a SQL Database or SQL Managed Instance with Azure AD-only authentication enabled, see Create server with Azure AD-only authentication enabled in Azure SQL.
In this tutorial, you learn how to:
[!div class="checklist"]
- Assign role to enable Azure AD-only authentication
- Enable Azure AD-only authentication using the Azure portal, Azure CLI, or PowerShell
- Check whether Azure AD-only authentication is enabled
- Test connecting to Azure SQL
- Disable Azure AD-only authentication using the Azure portal, Azure CLI, or PowerShell
- An Azure AD instance. For more information, see Configure and manage Azure AD authentication with Azure SQL.
- A SQL Database or SQL Managed Instance with a database, and logins or users. See Quickstart: Create an Azure SQL Database single database if you haven't already created an Azure SQL Database, or Quickstart: Create an Azure SQL Managed Instance.
In order to enable or disable Azure AD-only authentication, selected built-in roles are required for the Azure AD users executing these operations in this tutorial. We're going to assign the SQL Security Manager role to the user in this tutorial.
For more information on how to assign a role to an Azure AD account, see Assign administrator and non-administrator roles to users with Azure Active Directory
For more information on the required permission to enable or disable Azure AD-only authentication, see the Permissions section of Azure AD-only authentication article.
-
In our example, we'll assign the SQL Security Manager role to the user
UserSqlSecurityManager@contoso.onmicrosoft.com. Using privileged user that can assign Azure AD roles, sign into the Azure portal. -
Go to your SQL server resource, and select Access control (IAM) in the menu. Select the Add button and then Add role assignment in the drop-down menu.
:::image type="content" source="media/authentication-azure-ad-only-authentication/azure-ad-only-authentication-access-control.png" alt-text="Access control pane in the Azure portal":::
-
In the Add role assignment pane, select the Role SQL Security Manager, and select the user that you want to have the ability to enable or disable Azure AD-only authentication.
:::image type="content" source="media/authentication-azure-ad-only-authentication/azure-ad-only-authentication-access-control-add-role.png" alt-text="Add role assignment pane in the Azure portal":::
-
Click Save.
To enable Azure AD-only authentication auth in the Azure portal, see the steps below.
-
Using the user with the SQL Security Manager role, go to the Azure portal.
-
Go to your SQL server resource, and select Azure Active Directory under the Settings menu.
:::image type="content" source="media/authentication-azure-ad-only-authentication/azure-ad-only-authentication-portal.png" alt-text="Enable Azure AD only auth menu":::
-
If you haven't added an Azure Active Directory admin, you'll need to set this before you can enable Azure AD-only authentication.
-
Select the Support only Azure Active Directory authentication for this server checkbox.
-
The Enable Azure AD authentication only popup will show. Click Yes to enable the feature and Save the setting.
To enable Azure AD-only authentication auth in the Azure portal, see the steps below.
-
Using the user with the SQL Security Manager role, go to the Azure portal.
-
Go to your SQL managed instance resource, and select Active Directory admin under the Settings menu.
-
If you haven't added an Azure Active Directory admin, you'll need to set this before you can enable Azure AD-only authentication.
-
Select the Support only Azure Active Directory authentication for this managed instance checkbox.
-
The Enable Azure AD authentication only popup will show. Click Yes to enable the feature and Save the setting.
To enable Azure AD-only authentication in Azure SQL Database using Azure CLI, see the commands below. Install the latest version of Azure CLI. You must have Azure CLI version 2.14.2 or higher. For more information on these commands, see az sql server ad-only-auth.
For more information on managing Azure AD-only authentication using APIs, see Managing Azure AD-only authentication using APIs.
Note
The Azure AD admin must be set for the server before enabling Azure AD-only authentication. Otherwise, the Azure CLI command will fail.
For permissions and actions required of the user performing these commands to enable Azure AD-only authentication, see the Azure AD-only authentication article.
-
Sign into Azure using the account with the SQL Security Manager role.
az login -
Run the following command, replacing
<myserver>with your SQL server name, and<myresource>with your Azure Resource that holds the SQL server.az sql server ad-only-auth enable --resource-group <myresource> --name <myserver>
To enable Azure AD-only authentication in Azure SQL Managed Instance using Azure CLI, see the commands below. Install the latest version of Azure CLI.
-
Sign into Azure using the account with the SQL Security Manager role.
az login -
Run the following command, replacing
<myserver>with your SQL server name, and<myresource>with your Azure Resource that holds the SQL server.az sql mi ad-only-auth enable --resource-group <myresource> --name <myserver>
To enable Azure AD-only authentication in Azure SQL Database using PowerShell, see the commands below. Az.Sql 2.10.0 module or higher is required to execute these commands. For more information on these commands, see Enable-AzSqlInstanceActiveDirectoryOnlyAuthentication.
For more information on managing Azure AD-only authentication using APIs, see Managing Azure AD-only authentication using APIs
Note
The Azure AD admin must be set for the server before enabling Azure AD-only authentication. Otherwise, the PowerShell command will fail.
For permissions and actions required of the user performing these commands to enable Azure AD-only authentication, see the Azure AD-only authentication article. If the user has insufficient permissions, you will get the following error:
Enable-AzSqlServerActiveDirectoryOnlyAuthentication : The client
'UserSqlServerContributor@contoso.onmicrosoft.com' with object id
'<guid>' does not have authorization to perform
action 'Microsoft.Sql/servers/azureADOnlyAuthentications/write' over scope
'/subscriptions/<guid>...'
-
Sign into Azure using the account with the SQL Security Manager role.
Connect-AzAccount -
Run the following command, replacing
<myserver>with your SQL server name, and<myresource>with your Azure Resource that holds the SQL server.Enable-AzSqlServerActiveDirectoryOnlyAuthentication -ServerName <myserver> -ResourceGroupName <myresource>
To enable Azure AD-only authentication in Azure SQL Managed Instance using PowerShell, see the commands below. Az.Sql 2.10.0 module or higher is required to execute these commands.
For more information on managing Azure AD-only authentication using APIs, see Managing Azure AD-only authentication using APIs.
-
Sign into Azure using the account with the SQL Security Manager role.
Connect-AzAccount -
Run the following command, replacing
<myinstance>with your SQL Managed Instance name, and<myresource>with your Azure Resource that holds the SQL managed instance.Enable-AzSqlInstanceActiveDirectoryOnlyAuthentication -InstanceName <myinstance> -ResourceGroupName <myresource>
Check whether Azure AD-only authentication is enabled for your server or instance.
Go to your SQL server resource in the Azure portal. Select Azure Active Directory under the Settings menu.
Go to your SQL managed instance resource in the Azure portal. Select Active Directory admin under the Settings menu.
These commands can be used to check whether Azure AD-only authentication is enabled for your logical server for Azure SQL Database, or SQL Managed Instance. Members of the SQL Server Contributor and SQL Managed Instance Contributor roles can use these commands to check the status of Azure AD-only authentication, but can't enable or disable the feature.
-
Sign into Azure using the account with the SQL Security Manager role. For more information on managing Azure AD-only authentication using APIs, see Managing Azure AD-only authentication using APIs
az login -
Run the following command, replacing
<myserver>with your SQL server name, and<myresource>with your Azure Resource that holds the SQL server.az sql server ad-only-auth get --resource-group <myresource> --name <myserver> -
You should see the following output:
{ "azureAdOnlyAuthentication": true, "/subscriptions/<guid>/resourceGroups/mygroup/providers/Microsoft.Sql/servers/myserver/azureADOnlyAuthentications/Default", "name": "Default", "resourceGroup": "myresource", "type": "Microsoft.Sql/servers" }
-
Sign into Azure using the account with the SQL Security Manager role.
az login -
Run the following command, replacing
<myserver>with your SQL server name, and<myresource>with your Azure Resource that holds the SQL server.az sql mi ad-only-auth get --resource-group <myresource> --name <myserver> -
You should see the following output:
{ "azureAdOnlyAuthentication": true, "id": "/subscriptions/<guid>/resourceGroups/myresource/providers/Microsoft.Sql/managedInstances/myinstance/azureADOnlyAuthentications/Default", "name": "Default", "resourceGroup": "myresource", "type": "Microsoft.Sql/managedInstances" }
These commands can be used to check whether Azure AD-only authentication is enabled for your logical server for Azure SQL Database, or SQL Managed Instance. Members of the SQL Server Contributor and SQL Managed Instance Contributor roles can use these commands to check the status of Azure AD-only authentication, but can't enable or disable the feature.
The status will return True if the feature is enabled, and False if disabled.
-
Sign into Azure using the account with the SQL Security Manager role. For more information on managing Azure AD-only authentication using APIs, see Managing Azure AD-only authentication using APIs
Connect-AzAccount -
Run the following command, replacing
<myserver>with your SQL server name, and<myresource>with your Azure Resource that holds the SQL server.Get-AzSqlServerActiveDirectoryOnlyAuthentication -ServerName <myserver> -ResourceGroupName <myresource>
-
Sign into Azure using the account with the SQL Security Manager role.
Connect-AzAccount -
Run the following command, replacing
<myinstance>with your SQL Managed Instance name, and<myresource>with your Azure Resource that holds the SQL managed instance.Get-AzSqlInstanceActiveDirectoryOnlyAuthentication -InstanceName <myinstance> -ResourceGroupName <myresource>
After enabling Azure AD-only authentication, test with SQL Server Management Studio (SSMS) to connect to your SQL Database or SQL Managed Instance. Use SQL authentication for the connection.
You should see a login failed message similar to the following output:
Cannot connect to <myserver>.database.windows.net.
Additional information:
Login failed for user 'username'. Reason: Azure Active Directory only authentication is enabled.
Please contact your system administrator. (Microsoft SQL Server, Error: 18456)
By disabling the Azure AD-only authentication feature, you allow both SQL authentication and Azure AD authentication for Azure SQL.
- Using the user with the SQL Security Manager role, go to the Azure portal.
- Go to your SQL server resource, and select Azure Active Directory under the Settings menu.
- To disable the Azure AD-only authentication feature, uncheck the Support only Azure Active Directory authentication for this server checkbox and Save the setting.
- Using the user with the SQL Security Manager role, go to the Azure portal.
- Go to your SQL managed instance resource, and select Active Directory admin under the Settings menu.
- To disable the Azure AD-only authentication feature, uncheck the Support only Azure Active Directory authentication for this managed instance checkbox and Save the setting.
To disable Azure AD-only authentication in Azure SQL Database using Azure CLI, see the commands below.
-
Sign into Azure using the account with the SQL Security Manager role.
az login -
Run the following command, replacing
<myserver>with your SQL server name, and<myresource>with your Azure Resource that holds the SQL server.az sql server ad-only-auth disable --resource-group <myresource> --name <myserver> -
After disabling Azure AD-only authentication, you should see the following output when you check the status:
{ "azureAdOnlyAuthentication": false, "/subscriptions/<guid>/resourceGroups/mygroup/providers/Microsoft.Sql/servers/myserver/azureADOnlyAuthentications/Default", "name": "Default", "resourceGroup": "myresource", "type": "Microsoft.Sql/servers" }
To disable Azure AD-only authentication in Azure SQL Managed Instance using Azure CLI, see the commands below.
-
Sign into Azure using the account with the SQL Security Manager role.
az login -
Run the following command, replacing
<myserver>with your SQL server name, and<myresource>with your Azure Resource that holds the SQL server.az sql mi ad-only-auth disable --resource-group <myresource> --name <myserver> -
After disabling Azure AD-only authentication, you should see the following output when you check the status:
{ "azureAdOnlyAuthentication": false, "id": "/subscriptions/<guid>/resourceGroups/myresource/providers/Microsoft.Sql/managedInstances/myinstance/azureADOnlyAuthentications/Default", "name": "Default", "resourceGroup": "myresource", "type": "Microsoft.Sql/managedInstances" }
To disable Azure AD-only authentication in Azure SQL Database using PowerShell, see the commands below.
-
Sign into Azure using the account with the SQL Security Manager role.
Connect-AzAccount -
Run the following command, replacing
<myserver>with your SQL server name, and<myresource>with your Azure Resource that holds the SQL server.Disable-AzSqlServerActiveDirectoryOnlyAuthentication -ServerName <myserver> -ResourceGroupName <myresource>
To disable Azure AD-only authentication in Azure SQL Managed Instance using PowerShell, see the commands below.
-
Sign into Azure using the account with the SQL Security Manager role.
Connect-AzAccount -
Run the following command, replacing
<myinstance>with your SQL Managed Instance name, and<myresource>with your Azure Resource that holds the managed instance.Disable-AzSqlInstanceActiveDirectoryOnlyAuthentication -InstanceName <myinstance> -ResourceGroupName <myresource>
After disabling Azure AD-only authentication, test connecting using a SQL authentication login. You should now be able to connect to your server or instance.