如何保护Web API和应用程序使用的Azure SQL数据库（Azure AD）

Question

I am currently developing several applications, mostly hosted on Azure : an Excel add-in (Office Apps) that calls an API hosted on Azure, a web application hosted on Azure, and probably other applications later.

To authenticate users, I use Azure Active Directory (Azure AD), based on Token authentication for the web API, and OpenID for the web application. Every call to the API or web app is thus authenticated thanks to the Azure AD, so Role-Based Access Control can be implemented in the application layer.

These API/apps are often calling an Azure SQL database and my question is the following : is it possible to use the authenticated user (from Azure AD) to also authenticate the database access ?

Currently, database credentials are hardcoded in the connection string (the login is created for the application), but this does not allow strict DB access control rules.

Additional information : integrated authentication (using Windows user) is not possible, because Windows login and Azure login are different in my organization : Azure and Windows Active Directories are different.

Thanks a lot for your help.

Answer 1

Yes, Azure SQL Server supports Azure Active Directory authentication. This article describes how to set it up: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication

Your database needs to be V12 for this feature. If it is not you can upgrade it to V12.

You can then connect to your database with a connectionstring like:

    string ConnectionString = @"Data Source=n9lxnyuzhv.database.windows.net; Authentication=Active Directory Integrated; Initial Catalog=testdb;";
    SqlConnection conn = new SqlConnection(ConnectionString);
    conn.Open();