
Azure AD for authentication with Data Warehouse

I'm trying to set up authentication using Azure AD to log in to DWH.

Let's say I have a directory called target.onmicrosoft.com.

I have 2 external users who were already invited to this directory (user1@gmail.com, user2@gmail.com).

For user1@gmail.com, I gave him Owner permission on subscription scope using RBAC.

For user2@gmail.com, I only gave Reader permission on subscription scope using RBAC.

From the DWH AD admin portal, I set user1@gmail.com as admin. In other words, the Active Directory admin of DWH is user1@gmail.com.

Also, the real administrator user of DWH is another user, let's call it topmanager.

First of all, I logged in to DWH using topmanager and tried to create an AAD user: CREATE USER [user2@gmail.com] FROM EXTERNAL PROVIDER;

But it said: Only connections established with Active Directory accounts can create other Active Directory users.

So I had to log in using the user1@gmail.com credential (since user1 was already added as AAD admin). Also, I couldn't log in with the user2 credential.

Now I executed the same query:

CREATE USER [user1@gmail.com] FROM EXTERNAL PROVIDER;

And got the error: Principal 'user1@gmail.com' could not be found or this principal type is not supported.

My final intention is to give user1 full permission on DWH and schema-based full permission for user2.
