stackoom
  简体   繁体   中英

Azure SQL Grant Access for AD User using PowerShell and ServicePrincipal

 原文  2020-07-01 13:02:01       azure/ powershell/ azure-sql-database/ powershell-core/ service-principal

Question

I try to create a User for an Azure SQL Server. I want to use the AzureAD users.

This is the code:

$accessToken = $(az account get-access-token --resource https://database.windows.net/ --query accessToken -o tsv --subscription ${data.azurerm_client_config.current.subscription_id})
$sqlConnection = New-Object System.Data.SqlClient.SqlConnection
$sqlConnection.ConnectionString = "Data Source = ${azurerm_sql_server.server.fully_qualified_domain_name}; Initial Catalog = ${azurerm_sql_database.sqldb.name}"
$sqlConnection.AccessToken = $accessToken
$sqlConnection.Open()
$sqlCmd = New-Object System.Data.SqlClient.SqlCommand
$sqlCmd.Connection = $sqlConnection
$sqlCmd.CommandText = "CREATE USER [someone.name_domain.com#EXT#@rootdomain.onmicrosoft.com] FROM EXTERNAL PROVIDER"
$sqlCmd.ExecuteNonQuery()

The azure commandline which is used to generate the token is authenticated using a service principal. The service principal is defined as the azurerm_sql_active_directory_administrator using an AAD-Group. I get the following Error

MethodInvocationException: 
Line |
  11 |  $sqlCmd.ExecuteNonQuery()
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~
     | Exception calling "ExecuteNonQuery" with "0" argument(s): "Principal 'someone.name_domain.com#EXT#@rootdomain.onmicrosoft.com' could not be resolved. Error message: ''"

If I change the SqlCommand to: SELECT * FROM sys.database_principals . I can query the results. Therefore I assume the Authentication itself is not the Problem. On the other hand, when logged into the azure cli with my active directory user (which is part of the same AAD-Group) instead of the service principal, the CREATE USER... Command works and the user is created.

I want to run the code in automation therefore I need it to work with my service principal. Is there anything that can be done to make this work?

1 answers

solution1
 2 ACCPTED  2020-07-02 02:01:34

Azure SQL database doesn't allow service principal to create user for now.

But others have found some workaround to solve the issue: 在此处输入图像描述

Microsoft MSFT confirm that it's correct and the official tutorial will come soon:

  1. Assign a server identity to the Azure SQL logical server

    Set-AzSqlServer -ResourceGroupName -ServerName <Server name> -AssignIdentity

  2. Grant the Directory Readers permissions to the server identity.

Please reference this blogs:

  1. CREATE USER FROM EXTERNAL PROVIDER by Service Principal
  2. https://github.com/MicrosoftDocs/sql-docs/issues/4959

Hope this helps.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Grant Azure AD group to access SQL Server Grant access to login using Azure AD how to give grant Permissions for an app in azure ad using powershell Unable to grant VSTS project access using Azure AD Groups Why is my “access grant malformed” in Azure AD? Powershell - Do “Grant Permissions” action on Azure AD Application with Powershell Using powershell to connect to azure ad using access token How to unlock an Azure AD user account using powershell? Unable to get Application using ServicePrincipal Credentials in Azure pyodbc will support connecting to an Azure SQL DB using the AD access token instead of user/password?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM