PageRenderTime 62ms CodeModel.GetById 18ms RepoModel.GetById 0ms app.codeStats 0ms

/articles/sql-database/sql-database-aad-authentication.md

https://gitlab.com/yeah568/azure-content
Markdown | 374 lines | 238 code | 136 blank | 0 comment | 0 complexity | 1cf447dc74a6379ad023b72039d15f12 MD5 | raw file
  1. <properties
  2. pageTitle="Connect to SQL Database or SQL Data Warehouse By Using Azure Active Directory Authentication | Microsoft Azure"
  3. description="Learn how to connect to SQL Database by using Azure Active Directory Authentication."
  4. services="sql-database"
  5. documentationCenter=""
  6. authors="BYHAM"
  7. manager="jhubbard"
  8. editor=""
  9. tags=""/>
  10. <tags
  11. ms.service="sql-database"
  12. ms.devlang="na"
  13. ms.topic="article"
  14. ms.tgt_pltfrm="na"
  15. ms.workload="data-management"
  16. ms.date="05/05/2016"
  17. ms.author="rick.byham@microsoft.com"/>
  18. # Connecting to SQL Database or SQL Data Warehouse By Using Azure Active Directory Authentication
  19. Azure Active Directory authentication is a mechanism of connecting to Microsoft Azure SQL Database and [SQL Data Warehouse](../sql-data-warehouse/sql-data-warehouse-overview-what-is.md) by using identities in Azure Active Directory (Azure AD). With Azure Active Directory authentication you can centrally manage the identities of database users and other Microsoft services in one central location. Central ID management provides a single place to manage database users and simplifies permission management. Benefits include the following:
  20. - It provides an alternative to SQL Server authentication.
  21. - Helps stop the proliferation of user identities across database servers.
  22. - Allows password rotation in a single place
  23. - Customers can manage database permissions using external (AAD) groups.
  24. - It can eliminate storing passwords by enabling integrated Windows authentication and other forms of authentication supported by Azure Active Directory.
  25. - Azure Active Directory authentication uses contained database users to authenticate identities at the database level.
  26. - Azure Active Directory supports token-based authentication for applications connecting to SQL Database.
  27. - Azure Active Directory authentication supports ADFS (domain federation) or native user/password authentication for a local Azure Active Directory without domain synchronization.
  28. > [AZURE.IMPORTANT] Azure Active Directory authentication is a preview feature and is subject to the preview terms in the license agreement (e.g., the Enterprise Agreement, Microsoft Azure Agreement, or Microsoft Online Subscription Agreement), as well as any applicable [Supplemental Terms of Use for Microsoft Azure Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
  29. The configuration steps include the following procedures to configure and use Azure Active Directory authentication.
  30. 1. Create and populate an Azure Active Directory.
  31. 2. Ensure your database is in Azure SQL Database V12. (Not necessary for SQL Data Warehouse.)
  32. 3. Optional: Associate or change the active directory that is currently associated with your Azure Subscription.
  33. 4. Create an Azure Active Directory administrator for Azure SQL Server or [Azure SQL Data Warehouse](https://azure.microsoft.com/services/sql-data-warehouse/).
  34. 5. Configure your client computers.
  35. 6. Create contained database users in your database mapped to Azure AD identities.
  36. 7. Connect to your database by using Azure AD identities.
  37. ## Trust architecture
  38. The following high level diagram summarizes the solution architecture of using Azure AD authentication with Azure SQL Database. The same concepts apply to SQL Data Warehouse. To support Azure Active Directory native user password, only the Cloud portion and Azure AD/Azure SQL Database is considered. To support Federated authentication (or user/password for Windows credentials) the communication with ADFS block is required. The arrows indicate communication pathways.
  39. ![aad auth diagram][1]
  40. The following diagram indicates the federation, trust, and hosting relationships that allow a client to connect to a database by submitting a token that was authenticated by an Azure AD, and which is trusted by the database. Customer 1 can represent an Azure Active Directory with native users or an Azure Active Directory with federated users. Customer 2 represents a possible solution including imported users; in this example coming from a federated Azure Active Directory with ADFS being synchronized with Azure Active Directory. It's important to understand that access to a database using Azure AD authentication requires that the hosting subscription is associated to the Azure Active Directory and the same subscription is used to create Azure SQL Database or SQL Data Warehouse server.
  41. ![subscription relationship][2]
  42. ## Administrator structure
  43. When using Azure AD authentication there will be two Administrator accounts for the SQL Database server; the original SQL Server administrator and the Azure AD administrator. The same concepts apply to SQL Data Warehouse. Only the administrator based on an Azure AD account can create the first Azure AD contained database user in a user database. The Azure AD administrator login can be an Azure AD user or an Azure AD group. When the administrator is a group account, it can be used by any group member, enabling multiple Azure AD administrators for the SQL Server instance. Using group account as an administrator enhances manageability by allowing you to centrally add and remove group members in Azure AD without changing the users or permissions in SQL Database. Only one Azure AD administrator (a user or group) can be configured at any time.
  44. ![admin structure][3]
  45. ## Permissions
  46. To create new users you must have the **ALTER ANY USER** permission in the database. The **ALTER ANY USER** permission can be granted to any database user. The **ALTER ANY USER** permission is also held by the server administrator accounts, and database users with the **CONTROL ON DATABASE** or **ALTER ON DATABASE** permission for that database, and by members of the **db_owner** database role.
  47. To create a contained database user in Azure SQL Database or SQL Data Warehouse you must connect to the database using an Azure AD identity. To create the first contained database user, you must connect to the database by using an Azure Active Directory administrator (who is the owner of the database). This is demonstrated in steps 4 and 5 below. Any Azure Active Directory authentication is only possible if the Azure Active Directory admin was created for Azure SQL Database or SQL Data Warehouse server. If the Azure Active Directory admin was removed from the server, existing Azure Active Directory users created previously inside SQL Server cannot anymore to the database using their current Azure Active Directory credentials
  48. ## Azure AD features and limitations
  49. The following members of Azure Active Directory can be provisioned in Azure SQL Serve ror SQL Data Warehouse:
  50. - Native members: A member created in Azure AD in the managed domain or in a customer domain. For more information, see [Add your own domain name to Azure AD](../active-directory/active-directory-add-domain.md).
  51. - Federated domain members: A member created in Azure AD with a federated domain. For more information, see [Microsoft Azure now supports federation with Windows Server Active Directory](https://azure.microsoft.com/blog/2012/11/28/windows-azure-now-supports-federation-with-windows-server-active-directory/).
  52. - Imported members from other Azure Active Directories who are native or federated domain members.
  53. - Active Directory groups created as security groups.
  54. Microsoft accounts (for example outlook.com, hotmail.com, live.com) or other guest accounts (for example gmail.com, yahoo.com) are not supported. If you can login to [https://login.live.com](https://login.live.com) using the account and password, then you are using a Microsoft account which is not supported for Azure AD authentication for Azure SQL Database or Azure SQL Data Warehouse.
  55. ### Additional considerations
  56. - To enhance manageability we recommended you provision a dedicated Azure Active Directory group as an administrator.
  57. - Only one Azure AD administrator (a user or group) can be configured for an Azure SQL Server or Azure SQL Data Warehouse at any time.
  58. - Only an Azure Active Directory administrator can initially connect to the Azure SQL Server or Azure SQL Data Warehouse using an Azure Active Directory account. The Active Directory administrator can configure subsequent Azure Active Directory database users.
  59. - We recommend setting the connection timeout to 30 seconds.
  60. - SQL Server 2016 Management Studio and SQL Server Data Tools for Visual Studio 2015 (version 14.0.60311.1April 2016 or later) support Azure Active Directory authentication. (Azure Active Directory authentication is supported by the **.NET Framework Data Provider for SqlServer**; at least version .NET Framework 4.6). Therefore the newest versions of these tools and data-tier applications (DAC and .bacpac) can use Azure Active Directory authentication, but **sqlcmd.exe** and **bcp.exe** cannot connect because they use the ODBC provider.
  61. - SQL Server Data Tools for Visual Studio 2015 requires at least the April 2016 version of the Data Tools (version 14.0.60311.1). Currently Azure Active Directory users are not shown in SSDT Object Explorer. As a workaround, view the users in [sys.database_principals](https://msdn.microsoft.com/library/ms187328.aspx).
  62. - [Microsoft JDBC Driver 6.0 for SQL Server](https://blogs.technet.microsoft.com/dataplatforminsider/2016/04/04/preview-the-microsoft-jdbc-driver-6-0-for-sql-server/) supports Azure Active Directory authentication.
  63. - PolyBase cannot authenticate by using Azure Active Directory authentication.
  64. - SQL Server Management Studio is not supported for SQL Data Warehouse. Use SQL Server Data Tools.
  65. - Some tools like BI and Excel are not supported.
  66. - Two-factor authentication or other forms of interactive authentication are not supported.
  67. - Azure Active Directory authentication is supported for SQL Database by the Azure Portal **Import Database** and **Export Database** blades. Import and export using Azure Active Directory authentication is also supported from the PowerShell command.
  68. ## 1. Create and populate an Azure Active Directory
  69. Create an Azure Active directory and populate it with users and groups. This includes:
  70. - Create the initial domain Azure AD managed domain.
  71. - Federate an on-premises Active Directory Domain Services with Azure Active Directory.
  72. - Using the **AD FS** tool, in the **Service**, **Endpoints** section, enable **WS-Trust 1.3** for the URL path **/adfs/services/trust/13/windowstransport**.
  73. For more information, see [Integrating your on-premises identities with Azure Active Directory](../active-directory/active-directory-aadconnect.md), [Add your own domain name to Azure AD](../active-directory/active-directory-add-domain.md), [Microsoft Azure now supports federation with Windows Server Active Directory](https://azure.microsoft.com/blog/2012/11/28/windows-azure-now-supports-federation-with-windows-server-active-directory/), [Administering your Azure AD directory](https://msdn.microsoft.com/library/azure/hh967611.aspx), and [Manage Azure AD using Windows PowerShell](https://msdn.microsoft.com/library/azure/jj151815.aspx).
  74. ## 2. Ensure your SQL Database is in Azure SQL Database V12
  75. Azure Active Directory authentication is supported in the latest SQL Database V12. For information about SQL Database V12 and to learn whether it is available in your region, see [What's new in the Latest SQL Database Update V12](sql-database-v12-whats-new.md). This step is not necessary for Azure SQL Data Warehouse because SQL Data Warehouse is only available in V12.
  76. If you have an existing database, verify it is hosted in SQL Database V12 by connecting to the database (for example using SQL Server Management Studio) and executing `SELECT @@VERSION;` The expected output for a database in SQL Database V12 is at least **Microsoft SQL Azure (RTM) - 12.0**.
  77. If your database is not hosted in SQL Database V12, see [Plan and prepare to upgrade to SQL Database V12](sql-database-v12-plan-prepare-upgrade.md), and then visit the Azure Classic Portal to migrate the database to SQL Database V12.
  78. Alternatively, you can create a new database in SQL Database V12 by following the steps listed in [Create your first Azure SQL database](sql-database-get-started.md). **Tip**: Read the next step before you select a subscription for your new database.
  79. ## 3. Optional: Associate or change the active directory that is currently associated with your Azure Subscription
  80. To associate your database with the Azure AD directory for your organization, make the directory a trusted directory for the Azure subscription hosting the database. For more information, see [How Azure subscriptions are associated with Azure AD](https://msdn.microsoft.com/library/azure/dn629581.aspx).
  81. **Additional information:** Every Azure subscription has a trust relationship with an Azure AD instance. This means that it trusts that directory to authenticate users, services, and devices. Multiple subscriptions can trust the same directory, but a subscription trusts only one directory. You can see which directory is trusted by your subscription under the **Settings** tab at [https://manage.windowsazure.com/](https://manage.windowsazure.com/). This trust relationship that a subscription has with a directory is unlike the relationship that a subscription has with all other resources in Azure (websites, databases, and so on), which are more like child resources of a subscription. If a subscription expires, then access to those other resources associated with the subscription also stops. But the directory remains in Azure, and you can associate another subscription with that directory and continue to manage the directory users. For more information about resources, see [Understanding resource access in Azure](https://msdn.microsoft.com/library/azure/dn584083.aspx).
  82. The following procedures provide step by step instructions on how to change the associated directory for a given subscription.
  83. 1. Connect to your [Azure Classic Portal](https://manage.windowsazure.com/) by using an Azure subscription administrator.
  84. 2. On the left banner, select **SETTINGS**.
  85. 3. Your subscriptions appear in the settings screen. If the desired subscription does not appear, click **Subscriptions** at the top, drop down the **FILTER BY DIRECTORY** box and select the directory that contains your subscriptions, and then click **APPLY**.
  86. ![select subscription][4]
  87. 4. In the **settings** area, click your subscription, and then click **EDIT DIRECTORY** at the bottom of the page.
  88. ![ad-settings-portal][5]
  89. 5. In the **EDIT DIRECTORY** box, select the Azure Active Directory that is associated with your SQL Server or SQL Data Warehouse, and then click the arrow for next.
  90. ![edit-directory-select][6]
  91. 6. In the **CONFIRM** directory Mapping dialog box, confirm that "**All co-administrators will be removed.**"
  92. ![edit-directory-confirm][7]
  93. 7. Click the check to reload the portal.
  94. > [AZURE.NOTE] When you change the directory, access to all co-administrators, Azure AD users and groups, and directory-backed resource users will be removed and they will no longer have access to this subscription or its resources. Only you, as a service administrator, will be able to configure access for principals based on the new directory. This change might take a substantial amount of time to propagate to all resources. Changing the directory will also change the Azure AD administrator for SQL Database and SQL Data Warehouse and disallow database access for any existing Azure AD users. The Azure AD admin must be re-set (as described below) and new Azure AD users must be created.
  95. ## 4. Create an Azure Active Directory administrator for Azure SQL Server or Azure SQL Data Warehouse
  96. Each Azure SQL Server or SQL Data Warehouse starts with a single server administrator account which is the administrator of the entire Azure SQL Server. A second server administrator must be created, that is an Azure AD account. This principal is created as a contained database user in the master database. As administrators, the server administrator accounts are members of the **db_owner** role in every user database, and enter each user database as the **dbo** user. For more information about the server administrator accounts, see [Managing Databases and Logins in Azure SQL Database](sql-database-manage-logins.md) and the **Logins and Users** section of [Azure SQL Database Security Guidelines and Limitations](sql-database-security-guidelines.md).
  97. When using Azure Active Directory with Geo-Replication, the Azure Active Directory administrator must be configured for both the primary and the secondary servers. If a server does not have an Azure Active Directory administrator, then Azure Active Directory logins and users will receive a "Cannot connect" to server error.
  98. > [AZURE.NOTE] Users that are not based on an Azure AD account (including the Azure SQL Server administrator account) cannot create Azure AD based users because they do not have permission to validate proposed database users with the Azure AD.
  99. ### Provision an Azure Active Directory administrator for your Azure SQL Server or SQL Data Warehouse by using the Azure Portal
  100. 1. In the [Azure Portal](https://portal.azure.com/), in the upper-right corner, click your connection to drop down a list of possible Active Directories. Choose the correct Active Directory as the default Azure AD. This step links the subscription association with Active Directory with Azure SQL Database making sure that the same subscription is used for both Azure AD and SQL Server. (The following screenshots show Azure SQL Database, but the same concepts apply to Azure SQL Data Warehouse.)
  101. ![choose-ad][8]
  102. 2. In the left banner select **SQL servers**, select your **SQL server** or **SQL Data Warehouse**, and then in the **SQL Server** blade, at the top click **Settings**.
  103. ![ad settings][9]
  104. 3. In the **Settings** blade, click **Active Directory admin (preview)**, and accept the preview clause.
  105. 4. In the **Active Directory admin (preview)** blade, click to review, and then click **OK** to accept the preview terms.
  106. 5. In the **Active Directory admin (preview)** blade, click **Active Directory admin**, and then at the top, click **Set admin**.
  107. 6. In the **Add admin** blade, search for a user, select the user or group to be an administrator, and then click **Select**. (The Active Directory admin blade will show all members and groups of your Active Directory. Users or groups that are grayed out cannot be selected because they are not supported as Azure AD administrators. (See the list of supported admins in **Azure AD Features and Limitations** above.) Role-based access control (RBAC) applies only to the portal and is not propagated to SQL Server.
  108. 7. At the top of the **Active Directory admin** blade, click **SAVE**.
  109. ![choose admin][10]
  110. The process of changing the administrator may take several minutes. Then the new administrator will appear in the **Active Directory admin** box.
  111. > [AZURE.NOTE] When setting up the Azure AD admin the new admin name (user or group) cannot already be present in the master database as a SQL Server authentication login. If present, the Azure AD admin setup will fail; rolling back its creation and indicating that such an admin (name) already exists. Since such a SQL Server authentication login is not part of the Azure AD, any effort to connect to the server using Azure AD authentication will fail.
  112. To later remove an Admin, at the top of the **Active Directory admin** blade, click **Remove admin**, and then click **Save**.
  113. ### Provision an Azure AD administrator for Azure SQL Server or Azure SQL Data Warehouse by using PowerShell
  114. To run PowerShell cmdlets, you need to have Azure PowerShell installed and running. For detailed information, see [How to install and configure Azure PowerShell](../powershell-install-configure.md).
  115. To provision an Azure AD admin you must execute the following Azure PowerShell commands:
  116. - Add-AzureRmAccount
  117. - Select-AzureRmSubscription
  118. Cmdlets used to provision and manage Azure AD admin:
  119. | Cmdlet name | Description |
  120. |---------------------------------------------------|-----------------------------------------------------------------------------------------------------------------|
  121. | [Set-AzureRmSqlServerActiveDirectoryAdministrator](https://msdn.microsoft.com/library/azure/mt603544.aspx) | Provisions an Azure Active Directory administrator for Azure SQL Server or Azure SQL Data Warehouse. (Must be from the current subscription.) |
  122. | [Remove-AzureRmSqlServerActiveDirectoryAdministrator](https://msdn.microsoft.com/library/azure/mt619340.aspx) | Removes an Azure Active Directory administrator for Azure SQL Server or Azure SQL Data Warehouse. |
  123. | [Get-AzureRmSqlServerActiveDirectoryAdministrator](https://msdn.microsoft.com/library/azure/mt603737.aspx) | Returns information about an Azure Active Directory administrator currently configured for the Azure SQL Server or Azure SQL Data Warehouse. |
  124. Use PowerShell command get-help to see more details for each of these commands, for example ``get-help Set-AzureRmSqlServerActiveDirectoryAdministrator``.
  125. The following script provisions an Azure AD administrator group named **DBA_Group** (object id `40b79501-b343-44ed-9ce7-da4c8cc7353f`) for the **demo_server** server in a resource group named **Group-23**:
  126. ```
  127. Set-AzureRmSqlServerActiveDirectoryAdministrator –ResourceGroupName "Group-23"
  128. –ServerName "demo_server" -DisplayName "DBA_Group"
  129. ```
  130. The **DisplayName** input parameter accepts either the Azure AD display name or the User Principal Name. For example ``DisplayName="John Smith"`` and ``DisplayName="johns@contoso.com"``. For Azure AD groups only the Azure AD display name is supported.
  131. > [AZURE.NOTE] The Azure PowerShell command ```Set-AzureRmSqlServerActiveDirectoryAdministrator``` will not prevent you from provisioning Azure AD admins for unsupported users. An unsupported user can be provisioned, but will not be able to connect to a database. (See the list of supported admins in **Azure AD Features and Limitations** above.)
  132. The following example uses the optional **ObjectID**:
  133. ```
  134. Set-AzureRmSqlServerActiveDirectoryAdministrator –ResourceGroupName "Group-23"
  135. –ServerName "demo_server" -DisplayName "DBA_Group" -ObjectId "40b79501-b343-44ed-9ce7-da4c8cc7353f"
  136. ```
  137. > [AZURE.NOTE] The Azure AD **ObjectID** is required when the **DisplayName** is not unique. To retrieve the **ObjectID** and **DisplayName** values, use the Active Directory section of Azure Classic Portal, and view the properties of a user or group.
  138. The following example returns information about the current Azure AD admin for Azure SQL Server:
  139. ```
  140. Get-AzureRmSqlServerActiveDirectoryAdministrator –ResourceGroupName "Group-23" –ServerName "demo_server" | Format-List
  141. ```
  142. The following example removes an Azure AD administrator:
  143. ```
  144. Remove-AzureRmSqlServerActiveDirectoryAdministrator -ResourceGroupName "Group-23" –ServerName "demo_server"
  145. ```
  146. You can also provision an Azure Active Directory Administrator by using the REST APIs. For more information, see [Service Management REST API Reference and Operations for Azure SQL Databases Operations for Azure SQL Databases](https://msdn.microsoft.com/library/azure/dn505719.aspx)
  147. ## 5. Configure your client computers
  148. On all client machines, from which your applications or users connect to Azure SQL Database or Azure SQL Data Warehouse using Azure AD identities, you must install the following software:
  149. - .NET Framework 4.6 or later from [https://msdn.microsoft.com/library/5a4x27ek.aspx](https://msdn.microsoft.com/library/5a4x27ek.aspx).
  150. - Azure Active Directory Authentication Library for SQL Server (**ADALSQL.DLL**) is available in multiple languages (both x86 and amd64) from the download center at [Microsoft Active Directory Authentication Library for Microsoft SQL Server](http://www.microsoft.com/download/details.aspx?id=48742).
  151. ### Tools
  152. - Installing either [SQL Server 2016 Management Studio](https://msdn.microsoft.com/library/mt238290.aspx) or [SQL Server Data Tools for Visual Studio 2015](https://msdn.microsoft.com/library/mt204009.aspx) meets the .NET Framework 4.6 requirement.
  153. - SSMS installs the x86 version of **ADALSQL.DLL**.
  154. - SSDT installs the amd64 version of **ADALSQL.DLL**.
  155. - The latest Visual Studio from [Visual Studio Downloads](https://www.visualstudio.com/downloads/download-visual-studio-vs) meets the .NET Framework 4.6 requirement, but does not install the required amd64 version of **ADALSQL.DLL**.
  156. ## 6. Create contained database users in your database mapped to Azure AD identities
  157. ### About contained database users
  158. Azure Active Directory authentication requires database users to be created as contained database users. A contained database user based on an Azure AD identity is a database user that does not have a login in the master database, and which maps to an identity in the Azure AD directory that is associated with the database. The Azure AD identity can be either an individual user account or a group. For more information about contained database users, see [Contained Database Users- Making Your Database Portable](https://msdn.microsoft.com/library/ff929188.aspx).
  159. > [AZURE.NOTE] Database users (with the exception of administrators) cannot be created using portal and RBAC roles are not propagated to SQL Server or SQL Data Warehouse. Azure RBAC roles are used for managing Azure Resources and do not apply to database permissions. For example the **SQL Server Contributor** role does not grant access to connect to the SQL Database or SQL Data Warehouse. The access permission must be granted directly in the database using Transact-SQL statements.
  160. ### Connect to the user database or data warehouse by using SQL Server Management Studio or SQL Server Data Tools
  161. To confirm the Azure AD administrator is properly set up, connect to the **master** database using the Azure AD administrator account.
  162. To provision an Azure AD based contained database user (other than the server administrator that owns the database), connect to the database with an Azure AD identity that has access to the database. (SSMS is not supported for SQL Data Warehouse. Use SSDT instead.)
  163. > [AZURE.IMPORTANT] Support for Azure Active Directory authentication is available with [SQL Server 2016 Management Studio](https://msdn.microsoft.com/library/mt238290.aspx) and [SQL Server Data Tools](https://msdn.microsoft.com/library/mt204009.aspx) in Visual Studio 2015.
  164. #### Connect using Active Directory integrated authentication
  165. Use this method if you are logged into Windows using your Azure Active Directory credentials from a federated domain.
  166. 1. Start Management Studio or Data Tools and in the **Connect to Server** (or **Connect to Database Engine**) dialog box, in the **Authentication** box, select **Active Directory Integrated Authentication**. No password is needed or can be entered because your existing credentials will be presented for the connection.
  167. ![Select AD Integrated Authentication][11]
  168. 2. Click the **Options** button, and on the **Connection Properties** page, in the **Connect to database** box, type the name of the user database you want to connect to.
  169. #### Connect using Active Directory password authentication
  170. Use this method when connecting with an Azure AD principal name using the Azure AD managed domain. You can also use it for federated account without access to the domain, for example when working remotely.
  171. Use this method if you are logged into Windows using credentials from a domain that is not federated with Azure, or when using Azure AD authentication using Azure AD based on the initial or the client domain.
  172. 1. Start Management Studio or Data Tools and in the **Connect to Server** (or **Connect to Database Engine**) dialog box, in the **Authentication** box, select **Active Directory Password Authentication**.
  173. 2. In the **User name** box, type your Azure Active Directory user name in the format **username@domain.com**. This must be an account from the Azure Active Directory or an account from a domain federate with the Azure Active Directory.
  174. 3. In the **Password** box, type your user password for the Azure Active Directory account or federated domain account.
  175. ![Select AD Password Authentication][12]
  176. 4. Click the **Options** button, and on the **Connection Properties** page, in the **Connect to database** box, type the name of the user database you want to connect to.
  177. ### Create an Azure AD contained database user in a user database
  178. To create an Azure AD based contained database user (other than the server administrator that owns the database), connect to the database with an Azure AD identity (as described in the previous procedure) as a user with at least the **ALTER ANY USER** permission. Then use the following Transact-SQL syntax:
  179. CREATE USER <Azure_AD_principal_name>
  180. FROM EXTERNAL PROVIDER;
  181. *Azure_AD_principal_name* can be the user principal name of an Azure AD user or the display name for an Azure AD group.
  182. **Examples:**
  183. To create a contained database user representing an Azure AD federated or managed domain user:
  184. CREATE USER [bob@contoso.com] FROM EXTERNAL PROVIDER;
  185. CREATE USER [alice@fabrikam.onmicrosoft.com] FROM EXTERNAL PROVIDER;
  186. To create a contained database user representing an Azure AD or federated domain group, provide the display name of a security group:
  187. CREATE USER [ICU Nurses] FROM EXTERNAL PROVIDER;
  188. To create a contained database user representing an application that will connect using an Azure AD token:
  189. CREATE USER [appName] FROM EXTERNAL PROVIDER;
  190. For more information about creating contained database users based on Azure Active Directory identities, see [CREATE USER (Transact-SQL)](http://msdn.microsoft.com/library/ms173463.aspx).
  191. > [AZURE.NOTE] Removing the Azure Active Directory administrator for Azure SQL Server prevents any Azure AD authentication user from connecting to the server. If required, unusable Azure AD users can be dropped manually by a SQL Database administrator.
  192. When you create a database user, that user receives the **CONNECT** permission and can connect to that database as a member of the **PUBLIC** role. Initially the only permissions available to the user are any permissions granted to the **PUBLIC** role, or any permissions granted to any Windows groups that they are a member of. Once you provision an Azure AD-based contained database user, you can grant the user additional permissions, the same way as you grant permission to any other type of user. Typically grant permissions to database roles, and add users to roles. For more information, see [Database Engine Permission Basics](http://social.technet.microsoft.com/wiki/contents/articles/4433.database-engine-permission-basics.aspx). For more information about special SQL Database roles, see [Managing Databases and Logins in Azure SQL Database](sql-database-manage-logins.md).
  193. A federated domain user that is imported into a manage domain, must use the managed domain identity.
  194. > [AZURE.NOTE] Azure AD users are marked in the database metadata with type E (EXTERNAL_USER) and for groups with type X (EXTERNAL_GROUPS). For more information, see [sys.database_principals](https://msdn.microsoft.com/library/ms187328.aspx).
  195. ## 7. Connect to your database by using Azure Active Directory identities
  196. Azure Active Directory authentication supports the following methods of connecting to a database using Azure AD identities:
  197. - Using integrated Windows authentication
  198. - Using an Azure AD principal name and a password
  199. - Using Application token authentication
  200. ### 7.1. Connecting using integrated (Windows) authentication
  201. To use integrated Windows authentication, your domains Active Directory must be federated with Azure Active Directory and your client application (or a service) connecting to the database must be running on a domain-joined machine under a users domain credentials.
  202. To connect to a database using integrated authentication and an Azure AD identity, the Authentication keyword in the database connection string must be set to Active Directory Integrated. The following C# code sample uses ADO .NET.
  203. string ConnectionString =
  204. @"Data Source=n9lxnyuzhv.database.windows.net; Authentication=Active Directory Integrated;";
  205. SqlConnection conn = new SqlConnection(ConnectionString);
  206. conn.Open();
  207. Note that the connection string keyword ``Integrated Security=True`` is not supported for connecting to Azure SQL Database.
  208. ### 7.2. Connecting with an Azure AD principal name and a password
  209. To connect to a database using integrated authentication and an Azure AD identity, the Authentication keyword must be set to Active Directory Password and the connection string must contain User ID/UID and Password/PWD keywords and values. The following C# code sample uses ADO .NET.
  210. string ConnectionString =
  211. @"Data Source=n9lxnyuzhv.database.windows.net; Authentication=Active Directory Password; UID=bob@contoso.onmicrosoft.com; PWD=MyPassWord!";
  212. SqlConnection conn = new SqlConnection(ConnectionString);
  213. conn.Open();
  214. For specific code examples related to Azure AD authentication see the [SQL Server Security Blog](http://blogs.msdn.com/b/sqlsecurity/) on MSDN.
  215. ### 7.3 Connecting with an Azure AD token
  216. This authentication method allows middle-tier services to connect to Azure SQL Database or Azure SQL Data Warehouse by obtaining a token from Azure Active Directory (AAD). It enables sophisticated scenarios including certificate-based authentication. You must complete four basic steps to use Azure AD token authentication:
  217. 1. Register your application with Azure Active Directory and get the client id for your code.
  218. 2. Create a database user representing the application. (Completed earlier in step 6.)
  219. 3. Create a certificate on the client computer that will run the application.
  220. 4. Add the certificate as a key for your application.
  221. For more information, see [SQL Server Security Blog](https://blogs.msdn.microsoft.com/sqlsecurity/2016/02/09/token-based-authentication-support-for-azure-sql-db-using-azure-ad-auth/).
  222. ## See also
  223. [Managing Databases and Logins in Azure SQL Database](sql-database-manage-logins.md)
  224. [Contained Database Users](https://msdn.microsoft.com/library/ff929071.aspx)
  225. [CREATE USER (Transact-SQL)](http://msdn.microsoft.com/library/ms173463.aspx)
  226. <!--Image references-->
  227. [1]: ./media/sql-database-aad-authentication/1aad-auth-diagram.png
  228. [2]: ./media/sql-database-aad-authentication/2subscription-relationship.png
  229. [3]: ./media/sql-database-aad-authentication/3admin-structure.png
  230. [4]: ./media/sql-database-aad-authentication/4select-subscription.png
  231. [5]: ./media/sql-database-aad-authentication/5ad-settings-portal.png
  232. [6]: ./media/sql-database-aad-authentication/6edit-directory-select.png
  233. [7]: ./media/sql-database-aad-authentication/7edit-directory-confirm.png
  234. [8]: ./media/sql-database-aad-authentication/8choose-ad.png
  235. [9]: ./media/sql-database-aad-authentication/9ad-settings.png
  236. [10]: ./media/sql-database-aad-authentication/10choose-admin.png
  237. [11]: ./media/sql-database-aad-authentication/11connect-using-int-auth.png
  238. [12]: ./media/sql-database-aad-authentication/12connect-using-pw-auth.png