Co-authored-by: rdheekonda <[email protected]>
1 parent 94f4227, commit b6828f9
Showing 1 changed file with 10 additions and 10 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,7 +1,7 @@ | ||
|
||
# Azure SQL Database Setup, Authentication and User Permissions | ||
|
||
This document provides a comprehensive guide to setting up and managing Azure SQL Database with a focus on using Entra ID authentication. It covers the essential steps for creating an Azure SQL Database, configuring Azure SQL Server security controls such as enabling Entra ID-only authentication and restricting access to selected networks, mapping Entra ID users to specific Azure SQL DB roles like `db_owner`, `db_writer`, and `db_reader`, and verifying if corporate email users exist in the database while granting appropriate permissions to them. | ||
This document provides a comprehensive guide to setting up and managing Azure SQL Database with a focus on using Entra ID authentication. It covers the essential steps for creating an Azure SQL Database, configuring Azure SQL Server security controls such as enabling Entra ID-only authentication and restricting access to selected networks, mapping Entra ID users to specific Azure SQL DB roles like `db_owner`, `db_datawriter`, and `db_datareader`, and verifying if corporate email users exist in the database while granting appropriate permissions to them. | ||
|
||
If the Azure SQL Database is already set up, you can skip directly to Section 3 to manage user DB permissions. | ||
|
||
|
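Review bot: the rename in this hunk is the right fix, not just a wording change: `db_datawriter` and `db_datareader` are the fixed database roles that actually exist in Azure SQL Database, while `db_writer` and `db_reader` do not, so the old overview pointed readers at role names whose `ALTER ROLE` statements later in the document would have failed. One leftover nit in the same sentence: "verifying if corporate email users exist" reads better as "verifying whether corporate email users exist".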
@@ -45,21 +45,21 @@ Even when users authenticate via Entra ID, they must be explicitly mapped to spe | |
### Key Database Roles: | ||
|
||
1. **db_owner**: Provides full control over the Azure SQL Database. Users with this role can create, modify, and delete database objects, manage security, and grant/revoke permissions to other users. | ||
2. **db_writer**: Allows users to insert, update, and delete data but does not permit modifying the database schema or managing users. | ||
3. **db_reader**: Grants read-only access to all tables and views in the database. | ||
2. **db_datawriter**: Allows users to insert, update, and delete data but does not permit modifying the database schema or managing users. | ||
3. **db_datareader**: Grants read-only access to all tables and views in the database. | ||
|
||
### Mapping Entra ID Users to Database Roles | ||
|
||
To grant users access to the database, you must map them to the appropriate role. Developers/maintainers should be assigned the `db_owner` role, while operators can be assigned the `db_writer` role. | ||
To grant users access to the database, you must map them to the appropriate role. Developers/maintainers should be assigned the `db_owner` role, while operators can be assigned the `db_datawriter` role. | ||
|
||
### Example: Mapping Entra ID Users | ||
|
||
```sql | ||
-- Create a database user for the Entra ID user | ||
CREATE USER [user@domain.com] FROM EXTERNAL PROVIDER; | ||
|
||
-- Map the user to the db_writer role | ||
ALTER ROLE db_writer ADD MEMBER [user@domain.com]; | ||
-- Map the user to the db_datawriter role | ||
ALTER ROLE db_datawriter ADD MEMBER [user@domain.com]; | ||
``` | ||
|
||
`[email protected]` could be corporate email address, such as `[email protected]`, which is linked to Entra ID. | ||
|
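Review bot: the description of `db_datawriter` in item 2 is incomplete in a way that undercuts the operator recommendation below it. `db_datawriter` grants INSERT, UPDATE and DELETE on all user tables but no SELECT, so an operator mapped only to that role cannot read data, and UPDATE or DELETE statements with a WHERE clause also fail because SQL Server requires SELECT on the filtered columns. Suggest either stating that operators get both roles, with a second line in the example such as `ALTER ROLE db_datareader ADD MEMBER [user@domain.com];`, or amending item 2 to say explicitly that read access must come from `db_datareader`. Separately, assigning `db_owner` to every developer/maintainer is broader than least privilege calls for; if that is deliberate, a sentence saying why would help the reader.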
@@ -85,14 +85,14 @@ ORDER BY UserName, RoleName; | |
|
||
| UserName | UserType | RoleName | | ||
|--------------------|---------------|-------------| | ||
| [email protected] | EXTERNAL_USER | db_writer | | ||
| [email protected] | EXTERNAL_USER | db_datawriter | | ||
| [email protected] | EXTERNAL_USER | db_owner | | ||
|
||
## 5. Granting Permissions to a New User | ||
|
||
1. Determine whether the user needs the `db_owner` or `db_writer` role. | ||
1. Determine whether the user needs the `db_owner` or `db_datawriter` role. | ||
- **db_owner** is recommended for developers and maintainers. | ||
- **db_writer** is recommended for operators interacting with the database. | ||
- **db_datawriter** is recommended for operators interacting with the database. | ||
|
||
2. Run the following commands from the query editor: | ||
|
||
|
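Review bot: step 1 only offers a choice between `db_owner` and `db_datawriter`, yet the Key Database Roles section above lists `db_datareader` as a third role and the sample result table shows no read-only users; a reader who needs read-only access has no path through this section. Suggest adding a third bullet, e.g. "`db_datareader` is recommended for read-only reporting or auditing access". Minor: after widening the RoleName values the separator row `|--------------------|---------------|-------------|` no longer lines up with the data rows; harmless in rendered Markdown, but worth realigning while this table is being touched.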
@@ -101,7 +101,7 @@ ORDER BY UserName, RoleName; | |
CREATE USER [user@domain.com] FROM EXTERNAL PROVIDER; | ||
|
||
-- Map the user to the required role | ||
ALTER ROLE db_writer ADD MEMBER [user@domain.com]; | ||
ALTER ROLE db_datawriter ADD MEMBER [user@domain.com]; | ||
``` | ||
|
||
3. Verify the permissions by running the above **Checking If a Corporate Email Address Exists** query again in the Query Editor. | ||
|
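Review bot: the `CREATE USER [user@domain.com] FROM EXTERNAL PROVIDER;` in step 2 fails when the database user already exists, which is exactly the case the Section 4 existence check is meant to surface, but step 2 never tells the reader what to do in that case. Suggest a short note that, if the user was found in step 1's check, only the `ALTER ROLE` line should be run. Also, the comment `-- Map the user to the required role` is followed by a hard-coded `db_datawriter` even though step 1 asks the reader to choose between `db_owner` and `db_datawriter`; the comment should say to substitute the role chosen in step 1 so the snippet is not copied verbatim for developers.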