
Azure AD (AAD) authentication with Azure SQL DB using Multi-Factor Authentication (MFA) enabled by Azure AD Conditional Access [email protected] 05/03/2018

Please note: To execute the steps described below, the following permissions are required:

o Subscription admin or co-admin
o Azure AD Global Admin permissions
o Azure AD Conditional Access being enabled

Overview – main steps

1. Portal login
2. AAD setup
o Create in AAD different users and groups using different credentials
o Native and guest users (B2B) and MFA users
3. Azure SQL Server setup
o Enable AAD admin for Azure SQL Server
4. SQL DB authentication using AAD
o Connect to Azure SQL DB using AAD admin for SQL
o Create an AAD user in SQL DB
o Connect to SQL DB using different authentication methods including MFA
5. AAD Conditional Access (optional)
o Enable AAD Conditional Access (CA) free trial (you may need to log out and in again)
o Create MFA condition
o Connect to SQL DB using CA user

AAD Workshop - detailed outline

1. Portal login
o Login to the Azure portal ( https://portal.azure.com ) using the MSA account associated with your Azure Pass subscription. Do not use your corporate account @microsoft.com or a subscription associated with your MS tenant.
o Your Azure AD is created and set up by default (AAD setup)


AAD: <your AAD name> (Default Directory) User: <Your MSA Azure pass account> Custom domain name: <your AAD name.onmicrosoft.com>

To see the initial setup, hover over your login account (see the screenshot below)

2. AAD setup
o Go to Azure Active Directory (left-hand menu bar)
o Review existing AAD users - your default MSA user (e.g. [email protected])
o Create an AAD user: go to >> Users and groups - All users; + New user

Create native AAD user e.g. alice@<your AAD name>.onmicrosoft.com


To check the domain, go to Azure Active Directory - Custom domain names

Reset the password (log out of the portal and log in as the newly created user). Then log in as subscription admin again

Create a guest user using your own microsoft.com account e.g. <your alias>@microsoft.com. Type a welcome message and click Invite


Important: go to your MS user’s e-mail inbox and confirm your guest invitation by clicking on “Get Started” (see below)


o Create two AAD groups. Go to >> Users and groups - All groups; create a new group
AAD SQL admin group e.g. AADSQLadmin: add your MSA account e.g. <Your MSA Azure pass account>
AAD SQL user group e.g. AADUser: add the native and guest user

o Enable MFA for a specific AAD user. Please note that your Azure Pass subscription allows enabling MFA only for native users. Go to >> Users and groups - All users - Multi-Factor auth
Enable MFA for your native user: check the box for the native user and enable MFA

3. Azure SQL Server setup
o Use your Azure SQL server and your Clinic database created during the initial workshop setup
o Create an Active Directory Admin for the Azure SQL Server (see the screenshot below)


e.g. choose the AADSQLAdmin group as the admin and save it. Check that AADSQLAdmin is shown in green


4. SQL DB authentication using AAD
o Use SSMS version 17.4
o Login to the Azure SQL server master db using your MSA account (your Azure Pass account). Use “Active Directory - Universal with MFA support” mode


Click on Options and Connection Properties. Check the “AAD domain name or tenant ID” box, add your AAD domain and click Connect

View the SSMS connection

o Go to your database <Clinic>, still logged in as the AAD/SQL admin. Create a user from your AAD (non-admin) group: CREATE USER [AADUser] FROM EXTERNAL PROVIDER
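The T-SQL for this step, as an added example that is not part of the workshop document: it creates the contained database user for the workshop's AADUser group and for the native user alice, grants only a read role, and verifies the result. Run it while connected to the Clinic database as a member of the AADSQLAdmin group; <your AAD name> is the workshop's placeholder and must be substituted. The guest user is covered by its membership in AADUser and is not created separately.

```sql
-- Added example (not from the workshop document). Run in the Clinic database
-- while connected as the Azure AD admin (member of AADSQLAdmin).
-- Replace <your AAD name> with your tenant's default domain prefix.

-- Azure AD group -> contained database user (type X in sys.database_principals).
-- Members of the group, native and guest, inherit this user.
CREATE USER [AADUser] FROM EXTERNAL PROVIDER;

-- Azure AD native user -> contained database user (type E).
CREATE USER [alice@<your AAD name>.onmicrosoft.com] FROM EXTERNAL PROVIDER;

-- Least privilege: grant only the read role the workshop needs, nothing more.
ALTER ROLE db_datareader ADD MEMBER [AADUser];
ALTER ROLE db_datareader ADD MEMBER [alice@<your AAD name>.onmicrosoft.com];

-- Verify the principals were resolved against Azure AD and exist in THIS database.
-- A contained user is not visible from master, which is why a connection that
-- does not name the database fails for these principals.
SELECT name, type_desc, authentication_type_desc, create_date
FROM sys.database_principals
WHERE type IN ('E', 'X');   -- E = external user, X = external group

-- After reconnecting as alice (or any AADUser member), confirm the session
-- identity and the effective role from the user's own connection.
SELECT SUSER_SNAME() AS login_name,
       USER_NAME()   AS db_user,
       IS_ROLEMEMBER('db_datareader') AS is_reader;
```

The first SELECT is the check to run when a later connection fails: if the group or user is missing from the target database's sys.database_principals, the connection was made to the wrong database (typically master) or the CREATE USER step was skipped.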


o Open a new SSMS connection. Connect to your server and the database using Active Directory - Integrated authentication. Please note that this authentication method (so-called Single Sign-on) is only possible from a domain-joined machine.
Alternatively, for machines not joined to the domain, use Active Directory – Universal with MFA support authentication


Indicate the database you want to connect to, in this case Clinic. Please note: failing to specify the database that the user or group is allowed to connect to will cause a connection failure

View the SSMS connection


o Open a new SSMS connection. Connect to the database using the native user account. Use “Active Directory - Universal with MFA support” mode
Set up MFA and follow the MFA steps


View the SSMS connection


5. AAD Conditional Access (optional)
o Enable Azure AD Premium: go to Azure AD, click on Conditional access and enable the free trial of the Premium version. It may take a minute and you may need to log off and log on again

o Create a new policy (e.g. MFA)
Assign a user (select a group, i.e. AADUser)
Assign an app (select Azure SQL DB)
Select access control (grant access, requiring multi-factor authentication)


Enable the policy

o Connect to the database in SSMS using your Microsoft domain credential. Use the SSMS “Active Directory - Universal with MFA support” auth option. Type your Microsoft credential (e.g. <your alias>@Microsoft.com). You will be asked to complete the MFA step (similar to the MFA setup in Step #4). Check the connection
o Go back to the MFA policy in the portal and disable it (set to OFF)
o Restart SSMS and connect again with your MS login


This time no MFA is enforced
