Azure AD (AAD) authentication with Azure SQL DB using Multi-Factor Authentication (MFA) enabled by Azure AD Conditional Access
Author: [email protected]   Date: 05/03/2018

Please note: to execute the steps described below, the following permissions are required:
o Subscription admin or co-admin
o Azure AD Global Admin permissions
o Azure AD Conditional Access enabled
Overview – main steps
1. Portal login
2. AAD setup
   o Create in AAD different users and groups using different credentials
   o Native and guest users (B2B) and MFA users
3. Azure SQL Server setup
   o Enable AAD admin for Azure SQL Server
4. SQL DB authentication using AAD
   o Connect to Azure SQL DB using AAD admin for SQL
   o Create an AAD user in SQL DB
   o Connect to SQL DB using different authentication methods including MFA
5. AAD Conditional Access (optional)
   o Enable AAD Conditional Access (CA) free trial (you may need to log out and log in again)
   o Create MFA condition
   o Connect to SQL DB using CA user
AAD Workshop – detailed outline
1. Portal login
   o Log in to the Azure portal (https://portal.azure.com) using your MSA account associated with your Azure Pass subscription. Do not use your corporate account @microsoft.com or a subscription associated with your MS tenant.
   o Your Azure AD is created and set up by default (AAD setup):
     AAD: <your AAD name> (Default Directory)
     User: <Your MSA Azure Pass account>
     Custom domain name: <your AAD name>.onmicrosoft.com
   o To see the initial setup, move your mouse over your login account (see the screenshot below).
2. AAD setup
   o Go to Azure Active Directory (left-hand menu bar).
   o Review existing AAD users: your default MSA user (e.g. [email protected]).
   o Create an AAD user: go to >> Users and groups - All users; + New user
     - Create a native AAD user, e.g. alice@<your AAD name>.onmicrosoft.com
       To check the domain, go to Azure Active Directory - Custom domain names
     - Reset the password (log out from the portal and log in as the newly created user), then log in as subscription admin again
     - Create a guest user using your own microsoft.com account, e.g. <your alias>@microsoft.com; type a welcome message and click Invite
       Important: go to your MS user's e-mail inbox and confirm your guest invitation by clicking on "Get Started" (see below)
   o Create two AAD groups: go to >> Users and groups - All groups; create a new group
     - AAD SQL admin group, e.g. AADSQLadmin: add your MSA account, e.g. <Your MSA Azure Pass account>
     - AAD SQL user group, e.g. AADUser: add the native and guest user
   o Enable MFA for a specific AAD user. Please note that your Azure Pass subscription allows you to enable MFA only for native users.
     Go to >> Users and groups - All users - Multi-Factor auth
     - Enable MFA for your native user: check the box for the native user and enable MFA
3. Azure SQL Server setup
   o Use your Azure SQL server and your Clinic database created during the initial workshop setup.
   o Create an Active Directory admin for the Azure SQL Server (see the screenshot below).
4. SQL DB authentication using AAD
   o Use SSMS version 17.4.
   o Log in to the Azure SQL server master db using your MSA account (your Azure Pass account):
     - Use "Active Directory - Universal with MFA support" mode
     - Click on Options and Connection Properties; check the "AAD domain name or tenant ID" box, add your AAD domain and click Connect
     - View the SSMS connection
   o Go to your database <Clinic>, still logged in as the AAD/SQL admin, and create a user using your AAD (non-admin) group:
     CREATE USER [AADUSER] FROM EXTERNAL PROVIDER
   o Open a new SSMS connection. Connect to your server and the database using Active Directory - Integrated authentication. Please note that this authentication method (so-called Single Sign-On) is only possible for domain-joined machines.
     Alternatively, for non-domain-joined machines, use Active Directory - Universal with MFA support authentication.
     - Indicate the database you want to connect to, in this case Clinic. Please note: failing to specify the right database, i.e. the one in which such a user or group is allowed to connect, will cause a connection failure.
     - View the SSMS connection
   o Open a new SSMS connection. Connect to the database using the native user account; use "Active Directory - Universal with MFA support" mode.
     - Set up MFA and follow the MFA steps
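As an added example (not part of the workshop document), the T-SQL for this step carried a little further: it creates the contained user from the AAD group, grants it read-only access instead of leaving permissions implicit, and then verifies the principal and the identity of the connected session. It assumes the group name AADUSER from step 2 and that you are connected to the Clinic database as the AAD admin.

```sql
-- Added example: run in the Clinic database (not master) while connected as the
-- Azure AD admin from step 3. [AADUSER] is assumed to be the AAD group from step 2.

-- 1. Contained database user mapped to the Azure AD group (the command from the workshop).
CREATE USER [AADUSER] FROM EXTERNAL PROVIDER;

-- 2. Grant only what the workshop users need. Group members can now connect to Clinic
--    and read data, but cannot alter schema or grant themselves further rights.
ALTER ROLE db_datareader ADD MEMBER [AADUSER];

-- 3. Verify that the principal was created as an external (Azure AD) group rather than
--    a SQL-authenticated user. Keep this query for later audits of who can reach the DB.
SELECT name, type_desc, authentication_type_desc, create_date
FROM   sys.database_principals
WHERE  name = N'AADUSER';

-- 4. List every Azure AD user or group with access to this database, with its roles.
--    type 'E' = external user, 'X' = external group.
SELECT dp.name AS principal_name, dp.type_desc, r.name AS role_name
FROM   sys.database_principals AS dp
LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r  ON r.principal_id = rm.role_principal_id
WHERE  dp.type IN ('E', 'X')
ORDER BY dp.name, r.name;

-- 5. From the group member's own connection (Integrated or Universal with MFA):
--    confirm which Azure AD identity connected and which database user it maps to.
--    Connecting to master instead of Clinic fails because the group only exists here.
SELECT SUSER_SNAME() AS azure_ad_login,
       USER_NAME()   AS database_user,
       DB_NAME()     AS current_database;
```

For a group principal the verification query reports type_desc EXTERNAL_GROUP and authentication_type_desc EXTERNAL; a user created from an individual AAD account shows EXTERNAL_USER instead.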
5. AAD Conditional Access (optional)
   o Enable Azure AD Premium: go to Azure AD, click on Conditional access and enable the free trial of the Premium version. It may take a minute and you may need to log off and log on again.
   o Create a new policy (e.g. MFA):
     - Assign a user (select a group, i.e. AADUser)
     - Enable the policy
   o Connect to the SSMS database using your Microsoft domain credential: use the SSMS "Active Directory - Universal with MFA support" auth option and type your Microsoft credential (e.g. <your alias>@microsoft.com). You will be asked to complete the MFA step (similar to the MFA setup in Step #4). Check the connection.
   o Go back to the portal MFA policy and disable it (set to OFF).
   o Restart SSMS and connect again with your MS login.