how to login to Azure Database for MySQL flexible server using aad user

Question

how to login to Azure Database for MySQL flexible server using aad user

Rakesh Negi 20

i have created a Azure Database for MySQL flexible server and assigned a umi to it and assign access to mode is mysql and microsoft entra authentication. The microsoft entra admin group is able to login to MySQL flexible server using entra group name as user and token as password but the users added under entra group are not able to login to the sql server with their email id getting error as :

MySQL Workbench

X Cannot Connect to Database Server

Your connection attempt failed for user '******@domain.com' to the MySQL server at

cd-usw-sql.mysql.database.azure.com:3306:

Access denied for user (using password: YES)

Please:

1 Check that MySQL is running on address cd-usw-sql.mysql.database.azure.com

2 Check that MySQL is reachable on port 3306 (note: 3306 is the default, but this can be changed)

Mahesh Kurva 5,025 Reputation points Microsoft External Staff Moderator

2025-01-29T20:43:26.0033333+00:00

Hi @Rakesh Negi,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

As I understand, you've set up Microsoft Entra authentication correctly for the admin group, but individual users are encountering issues. Here are a few steps to help troubleshoot this problem:

1.Ensure that the users have been granted the necessary permissions in Microsoft Entra ID to access the MySQL server. They should be part of the group that has been assigned as the Microsoft Entra admin.

2.Confirm that the authentication mode is set to "MySQL and Microsoft Entra authentication" on your MySQL flexible server. This allows both MySQL native and Microsoft Entra authentication.

3.Make sure the users are retrieving the correct token for authentication. They should use the Azure CLI or another method to get a valid token and use it as the password when logging in.

4.Ensure that the server parameter aad_auth_only is set to OFF if you want to allow both MySQL native and Microsoft Entra authentication.

For more information, please refer the document: https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-azure-ad-authentication

5.Verify that the MySQL server is accessible on the specified address and port (3306). Ensure there are no network issues or firewall rules blocking the connection.

6.Ensure that the users are correctly mapped in the MySQL database. They should have corresponding entries in the MySQL user table that map to their Microsoft Entra identities.

If the above steps don't resolve the issue, you may want to check the detailed setup and troubleshooting guide on the Set up Microsoft Entra authentication for Azure Database for MySQL - Flexible Server.

I hope this information helps. Please do let us know if you have any further queries.
Rakesh Negi 20 Reputation points

2025-01-30T05:29:53.0066667+00:00

Thanks Mahesh ,i checked all points are covered, as user is unable to login to sql server with email id which is already part of entra group so i doubt below points will be valid :

"Ensure that the users are correctly mapped in the MySQL database. They should have corresponding entries in the MySQL user table that map to their Microsoft Entra identities."

what could be the reason for
Access denied for user (using password: YES)
Mahesh Kurva 5,025 Reputation points Microsoft External Staff Moderator

2025-01-31T22:36:16.97+00:00

Hi @Rakesh Negi,

Just checking in to see if the below answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Accepted answer

0 additional answers

Your answer

Mahesh Kurva 5,025 Reputation points Microsoft External Staff Moderator

2025-01-29T20:43:26.0033333+00:00

Hi @Rakesh Negi,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

As I understand, you've set up Microsoft Entra authentication correctly for the admin group, but individual users are encountering issues. Here are a few steps to help troubleshoot this problem:

1.Ensure that the users have been granted the necessary permissions in Microsoft Entra ID to access the MySQL server. They should be part of the group that has been assigned as the Microsoft Entra admin.

2.Confirm that the authentication mode is set to "MySQL and Microsoft Entra authentication" on your MySQL flexible server. This allows both MySQL native and Microsoft Entra authentication.

3.Make sure the users are retrieving the correct token for authentication. They should use the Azure CLI or another method to get a valid token and use it as the password when logging in.

4.Ensure that the server parameter aad_auth_only is set to OFF if you want to allow both MySQL native and Microsoft Entra authentication.

For more information, please refer the document: https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-azure-ad-authentication

5.Verify that the MySQL server is accessible on the specified address and port (3306). Ensure there are no network issues or firewall rules blocking the connection.

6.Ensure that the users are correctly mapped in the MySQL database. They should have corresponding entries in the MySQL user table that map to their Microsoft Entra identities.

If the above steps don't resolve the issue, you may want to check the detailed setup and troubleshooting guide on the Set up Microsoft Entra authentication for Azure Database for MySQL - Flexible Server.

I hope this information helps. Please do let us know if you have any further queries.
Rakesh Negi 20 Reputation points

2025-01-30T05:29:53.0066667+00:00

Thanks Mahesh ,i checked all points are covered, as user is unable to login to sql server with email id which is already part of entra group so i doubt below points will be valid :

"Ensure that the users are correctly mapped in the MySQL database. They should have corresponding entries in the MySQL user table that map to their Microsoft Entra identities."

what could be the reason for
Access denied for user (using password: YES)
Mahesh Kurva 5,025 Reputation points Microsoft External Staff Moderator

2025-01-31T22:36:16.97+00:00

Hi @Rakesh Negi,

Just checking in to see if the below answer helped. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 1

Mahesh Kurva 5,025 Microsoft External Staff Moderator

Hi @Rakesh Negi,

Thanks for the response.Given that you've already verified the key points, let's delve deeper into potential causes for the "Access denied for user (using password: YES)" error:

Ensure that the token being used by the users is not expired. Tokens have a limited lifespan, and an expired token will result in an access denied error.
Verify that the token has the correct scope. The token should include the necessary permissions to access the MySQL server. Users can obtain the token using the Azure CLI with the appropriate scope.
Confirm that the users are using the correct format for their User Principal Name (UPN). It should match the format expected by the MySQL server, typically ******@domain.com.
Double-check the server configuration to ensure that it is set to allow Microsoft Entra authentication. The aad_auth_only parameter should be set correctly based on your authentication mode.
Ensure that there are no firewall rules blocking the connection from the users' IP addresses. The MySQL server should be accessible from the users' network.
Verify that MySQL Workbench is configured correctly to use the token as the password. Sometimes, configuration issues in the client tool can lead to authentication errors. For more information, please refer the documents:

https://learn.microsoft.com/en-us/azure/mysql/flexible-server/how-to-azure-ad

https://learn.microsoft.com/en-us/azure/mysql/flexible-server/concepts-azure-ad-authentication

Hope this helps. Do let us know if you any further queries.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Rakesh Negi 20 Reputation points

2025-01-30T18:07:20.5633333+00:00

Thanks again Mahesh . We connect with Microsoft support and they suggest only entra group can login to sql with that entra group name as user name for login and token as password it will not support user email id the user which are already added under entra group . Need your opinion if user login is allowed or not
Mahesh Kurva 5,025 Reputation points Microsoft External Staff Moderator

2025-01-30T23:34:55.3366667+00:00

Hi @Rakesh Negi,

Thanks for getting back to me.

Based on the information from Microsoft support, it seems that the current setup only allows the Entra group to log in using the group name as the username and a token as the password. Individual users within the group cannot log in using their email IDs.

This means that user-specific logins with their email IDs are not supported in this configuration. Only the group as a whole can authenticate using the group name and token.

If you need individual user logins, you might need to explore alternative authentication methods or configurations that support user-specific access. For now, it appears that the group-based login is the only supported method for Microsoft Entra authentication with your MySQL flexible server.

I hope this information helps. Please do let us know if you have any further queries.
Mahesh Kurva 5,025 Reputation points Microsoft External Staff Moderator

2025-02-03T08:58:12.73+00:00

Hi @Rakesh Negi,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Share via

how to login to Azure Database for MySQL flexible server using aad user

0 additional answers

Your answer