How to add the Azure Active Directory Administrator on a SQL Server to an Azure group once the SQL server deploys

Dimeji Olayinka 37 Reputation points
2021-02-09T03:36:49.423+00:00

I am trying to create an automated process that adds the Azure Active Directory on a SQL Server to an Azure group once the SQL server deploys. The group I want to add too is a security group. I am thinking about using Azure policy to implement this. What would the policy rule look like? If there is a better Azure service/feature to implement my task what is it?

Azure SQL Database
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
932 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,437 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Swathi Dhanwada 18,781 Reputation points Microsoft Employee
    2021-02-12T20:48:04.033+00:00

    @Dimeji Olayinka Here is sample policy definition that has worked for me which evaluates and provides the complaint and non-complaint resources on the existing resources. Also kindly note, during an evaluation cycle, policy definitions with a "DeployIfNotExists" effect that match resources are marked as non-compliant, but no action is taken on that resource. Existing non-compliant resources can be remediated with a remediation task.

    {  
      "mode": "All",  
      "policyRule": {  
        "if": {  
          "allOf": [  
            {  
              "field": "type",  
              "equals": "Microsoft.Sql/servers"  
            }  
          ]  
        },  
        "then": {  
          "effect": "deployIfNotExists",  
          "details": {  
            "type": "Microsoft.Sql/servers/administrators",  
            "existenceCondition": {  
              "allOf": [  
                {  
                  "field": "Microsoft.Sql/servers/administrators/administratorType",  
                  "equals": "ActiveDirectory"  
                },  
                {  
                  "field": "Microsoft.Sql/servers/administrators/login",  
                  "equals": "xxxx@xxxxxx.com"  
                },  
                {  
                  "field": "Microsoft.Sql/servers/administrators/sid",  
                  "equals": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx"  
                },  
                {  
                  "field": "Microsoft.Sql/servers/administrators/tenantId",  
                  "equals": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx"  
                }  
              ]  
            },  
            "deployment": {  
              "properties": {  
                "mode": "incremental",  
                "template": {  
                  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",  
                  "contentVersion": "1.0.0.0",  
                  "parameters": {  
                    "location": {  
                      "type": "string"  
                    },  
                    "sqlServerName": {  
                      "type": "string"  
                    }  
                  },  
                  "variables": {},  
                  "resources": [  
                    {  
                      "name": "[parameters('sqlServerName')]",  
                      "type": "Microsoft.Sql/servers",  
                      "apiVersion": "2019-06-01-preview",  
                      "location": "[parameters('location')]",  
                      "resources": [  
                        {  
                          "type": "Microsoft.Sql/servers/administrators",  
                          "apiVersion": "2019-06-01-preview",  
                          "name": "[concat(parameters('sqlServerName'), '/ActiveDirectory')]",  
                          "dependsOn": [  
                            "[resourceId('Microsoft.Sql/servers', parameters('sqlServerName'))]"  
                          ],  
                          "properties": {  
                            "administratorType": "ActiveDirectory",  
                            "login": "xxxx@xxxxxx.com",  
                            "sid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx",  
                            "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx"  
                          }  
                        }  
                      ]  
                    }  
                  ]  
                },  
                "parameters": {  
                  "sqlServerName": {  
                    "value": "[field('Name')]"  
                  },  
                  "location": {  
                    "value": "[field('Location')]"  
                  }  
                }  
              }  
            },  
            "roleDefinitionIds": [  
              "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",  
              "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"  
            ]  
          }  
        }  
      },  
      "parameters": {}  
    }  
    
    1 person found this answer helpful.
    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.