Integrated Authentication to Azure SQL from Azure Linux VM

Simon Harrison 6 Reputation points
2022-04-06T01:34:54.757+00:00

Scenario:
1. Azure SQL database with AAD authentication, with permissions based on AAD group and row-level security based on user name.
2. Linux VM in the same resource group as the SQL server, running Python and R code that accesses the database.
3. User connects to the VM and is authenticated via AAD.
4. What is then required to connect to the database as that user?

The user is already authenticated with AAD.
We can't use MFA as the VM is executing in server mode.
We can't use MSI as this masks the user for database security.
Clearly we don't want to use UID/PWD as this requires a complete parallel security scheme to AAD.
So that appears to leave Authentication = ActiveDirectoryIntegrated.
So far we have been unable to find guidance on how this might work in this scenario.

This is essentially the scenario represented by the Query Editor in the Azure portal for SQL Database.

Question 1: Is ActiveDirectoryIntegrated the right answer for this?
Question 2: If yes - what is required to enable this on Linux VM?
Question 3: If no - what is the alternative?


1 answer

  1. GeethaThatipatri-MSFT 27,642 Reputation points Microsoft Employee
    2022-04-07T12:14:35.723+00:00

    Hi @Simon Harrison, welcome to Microsoft Q&A. Thanks for reaching out.

    "We can't use MFA as the VM is executing in server mode"
    Not sure why you cannot use the interactive mode, also called “Universal with MFA” in SSMS.
    First of all, there is no MFA if it is not enabled at the AAD level. For SSMS, when you indicate the AAD user, this mode will ask you interactively to type a password and, with this information, it will authenticate to the Azure SQL database. For applications, the type of this mode is “Interactive”.
    Coming to Azure AD Integrated mode:
    Not much can be done at the SQL level. You need to federate your domain with Azure Active Directory.

    I am not a Linux expert; however, I am checking with the internal product team to provide you with more details. But for a Windows OS that uses Active Directory (AD), the Windows domain must be federated with AAD (in this example an AD is synchronized/federated with AAD). That allows using Windows authentication.

    See more here: Azure AD Connect: Supported topologies | Microsoft Learn, and Azure AD Connect sync.

    Regards
    Geetha
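The two authentication modes discussed in the question and the answer (ActiveDirectoryIntegrated versus the interactive mode), and the reason MSI is unsuitable when row-level security keys on the user name, can be made concrete from the Python side of the VM. The following is an added example, not code from the question, the answer or Microsoft; it assumes the Microsoft ODBC Driver for SQL Server and pyodbc are installed on the VM, uses the driver's documented `Authentication=` keyword values, and uses constructed placeholder server, database and user names. The `verify_identity` check is the part a practitioner most wants: after connecting, `SELECT SUSER_SNAME()` shows whether SQL sees the AAD user's UPN (which RLS needs) or the VM's managed identity.

```python
"""Build an Azure SQL ODBC connection string for a chosen Azure AD mode and
verify which identity the database actually sees.

Added example; assumptions not stated on the page:
  * Microsoft ODBC Driver 17/18 for SQL Server + pyodbc on the Linux VM.
  * The Authentication= values below are the driver's own keywords.
  * Server/database/user values are constructed placeholders.
"""
from __future__ import annotations

from typing import Dict, Optional

# Driver Authentication= values and what each one implies for the scenario.
MODES: Dict[str, Dict[str, object]] = {
    # Reuses the caller's existing domain (Kerberos) credential: no password in code,
    # and SQL sees the individual user, so per-user RLS keeps working.
    "integrated": {"keyword": "ActiveDirectoryIntegrated", "needs_uid": False, "human": False},
    # Prompts the signed-in user for credentials: needs a human at the console.
    "interactive": {"keyword": "ActiveDirectoryInteractive", "needs_uid": True, "human": True},
    # Authenticates as the VM's managed identity: every user looks the same to RLS.
    "msi": {"keyword": "ActiveDirectoryMsi", "needs_uid": False, "human": False},
}


def build_connection_string(server: str, database: str, mode: str,
                            user: Optional[str] = None,
                            driver: str = "ODBC Driver 18 for SQL Server") -> str:
    """Return an ODBC connection string for `mode`.

    Raises ValueError for an unknown mode or a missing UID where the mode needs
    one, so a misconfiguration fails before any network call is attempted.
    No PWD= is ever emitted: every mode here is token/credential based.
    """
    try:
        spec = MODES[mode]
    except KeyError:
        raise ValueError(f"unknown auth mode {mode!r}; expected one of {sorted(MODES)}") from None
    if spec["needs_uid"] and not user:
        raise ValueError(f"{spec['keyword']} requires the Azure AD user principal name as UID")
    parts = [
        f"Driver={{{driver}}}",
        f"Server=tcp:{server},1433",
        f"Database={database}",
        "Encrypt=yes",
        "TrustServerCertificate=no",
        f"Authentication={spec['keyword']}",
    ]
    if user:
        parts.append(f"UID={user}")
    return ";".join(parts) + ";"


def connect(server: str, database: str, mode: str, user: Optional[str] = None):
    """Open the connection with pyodbc (imported lazily so the rest of the
    module, and the string builder, run on a machine without the driver)."""
    import pyodbc  # type: ignore
    return pyodbc.connect(build_connection_string(server, database, mode, user))


# Azure SQL returns the Azure AD login name (the UPN) for AAD principals.
IDENTITY_QUERY = "SELECT SUSER_SNAME()"


def verify_identity(cursor, expected_upn: str) -> bool:
    """Confirm the database sees the expected AAD user rather than, say, the
    VM's managed identity; compares case-insensitively because UPN case varies.
    `cursor` is any DB-API cursor (a pyodbc cursor in practice)."""
    cursor.execute(IDENTITY_QUERY)
    row = cursor.fetchone()
    actual = row[0] if row else None
    return actual is not None and str(actual).lower() == expected_upn.lower()


if __name__ == "__main__":
    # Placeholder values; swap in your own server, database and user.
    print(build_connection_string("example-server.database.windows.net", "exampledb", "integrated"))
    print(build_connection_string("example-server.database.windows.net", "exampledb",
                                  "interactive", user="alice@contoso.example"))
```

For the integrated mode the string carries no UID or PWD at all: the driver looks for the domain credential the user already holds on the VM, which is exactly why the domain must be federated with AAD as the answer explains. Running `verify_identity` right after connecting is the cheapest way to catch the MSI pitfall from the question, since a managed-identity connection will report the VM's identity, not the user's UPN.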