Conditional Access with Azure SQL Database and Azure Synapse Analytics

Applies to: Azure SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics

Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics support Microsoft Conditional Access.

The following steps show how to configure Azure SQL Database, SQL Managed Instance, or Azure Synapse to enforce a Conditional Access policy.

Prerequisites

Configure conditional access

Note

The example below uses Azure SQL Database, but you should select the product for which you want to configure Conditional Access.

  1. Sign in to the Azure portal, select Azure Active Directory, and then select Conditional Access. For more information, see Azure Active Directory Conditional Access technical reference.
    (Screenshot: Conditional Access blade)

  2. In the Conditional Access-Policies blade, click New policy, provide a name, and then click Configure rules.

  3. Under Assignments, select Users and groups, check Select users and groups, and then select the user or group for Conditional Access. Click Select, and then click Done to accept your selection.
    (Screenshot: select users and groups)

  4. Select Cloud apps, click Select apps. You see all apps available for Conditional Access. Select Azure SQL Database, at the bottom click Select, and then click Done.
    (Screenshot: select SQL Database)
    If Azure SQL Database is not listed as shown in the third screenshot, complete the following steps:

    • Connect to your database in Azure SQL Database by using SSMS with an Azure AD admin account.
    • Execute CREATE USER [user@yourtenant.com] FROM EXTERNAL PROVIDER.
    • Sign in to Azure AD and verify that Azure SQL Database, SQL Managed Instance, or Azure Synapse is listed in the applications in your Azure AD instance.
  5. Select Access controls, select Grant, and then check the policy you want to apply. For this example, we select Require multi-factor authentication.
    (Screenshot: select grant access)

Summary

The selected application (Azure SQL Database), using Azure AD Premium, now enforces the selected Conditional Access policy, Require multi-factor authentication.
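To confirm that the policy built in the steps above really enforces multi-factor authentication for Azure SQL Database, the following added example (not part of the original article or Microsoft's own code) audits a policy exported in the Microsoft Graph conditionalAccessPolicy JSON form. The application ID constant, the function name audit_policy and both sample policies are assumptions constructed for illustration; confirm the application ID against the Azure SQL Database entry in your own tenant.

```python
# Added example: audit an exported Conditional Access policy (Microsoft Graph JSON).
# Assumed Azure SQL Database application ID; verify it in your tenant.
SQL_APP_ID = "022907d3-0f1b-48f7-badc-1ba6abab6d66"

def audit_policy(policy, app_id=SQL_APP_ID):
    """Return findings; an empty list means MFA is enforced for the app."""
    findings = []
    state = policy.get("state")
    if state != "enabled":  # report-only and disabled policies do not enforce
        findings.append(f"policy state is {state!r}, not 'enabled'")
    cond = policy.get("conditions") or {}
    apps = cond.get("applications") or {}
    included = apps.get("includeApplications") or []
    if app_id not in included and "All" not in included:
        findings.append("Azure SQL Database is not in includeApplications")
    if app_id in (apps.get("excludeApplications") or []):
        findings.append("Azure SQL Database is in excludeApplications")
    users = cond.get("users") or {}
    if not (users.get("includeUsers") or users.get("includeGroups")
            or users.get("includeRoles")):
        findings.append("no users, groups or roles are assigned")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "mfa" not in controls:
        findings.append("grant controls do not include 'mfa'")
    elif len(controls) > 1 and grant.get("operator") == "OR":
        findings.append("'mfa' is OR'd with other controls, so another "
                        "control can satisfy the policy without MFA")
    return findings

# Constructed sample policies (placeholder group ID, not from a real tenant).
GOOD = {
    "displayName": "Require MFA for Azure SQL Database",
    "state": "enabled",
    "conditions": {
        "applications": {"includeApplications": [SQL_APP_ID]},
        "users": {"includeGroups": ["00000000-0000-0000-0000-000000000001"]},
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
WEAK = dict(GOOD, state="enabledForReportingButNotEnforced",
            grantControls={"operator": "OR",
                           "builtInControls": ["mfa", "compliantDevice"]})

if __name__ == "__main__":
    for name, pol in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_policy(pol) or "MFA enforced")
```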

For questions about Azure SQL Database and Azure Synapse regarding multi-factor authentication, contact MFAforSQLDB@microsoft.com.

Next steps

For a tutorial, see Secure your database in SQL Database.