Conditional Access with Azure SQL Database and Azure Synapse Analytics
Applies to:
Azure SQL Database
Azure SQL Managed Instance
Azure Synapse Analytics
Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics support Microsoft Conditional Access.
The following steps show how to configure Azure SQL Database, Azure SQL Managed Instance, or Azure Synapse to enforce a Conditional Access policy.
Prerequisites
- You must configure Azure SQL Database, Azure SQL Managed Instance, or dedicated SQL pool in Azure Synapse to support Azure Active Directory (Azure AD) authentication. For specific steps, see Configure and manage Azure Active Directory authentication with SQL Database or Azure Synapse.
- When Multi-Factor Authentication is enabled, you must connect with a supported tool, such as the latest SQL Server Management Studio (SSMS). For more information, see Configure Azure SQL Database multi-factor authentication for SQL Server Management Studio.
Configure conditional access
Note
The following example uses Azure SQL Database, but you should select the product for which you want to configure Conditional Access.
Sign in to the Azure portal, select Azure Active Directory, and then select Conditional Access. For more information, see Azure Active Directory Conditional Access technical reference.
In the Conditional Access-Policies blade, click New policy, provide a name, and then click Configure rules.
Under Assignments, select Users and groups, check Select users and groups, and then select the user or group for Conditional Access. Click Select, and then click Done to accept your selection.
Select Cloud apps, click Select apps. You see all apps available for Conditional Access. Select Azure SQL Database, at the bottom click Select, and then click Done.
If you can't find Azure SQL Database in the list of apps, complete the following steps:
- Connect to your database in Azure SQL Database by using SSMS with an Azure AD admin account.
- Execute CREATE USER [user@yourtenant.com] FROM EXTERNAL PROVIDER.
- Sign in to Azure AD and verify that Azure SQL Database, Azure SQL Managed Instance, or Azure Synapse is listed in the applications in your Azure AD instance.
Select Access controls, select Grant, and then check the policy you want to apply. For this example, we select Require multi-factor authentication.
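The steps above end with a policy that should require MFA for Azure SQL Database. The following added example (not part of the original page or of Microsoft's tooling) checks policies exported in the Microsoft Graph conditionalAccessPolicy JSON shape for common reasons that requirement is not actually enforced. The function names, the sample policies and the placeholder application ID are assumptions, and user or group assignment is not examined.

```python
# Constructed placeholder. Use the application ID shown for Azure SQL Database
# in your own tenant's application list.
SQL_APP_ID = "00000000-0000-0000-0000-00000000a5c1"


def mfa_gaps(policy, app_id):
    """Return the reasons why `policy` does not force MFA for `app_id`."""
    gaps = []
    state = policy.get("state")
    if state != "enabled":  # disabled or report-only policies enforce nothing
        gaps.append(f"state is {state!r}, not enforced")
    apps = (policy.get("conditions") or {}).get("applications") or {}
    included = apps.get("includeApplications") or []
    if app_id not in included and "All" not in included:
        gaps.append("app not in includeApplications")
    if app_id in (apps.get("excludeApplications") or []):
        gaps.append("app listed in excludeApplications")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "mfa" not in controls:
        gaps.append("grant controls do not include mfa")
    elif len(controls) > 1 and grant.get("operator") == "OR":
        # With OR, satisfying any other listed control skips the MFA prompt.
        gaps.append("mfa is only one of several OR alternatives")
    return gaps


def enforcing_policies(policies, app_id):
    """Names of the policies that force MFA for `app_id` without gaps."""
    return [p["displayName"] for p in policies if not mfa_gaps(p, app_id)]


def _policy(name, state, include, controls, exclude=()):
    return {"displayName": name, "state": state,
            "conditions": {"applications": {"includeApplications": list(include),
                                            "excludeApplications": list(exclude)}},
            "grantControls": {"operator": "OR", "builtInControls": list(controls)}}


SAMPLE = [  # constructed sample policies, not taken from a real tenant
    _policy("SQL-MFA", "enabled", [SQL_APP_ID], ["mfa"]),
    _policy("SQL-MFA-pilot", "enabledForReportingButNotEnforced", [SQL_APP_ID], ["mfa"]),
    _policy("All-MFA-or-compliant", "enabled", ["All"], ["mfa", "compliantDevice"]),
    _policy("All-MFA-except-SQL", "enabled", ["All"], ["mfa"], exclude=[SQL_APP_ID]),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p["displayName"], mfa_gaps(p, SQL_APP_ID) or "enforces MFA")
```

Only the first sample policy passes; the others are report-only, let a compliant device stand in for MFA, or exclude the SQL app.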
Summary
The selected application (Azure SQL Database), using Azure AD Premium, now enforces the selected Conditional Access policy, Require multi-factor authentication.
For questions about Azure SQL Database and Azure Synapse regarding multi-factor authentication, contact MFAforSQLDB@microsoft.com.
Next steps
For a tutorial, see Secure your database in SQL Database.