Set up an Azure AD app to use with migration from Single Server to Flexible Server
APPLIES TO: Azure Database for PostgreSQL - Single Server; Azure Database for PostgreSQL - Flexible Server
This article shows you how to set up an Azure Active Directory (Azure AD) app to use with a migration from Azure Database for PostgreSQL Single Server to Flexible Server.
An Azure AD app helps with role-based access control (RBAC). The migration infrastructure requires access to both the source and target servers, and it's restricted by the roles assigned to the Azure AD app. After you create the Azure AD app, you can use it to manage multiple migrations.
Create an Azure AD app
1. If you're new to Microsoft Azure, create an account to evaluate the offerings.
2. In the Azure portal, enter Azure Active Directory in the search box.
3. On the page for Azure Active Directory, under Manage on the left, select App registrations.
4. Select New registration.
5. Give the app registration a name, choose an option that suits your needs for account types, and then select Register.
6. After the app is created, copy the client ID and tenant ID and store them. You'll need them for later steps in the migration. Then, select Add a certificate or secret.
7. For Certificates & Secrets, on the Client secrets tab, select New client secret.
8. On the fan-out pane, add a description, and then use the drop-down list to select the life span of your Azure AD app.
   After all the migrations are complete, you can delete the Azure AD app that you created for RBAC. The default option is 6 months. If you don't need the Azure AD app for six months, select 3 months. Then select Add.
9. In the Value column, copy the Azure AD app secret. You can copy the secret only during creation. If you miss this step, you'll need to delete the secret and create another one for future tries.
Add contributor privileges to an Azure resource
After you create the Azure AD app, you need to add contributor privileges for it to the following resources.
|Resource|Requirement|Description|
|---|---|---|
|Single Server|Required|Single Server source that you're migrating from.|
|Flexible Server|Required|Flexible Server target that you're migrating into.|
|Azure resource group|Required|Resource group for the migration. By default, this is the resource group for the Flexible Server target. If you're using a temporary resource group to create the migration infrastructure, the Azure AD app will require contributor privileges to this resource group.|
|Virtual network|Required (if used)|If the source or the target has private access, the Azure AD app will require contributor privileges to the corresponding virtual network. If you're using public access, you can skip this step.|
The following steps add contributor privileges to a Flexible Server target. Repeat the steps for the Single Server source, resource group, and virtual network (if used).
1. In the Azure portal, select the Flexible Server target. Then select Access Control (IAM) on the upper left.
2. Select Add > Add role assignment.
   Note: The Add role assignment capability is enabled only for users in the subscription who have a role type of Owners. Users who have other roles don't have permission to add role assignments.
3. On the Role tab, select Contributor > Next.
4. On the Members tab, keep the default option of User, group, or service principal for Assign access to. Click Select Members, search for your Azure AD app, and then click Select.
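After the assignments are made for all four resources, it helps to confirm that the app holds Contributor where the table requires it and nowhere else. The following is an added example, not part of the original article: it assumes input shaped like the JSON from `az role assignment list --assignee <client-id> --all`, and every subscription ID, resource group and resource name in it is a constructed placeholder.

```python
import json

# Constructed sample shaped like the JSON from
# `az role assignment list --assignee <client-id> --all`; all IDs and names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-migration"
SINGLE = RG + "/providers/Microsoft.DBforPostgreSQL/servers/pg-single"
FLEX = RG + "/providers/Microsoft.DBforPostgreSQL/flexibleServers/pg-flex"
VNET = SUB + "/resourceGroups/rg-network/providers/Microsoft.Network/virtualNetworks/vnet-db"
SAMPLE = json.dumps([
    {"roleDefinitionName": "Contributor", "scope": SINGLE},
    {"roleDefinitionName": "Contributor", "scope": RG.replace("resourceGroups", "resourcegroups")},
    {"roleDefinitionName": "Reader", "scope": VNET},
    {"roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-other"},
])

def _norm(scope):
    # ARM resource IDs compare case-insensitively; drop any trailing slash.
    return scope.rstrip("/").lower()

def audit_contributor_scopes(assignments_json, required_scopes):
    """Classify each required scope as direct, inherited or missing, and
    list Contributor grants that the resource table does not call for."""
    held = {_norm(a["scope"]): a["scope"]
            for a in json.loads(assignments_json)
            if a.get("roleDefinitionName") == "Contributor"}
    required = {_norm(s) for s in required_scopes}
    report = {"direct": [], "inherited": [], "missing": [], "unexpected": []}
    for scope in required_scopes:
        key = _norm(scope)
        if key in held:
            report["direct"].append(scope)
        elif any(key.startswith(h + "/") for h in held):
            # A grant on a parent scope (resource group, subscription) flows down.
            report["inherited"].append(scope)
        else:
            report["missing"].append(scope)
    report["unexpected"] = sorted(v for k, v in held.items() if k not in required)
    return report

if __name__ == "__main__":
    result = audit_contributor_scopes(SAMPLE, [SINGLE, FLEX, RG, VNET])
    print(json.dumps(result, indent=2))
```

In the sample, the virtual network shows up as missing because the app holds only Reader on it, and the grant on `rg-other` is reported as unexpected.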