Secure with Microsoft Entra authentication
Managing database security can become complex as the size and complexity of the database environment grows, making it challenging to maintain a consistent security posture across all databases and systems.
Microsoft Entra ID provides a cloud-based centralized authentication authority that employs advanced authentication methods. SQL Server 2022 has introduced support for logins and users that are based on Microsoft Entra accounts.
Architecture
Let's review how Microsoft Entra authentication works for SQL Server 2022:
- The Azure extension for SQL Server retrieves data from Microsoft Entra ID and stores it in the Windows registry.
- The user logs in to SQL Server 2022 using Microsoft Entra ID.
- SQL Server searches the registry for the metadata containing the necessary information to connect to Microsoft Entra ID and establish a connection.
Like Azure SQL Managed Instance and Azure SQL Database, SQL Server 2022 supports a new syntax for CREATE LOGIN
and CREATE USER
to support EXTERNAL PROVIDER
. Use the CREATE USER
T-SQL statement with a Microsoft Entra account to provide authentication to users in a database without the need for a login.
As we can see, SQL Server 2022 uses Microsoft Entra ID to provide secure and simplified access management for users.
To see the Microsoft Entra authentication methods available on SQL Server 2022, see Microsoft Entra authentication for SQL Server
Exercise: Configure Microsoft Entra authentication for SQL Server 2022
To run this exercise, make sure you meet these requirements before you start:
- SQL Server 2022 (16.x) or later is installed.
- SQL Server is connected to Azure.
- Azure Key Vault. The user setting up Microsoft Entra admin should have the Contributor role on Azure Key Vault.
- SQL Server – Azure Arc resource should have the Contributor role for the server.
Configure Microsoft Entra admin for SQL Server using the Azure portal
Navigate to SQL Server – Azure Arc on Azure portal, and select the instance for your SQL Server host. Make sure it's connected by going to the Properties menu.
Select Microsoft Entra ID on the left-hand column, and then select Set Admin. Select an account to be added as an admin for SQL Server.
Select Service-managed cert, then select Change key vault and select your existing Azure Key vault resource.
Select Service-managed app registration, then Save.
Note
Wait until the process completes before proceeding to the next step.
Grant permission to the Microsoft Entra application
Navigate to Microsoft Entra ID on Azure portal.
Select App registrations.
Select the newly created application. The application should have a name in the format of
<hostname>-<instanceName><uniqueNumber>
.Select the API permissions menu, then select Grant admin consent.
Connect to SQL Server using Microsoft Entra authentication
You can now connect to SQL Server using Microsoft Entra authentication:
As we've seen SQL Server 2022 provides simplified access management for SQL Server users authenticating using Microsoft Entra ID.