Commit 23a8aa0

sql msi and synapse output
1 parent 4f5f490 commit 23a8aa0

10 files changed, +147 -7 lines changed

articles/stream-analytics/TOC.yml

Lines changed: 10 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -127,14 +127,18 @@
127127
href: copy-job.md
128128
- name: Pair jobs for reliability
129129
href: stream-analytics-job-reliability.md
130-
- name: Authenticate with managed identity - ADLS Gen 1 output
131-
href: stream-analytics-managed-identities-adls.md
132130
- name: Use SQL reference data
133131
href: sql-reference-data.md
134-
- name: Authenticate with managed identity - Blob output
135-
href: blob-output-managed-identity.md
136-
- name: Authenticate with managed identity - Power BI
137-
href: powerbi-output-managed-identity.md
132+
- name: Authenticate with managed identity
133+
items:
134+
- name: ADLS Gen 1
135+
href: stream-analytics-managed-identities-adls.md
136+
- name: Blob storage
137+
href: blob-output-managed-identity.md
138+
- name: Power BI
139+
href: powerbi-output-managed-identity.md
140+
- name: Azure SQL DB
141+
href: sql-db-output-managed-identity.md
138142
- name: Encrypt your data
139143
href: data-protection.md
140144
- name: Build solutions
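Review bot: the new child entry `Azure SQL DB` (new line 140) abbreviates the product name, while the article it links to is titled "Use managed identities to access Azure SQL Database"; spell it out as `Azure SQL Database` so the TOC label matches the article. The regrouping also drops the word "output" that two of the old entry names carried ("ADLS Gen 1 output", "Blob output"), so if these articles only cover output sinks, say so in the parent name rather than leaving "Authenticate with managed identity" unqualified.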
Lines changed: 109 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,109 @@
1+
---
2+
title: Use managed identities to access Azure SQL Database - Azure Stream Analytics
3+
description: This article describes how to use managed identities to authenticate your Azure Stream Analytics job to Azure SQL DB output.
4+
author: mamccrea
5+
ms.author: mamccrea
6+
ms.service: stream-analytics
7+
ms.topic: conceptual
8+
ms.date: 05/08/2020
9+
---
10+
11+
# Use managed identities to access Azure SQL Database from an Azure Stream Analytics job (Preview)
12+
13+
Azure Stream Analytics supports [Managed Identity authentication](../active-directory/managed-identities-azure-resources/overview.md) for Azure SQL Database output sinks. Managed identities eliminate the limitations of user-based authentication methods, like the need to reauthenticate due to password changes or user token expirations that occur every 90 days. When you remove the need to manually authenticate, your Stream Analytics deployments can be fully automated.
14+
15+
A managed identity is a managed application registered in Azure Active Directory that represents a given Stream Analytics job. The managed application is used to authenticate to a targeted resource. This article shows you how to enable Managed Identity for an Azure SQL Database output(s) of a Stream Analytics job through the Azure portal.
16+
17+
## Prerequisites
18+
19+
The following are required to this feature:
20+
21+
- An Azure Stream Analytics job.
22+
23+
- An Azure SQL Database resource.
24+
25+
## Create a managed identity
26+
27+
First, you create a managed identity for your Azure Stream Analytics job.
28+
29+
1. In the [Azure portal](https://portal.azure.com), open your Azure Stream Analytics job.
30+
31+
1. From the left navigation menu, select **Managed Identity** located under **Configure**. Then, check the box next to **Use System-assigned Managed Identity** and select **Save**.
32+
33+
![Select system-assigned managed identity](./media/sql-db-output-managed-identity/system-assigned-managed-identity.png)
34+
35+
36+
A service principal for the Stream Analytics job's identity is created in Azure Active Directory. The life cycle of the newly created identity is managed by Azure. When the Stream Analytics job is deleted, the associated identity (that is, the service principal) is automatically deleted by Azure.
37+
38+
1. When you save the configuration, the Object ID (OID) of the service principal is listed as the Principal ID as shown below:
39+
40+
![Object ID shown as Principal ID](./media/sql-db-output-managed-identity/principal-id.png)
41+
42+
The service principal has the same name as the Stream Analytics job. For example, if the name of your job is *MyASAJob*, the name of the service principal is also *MyASAJob*.
43+
44+
## Select an Active Directory admin
45+
46+
After you've created a managed identity, you select an Active Directory admin.
47+
48+
1. Navigate to your Azure SQL Database resource and select the SQL Server that the database is under. You can find the SQL Server name next to *Server name* on the resource overview page.
49+
50+
1. Select **Active Directory Admin** under **Settings**. Then, select **Set admin**.
51+
52+
![Active Directory admin page](./media/sql-db-output-managed-identity/active-directory-admin-page.png)
53+
54+
1. On the Active Directory admin page, search for a user or group to be an administrator for the SQL Server and click **Select**.
55+
56+
![Add Active Directory admin](./media/sql-db-output-managed-identity/add-admin.png)
57+
58+
1. Select **Save** on the **Active Directory admin** page. The process for changing admin takes a few minutes.
59+
60+
## Create a database user
61+
62+
Next, you create a contained database user in your SQL Database that is mapped to the Azure Active Directory identity. The contained database user doesn't have a login for the master database, but it maps to an identity in the directory that is associated with the database. The Azure Active Directory identity can be an individual user account or a group. In this case, you want to create a contained database user for your Stream Analytics job.
63+
64+
1. Connect to the SQL database using SQL Server Management Studio. The **User name** is an Azure Active Directory user with the **ALTER ANY USER** permission. The admin you set on the SQL Server is an example. Use **Azure Active Directory – Universal with MFA** authentication.
65+
66+
![Connect to SQL Server](./media/sql-db-output-managed-identity/connect-sql-server.png)
67+
68+
The server name `<SQL Server name>.database.windows.net` may be different in different regions. For example, the China region should use `<SQL Server name>.database.chinacloudapi.cn`.
69+
70+
You can specify a specific SQL Database by going to **Options > Connection Properties > Connect to Database**.
71+
72+
![SQL Server connection properties](./media/sql-db-output-managed-identity/sql-server-connection-properties.png)
73+
74+
1. When you connect for the first time, you may encounter the following window:
75+
76+
![New firewall rule window](./media/sql-db-output-managed-identity/new-firewall-rule.png)
77+
78+
1. If so, go to your SQL Server resource on the Azure portal. Under the **Security** section, open the **Firewalls and virtual network** page.
79+
1. Add a new rule with any rule name.
80+
1. Use the *From* IP address from the **New Firewall Rule** window for the *Start IP*.
81+
1. Use the *To* IP address from the **New Firewall Rule** window for *End IP*.
82+
1. Select **Save** and attempt to connect from SQL Server Management Studio again.
83+
84+
1. Once you are connected, create the contained database user. The following SQL command creates a contained database user that has the same name as your Stream Analytics job. Be sure to include the brackets around the *ASA_JOB_NAME*. Use the following T-SQL syntax and run the query.
85+
86+
```sql
87+
CREATE USER [ASA_JOB_NAME] FROM EXTERNAL PROVIDER;
88+
```
89+
90+
## Grant Stream Analytics job permissions
91+
92+
The Stream Analytics job has permission from Managed Identity to **CONNECT** to your SQL Database resource. Most likely, it would be efficient to allow the Stream Analytics job to run commands such as **SELECT**. You can grant those permissions to the Stream Analytics job using SQL Server Management Studio. For more information, see the [GRANT (Transact-SQL)](https://docs.microsoft.com/sql/t-sql/statements/grant-transact-sql?view=sql-server-ver15) reference.
93+
94+
Alternatively, you can right-click on your SQL database in SQL Server Management Studio and select **Properties > Permissions**. From the permissions menu, you can see the Stream Analytics job you added previously, and you can manually grant or deny permissions as you see fit.
95+
96+
## Create an Azure SQL Database output
97+
98+
Now that your managed identity is configured, you're ready to add the Azure SQL Database as output to your Stream Analytics job.
99+
100+
1. Go back to your Stream Analytics job, and navigate to the **Outputs** page under **Job Topology**.
101+
102+
1. Select **Add > SQL Database**. In the output properties window of the SQL Database output sink, select **Managed Identity** from the Authentication mode drop-down.
103+
104+
1. Fill out the rest of the properties. To learn more about creating an SQL Database output, see [Create a SQL Database output with Stream Analytics](stream-analytics-define-outputs.md#sql-database). When you are finished, select **Save**.
105+
106+
## Next steps
107+
108+
* [Understand outputs from Azure Stream Analytics](stream-analytics-define-outputs.md)
109+
* [Azure Stream Analytics output to Azure SQL Database](stream-analytics-sql-output-perf.md)
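Review bot: the "Grant Stream Analytics job permissions" section (new lines 90-94) never states which permissions the job actually needs on the output table; it only says it "would be efficient" to allow "commands such as **SELECT**" and links to the general GRANT reference. For an output sink, name the minimum permission set and show a GRANT statement for the `[ASA_JOB_NAME]` user scoped to the target table, so readers do not fall back to granting broadly at database level through **Properties > Permissions**. Smaller points: line 19, "The following are required to this feature", is missing "use"; line 64 should say why the admin set in the previous section is only "an example" of an account with **ALTER ANY USER**; and the firewall sub-steps at lines 78-82 should state whether the new rule is needed only for the SQL Server Management Studio session and can be removed once the contained user exists.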

articles/stream-analytics/stream-analytics-define-outputs.md

Lines changed: 28 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ ms.author: mamccrea
66
ms.reviewer: mamccrea
77
ms.service: stream-analytics
88
ms.topic: conceptual
9-
ms.date: 02/14/2020
9+
ms.date: 05/8/2020
1010
---
1111

1212
# Understand outputs from Azure Stream Analytics
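Review bot: the new value `ms.date: 05/8/2020` at line 9 drops the zero padding on the day, while the line it replaces used `02/14/2020` and the new article added in this same commit uses `05/08/2020`. Change it to `05/08/2020` so the metadata keeps a consistent MM/DD/YYYY form.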
@@ -61,6 +61,33 @@ The following table lists the property names and their description for creating
6161
|Inherit partition scheme| An option for inheriting the partitioning scheme of your previous query step, to enable fully parallel topology with multiple writers to the table. For more information, see [Azure Stream Analytics output to Azure SQL Database](stream-analytics-sql-output-perf.md).|
6262
|Max batch count| The recommended upper limit on the number of records sent with every bulk insert transaction.|
6363

64+
There are two adapters that enable output from Azure Stream Analytics to Azure Synapse Analytics (formerly SQL Data Warehouse): SQL Database and Azure Synapse. We recommend that you choose the Azure Synapse Analytics adapter instead of the SQL Database adapter if any of the following conditions hold true:
65+
66+
* **Throughput**: If your expected throughput now or in the future is greater than 10MB/sec, use the Azure Synapse output option for better performance.
67+
68+
* **Input Partitions**: If you have eight or more input partitions, use the Azure Synapse output option for better scale-out.
69+
70+
## Azure Synapse Analytics (Preview)
71+
72+
[Azure Synapse Analytics](https://azure.microsoft.com/services/synapse-analytics) (formerly SQL Data Warehouse) is a limitless analytics service that brings together enterprise data warehousing and Big Data analytics.
73+
74+
Azure Stream Analytics jobs can output to a SQL pool table in Azure Synapse Analytics and can process throughput rates up to 200MB/sec. This supports the most demanding real-time analytics and hot-path data processing needs for workloads such as reporting and dashboarding.
75+
76+
The SQL pool table must exist before you can add it as output to your Stream Analytics job. The table's schema must match the fields and their types in your job's output.
77+
78+
To use Azure Synapse as output, you need to ensure that you have the storage account configured. Navigate to Storage account settings to configure the storage account. Only the storage account types that support tables are permitted: General-purpose V2 and General-purpose V1.
79+
80+
The following table lists the property names and their descriptions for creating am Azure Synapse Analytics output.
81+
82+
|Property name|Description|
83+
|-|-|
84+
|Output alias |A friendly name used in queries to direct the query output to this database. |
85+
|Database |SQL pool name where you're sending your output. |
86+
|Server name |Azure Synapse server name. |
87+
|Username |The username that has write access to the database. Stream Analytics supports only SQL authentication. |
88+
|Password |The password to connect to the database. |
89+
|Table | The table name where the output is written. The table name is case-sensitive. The schema of this table should exactly match the number of fields and their types that your job output generates.|
90+
6491
## Blob storage and Azure Data Lake Gen2
6592

6693
Data Lake Storage Gen2 makes Azure Storage the foundation for building enterprise data lakes on Azure. Designed from the start to service multiple petabytes of information while sustaining hundreds of gigabits of throughput, Data Lake Storage Gen2 allows you to easily manage massive amounts of data.A fundamental part of Data Lake Storage Gen2 is the addition of a hierarchical namespace to Blob storage.
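Review bot: in the new property table the Username row (line 87) says "Stream Analytics supports only SQL authentication", which reads as a statement about the whole service even though this same commit documents managed identity authentication for the SQL Database output; scope it, for example "The Azure Synapse output supports only SQL authentication". Since that leaves a username and password as the only option here, the Username row should also say that the account needs write access to the output table only, matching the Table row. Also: line 80 has "creating am Azure Synapse Analytics output" ("am" should be "an"), line 78 tells the reader to "Navigate to Storage account settings" without saying where that setting lives or what the storage account is used for, and "10MB/sec" / "200MB/sec" need a space before the unit.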
