|
| 1 | +--- |
| 2 | +title: Enable Azure Active Directory Authentication for the Azure-SSIS integration runtime | Microsoft Docs |
| 3 | +description: This article describes how to configure the Azure-SSIS integration runtime to enable connections that use Azure Active Directory authentication. |
| 4 | +services: data-factory |
| 5 | +documentationcenter: '' |
| 6 | +author: douglaslMS |
| 7 | +manager: craigg |
| 8 | + |
| 9 | +ms.service: data-factory |
| 10 | +ms.workload: data-services |
| 11 | +ms.tgt_pltfrm: |
| 12 | +ms.devlang: powershell |
| 13 | +ms.topic: conceptual |
| 14 | +ms.date: 05/31/2018 |
| 15 | +ms.author: douglasl |
| 16 | +--- |
| 17 | +# Enable Azure Active Directory authentication for the Azure-SSIS integration runtime |
| 18 | + |
| 19 | +This article shows you how to create an Azure-SSIS IR with Azure Data Factory service identity. Azure Active Directory (Azure AD) authentication with the Managed Service Identity (MSI) for the Azure-SSIS integration runtime lets you use the Data Factory MSI instead of SQL authentication to create an Azure-SSIS integration runtime. |
| 20 | + |
| 21 | +For more info about the Data Factory MSI, see [Azure Data Factory service identity](https://docs.microsoft.com/en-us/azure/data-factory/data-factory-service-identity). |
| 22 | + |
| 23 | +> [!NOTE] |
| 24 | +> If you have already created an Azure-SSIS integration runtime with SQL authentication, you can't reconfigure the IR to use Azure AD authentication with PowerShell at this time. |
| 25 | +
|
| 26 | +## Create a group in Azure AD and make the Data Factory MSI a member of the group |
| 27 | + |
| 28 | +You can use an existing Azure AD group, or create a new one using Azure AD PowerShell. |
| 29 | + |
| 30 | +1. Install the [Azure AD PowerShell](https://docs.microsoft.com/powershell/azure/active-directory/install-adv2) module. |
| 31 | + |
| 32 | +2. Sign in using `Connect-AzureAD`, and run the following command to create the group, and save it in a variable: |
| 33 | + |
| 34 | + ```powershell |
| 35 | + $Group = New-AzureADGroup -DisplayName "SSISIrGroup" ` |
| 36 | + -MailEnabled $false ` |
| 37 | + -SecurityEnabled $true ` |
| 38 | + -MailNickName "NotSet" |
| 39 | + ``` |
| 40 | +
|
| 41 | + The output looks like the following example, which also examines the value of the variable: |
| 42 | +
|
| 43 | + ```powershell |
| 44 | + $Group |
| 45 | +
|
| 46 | + ObjectId DisplayName Description |
| 47 | + -------- ----------- ----------- |
| 48 | + 6de75f3c-8b2f-4bf4-b9f8-78cc60a18050 SSISIr Group |
| 49 | + ``` |
| 50 | +
|
| 51 | +3. Add the Data Factory MSI to the group. You can follow [Azure Data Factory service identity](https://docs.microsoft.com/en-us/azure/data-factory/data-factory-service-identity) to get the service identity ID (for example, 765ad4ab-XXXX-XXXX-XXXX-51ed985819dc). |
| 52 | +
|
| 53 | + ```powershell |
| 54 | + Add-AzureAdGroupMember -ObjectId $Group.ObjectId -RefObjectId 765ad4ab-XXXX-XXXX-XXXX-51ed985819dc |
| 55 | + ``` |
| 56 | +
|
| 57 | + You also can examine the group membership afterward. |
| 58 | +
|
| 59 | + ```powershell |
| 60 | + Get-AzureAdGroupMember -ObjectId $Group.ObjectId |
| 61 | + ``` |
| 62 | +
|
| 63 | +## Enable Azure AD on Azure SQL Database |
| 64 | +
|
| 65 | +Azure SQL Database supports creating a database with an Azure AD user. As a result, you can set an Azure AD user as the Active Directory admin, and then log in to SSMS using the Azure AD user. Then you can create a contained user for the Azure AD group to enable the IR to create the SQL Server Integration Services (SSIS) catalog on the server. |
| 66 | +
|
| 67 | +### Enable Azure AD authentication for the Azure SQL Database |
| 68 | +
|
| 69 | +You can [configure Azure AD authentication for the SQL Database](https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure) |
| 70 | +using the following steps: |
| 71 | +
|
| 72 | +1. In the Azure portal, select **All services** -> **SQL servers** from the left-hand navigation. |
| 73 | +
|
| 74 | +2. Select the SQL Database to be enabled for Azure AD authentication. |
| 75 | +
|
| 76 | +3. In the **Settings** section of the blade, select **Active Directory admin**. |
| 77 | +
|
| 78 | +4. In the command bar, select **Set admin**. |
| 79 | +
|
| 80 | +5. Select an Azure AD user account to be made an administrator of the server, and then select **Select.** |
| 81 | +
|
| 82 | +6. In the command bar, select **Save.** |
| 83 | +
|
| 84 | +### Create a contained user in the database that represents the Azure AD group |
| 85 | +
|
| 86 | +For this next step, you need [Microsoft SQL Server Management Studio](https://docs.microsoft.com/sql/ssms/download-sql-server-management-studio-ssms) (SSMS). |
| 87 | +
|
| 88 | +1. Start SQL Server Management Studio. |
| 89 | +
|
| 90 | +2. In the **Connect to Server** dialog, enter your SQL server name in |
| 91 | + the **Server name** field. |
| 92 | +
|
| 93 | +3. In the **Authentication** field, select **Active Directory - Universal with MFA support**. (You can also use other two Active Directory authentication types. See [Configure and manage Azure Active Directory authentication with SQL Database, Managed Instance](https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure).) |
| 94 | +
|
| 95 | +4. In the **User name** field, enter the name of the Azure AD account that you set as the server administrator - for example, [email protected]. |
| 96 | +
|
| 97 | +5. select **Connect**. Complete the sign-in process. |
| 98 | +
|
| 99 | +6. In the **Object Explorer**, expand the **Databases** -> System Databases folder. |
| 100 | +
|
| 101 | +7. Right-Select on **master** database and select **New query**. |
| 102 | +
|
| 103 | +8. In the query window, enter the following line, and select **Execute** in the toolbar: |
| 104 | +
|
| 105 | + ```sql |
| 106 | + CREATE USER [SSISIrGroup] FROM EXTERNAL PROVIDER |
| 107 | + ``` |
| 108 | +
|
| 109 | + The command should complete successfully, creating the contained user for the group. |
| 110 | +
|
| 111 | +9. Clear the query window, enter the following line, and Select **Execute** in the toolbar: |
| 112 | +
|
| 113 | + ```sql |
| 114 | + ALTER ROLE dbmanager ADD MEMBER [SSISIrGroup] |
| 115 | + ``` |
| 116 | +
|
| 117 | + The command should complete successfully, granting the contained user the ability to create database. |
| 118 | +
|
| 119 | +## Enable Azure AD on Azure SQL Database Managed Instance |
| 120 | +
|
| 121 | +Azure SQL Database Managed Instance doesn't support creating a database with any Azure AD user other than AD admin. As a result, you have to set the Azure AD Group as the Active Directory admin. You don't need to create the contained user. |
| 122 | +
|
| 123 | +You can [configure Azure AD authentication for the SQL Database Managed Instance server](https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure) using the following steps: |
| 124 | +
|
| 125 | +7. In the Azure portal, select **All services** -> **SQL servers** from the left-hand navigation. |
| 126 | +
|
| 127 | +8. Select the SQL server to be enabled for Azure AD authentication. |
| 128 | +
|
| 129 | +9. In the **Settings** section of the blade, select **Active Directory admin**. |
| 130 | +
|
| 131 | +10. In the command bar, select **Set admin**. |
| 132 | +
|
| 133 | +11. Search and select the Azure AD Group (for example, SSISIrGroup), and select **Select.** |
| 134 | +
|
| 135 | +12. In the command bar, select **Save.** |
| 136 | +
|
| 137 | +## Provision the Azure-SSIS IR in the portal |
| 138 | +
|
| 139 | +When you provision your Azure-SSIS IR with the Azure portal, on the **SQL Settings** page, check the "Use AAD authentication with your ADF MSI" option. (The following screenshot shows the settings for IR with Azure SQL Database. For the IR with Managed Instance, the "Catalog Database Service Tier" property is not available; other settings are the same.) |
| 140 | +
|
| 141 | +For more info about how to create an Azure-SSIS integration runtime, see [Create an Azure-SSIS integration runtime in Azure Data Factory](https://docs.microsoft.com/en-us/azure/data-factory/create-azure-ssis-integration-runtime). |
| 142 | +
|
| 143 | + |
| 144 | +
|
| 145 | +## Provision the Azure-SSIS IR with PowerShell |
| 146 | +
|
| 147 | +To provision your Azure-SSIS IR with PowerShell, do the following things: |
| 148 | +
|
| 149 | +1. Install the [Azure PowerShell](https://github.com/Azure/azure-powershell/releases/tag/v5.5.0-March2018) module. |
| 150 | +
|
| 151 | +2. In your script, do not set the *CatalogAdminCredential* parameter. For example: |
| 152 | +
|
| 153 | + ```powershell |
| 154 | + Set-AzureRmDataFactoryV2IntegrationRuntime -ResourceGroupName $ResourceGroupName ` |
| 155 | + -DataFactoryName $DataFactoryName ` |
| 156 | + -Name $AzureSSISName ` |
| 157 | + -Type Managed ` |
| 158 | + -CatalogServerEndpoint $SSISDBServerEndpoint ` |
| 159 | + -CatalogPricingTier $SSISDBPricingTier ` |
| 160 | + -Description $AzureSSISDescription ` |
| 161 | + -Edition $AzureSSISEdition ` |
| 162 | + -Location $AzureSSISLocation ` |
| 163 | + -NodeSize $AzureSSISNodeSize ` |
| 164 | + -NodeCount $AzureSSISNodeNumber ` |
| 165 | + -MaxParallelExecutionsPerNode $AzureSSISMaxParallelExecutionsPerNode ` |
| 166 | + -SetupScriptContainerSasUri $SetupScriptContainerSasUri |
| 167 | +
|
| 168 | + Start-AzureRmDataFactoryV2IntegrationRuntime -ResourceGroupName $ResourceGroupName ` |
| 169 | + -DataFactoryName $DataFactoryName ` |
| 170 | + -Name $AzureSSISName |
| 171 | + ``` |
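Review bot: The Managed Instance section (new lines 121 and 133) makes the whole Azure AD group the Active Directory admin, and the SQL Database section (line 114) adds the group to dbmanager in master, so every member of SSISIrGroup inherits those rights, yet nothing in the article says the group should contain only the Data Factory MSI. Suggest adding a sentence next to "You can use an existing Azure AD group" (line 28) cautioning against reusing a broadly populated group, and presenting the Get-AzureAdGroupMember call on line 60 as a check to run before the role or admin assignment rather than as an optional afterthought. Smaller points in the same hunk: the Managed Instance steps are numbered 7 to 12 instead of 1 to 6 (lines 125 to 135); the sample output on line 48 shows "SSISIr Group" while the command on line 35 creates "SSISIrGroup"; line 74 says "Select the SQL Database" although line 72 navigates to SQL servers and line 80 talks about an administrator of the server; line 101 reads "Right-Select on **master** database" and line 97 starts with a lowercase "select"; line 139 refers to "the following screenshot" but the visible lines after it contain no image.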