MicrosoftDocs
diff --git a/‎articles/azure-sql/database/authentication-azure-ad-logins-tutorial.md
Lines changed: 222 additions & 0 deletions b/‎articles/azure-sql/database/authentication-azure-ad-logins-tutorial.md
Lines changed: 222 additions & 0 deletions
diff --git a/‎articles/azure-sql/database/authentication-azure-ad-logins.md
Lines changed: 130 additions & 0 deletions b/‎articles/azure-sql/database/authentication-azure-ad-logins.md
Lines changed: 130 additions & 0 deletions
@@ -0,0 +1,222 @@
+---
+title: Create and utilize Azure Active Directory server logins
+description: This article guides you through creating and utilizing Azure Active Directory logins in the virtual master database of Azure SQL
+ms.service: sql-db-mi
+ms.subservice: security
+ms.topic: tutorial
+author: GithubMirek
+ms.author: mireks
+ms.reviewer: vanto
+ms.date: 03/14/2022
+---
+
+# Tutorial: Create and utilize Azure Active Directory server logins
+
+[!INCLUDE[appliesto-sqldb-sqlmi-asa-dedicated-only](../includes/appliesto-sqldb-sqlmi-asa-dedicated-only.md)]
+
+> [!NOTE]
+> Azure Active Directory (Azure AD) server principals (logins) are currently in public preview for Azure SQL Database. Azure SQL Managed Instance can already utilize Azure AD logins.
+
+This article guides you through creating and utilizing [Azure Active Directory (Azure AD) principals (logins)](authentication-azure-ad-logins.md) in the virtual master database of Azure SQL.
+
+In this tutorial, you learn how to:
+
+> [!div class="checklist"]
+> - Create an Azure AD login in the virtual master database with the new syntax extension for Azure SQL Database
+> - Create a user mapped to an Azure AD login in the virtual master database
+> - Grant server roles to an Azure AD user
+> - Disable an Azure AD login
+
+## Prerequisites
+
+- A SQL Database or SQL Managed Instance with a database. See [Quickstart: Create an Azure SQL Database single database](single-database-create-quickstart.md) if you haven't already created an Azure SQL Database, or [Quickstart: Create an Azure SQL Managed Instance](../managed-instance/instance-create-quickstart.md).
+- Azure AD authentication set up for SQL Database or Managed Instance. For more information, see [Configure and manage Azure AD authentication with Azure SQL](authentication-aad-configure.md).
+- This article instructs you on creating an Azure AD login and user within the virtual master database. Only an Azure AD admin can create a user within the virtual master database, so we recommend you use the Azure AD admin account when going through this tutorial. An Azure AD principal with the `loginmanager` role can create a login, but not a user within the virtual master database.
+
+## Create Azure AD login
+
+1. Create an Azure SQL Database login for an Azure AD account. In our example, we'll use `[email protected]` that exists in our Azure AD domain called `contoso`. A login can also be created from an Azure AD group or [service principal (applications)](authentication-aad-service-principal.md). For example, `mygroup` that is an Azure AD group consisting of Azure AD accounts that are a member of that group. For more information, see [CREATE LOGIN (Transact-SQL)](/sql/t-sql/statements/create-login-transact-sql?view=azuresqldb-current&preserve-view=true).
+
+   > [!NOTE]
+   > The first Azure AD login must be created by the Azure Active Directory admin. A SQL login cannot create Azure AD logins.
+
+1. Using [SQL Server Management Studio (SSMS)](/sql/ssms/download-sql-server-management-studio-ssms), log into your SQL Database with the Azure AD admin account set up for the server.
+1. Run the following query:
+
+   ```sql
+   Use master
+   CREATE LOGIN [bob@contoso.com] FROM EXTERNAL PROVIDER
+   GO
+   ```
+
+1. Check the created login in `sys.server_principals`. Execute the following query:
+
+   ```sql
+   SELECT name, type_desc, type, is_disabled 
+   FROM sys.server_principals
+   WHERE type_desc like 'external%'  
+   ```
+
+   You would see a similar output to the following:
+
+   ```output
+   Name                            type_desc       type   is_disabled 
+   [email protected]                 EXTERNAL_LOGIN  E      0 
+   ```
+
+1. The login `[email protected]` has been created in the virtual master database.
+
+## Create user from an Azure AD login
+
+1. Now that we've created an Azure AD login, we can create a database-level Azure AD user that is mapped to the Azure AD login in the virtual master database. We'll continue to use our example, `[email protected]` to create a user in the virtual master database, as we want to demonstrate adding the user to special roles. Only an Azure AD admin or SQL server admin can create users in the virtual master database.
+
+1. We're using the virtual master database, but you can switch to a database of your choice if you want to create users in other databases. Run the following query.
+
+   ```sql
+   Use master
+   CREATE USER [bob@contoso.com] FROM LOGIN [bob@contoso.com]
+   ```
+
+   > [!TIP]
+   > Although it is not required to use Azure AD user aliases (for example, `[email protected]`), it is a recommended best practice to use the same alias for Azure AD users and Azure AD logins. 
+
+1. Check the created user in `sys.database_principals`. Execute the following query:
+
+   ```sql
+   SELECT name, type_desc, type 
+   FROM sys.database_principals 
+   WHERE type_desc like 'external%'
+   ```
+
+   You would see a similar output to the following:
+
+   ```output
+   Name                            type_desc       type
+   [email protected]                 EXTERNAL_USER   E
+   ```
+
+> [!NOTE]
+> The existing syntax to create an Azure AD user without an Azure AD login is still supported, and requires the creation of a contained user inside SQL Database (without login).
+>
+> For example, `CREATE USER [[email protected]] FROM EXTERNAL PROVIDER`.
+
+## Grant server-level roles to Azure AD logins
+
+You can add logins to the [built-in server-level roles](security-server-roles.md#built-in-server-level-roles), such as the **##MS_DefinitionReader##**, **##MS_ServerStateReader##**, or **##MS_ServerStateManager##** role.
+
+> [!NOTE]
+> The server-level roles mentioned here are not supported for Azure AD groups.
+
+```sql
+ALTER SERVER ROLE ##MS_DefinitionReader## ADD MEMBER [AzureAD_object];
+```
+
+```sql
+ALTER SERVER ROLE ##MS_ServerStateReader## ADD MEMBER [AzureAD_object];
+```
+
+```sql
+ALTER SERVER ROLE ##MS_ServerStateManager## ADD MEMBER [AzureAD_object];
+```
+
+Permissions aren't effective until the user reconnects. Flush the DBCC cache as well:
+
+```sql
+DBCC FLUSHAUTHCACHE
+DBCC FREESYSTEMCACHE('TokenAndPermUserStore') WITH NO_INFOMSGS 
+```
+
+To check which Azure AD logins are part of server-level roles, run the following query:
+
+```sql
+SELECT roles.principal_id AS RolePID,roles.name AS RolePName,
+       server_role_members.member_principal_id AS MemberPID, members.name AS MemberPName
+       FROM sys.server_role_members AS server_role_members
+       INNER JOIN sys.server_principals AS roles
+       ON server_role_members.role_principal_id = roles.principal_id
+       INNER JOIN sys.server_principals AS members 
+       ON server_role_members.member_principal_id = members.principal_id;
+```
+
+## Grant special roles for Azure AD users
+
+[Special roles for SQL Database](/sql/relational-databases/security/authentication-access/database-level-roles#special-roles-for--and-azure-synapse) can be assigned to users in the virtual master database.
+
+In order to grant one of the special database roles to a user, the user must exist in the virtual master database. 
+
+To add a user to a role, you can run the following query:
+
+```sql
+ALTER ROLE [dbamanger] ADD MEMBER [AzureAD_object] 
+```
+
+To remove a user from a role, run the following query:
+
+```sql
+ALTER ROLE [dbamanger] DROP MEMBER [AzureAD_object] 
+```
+
+`AzureAD_object` can be an Azure AD user, group, or service principal in Azure AD.
+
+In our example, we created the user `[email protected]`. Let's give the user the **dbmanager** and **loginmanager** roles.
+
+1. Run the following query:
+
+   ```sql
+   ALTER ROLE [dbamanger] ADD MEMBER [bob@contoso.com] 
+   ALTER ROLE [loginmanager] ADD MEMBER [bob@contoso.com] 
+   ```
+
+1. Check the database role assignment by running the following query:
+
+   ```sql
+   SELECT DP1.name AS DatabaseRoleName,    
+     isnull (DP2.name, 'No members') AS DatabaseUserName    
+   FROM sys.database_role_members AS DRM   
+   RIGHT OUTER JOIN sys.database_principals AS DP1   
+     ON DRM.role_principal_id = DP1.principal_id   
+   LEFT OUTER JOIN sys.database_principals AS DP2   
+     ON DRM.member_principal_id = DP2.principal_id   
+   WHERE DP1.type = 'R'and DP2.name like 'bob%' 
+   ```
+
+   You would see a similar output to the following:
+
+   ```output
+   DatabaseRoleName	   DatabaseUserName 
+   dbmanager              [email protected]
+   loginmanager	       [email protected]
+   ```
+
+## Optional - Disable a login
+
+The [ALTER LOGIN (Transact-SQL)](/sql/t-sql/statements/alter-login-transact-sql?view=azuresqldb-current&preserve-view=true) DDL syntax can be used to enable or disable an Azure AD login in Azure SQL Database.
+
+```sql
+ALTER LOGIN [bob@contoso.com] DISABLE
+```
+
+For the `DISABLE` or `ENABLE` changes to take immediate effect, the authentication cache and the **TokenAndPermUserStore** cache must be cleared using the following T-SQL commands:
+
+```sql
+DBCC FLUSHAUTHCACHE
+DBCC FREESYSTEMCACHE('TokenAndPermUserStore') WITH NO_INFOMSGS 
+```
+
+Check that the login has been disabled by executing the following query:
+
+```sql
+SELECT name, type_desc, type 
+FROM sys.server_principals 
+WHERE is_disabled = 1
+```
+
+A use case for this would be to allow read-only on [geo-replicas](active-geo-replication-overview.md), but deny connection on a primary server.
+
+## See also
+
+For more information and examples, see:
+
+- [Azure Active Directory server principals](authentication-azure-ad-logins.md)
+- [CREATE LOGIN (Transact-SQL)](/sql/t-sql/statements/create-login-transact-sql?view=azuresqldb-current&preserve-view=true)
+- [CREATE USER (Transact-SQL)](/sql/t-sql/statements/create-user-transact-sql)
@@ -0,0 +1,130 @@
+---
+title: Azure Active Directory server principals
+description: Using Azure Active Directory server principals (logins) in Azure SQL
+ms.service: sql-db-mi
+ms.subservice: security
+ms.topic: conceptual
+author: GithubMirek
+ms.author: mireks
+ms.reviewer: vanto
+ms.date: 03/14/2022
+---
+
+# Azure Active Directory server principals
+
+[!INCLUDE[appliesto-sqldb-sqlmi-asa-dedicated-only](../includes/appliesto-sqldb-sqlmi-asa-dedicated-only.md)]
+
+> [!NOTE]
+> Azure Active Directory (Azure AD) server principals (logins) are currently in public preview for Azure SQL Database. Azure SQL Managed Instance can already utilize Azure AD logins.
+
+You can now create and utilize Azure AD server principals, which are logins in the virtual master database of a SQL Database. There are several benefits of using Azure AD server principals for SQL Database:
+
+- Support [Azure SQL Database server roles for permission management](security-server-roles.md).
+- Support multiple Azure AD users with [special roles for SQL Database](/sql/relational-databases/security/authentication-access/database-level-roles#special-roles-for--and-azure-synapse), such as the `loginmanager` and `dbmanager` roles.
+- Functional parity between SQL logins and Azure AD logins.
+- Increase functional improvement support, such as utilizing [Azure AD-only authentication](authentication-azure-ad-only-authentication.md). Azure AD-only authentication allows SQL authentication to be disabled, which includes the SQL server admin, SQL logins and users.
+- Allows Azure AD principals to support geo-replicas. Azure AD principals will be able to connect to the geo-replica of a user database, with a *read-only* permission and *deny* permission to the primary server.
+- Ability to use Azure AD service principal logins with special roles to execute a full automation of user and database creation, as well as maintenance provided by Azure AD applications.
+- Closer functionality between Managed Instance and SQL Database, as Managed Instance already supports Azure AD logins in the master database.
+
+For more information on Azure AD authentication in Azure SQL, see [Use Azure Active Directory authentication](authentication-aad-overview.md)
+
+## Permissions
+
+The following permissions are required to utilize or create Azure AD logins in the virtual master database.
+
+- Azure AD admin permission or membership in the `loginmanager` server role. The first Azure AD login can only be created by the Azure AD admin.
+- Must be a member of Azure AD within the same directory used for Azure SQL Database 
+
+By default, the standard permission granted to newly created Azure AD login in the `master` database is **VIEW ANY DATABASE**. 
+
+## Azure AD logins syntax
+
+New syntax for Azure SQL Database to use Azure AD server principals has been introduced with this feature release.
+
+### Create login syntax
+
+```syntaxsql
+CREATE LOGIN login_name { FROM EXTERNAL PROVIDER | WITH <option_list> [,..] }  
+
+<option_list> ::=      
+    PASSWORD = {'password'}   
+    | , SID = sid, ] 
+```
+
+The *login_name* specifies the Azure AD principal, which is an Azure AD user, group, or application.
+
+For more information, see [CREATE LOGIN (Transact-SQL)](/sql/t-sql/statements/create-login-transact-sql?view=azuresqldb-current&preserve-view=true).
+
+### Create user syntax
+
+The below T-SQL syntax is already available in SQL Database, and can be used for creating database-level Azure AD principals mapped to Azure AD logins in the virtual master database.
+
+To create an Azure AD user from an Azure AD login, use the following syntax. Only the Azure AD admin can execute this command in the virtual master database.
+
+```syntaxsql
+CREATE USER user_name FROM LOGIN login_name
+```
+
+For more information, see [CREATE USER (Transact-SQL)](/sql/t-sql/statements/create-user-transact-sql).
+
+### Disable or enable a login using ALTER LOGIN syntax
+
+The [ALTER LOGIN (Transact-SQL)](/sql/t-sql/statements/alter-login-transact-sql?view=azuresqldb-current&preserve-view=true) DDL syntax can be used to enable or disable an Azure AD login in Azure SQL Database.
+
+```syntaxsql
+ALTER LOGIN login_name DISABLE 
+```
+
+The Azure AD principal `login_name` won't be able to log into any user database in the SQL Database logical server where an Azure AD user principal, `user_name` mapped to login `login_name` was created.
+
+> [!NOTE]
+> - `ALTER LOGIN login_name DISABLE` is not supported for contained users.
+> - `ALTER LOGIN login_name DISABLE` is not supported for Azure AD groups.
+> - An individual disabled login cannot belong to a user who is part of a login group created in the master database (for example, an Azure AD admin group). 
+> - For the `DISABLE` or `ENABLE` changes to take immediate effect, the authentication cache and the **TokenAndPermUserStore** cache must be cleared using the T-SQL commands.
+>
+>   ```sql
+>   DBCC FLUSHAUTHCACHE
+>   DBCC FREESYSTEMCACHE('TokenAndPermUserStore') WITH NO_INFOMSGS 
+>   ```
+
+## Roles for Azure AD principals
+
+[Special roles for SQL Database](/sql/relational-databases/security/authentication-access/database-level-roles#special-roles-for--and-azure-synapse) can be assigned to *users* in the virtual master database for Azure AD principals, including **dbmanager** and **loginmanager**. 
+
+[Azure SQL Database server roles](security-server-roles.md) can be assigned to *logins* in the virtual master database.
+
+For a tutorial on how to grant these roles, see [Tutorial: Create and utilize Azure Active Directory server logins](authentication-azure-ad-logins-tutorial.md).
+
+
+## Limitations and remarks
+
+- The SQL server admin can’t create Azure AD logins or users in any databases.
+- Changing a database ownership to an Azure AD group as database owner isn't supported.
+  - `ALTER AUTHORIZATION ON database::<mydb> TO [my_aad_group]` fails with an error message:
+    ```output
+    Msg 33181, Level 16, State 1, Line 4
+    The new owner cannot be Azure Active Directory group.
+    ```
+  - Changing a database ownership to an individual user is supported.
+- A SQL admin or SQL user can’t execute the following Azure AD operations: 
+  - `CREATE LOGIN [[email protected]] FROM EXTERNAL PROVIDER` 
+  - `CREATE USER [[email protected]] FROM EXTERNAL PROVIDER` 
+  - `EXECUTE AS USER [[email protected]]`
+  - `ALTER AUTHORIZATION ON securable::name TO [[email protected]]`
+- Impersonation of Azure AD server-level principals (logins) isn't supported: 
+  - [EXECUTE AS Clause (Transact-SQL)](/sql/t-sql/statements/execute-as-clause-transact-sql)
+  - [EXECUTE AS (Transact-SQL)](/sql/t-sql/statements/execute-as-transact-sql)
+  - Impersonation of Azure AD database-level principals (users) at a user database-level is still supported.
+- Azure AD logins overlapping with Azure AD administrator aren't supported. Azure AD admin takes precedence over any login. If an Azure AD account already has access to the server as an Azure AD admin, either directly or as a member of the admin group, the login created for this user won't have any effect. The login creation isn't blocked through T-SQL. After the account authenticates to the server, the login will have the effective permissions of an Azure AD admin, and not of a newly created login.
+- Changing permissions on specific Azure AD login object isn't supported:
+  - `GRANT <PERMISSION> ON LOGIN :: <Azure AD account> TO <Any other login> `
+- When permissions are altered for an Azure AD login with existing open connections to an Azure SQL Database, permissions aren't effective until the user reconnects. Also [flush the authentication cache and the TokenAndPermUserStore cache](#disable-or-enable-a-login-using-alter-login-syntax). This applies to server role membership change using the [ALTER SERVER ROLE](/sql/t-sql/statements/alter-server-role-transact-sql) statement. 
+- Setting an Azure AD login mapped to an Azure AD group as the database owner isn't supported.
+- [Azure SQL Database server roles](security-server-roles.md) aren't supported for Azure AD groups.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Tutorial: Create and utilize Azure Active Directory server logins](authentication-azure-ad-logins-tutorial.md)