Azure AD server logins release

VanMSFT · VanMSFT · commit 8eed82ceb7d3 · 2022-03-10T08:23:46.000-08:00
diff --git a/articles/azure-sql/database/authentication-azure-ad-logins-tutorial.md b/articles/azure-sql/database/authentication-azure-ad-logins-tutorial.md
@@ -0,0 +1,169 @@
+---
+title: Create and utilize Azure Active Directory server logins
+description: This article guides you through creating and utilizing Azure Active Directory logins in the virtual master database of Azure SQL
+ms.service: sql-db-mi
+ms.subservice: security
+ms.topic: tutorial
+author: GithubMirek
+ms.author: mireks
+ms.reviewer: vanto
+ms.date: 03/11/2022
+---
+
+# Tutorial: Create and utilize Azure Active Directory server logins
+
+[!INCLUDE[appliesto-sqldb-sqlmi-asa-dedicated-only](../includes/appliesto-sqldb-sqlmi-asa-dedicated-only.md)]
+
+> [!NOTE]
+> Azure Active Directory (Azure AD) server principals (logins) are currently in public preview for Azure SQL Database. Azure SQL Managed Instance can already utilize Azure AD logins.
+
+This article guides you through creating and utilizing [Azure Active Directory (Azure AD) principals (logins)](authentication-azure-ad-logins.md) in the virtual master database of Azure SQL.
+
+In this tutorial, you learn how to:
+
+> [!div class="checklist"]
+> - Create an Azure AD login in the virtual master database with the new syntax extension for Azure SQL Database
+> - Create a user mapped to an Azure AD login in the virtual master database
+> - Grant server roles to an Azure AD user
+> - Disable a login
+
+## Prerequisites
+
+- A SQL Database or SQL Managed Instance with a database. See [Quickstart: Create an Azure SQL Database single database](single-database-create-quickstart.md) if you haven't already created an Azure SQL Database, or [Quickstart: Create an Azure SQL Managed Instance](../managed-instance/instance-create-quickstart.md).
+- Azure AD authentication set up for SQL Database or Managed Instance. For more information, see [Configure and manage Azure AD authentication with Azure SQL](authentication-aad-configure.md).
+- The user creating the login must have Azure Active Directory admin permissions, or have membership in the `loginmanager` server role.
+
+## Create Azure AD login
+
+1. Create an Azure SQL Database login for an Azure AD account. In our example, we'll use `bob@contoso.com` that exists in our Azure AD domain called `contoso`. A login can also be created from an Azure AD group or [service principal (applications)](authentication-aad-service-principal.md). For example, `mygroup` that is an Azure AD group consisting of Azure AD accounts that are a member of that group. For more information, see [CREATE LOGIN (Transact-SQL)](/sql/t-sql/statements/create-login-transact-sql?view=azuresqldb-current&preserve-view=true).
+
+   > [!NOTE]
+   > The first Azure AD login must be created by the Azure Active Directory admin. A SQL login cannot create Azure AD logins.
+
+1. Using [SQL Server Management Studio (SSMS)](/sql/ssms/download-sql-server-management-studio-ssms), log into your SQL Database with the Azure AD admin account set up for the server.
+1. Run the following query:
+
+   ```sql
+   Use master
+   CREATE LOGIN [bob@contoso.com] FROM EXTERNAL PROVIDER
+   GO
+   ```
+
+1. Check the created login in `sys.server_principals`. Execute the following query:
+
+   ```sql
+   SELECT name, type_desc, type, is_disabled 
+   FROM sys.server_principals
+   WHERE type_desc like 'external%'  
+   ```
+
+   You would see a similar output to the following:
+
+   ```output
+   Name                            type_desc       type   is_disabled 
+   bob@contoso.com                 EXTERNAL_LOGIN  E      0 
+   ```
+
+1. The login `bob@contoso.com` has been created in the virtual master database.
+
+## Create user from an Azure AD login
+
+1. Now that we've created an Azure AD login, we can create a database-level Azure AD user that is mapped to the Azure AD login in the virtual master database. We'll continue to use our example, `bob@contoso.com` to create a user in the virtual master database, as we want to demonstrate adding the user to special roles.
+
+1. We're using the virtual master database, but you can switch to a database of your choice. Run the following query.
+
+   ```sql
+   Use master
+   CREATE USER [bob@contoso.com] FROM LOGIN [bob@contoso.com]
+   ```
+
+   > [!TIP]
+   > Although it is not required to use Azure AD user aliases (for example, `bob@contoso.com`), it is a recommended best practice to use the same alias for Azure AD users and Azure AD logins. 
+
+1. Check the created user in `sys.database_principals`. Execute the following query:
+
+   ```sql
+   SELECT name, type_desc, type 
+   FROM sys.database_principals 
+   WHERE type_desc like 'external%'
+   ```
+
+   You would see a similar output to the following:
+
+   ```output
+   Name                            type_desc       type
+   bob@contoso.com                 EXTERNAL_USER   E
+   ```
+
+> [!NOTE]
+> The existing syntax to create an Azure AD user without an Azure AD login is still supported, and requires the creation of a contained user inside SQL Database (without login).
+>
+> For example, `CREATE USER [bob@contoso.com] FROM EXTERNAL PROVIDER`.
+
+## Grant server roles to the Azure AD user
+
+[Special roles for SQL Database](/sql/relational-databases/security/authentication-access/database-level-roles#special-roles-for--and-azure-synapse) can be assigned to users in the virtual master database, including **dbmanager** and **loginmanager**. For more server roles, see [Azure SQL Database server roles for permission management](security-server-roles.md).
+
+In order to grant one of the server roles, an Azure AD user with a login must be created in the virtual master database. 
+
+To add a user to a role, you can run the following query:
+
+```sql
+ALTER SERVER ROLE [dbamanger] ADD MEMBER [AzureAD_object] 
+```
+
+To remove a user from a role, run the following query:
+
+```sql
+ALTER SERVER ROLE [dbamanger] DROP MEMBER [AzureAD_object] 
+```
+
+`AzureAD_object` can be an Azure AD user, group, or service principal create in Azure SQL.
+
+In our example, we created the user `bob@contoso.com`. Let's give the user the **dbmanager** and **loginmanager** roles.
+
+1. Run the following query:
+
+   ```sql
+   ALTER SERVER ROLE [dbamanger] ADD MEMBER [AAD_object] 
+   ALTER SERVER ROLE [loginmanager] ADD MEMBER [AAD_object] 
+   ```
+
+1. Check the server role assignment by running the following query:
+
+   ```sql
+   SELECT DP1.name AS DatabaseRoleName,    
+     isnull (DP2.name, 'No members') AS DatabaseUserName    
+   FROM sys.database_role_members AS DRM   
+   RIGHT OUTER JOIN sys.database_principals AS DP1   
+     ON DRM.role_principal_id = DP1.principal_id   
+   LEFT OUTER JOIN sys.database_principals AS DP2   
+     ON DRM.member_principal_id = DP2.principal_id   
+   WHERE DP1.type = 'R'and DP2.name like 'bob%' 
+   ```
+
+   You would see a similar output to the following:
+
+   ```output
+   DatabaseRoleName	   DatabaseUserName 
+   dbmanager              bob@contoso.com
+   loginmanager	       bob@contoso.com
+   ```
+
+## Optional - Disable a login
+
+The [ALTER LOGIN (Transact-SQL)](/sql/t-sql/statements/alter-login-transact-sql?view=azuresqldb-current&preserve-view=true) DDL syntax can be used to enable or disable an Azure AD login in Azure SQL Database.
+
+```sql
+ALTER LOGIN [bob@contoso.com] DISABLE
+```
+
+A use case for this would be to allow read-only on [geo-replicas](active-geo-replication-overview.md), but deny connection on a primary server.
+
+## See also
+
+For more information and examples, see:
+
+- [Azure Active Directory server principals](authentication-azure-ad-logins.md)
+- [CREATE LOGIN (Transact-SQL)](/sql/t-sql/statements/create-login-transact-sql?view=azuresqldb-current&preserve-view=true)
+- [CREATE USER (Transact-SQL)](/sql/t-sql/statements/create-user-transact-sq)
diff --git a/articles/azure-sql/database/authentication-azure-ad-logins.md b/articles/azure-sql/database/authentication-azure-ad-logins.md
@@ -0,0 +1,153 @@
+---
+title: Azure Active Directory server principals
+description: Using Azure Active Directory server principals (logins) in Azure SQL
+ms.service: sql-db-mi
+ms.subservice: security
+ms.topic: conceptual
+author: GithubMirek
+ms.author: mireks
+ms.reviewer: vanto
+ms.date: 03/11/2022
+---
+
+# Azure Active Directory server principals
+
+[!INCLUDE[appliesto-sqldb-sqlmi-asa-dedicated-only](../includes/appliesto-sqldb-sqlmi-asa-dedicated-only.md)]
+
+> [!NOTE]
+> Azure Active Directory (Azure AD) server principals (logins) are currently in public preview for Azure SQL Database. Azure SQL Managed Instance can already utilize Azure AD logins.
+
+You can now create and utilize Azure AD server principals, which are logins in the master database of a SQL Database. There are several benefits of using Azure AD server principals for SQL Database:
+
+- Support multiple Azure AD login accounts with high privileged server roles for SQL Database, such as the `loginmanager` and `dbmanager` roles.
+- Increase functional improvement support, such as utilizing [Azure AD-only authentication](authentication-azure-ad-only-authentication.md). Azure AD-only authentication allows SQL authentication to be disabled, which includes the SQL server admin, SQL logins, and users.
+- Allows Azure AD principals to support geo-replicas. Azure AD principals will be able to connect to the geo-replica of a user database, with a *read-only* permission and *deny* permission to the primary server.
+- Ability to use Azure AD service principal logins with high privilege server roles to execute a full automation of user and database creation, as well as maintenance provided by Azure AD applications.
+- Closer functionality between Managed Instance and SQL Database, as Managed Instance already supports Azure AD logins in the master database.
+
+For more information on Azure AD authentication in Azure SQL, see [Use Azure Active Directory authentication](authentication-aad-overview.md)
+
+## Permissions
+
+The following permissions are required to utilize or create Azure AD logins in the master database.
+
+- Azure AD admin permission or membership in the `loginmanager` server role.  
+- Must be a member of Azure AD within the same directory used for Azure SQL Database 
+
+By default, the standard permission granted to newly created Azure AD login in the `master` database is **VIEW ANY DATABASE**. 
+
+## Azure AD logins syntax
+
+New syntax for Azure SQL Database to use Azure AD server principals has been introduced with this feature release.
+
+### Create login syntax
+
+```syntaxsql
+CREATE LOGIN login_name { FROM EXTERNAL PROVIDER [WITH OBJECT_ID = 'objectid'] | WITH <option_list> [,..] }  
+
+<option_list> ::=      
+    PASSWORD = {'password'}   
+    | , SID = sid, ] 
+```
+
+For more information, see [CREATE LOGIN (Transact-SQL)](/sql/t-sql/statements/create-login-transact-sql?view=azuresqldb-current&preserve-view=true).
+
+### Create user syntax
+
+The below T-SQL syntax is already available in SQL Database, and can be used for creating database-level Azure AD principals mapped to Azure AD logins in the master database. 
+
+To create an Azure AD user from an Azure AD login, use the following syntax:
+
+```syntaxsql
+CREATE USER user_name FROM LOGIN login_name
+```
+
+For more information, see [CREATE USER (Transact-SQL)](/sql/t-sql/statements/create-user-transact-sql).
+
+### Disable or enable a login using ALTER LOGIN syntax
+
+The [ALTER LOGIN (Transact-SQL)](/sql/t-sql/statements/alter-login-transact-sql?view=azuresqldb-current&preserve-view=true) DDL syntax can be used to enable or disable an Azure AD login in Azure SQL Database.
+
+```syntaxsql
+ALTER LOGIN login_name DISABLE 
+```
+
+The Azure AD principal `login_name` won't be able to log into any user database in the SQL Database server where an Azure AD user principal, `user_name` mapped to login `login_name` was created.
+
+> [!NOTE]
+> - `ALTER LOGIN login_name DISABLE` is not supported for contained users.
+> - `ALTER LOGIN login_name DISABLE` is not supported for Azure AD groups.
+> - An individual disabled login cannot belong to a user who is part of a login group created in the master database (for example, an Azure AD admin group). 
+> - For the `DISABLE` or `ENABLE` changes to take immediate effect, the authentication cache and the **TokenAndPermUserStore** cache must be cleared using the T-SQL commands.
+>
+>   ```sql
+>   DBCC FLUSHAUTHCACHE
+>   DBCC FREESYSTEMCACHE('TokenAndPermUserStore') WITH NO_INFOMSGS 
+>   ```
+
+## Azure AD logins and users with non-unique display names
+
+It's possible to create Azure AD resources with the same display names. For example, creating an [Azure AD application (service principal)](authentication-aad-service-principal.md) with the same name. In this release, we're also introducing the ability to create logins and users using the **Object ID**. 
+
+```sql
+CREATE LOGIN login_name FROM EXTERNAL PROVIDER WITH OBJECT_ID = 'objectid'
+```
+
+- To execute the above query, the specified Object ID must exist in Azure AD where the Azure SQL resides.
+- Most non-unique display names in Azure AD are related to service principals. Group names can also be non-unique as well. All Azure AD user display names are unique. 
+
+Using the display name of a service principal that isn't unique in Azure AD could lead to errors when creating the login or user in Azure SQL. For example, if `myapp` isn't unique, you may run into the following error when executing the following query:
+
+```sql
+CREATE USER [myapp] FROM EXTERNAL PROVIDER 
+```
+
+```output
+Msg 33131, Level 16, State 1, Line 4 
+Principal 'myapp' has a duplicate display name. Make the display name unique in Azure Active Directory and execute this statement again. 
+```
+
+With the T-SQL DDL extension to create logins or users with the Object ID, you can avoid this error and also specify an alias for the login or user created with the Object ID. For example, the following will create a user `myapp4466e` using the application Object ID `4466e2f8-0fea-4c61-a470-xxxxxxxxxxxx`.
+
+```sql
+CREATE USER [myapp4466e] FROM EXTERNAL PROVIDER 
+  WITH OBJECT_ID='4466e2f8-0fea-4c61-a470-xxxxxxxxxxxx' 
+```
+
+For more information on obtaining the Object ID of a service principal, see [Service principal object](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object.)
+
+To get the Object ID of the application, you can execute the following query:
+
+```sql
+SELECT CAST(sid as uniqueidentifier) ApplicationID from sys.database_principals WHERE NAME = 'myapp4466e'
+```
+
+## Limitations and remarks
+
+- The SQL server admin can’t create Azure AD logins in the master database
+- Changing a database ownership to an Azure AD group as database owner isn't supported.
+  - `ALTER AUTHORIZATION ON database::<mydb> TO [my_aad_group]` fails with an error message:
+    ```output
+    Msg 33181, Level 16, State 1, Line 4
+    The new owner cannot be Azure Active Directory group.
+    ```
+  - Changing a database ownership to an individual user is supported.
+- A SQL admin or SQL user can’t execute the following Azure AD operations: 
+  - `CREATE LOGIN [bob@contoso.com] FROM EXTERNAL PROVIDER` 
+  - `CREATE USER [bob@contoso.com] FROM EXTERNAL PROVIDER` 
+  - `EXECUTE AS USER [bob@contoso.com]`
+  - `ALTER AUTHORIZATION ON securable::name TO [bob@contoso.com]`
+- Impersonation of Azure AD server-level principals (logins) isn't supported: 
+  - [EXECUTE AS Clause (Transact-SQL)](/sql/t-sql/statements/execute-as-clause-transact-sql)
+  - [EXECUTE AS (Transact-SQL)](/sql/t-sql/statements/execute-as-transact-sql)
+  - Impersonation of Azure AD database-level principals (users) at a user database-level is still supported.
+- Azure AD logins overlapping with Azure AD administrator aren't supported. Azure AD admin takes precedence over any login. If an Azure AD account already has access to the server as an Azure AD admin, either directly or as a member of the admin group, the login created for this user won't have any effect. The login creation isn't blocked through T-SQL. After the account authenticates to the server, the login will have the effective permissions of an Azure AD admin, and not of a newly created login.
+- Changing permissions on specific Azure AD login object isn't supported:
+  - `GRANT <PERMISSION> ON LOGIN :: <Azure AD account> TO <Any other login> `
+- When permissions are altered for an Azure AD login with existing open connections to an Azure SQL Database, permissions aren't effective until the user reconnects. This applies to server role membership change using the [ALTER SERVER ROLE](/sql/t-sql/statements/alter-server-role-transact-sql) statement. 
+- [SQL Server Management Studio (SSMS)](/sql/ssms/download-sql-server-management-studio-ssms) doesn't display the login names in **Object Explorer**.
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Tutorial: Create and utilize Azure Active Directory server logins](authentication-azure-ad-logins-tutorial.md)
diff --git a/articles/azure-sql/database/security-server-roles.md b/articles/azure-sql/database/security-server-roles.md
@@ -7,7 +7,7 @@ ms.subservice: security
 author: AndreasWolter
 ms.author: anwolter
 ms.topic: conceptual
-ms.date: 09/02/2021
+ms.date: 03/11/2022
 ms.reviewer: kendralittle, vanto, mathoma
 ---
 
@@ -29,7 +29,7 @@ For example, the server-level role **##MS_ServerStateReader##** holds the permis
 > [!NOTE]
 > Any permission can be denied within user databases, in effect, overriding the server-wide grant via role membership. However, in the system database *master*, permissions cannot be granted or denied.
 
-Azure SQL Database currently provides three fixed server roles. The permissions that are granted to the fixed server roles cannot be changed and these roles can't have other fixed roles as members. You can add server-level SQL logins as members to server-level roles.
+Azure SQL Database currently provides three fixed server roles. The permissions that are granted to the fixed server roles cannot be changed and these roles can't have other fixed roles as members. You can add server-level logins as members to server-level roles.
 
 > [!IMPORTANT]
 > Each member of a fixed server role can add other logins to that same role.
@@ -100,7 +100,8 @@ INNER JOIN sys.sql_logins AS sql_logins
     ON server_role_members.member_principal_id = sql_logins.principal_id
 ;  
 GO  
-```  
+```
+
 ### C. Complete example: Adding a login to a server-level role, retrieving metadata for role membership and permissions, and running a test query
 
 #### Part 1: Preparing role membership and user account
@@ -174,6 +175,32 @@ SELECT * FROM sys.dm_exec_query_stats
 
 ``` 
 
+### D. Check server-level roles for Azure AD logins
+
+Run this command in the virtual master database to see all Azure AD logins that are part of server-level roles in SQL Database. For more information on Azure AD server logins, see [Azure Active Directory server principals](authentication-azure-ad-logins.md).
+
+```sql
+SELECT roles.principal_id AS RolePID,roles.name AS RolePName,
+       server_role_members.member_principal_id AS MemberPID, members.name AS MemberPName
+       FROM sys.server_role_members AS server_role_members
+       INNER JOIN sys.server_principals AS roles
+       ON server_role_members.role_principal_id = roles.principal_id
+       INNER JOIN sys.server_principals AS members 
+      ON server_role_members.member_principal_id = members.principal_id;
+```
+
+### E. Check the virtual master database roles for specific user
+
+Run this command in the virtual master database to check with roles `bob` has, or change the value to match your principal.
+
+```sql
+SELECT DR1.name AS DbRoleName, isnull (DR2.name, 'No members')  AS DbUserName
+   FROM sys.database_role_members AS DbRMem RIGHT OUTER JOIN sys.database_principals AS DR1
+    ON DbRMem.role_principal_id = DR1.principal_id LEFT OUTER JOIN sys.database_principals AS DR2
+     ON DbRMem.member_principal_id = DR2.principal_id
+      WHERE DR1.type = 'R' and DR2.name like 'bob%'
+```
+
 ## Limitations of server-level roles
 
 - Role assignments may take up to 5 minutes to become effective. Also for existing sessions, changes to server role assignments don't take effect until the connection is closed and reopened. This is due to the distributed architecture between the *master* database and other databases on the same logical server.
