includes/active-directory-app-provisioning-sql.md
Lines changed: 31 additions & 17 deletions
@@ -9,11 +9,11 @@ For important details on what this service does, how it works, and frequently as
9
9
10
10
### On-premises prerequisites
11
11
12
-
-A target system, such as a SQL database, in which users can be created, updated, and deleted.
13
-
-A Windows Server 2016 or later computer with an internet-accessible TCP/IP address, connectivity to the target system, and with outbound connectivity to login.microsoftonline.com. An example is a Windows Server 2016 virtual machine hosted in Azure IaaS or behind a proxy. The server should have at least 3 GB of RAM.
14
-
- A computer with .NET Framework 4.7.1.
12
+
-The application relies upon a SQL database, in which records for users can be created, updated, and deleted.
13
+
- An ODBC driver for that SQL database.
14
+
- A Windows Server 2016 or later computer with an internet-accessible TCP/IP address, connectivity to the target system, and with outbound connectivity to login.microsoftonline.com. An example is a Windows Server 2016 virtual machine hosted in Azure IaaS or behind a proxy. The server should have at least 3 GB of RAM and .NET Framework 4.7.1.
15
15
16
-
Depending on the options you select, some of the wizard screens might not be available and the information might be slightly different. For purposes of this configuration, the user object type is used. Use the following information to guide you in your configuration.
16
+
Configuration of the connection to the application's database is done via a wizard. Depending on the options you select, some of the wizard screens might not be available and the information might be slightly different. Use the following information to guide you in your configuration.
17
17
18
18
#### Supported systems
19
19
* Microsoft SQL Server and Azure SQL
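Review bot: the rewrite of line 16 drops the sentence "For purposes of this configuration, the user object type is used." while the Schema 1 table later in this file still sets `Fixed value list/Table/View/SP` to `User`; keep that sentence (or move it next to the Schema 1 step) so the reader knows why `User` is the expected value. Style nit in the new prerequisite list: `-The application relies upon a SQL database` is missing the space after the hyphen that the two following items have.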
@@ -23,7 +23,7 @@ Depending on the options you select, some of the wizard screens might not be ava
23
23
* Oracle 12c and 18c
24
24
* MySQL 5.x
25
25
26
-
Note: The generic SQL connector requires that column names are case-insensitive. MySQL is case-sensitive on Linux and Postgres is case-sensitive across platforms. As a result, they are not currently supported.
26
+
Note: The table-based strategy of the generic SQL connector requires that column names are case-insensitive. MySQL is case-sensitive on Linux and Postgres is case-sensitive across platforms. As a result, they are not currently supported with table-based strategy and configuring provisioning users into those databases is outside the scope of this article.
27
27
28
28
### Cloud requirements
29
29
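Review bot: the reworded note now says MySQL and Postgres are "not currently supported with table-based strategy", but `* MySQL 5.x` still appears under the Supported systems list just above, so a reader cannot tell whether MySQL on Windows (where it is not case-sensitive) is supported or whether the list is simply stale; either qualify the MySQL entry or state which strategies the limitation applies to. Two grammar fixes for the same sentence: "with the table-based strategy" and "configuring provisioning of users into those databases".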
@@ -33,27 +33,41 @@ Note: The generic SQL connector requires that column names are case-insensitive.
33
33
- The Hybrid identity administrator role for configuring the provisioning agent and the Application Administrator or Cloud Administrator roles for configuring provisioning in the Azure portal.
34
34
35
35
## Prepare the sample database
36
-
On a server running SQL Server, run the SQL script found in [Appendix A](#appendix-a). This script creates a sample database with the name CONTOSO. This is the database that you'll be provisioning users into.
37
36
37
+
Typically, applications manage access with a table in the a SQL database, with one row per user. (More complex configurations could have multiple tables or rely upon stored procedures.) For demonstration purposes, if you do not already have a database with a suitable table, then you should create one which Azure AD can be permitted to use. If you're using SQL Server, then run the SQL script found in [Appendix A](#appendix-a). This script creates a sample database with the name CONTOSO, containing a single table `Employees`. This is the database table that you'll be provisioning users into.
38
+
39
+
|Table Column|Source|
40
+
|-----|-----|
41
+
|ContosoLogin|Azure AD user principal name|
42
+
|FirstName|Azure AD given name|
43
+
|LastName|Azure AD surname|
44
+
|Email|Exchange Online email address|
45
+
|InternalGUID|Generated by the database itself|
46
+
|AzureID|Azure AD object ID|
47
+
|textID|Azure AD mail nickname|
48
+
49
+
## Install the ODBC driver
50
+
51
+
The Windows Server where you'll be installing the provisioning agent requires an ODBC driver for your target database. If you're planning to connect to SQL Server or Azure SQL database, then you should download the [ODBC driver for SQL Server (x64)](/sql/connect/odbc/download-odbc-driver-for-sql-server) and install that on the Windows Server.
38
52
39
53
## Create the DSN connection file
40
-
The generic SQL connector is a DSN file to connect to the SQL server. First, you need to create a file with the ODBC connection information.
54
+
The generic SQL connector requires a Data Source Name (DSN) file to connect to the SQL endpoint. First, you need to create a file with the ODBC connection information.
41
55
42
56
1. Start the ODBC management utility on your server. Use the 64-bit version.
43
57
</br>
44
58
2. Select the **File DSN** tab, and select **Add**.
45
59
</br>
46
-
3.Select **SQL Server Native Client 11.0** and select **Next**.
60
+
3.If you're using SQL Server or Azure SQL, select **SQL Server Native Client 11.0** and select **Next**. If you're using another database, select its ODBC driver.
47
61
</br>
48
62
4. Give the file a name, such as **GenericSQL**, and select **Next**.
49
63
</br>
50
64
5. Select **Finish**.
51
65
</br>
52
-
6. Now configure the connection. Enter **APP1** for the name of the server and select **Next**.
66
+
6. Now configure the connection. Enter **APP1** for the name of the server and select **Next**. Note that the following steps will differ depending upon which ODBC driver you're using. These assume you're using the driver to connect to SQL Server.
53
67
</br>
54
68
7. Keep Windows authentication and select **Next**.
55
69
</br>
56
-
8. Enter the name of the sample database, which is **CONTOSO**.
70
+
8. Enter the name of the database, which in this sample is **CONTOSO**.
57
71

58
72
9. Keep everything default on this screen, and select **Finish**.
59
73
</br>
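Review bot: driver names are inconsistent between the new "Install the ODBC driver" section and step 3 of the DSN procedure: the section tells the reader to install the ODBC Driver for SQL Server (x64), but step 3 then says to select **SQL Server Native Client 11.0**, which is a different driver and will not appear in the list if only the linked driver was installed; the step should name the driver the reader was just told to install. Smaller fixes in the same hunk: "in the a SQL database" has a stray article, and `3.If you're using` needs a space after the list number.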
@@ -67,7 +81,7 @@ The generic SQL connector is a DSN file to connect to the SQL server. First, you
67
81
68
82
## Download, install and configure the Azure AD Connect Provisioning Agent Package
69
83
70
-
1.[Download](https://aka.ms/OnPremProvisioningAgent) the provisioning agent and copy it onto the virtual machine or server that has connectivity to your SQL server.
84
+
1.[Download](https://aka.ms/OnPremProvisioningAgent) the provisioning agent and copy it onto the Windows Server that has connectivity to your SQL server.
71
85
>[!NOTE]
72
86
>Please use different provisioning agents for on-premises application provisioning and Azure AD Connect Cloud Sync / HR-driven provisioning. All three scenarios should not be managed on the same agent.
73
87
1. Open the provisioning agent installer, agree to the terms of service, and select **next**.
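Review bot: the `1.[Download]` step sends the reader through an aka.ms redirect and straight to copying the installer onto the server, with no instruction to check the installer's publisher signature before running it; since this agent will hold credentials to the database, add a sentence telling the reader to verify that the installer is signed by Microsoft (the file's Properties, Digital Signatures tab) before step 2. Style nit: `1.[Download]` is missing the space after the list number.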
@@ -102,14 +116,14 @@ The generic SQL connector is a DSN file to connect to the SQL server. First, you
102
116
|Name|SQL|
103
117
|Autosync timer (minutes)|120|
104
118
|Secret Token|Enter your own key here. It should be 12 characters minimum.|
105
-
|Extension DLL|For a generic SQL connector, select **Microsoft.IAM.Connector.GenericSql.dll**.|
119
+
|Extension DLL|For the generic SQL connector, select **Microsoft.IAM.Connector.GenericSql.dll**.|
106
120
4. On the **Connectivity** page, fill in the boxes with the values specified in the table that follows the image and select **Next**.
107
121
</br>
108
122
109
123
|Property|Description|
110
124
|-----|-----|
111
-
|DSN File|The Data Source Name file used to connect to the SQL Server instance.|
112
-
|User Name|The username of an individual with rights to the SQL Server instance. It must be in the form of hostname\sqladminaccount for standalone servers or domain\sqladminaccount for domain member servers.|
125
+
|DSN File|The Data Source Name file you created in the previous step, which is used to connect to the SQL instance.|
126
+
|User Name|The username of an account with rights to make updates to the table in the SQL instance. If the target database is SQL Server, the user name must be in the form of hostname\sqladminaccount for standalone servers or domain\sqladminaccount for domain member servers.|
113
127
|Password|The password of the username just provided.|
114
128
|DN is Anchor|Unless your environment is known to require these settings, don't select the **DN is Anchor** and **Export Type:Object Replace** checkboxes.|
115
129
5. On the **Schema 1** page, fill in the boxes with the values specified in the table that follows the image and select **Next**.
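Review bot: the new `User Name` row says the account only needs "rights to make updates to the table", which is the right least-privilege framing, but the example values `hostname\sqladminaccount` and `domain\sqladminaccount` still suggest an admin login; rename the placeholder (for example `domain\provisioningsvc`) and state the concrete grants needed on the `Employees` table so readers do not hand the agent a sysadmin account. Also, the `DSN File` row now says "the file you created in the previous step", but the DSN file was created under "Create the DSN connection file", before the agent download and installation sections, so "previous step" is inaccurate; reference that section by name instead.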
@@ -119,7 +133,7 @@ The generic SQL connector is a DSN file to connect to the SQL server. First, you
119
133
|-----|-----|
120
134
|Object type detection method|Fixed Value|
121
135
|Fixed value list/Table/View/SP|User|
122
-
6. On the **Schema 2** page, fill in the boxes with the values specified in the table that follows the image and select **Next**.
136
+
6. On the **Schema 2** page, you'll indicate how users are represented in your database. In this sample, it's a table named `Employees`. Fill in the boxes with the values specified in the table that follows the image and select **Next**.
123
137
</br>
124
138
125
139
|Property|Value|
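Review bot: the new Schema 2 sentence describes only the table-based case (`Employees`), while the "Prepare the sample database" text in this same change says more complex configurations use multiple tables or stored procedures, and the field name itself is `Fixed value list/Table/View/SP`; add one sentence saying that view- and stored-procedure-based representations are not covered here so readers with those setups are not left guessing what to enter.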
@@ -230,7 +244,7 @@ Now that you have the Azure AD ECMA Connector Host talking with Azure AD, you ca
230
244

231
245
232
246
## Configure attribute mappings
233
-
Now you need to map attributes between the on-premises application and your SQL server.
247
+
Now you need to map attributes between the representation of the user in Azure AD and the representation of a user in the on-premises application's SQL database.
234
248
235
249
#### Configure attribute mapping
236
250
1. In the Azure AD portal, under **Enterprise applications**, select the **Provisioning** page.
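Review bot: heading levels jump from `## Configure attribute mappings` to `#### Configure attribute mapping`, skipping `###`; the rest of the file uses `###` directly under `##` (for example `### On-premises prerequisites`), so this should be `###`. The new intro sentence would also be more useful if it pointed back to the column-to-source table in "Prepare the sample database", since that table is the mapping the reader is expected to reproduce here.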
@@ -275,7 +289,7 @@ After waiting, check the SQL database to ensure users are being provisioned.
275
289

276
290
277
291
## Appendix A
278
-
Use the following SQL script to create the sample database.
292
+
If you're using SQL Server, you can use the following SQL script to create the sample database.
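Review bot: the Appendix A intro now says "you can use the following SQL script", but the "Prepare the sample database" text in this change refers to it as the script that creates the CONTOSO database and the `Employees` table; say that here too, and note that creating the database needs a principal with CREATE DATABASE rights, which should not be the low-privilege account later entered on the Connectivity page.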