| 1 | +--- |
| 2 | +title: Active Directory authentication - Azure Database for MySQL - Flexible Server Preview |
| 3 | +description: Learn about the concepts of Azure Active Directory for authentication with Azure Database for MySQL flexible server |
| 4 | +author: vivgk |
| 5 | +ms.author: vivgk |
| 6 | +ms.reviewer: maghan |
| 7 | +ms.date: 09/21/2022 |
| 8 | +ms.service: mysql |
| 9 | +ms.subservice: flexible-server |
| 10 | +ms.topic: conceptual |
| 11 | +--- |
| 12 | + |
| 13 | +# Active Directory authentication - Azure Database for MySQL - Flexible Server Preview |
| 14 | + |
| 15 | +[!INCLUDE[applies-to-mysql-flexible-server](../includes/applies-to-mysql-flexible-server.md)] |
| 16 | + |
| 17 | +Microsoft Azure Active Directory (Azure AD) authentication is a mechanism of connecting to Azure Database for MySQL Flexible server using identities defined in Azure AD. With Azure AD authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management. |
| 18 | + |
| 19 | +## Benefits |
| 20 | + |
| 21 | +- Authentication of users across Azure Services in a uniform way |
| 22 | +- Management of password policies and password rotation in a single place |
| 23 | +- Multiple forms of authentication supported by Azure Active Directory, which can eliminate the need to store passwords |
| 24 | +- Customers can manage database permissions using external (Azure AD) groups. |
| 25 | +- Azure AD authentication uses MySQL database users to authenticate identities at the database level |
| 26 | +- Support of token-based authentication for applications connecting to Azure Database for MySQL Flexible server |
| 27 | + |
| 28 | +## Use the steps below to configure and use Azure AD authentication |
| 29 | + |
| 30 | +1. Select your preferred authentication method for accessing the MySQL flexible server. By default, the authentication selected will be MySQL authentication only. Select Azure Active Directory authentication only or MySQL and Azure Active Directory authentication to enabled Azure AD authentication. |
| 31 | +2. Select the user managed identity (UMI) with the following privileges: _User.Read.All, GroupMember.Read.All_ and _Application.Read.ALL_, which can be used to configure Azure AD authentication. |
| 32 | +3. Add Azure AD Admin. It can be Azure AD Users, Groups or security principles, which will have access to Azure Database for MySQL flexible server. |
| 33 | +4. Create database users in your database mapped to Azure AD identities. |
| 34 | +5. Connect to your database by retrieving a token for an Azure AD identity and logging in. |
| 35 | + |
| 36 | +> [!Note] |
| 37 | +> For detailed, step-by-step instructions about how to configure Azure AD authentication with Azure Database for MySQL flexible server, see [Learn how to set up Azure Active Directory authentication for Azure Database for MySQL flexible Server](how-to-azure-ad.md) |
| 38 | +
|
| 39 | +## Architecture |
| 40 | + |
| 41 | +User-managed identities are required for Azure Active Directory authentication. When a User-Assigned Identity is linked to the flexible server, the Managed Identity Resource Provider (MSRP) issues a certificate internally to that identity, and when the managed identity is deleted, the corresponding service principal is automatically removed. The service then uses the managed identity to request access tokens for services that support Azure AD authentication. Only a User-assigned Managed Identity (UMI) is currently supported by Azure Database for MySQL-Flexible Server. For more information, see [Managed identity types](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) in Azure. Azure takes care of rolling the credentials that are used by the service instance. |
| 42 | + |
| 43 | +The following high-level diagram summarizes how authentication works using Azure AD authentication with Azure Database for MySQL. The arrows indicate communication pathways. |
| 44 | + |
| 45 | +:::image type="content" source="media/concepts-azure-ad-authentication/azure-ad-authentication-flow.jpg" alt-text="Diagram of how Azure ad authentication works."::: |
| 46 | + |
| 47 | +1. Your application can request a token from the Azure Instance Metadata Service identity endpoint. |
| 48 | +2. Using the client ID and certificate, a call is made to Azure AD to request an access token. |
| 49 | +3. A JSON Web Token (JWT) access token is returned by Azure AD. |
| 50 | +4. Your application sends the access token on a call to Azure Database for MySQL flexible server. |
| 51 | + |
| 52 | +## Administrator structure |
| 53 | + |
| 54 | +When using Azure AD authentication, there are two Administrator accounts for the MySQL server; the original MySQL administrator and the Azure AD administrator. Only the administrator based on an Azure AD account can create the first Azure AD contained database user in a user database. The Azure AD administrator login can be an Azure AD user or an Azure AD group. When the administrator is a group account, it can be used by any group member, enabling multiple Azure AD administrators for the MySQL Flexible server. Using a group account as an administrator enhances manageability by allowing you to centrally add and remove group members in Azure AD without changing the users or permissions in the MySQL Flexible server. Only one Azure AD administrator (a user or group) can be configured at a time. |
| 55 | + |
| 56 | +:::image type="content" source="media/concepts-azure-ad-authentication/azure-ad-admin-structure.jpg" alt-text="Diagram of Azure ad admin structure."::: |
| 57 | + |
| 58 | +Methods of authentication for accessing the MySQL flexible server include: |
| 59 | +- MySQL Authentication only - Create a MySQL admin login and password to access your MySQL server with MySQL authentication. |
| 60 | +- Only Azure AD authentication - Authenticate as an Azure AD admin using an existing Azure AD user or group; the server parameter **aad_auth_only** will be _enabled_. |
| 61 | +- Authentication with MySQL and Azure AD - Authenticate using MySQL admin credentials or as an Azure AD admin using an existing Azure AD user or group; the server parameter **aad_auth_only** will be _disabled_. |
| 62 | + |
| 63 | +## Permissions |
| 64 | + |
| 65 | +To allow the UMI to read from Microsoft Graph as the server identity, the following permissions are required. Alternatively, give the UMI the [Directory Readers](../../active-directory/roles/permissions-reference.md#directory-readers) role. |
| 66 | + |
| 67 | +These permissions should be granted before you provision a logical server or managed instance. After you grant the permissions to the UMI, they're enabled for all servers or instances that are created with the UMI assigned as a server identity. |
| 68 | + |
| 69 | +> [!IMPORTANT] |
| 70 | +> Only a [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) or [Privileged Role Administrator](/azure/active-directory/roles/permissions-reference#privileged-role-administrator) can grant these permissions. |
| 71 | +
|
| 72 | +- [User.Read.All](/graph/permissions-reference#user-permissions): Allows access to Azure AD user information. |
| 73 | +- [GroupMember.Read.All](/graph/permissions-reference#group-permissions): Allows access to Azure AD group information. |
| 74 | +- [Application.Read.ALL](/graph/permissions-reference#application-resource-permissions): Allows access to Azure AD service principal (application) information. |
| 75 | + |
| 76 | +To create a new Azure AD database user, you must connect as the Azure AD administrator. This is demonstrated in Configure and Login with Azure AD for Azure Database for MySQL. |
| 77 | + |
| 78 | +Any Azure AD authentication is only possible if the Azure AD admin was created for Azure Database for MySQL Flexible server. If the Azure Active Directory admin was removed from the server, existing Azure Active Directory users created previously can no longer connect to the database using their Azure Active Directory credentials. |
| 79 | + |
| 80 | +## Token Validation |
| 81 | + |
| 82 | +Azure AD authentication in Azure Database for MySQL flexible server ensures that the user exists in the MySQL server, and it checks the validity of the token by validating the contents of the token. The following token validation steps are performed: |
| 83 | + |
| 84 | +- Token is signed by Azure AD and has not been tampered with. |
| 85 | +- Token was issued by Azure AD for the tenant associated with the server. |
| 86 | +- Token has not expired. |
| 87 | +- Token is for the Azure Database for MySQL flexible server resource (and not another Azure resource). |
| 88 | + |
| 89 | +## Connecting using Azure AD identities |
| 90 | + |
| 91 | +Azure Active Directory authentication supports the following methods of connecting to a database using Azure AD identities: |
| 92 | + |
| 93 | +- Azure Active Directory Password |
| 94 | +- Azure Active Directory Integrated |
| 95 | +- Azure Active Directory Universal with MFA |
| 96 | +- Using Active Directory Application certificates or client secrets |
| 97 | +- Managed Identity |
| 98 | + |
| 99 | +Once you have authenticated against the Active Directory, you then retrieve a token. This token is your password for logging in. |
| 100 | + |
| 101 | +Please note that management operations, such as adding new users, are only supported for Azure AD user roles at this point. |
| 102 | + |
| 103 | +> [!NOTE] |
| 104 | +> For more details on how to connect with an Active Directory token, see [Configure and sign in with Azure AD for Azure Database for MySQL flexible server](how-to-azure-ad.md). |
| 105 | +
|
| 106 | +## Additional considerations |
| 107 | + |
| 108 | +- Only one Azure AD administrator can be configured for an Azure Database for MySQL Flexible server at any time. |
| 109 | +- Only an Azure AD administrator for MySQL can initially connect to the Azure Database for MySQL Flexible server using an Azure Active Directory account. The Active Directory administrator can configure subsequent Azure AD database users or an Azure AD group. When the administrator is a group account, it can be used by any group member, enabling multiple Azure AD administrators for the MySQL Flexible server. Using a group account as an administrator enhances manageability by allowing you to centrally add and remove group members in Azure AD without changing the users or permissions in the MySQL Flexible server. |
| 110 | +- If a user is deleted from Azure AD, that user will no longer be able to authenticate with Azure AD, and therefore it will no longer be possible to acquire an access token for that user. In this case, although the matching user will still be in the database, it will not be possible to connect to the server with that user. |
| 111 | + |
| 112 | +> [!NOTE] |
| 113 | +> Login with the deleted Azure AD user can still be done till the token expires (up to 60 minutes from token issuing). If you also remove the user from Azure Database for MySQL this access will be revoked immediately. |
| 114 | +
|
| 115 | +- If the Azure AD admin is removed from the server, the server will no longer be associated with an Azure AD tenant, and therefore all Azure AD logins will be disabled for the server. Adding a new Azure AD admin from the same tenant will re-enable Azure AD logins. |
| 116 | +- Azure Database for MySQL Flexible server matches access tokens to the Azure Database for MySQL user using the user’s unique Azure AD user ID, as opposed to using the username. This means that if an Azure AD user is deleted in Azure AD and a new user created with the same name, Azure Database for MySQL considers that a different user. Therefore, if a user is deleted from Azure AD and then a new user with the same name added, the new user will not be able to connect with the existing user. |
| 117 | + |
| 118 | +## Next steps |
| 119 | + |
| 120 | +- To learn how to create and populate Azure AD, and then configure Azure AD with Azure Database for MySQL, see [Set up Azure Active Directory authentication for Azure Database for MySQL flexible server](how-to-azure-ad.md) |
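Review bot: In the Permissions section, "These permissions should be granted before you provision a logical server or managed instance" refers to Azure SQL resource types, not Azure Database for MySQL Flexible Server; it should read "before you provision the flexible server" so readers are not left wondering whether a different resource is meant. The same section (and step 2 of the configuration steps) spells the Graph permission as "Application.Read.ALL" while the linked permissions reference uses "Application.Read.All"; make the casing consistent. Smaller fixes: step 1 "to enabled Azure AD authentication" should be "to enable", step 3 "security principles" should be "security principals", and the note under Additional considerations should say "until the token expires". The sentence "This is demonstrated in Configure and Login with Azure AD for Azure Database for MySQL" names a document without linking it; add the link (presumably how-to-azure-ad.md, which is linked elsewhere on this page). Finally, the second bullet under Additional considerations repeats the group-administrator paragraph from Administrator structure almost verbatim; consider keeping only one copy.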