patternMinor
Add Active Directory User For Azure-SQL-DB
Viewed 0 times
directoryactivesqluserazureforadd
Problem
I have an active directory user LDomain\LUser and I want that user to be able to connect to Azure-Sql-DB. The syntax MS uses is throwing an error.
T-SQL:
Error:
Principal 'LDomain\LUser' could not be found or this principal type is
not supported.
I'm only looking for the script to add an AD user - no interface. I know that the AD user exists in Azure and have confirmed, but the Azure-Sql-DB isn't recognizing it, or this T-SQL is invalid - though this is from their documentation.
T-SQL:
CREATE USER [LDomain\LUser] FROM EXTERNAL PROVIDERError:
Principal 'LDomain\LUser' could not be found or this principal type is
not supported.
I'm only looking for the script to add an AD user - no interface. I know that the AD user exists in Azure and have confirmed, but the Azure-Sql-DB isn't recognizing it, or this T-SQL is invalid - though this is from their documentation.
Solution
When provisioning users from external Azure Active Directory instances that are federated with your Azure subscription, you need to use the underlying "guest" email address created for the Azure subscription, not the "actual" email address.
i.e. The Microsoft scenario mentioned here as "Imported members from other Azure AD’s who are native or federated domain members".
So, instead of:
One needs to use the following convention. This is Microsoft's way of storing a guest / federated user from another Azure active Directory.
Alternatively, using groups makes this far more intuitive and manageable.
This works fine, the external users can then sign in, admins can GRANT permissions etc, etc.
i.e. The Microsoft scenario mentioned here as "Imported members from other Azure AD’s who are native or federated domain members".
So, instead of:
CREATE USER [your.user@example.com] FROM EXTERNAL PROVIDEROne needs to use the following convention. This is Microsoft's way of storing a guest / federated user from another Azure active Directory.
CREATE USER [your.user_example.com#EXT#@.onmicrosoft.com] FROM EXTERNAL PROVIDERAlternatively, using groups makes this far more intuitive and manageable.
- Create a group (say
SqlUsersFromExternalDirectory) in the Azure subscription's default Azure Active Directory.
- Add the external users you want to access the SQL Warehouse or DB to to the group.
- Add the group as an external user in the target database
CREATE USER [SqlUsersFromExternalDirectory] FROM EXTERNAL PROVIDERThis works fine, the external users can then sign in, admins can GRANT permissions etc, etc.
Code Snippets
CREATE USER [your.user@example.com] FROM EXTERNAL PROVIDERCREATE USER [your.user_example.com#EXT#@<yourAzureSubscriptionPrefix>.onmicrosoft.com] FROM EXTERNAL PROVIDERContext
StackExchange Database Administrators Q#148325, answer score: 4
Revisions (0)
No revisions yet.