Configure database authentication and authorization

Estimated Time: 20 minutes

The students will take the information gained in the lessons to configure and subsequently implement security in the Azure Portal and within the AdventureWorks database.

You’ve been hired as a Senior Database Administrator to help ensure the security of the database environment.

Note: These exercises ask you to copy and paste T-SQL code and makes use of existing SQL resources. Please verify that the code has been copied correctly, before executing the code.

Authorize access to Azure SQL Database with Azure Active Directory

  1. From the lab virtual machine, start a browser session and navigate to https://portal.azure.com. Connect to the Portal using the Azure Username and Password provided on the Resources tab for this lab virtual machine.

    Picture 1

  2. On the Azure portal home page select All resources.

    Screenshot of the Azure portal home page, selecting All resources

  3. Select the Azure SQL Database server dp300-lab-xxxxxx, where xxxxxx is a random string, and select Not Configured next to Active Directory Admin.

    Screenshot selecting Not Configured

  4. On the next screen, select Set admin.

    Screenshot selecting Set admin

  5. In the Azure Active Directory sidebar, search for the Azure username you logged into the Azure portal with, then click on Select.

  6. Select Save to complete the process. This will make your username the Azure Active Directory admin for the server as shown below.

    Screenshot of the Active Directory admin page

  7. On the left select Overview, then copy the Server name.

    Screenshot showing where to copy the server name from

  8. Open SQL Server Management Studio and select Connect > Database Engine. In the Server name paste the name of your server. Change the authentication type to Azure Active Directory Universal with MFA.

    Screenshot of the Connect to server dialog

    For the User name field, select the Azure Username from the Resources tab.

  9. Select Connect.

[!NOTE] When you first try to sign in to an Azure SQL database your client IP address needs to be added to the firewall. SQL Server Management Studio can do this for you. Use the Azure Portal password from the Resources tab, then select Sign in, choose your Azure credentials and then select OK. Screenshot of adding the client IP address

Manage access to database objects

In this task you will manage access to the database and its objects. The first thing you will do is create two users in the AdventureWorksLT database.

  1. Use the Object Explorer and expand Databases.

  2. Right-click on AdventureWorksLT, and select New Query.

    Screenshot of the new query menu option

  3. In the new query window, copy and paste the below T-SQL into it. Execute the query to create the two users.

     CREATE USER [DP300User1] WITH PASSWORD = 'Azur3Pa$$';
 GO

 CREATE USER [DP300User2] WITH PASSWORD = 'Azur3Pa$$';
 GO

    Note: These users are created in the scope of the AdventureWorksLT database. Next you will create a custom role and add the users to it.

  4. Execute the following T-SQL in the same query window.

     CREATE ROLE [SalesReader];
 GO

 ALTER ROLE [SalesReader] ADD MEMBER [DP300User1];
 GO

 ALTER ROLE [SalesReader] ADD MEMBER [DP300User2];
 GO

    Next create a new stored procedure in the SalesLT schema.

  5. Execute the below T-SQL in your query window.

     CREATE OR ALTER PROCEDURE SalesLT.DemoProc
 AS
 SELECT P.Name, Sum(SOD.LineTotal) as TotalSales ,SOH.OrderDate
 FROM SalesLT.Product P
 INNER JOIN SalesLT.SalesOrderDetail SOD on SOD.ProductID = P.ProductID
 INNER JOIN SalesLT.SalesOrderHeader SOH on SOH.SalesOrderID = SOD.SalesOrderID
 GROUP BY P.Name, SOH.OrderDate
 ORDER BY TotalSales DESC
 GO

    Next use the EXECUTE AS USER syntax to test out the security. This allows the database engine to execute a query in the context of your user.

  6. Execute the following T-SQL.

     EXECUTE AS USER = 'DP300User1'
 EXECUTE SalesLT.DemoProc

    This will fail with the message:

    Screenshot of the error message, The EXECUTE permission was denied on the object DemoProc

  7. Next grant permissions to the role to allow it to execute the store procedure. Execute the below T-SQL.

     REVERT;
 GRANT EXECUTE ON SCHEMA::SalesLT TO [SalesReader];
 GO

    The first command reverts the execution context back to the database owner.

  8. Rerun the previous T-SQL.

     EXECUTE AS USER = 'DP300User1'
 EXECUTE SalesLT.DemoProc

    Screenshot showing the returned rows of data from the stored procedure

In this exercise, you’ve seen how you can use Azure Active Directory to grant Azure credentials access to a SQL Server hosted in Azure. You’ve also used T-SQL statement to create new database users and granted them permissions to run stored procedures.