Azure SQL Server

Fernando Gutierrez 180 Reputation points
2024-08-22T18:13:19.2233333+00:00

Please

Could you help me with the following question:

In Azure SQL Servers

With which script(s) should a login be created using MFA authentication with T-SQL?

Then with which script should the users be created within the databases of said SQL engine and what are the available roles?

Thank you!

Azure SQL Database
0 comments
Accepted answer
  1. Oury Ba-MSFT 19,426 Reputation points Microsoft Employee
    2024-08-22T19:55:19.44+00:00

    @Fernando Gutierrez Thank you for reaching out.

    Specifies the Microsoft Entra principal for which the database user is being created. The Microsoft_Entra_principal can be a Microsoft Entra user, a Microsoft Entra group, or a Microsoft Entra application. (Microsoft Entra users can't have Windows Authentication logins in SQL Database; only database users.) The connection string must specify the contained database as the initial catalog.

    For Microsoft Entra principals, the CREATE USER syntax requires:

    UserPrincipalName of the Microsoft Entra object for Microsoft Entra Users.

    • CREATE USER [bob@contoso.com] FROM EXTERNAL PROVIDER;
      • CREATE USER [alice@fabrikam.onmicrosoft.com] FROM EXTERNAL PROVIDER;
      Microsoft Entra server principals (logins) introduces creating users that are mapped to Microsoft Entra logins in the virtual master database. CREATE USER [bob@contoso.com] FROM LOGIN [bob@contoso.com]

    https://video2.skills-academy.com/en-us/entra/identity/authentication/tutorial-enable-azure-mfa

    https://video2.skills-academy.com/en-us/sql/t-sql/statements/create-user-transact-sql?view=sql-server-ver16

    Use the syntax extension FROM EXTERNAL PROVIDER to create server-level Microsoft Entra logins in Azure SQL Database and Azure SQL Managed Instance. Microsoft Entra logins allow database-level Microsoft Entra principals to be mapped to server-level Microsoft Entra logins. To create a Microsoft Entra user from a Microsoft Entra login use the following syntax:

    CREATE USER [Microsoft_Entra_principal] FROM LOGIN [Microsoft Entra login]

    When creating the user in the Azure SQL database, the login_name must correspond to an existing Microsoft Entra login, or else using the FROM EXTERNAL PROVIDER clause will only create a Microsoft Entra user without a login in the master database. For example, this command will create a contained user:

    CREATE USER [bob@contoso.com] FROM EXTERNAL PROVIDER

    Please let us know if you need more clarification

    Regards,

    Oury

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.