3_Implement_a_secure_environment

The document outlines the administration of Microsoft Azure SQL Solutions, focusing on Azure Active Directory (Azure AD) for user management and authentication. It details the different pricing options for Azure AD, the process of configuring Azure AD authentication for SQL databases, and how to create and manage Azure AD users within Azure SQL. Additionally, it covers security features such as Transparent Data Encryption and Dynamic Data Masking to protect sensitive data.

DP-300: ADMINISTERING MICROSOFT AZURE SQL SOLUTIONS

IMPLEMENT A SECURE ENVIRONMENT

A – AZURE ACTIVE DIRECTORY (NOW CALLED MICROSOFT ENTRA ID)

 WHAT IS AZURE ACTIVE DIRECTORY
 HOW DOES IT WORK
 PRICING OPTION

 What is Azure Active Directory (Azure AD)

o This is a cloud-based identity and access management service.
o You can create users and groups in Azure AD.
o You can assign licenses to users.
o You can give users defined in Azure AD access to resources in Azure.
o You can also grant different roles to users in Azure AD: directory roles that control Azure AD itself, and Azure RBAC roles that control what a user can do with Azure resources.

 How does it work:

 Pricing option
o Azure Active Directory Free – This provides the basic features of user and group management. It also provides on-premises directory synchronization, basic reports and self-service password change for cloud users.

o Azure Active Directory Premium P1 – Here hybrid users can access both on-premises and cloud resources. It also supports the use of dynamic groups, password write-back to the on-premises directory, and self-service password reset for on-premises users.

o Azure Active Directory Premium P2 – This adds the P1 features plus Azure Active Directory Identity Protection (risk-based sign-in and user policies) and Privileged Identity Management (just-in-time, time-bound activation of privileged roles).

B – LAB – CONFIGURING AZURE AD AUTHENTICATION

 CONFIGURING AZURE AD AUTHENTICATION

 Configuring Azure AD Authentication

o By default, when you create an Azure SQL Database server, it has a single server administrator account, which uses SQL authentication (user name and password).
o You can then set a second administrator for the server that is based on an Azure AD account (a single user or, preferably, a group).
o The Azure AD admin account is created as a contained database user in the master database of the server.
o You can then create contained database users in your databases based on user accounts (or groups) defined in Azure AD.

Let's go ahead and look at configuring Azure AD.

 We already have some SQL databases in place.

 Click "+ Add" to create a new database.

 Choose the existing subscription and resource group, then click "Create new" under "Server *".

 When you create a new Azure SQL Database server you specify the server admin login details (image below). Remember that we did this earlier on. This server admin is a SQL authentication login: it can connect to the Azure SQL Database server and has full privileges over every database defined on that server.

 When you log into a database with SQL Server Management Studio (SSMS), you can define SQL users in the database and give them access accordingly. But in the last chapter we looked at Azure Active Directory, where we already have users defined.

 An organization that uses Azure normally defines its users in Azure Active Directory, and those users work with the resources defined in Azure. If a group of those users needs access to a database on an Azure SQL Database server, defining the same people again as logins and users on the server is a maintenance headache: every identity has to be created, changed and removed in two places. Instead, you create users in the Azure SQL database that are based on identities already defined in Azure Active Directory. That is what we learn here: how to use Azure Active Directory for authentication to an Azure SQL database.

 First, create a new user in Azure Active Directory.

 Enter the user name and name, create the password and hit "Create". We are not attaching the user to any groups or roles. Once the user is created, go to SQL databases.

 Choose a database. Both of these databases are on the same Azure SQL Database server.

 Click on the server name.

 Click on "Active Directory admin".

 To enable Azure Active Directory authentication for an Azure SQL database, you first define a secondary administrator of the Azure SQL Database server that is based on an existing user in Azure Active Directory. Click the "Set admin" button, search for the user just created in Azure Active Directory, click "Select", then "Save". This assigns one of the existing Azure AD users as an additional administrator of the Azure SQL Database server. A server has only one Azure AD admin at a time, so setting a new one replaces the previous one; in practice the admin is usually an Azure AD group rather than one person, so that administration does not depend on a single account.

 In SSMS, connect to the Azure SQL Database server with this identity from Azure Active Directory. Under Authentication choose "Azure Active Directory - Universal with MFA", paste the user name, hit "Connect" and enter the password. Since this is the first sign-in for this user, you are asked to change the password. After signing in you can see that we are indeed connected to the Azure SQL Database server.

 Expand Databases and both databases are listed. whizlabsecondary has the tables from the AdventureWorks sample database. Right-click any table and select its data. Because this user is now an administrator, it has access to all tables in all databases on the server. So we have now logged into the Azure SQL Database server with an identity that lives in Azure Active Directory.
C – LAB – CREATING AZURE AD USERS IN SQL DATABASE

 CREATING AZURE AD USERS IN THE AZURE SQL DATABASE

 If we go to Azure Active Directory:

 Remember earlier on we created the user 'whizlabusr10'. To find it, go to Users, search for the name and copy the user principal name shown as the user ID.

 Let's say we want to give this user defined in Azure Active Directory the ability to log into one of our databases (whizlabsecondary). Earlier we logged into the Azure SQL Database server as the Azure AD administrator; stay in that connection, right-click the database, hit "New Query" and execute the following command:

CREATE USER [[email protected]] FROM EXTERNAL PROVIDER;

 This creates a contained user directly in the database based on the identity defined in Azure Active Directory (we give the user principal name of the user). FROM EXTERNAL PROVIDER tells the database to resolve the name against Azure Active Directory as the external identity provider rather than against a SQL login. The command has to be run by an Azure AD principal, such as the Azure AD admin; a SQL authentication login cannot create users from an external provider.

 Hit "Execute" to run the command, and the user is now in place. In the database, expand Security, then Users, to see it.

 Now we should be able to log in with this user. Copy the user name from the command, hit "Connect", click "Database Engine...", paste the user name into "User name", hit "Connect", enter the password, and note the failure message. Even though we have defined the user in the SQL database, the connection still fails: the user exists only in whizlabsecondary and has not yet been given permissions to work with the data, so we need to target that database and assign the required permissions. The next chapter shows how to configure permissions for the user in the SQL database.
D – LAB – CONFIGURING SECURITY FOR SQL USERS

 CONFIGURING SECURITY FOR SQL USERS

 In the previous chapter we saw how to create a user in an Azure SQL database based on an existing identity in Azure Active Directory, but we hit a roadblock when logging into the database itself. Let's see how to configure security for SQL users.

 Back in SQL Server Management Studio (SSMS), remember we are logged in as the Azure Active Directory administrator for this server. In the same query window where we wrote the CREATE USER command, execute the following command:

EXEC sp_addrolemember 'db_datareader', '[email protected]';

 Here we use one of the built-in database roles. db_datareader gives the user the ability to read every table and view in the database, which is the broad grant used in this lab; in production, grant SELECT on only the schemas or tables the user actually needs. (sp_addrolemember is deprecated; ALTER ROLE db_datareader ADD MEMBER is the current form of the same grant.) Hit "Execute".

 Now we can connect again. Hit "Connect", then "Database Engine...", change the user name, click "Options" and open "Additional Connection Parameters".

 Here we must specify the database to connect to, because the user was created only in the whizlabsecondary database. It is a contained user with no login in master, so a connection that lands on the default database (master) is refused. Enter the parameter below, then hit "Connect".

database=whizlabsecondary

 We are connected to the database server. Expand Databases, expand the database (whizlabsecondary), expand Tables. You can see the tables, right-click a table and select the rows in it.
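The two steps above (the CREATE USER ... FROM EXTERNAL PROVIDER from the previous chapter and the role grant from this one) as one complete T-SQL script, with the verification queries a reviewer would run afterwards. This is an added example and not part of the course notes: the user principal name whizlabusr10@contoso.onmicrosoft.com, the group SQL-Readers and the SalesLT schema (from the AdventureWorksLT sample) are assumed names. Run it in SSMS connected to the target database (whizlabsecondary) as the server's Azure AD admin.

```sql
-- Added example (not from the course notes). Connect to the target database,
-- not master, as the server's Azure AD admin. Names below are placeholders.

-- 1. Contained users for one Azure AD user and one Azure AD group.
--    No login is created in master: the principal exists only in this database.
CREATE USER [whizlabusr10@contoso.onmicrosoft.com] FROM EXTERNAL PROVIDER;
CREATE USER [SQL-Readers]                          FROM EXTERNAL PROVIDER;  -- a group

-- 2. Permissions. sp_addrolemember still works but is deprecated;
--    ALTER ROLE ... ADD MEMBER is the current form.
ALTER ROLE db_datareader ADD MEMBER [SQL-Readers];

--    A narrower alternative to db_datareader: read access to one schema only,
--    via a custom role so the grant is reusable.
CREATE ROLE sales_reader;
GRANT SELECT ON SCHEMA::SalesLT TO sales_reader;
ALTER ROLE sales_reader ADD MEMBER [whizlabusr10@contoso.onmicrosoft.com];

-- 3. Verify which Azure AD principals exist in this database.
--    type E = external user, X = external group; authentication type is EXTERNAL.
SELECT p.name, p.type_desc, p.authentication_type_desc
FROM sys.database_principals AS p
WHERE p.type IN ('E', 'X');

-- 4. Verify role membership for those principals.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.type IN ('E', 'X');

-- 5. Offboarding is a single statement per database; the Azure AD account
--    itself is disabled in the directory.
-- DROP USER [whizlabusr10@contoso.onmicrosoft.com];
```

Granting through a group (SQL-Readers) rather than to individual users means joiners and leavers are handled in Azure AD only, which is the maintenance benefit the chapter is after; the per-user grant is kept here to mirror the lab.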

E – AZURE SQL DATABASE – TRANSPARENT DATA ENCRYPTION

 WHAT IS TRANSPARENT DATA ENCRYPTION

 This is a feature that encrypts data at rest.
 It is available for Azure SQL Database and Azure SQL Managed Instance.
 It is an additional layer of security. It protects against malicious offline activity, such as someone obtaining the database, log or backup files from the underlying storage. It does not protect data from anyone who can log into the database with sufficient permissions; access control, and the masking covered in the next chapter, are still needed for that.
 The feature performs real-time encryption and decryption of the database, its associated backups and its transaction log files at the page level, transparently to applications.
 By default, Transparent Data Encryption is enabled automatically for newly created Azure SQL databases, using a service-managed key.

Let's go to Azure to show the setting for Transparent Data Encryption.

 Open any database, scroll down to the Security section and click "Transparent data encryption". By default the encryption status is On, so there is nothing you need to do: the data stored in the Azure data center is encrypted at rest. The setting can be switched Off, which is the state a reviewer should look for.
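The portal check above can also be scripted in T-SQL, which is what you would run across a fleet of databases or put in a compliance check. This is an added example, not from the course notes; whizlabsecondary is the lab's database name and the ALTER DATABASE statement must be run from master by the server admin.

```sql
-- Added example (not from the course notes). Per-database view: run while
-- connected to the user database. The DMV is scoped to the current database
-- in Azure SQL Database.
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state,          -- 0 no key, 1 unencrypted, 2 encryption in progress,
                                      -- 3 encrypted, 4 key change, 5 decryption in progress,
                                      -- 6 protection change in progress
       dek.encryptor_type,            -- CERTIFICATE for the service-managed key
       dek.key_algorithm,
       dek.key_length,
       dek.percent_complete           -- non-zero only while state is 2, 4, 5 or 6
FROM sys.dm_database_encryption_keys AS dek;

-- Server-wide view: run from master. Anything returned here is a finding.
SELECT name
FROM sys.databases
WHERE is_encrypted = 0
  AND name <> 'master';

-- Remediation (from master, as server admin). TDE is on by default; the
-- statement that turns it off is the one to alert on if it appears in audit logs.
ALTER DATABASE [whizlabsecondary] SET ENCRYPTION ON;
-- ALTER DATABASE [whizlabsecondary] SET ENCRYPTION OFF;   -- do not run
```

Encryption of an existing database is a background scan, so after turning it on expect encryption_state = 2 with percent_complete rising until the state reaches 3.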

F – LAB – AZURE SQL DATABASE – DYNAMIC DATA MASKING

 WHAT IS DYNAMIC DATA MASKING
 HOW TO WORK WITH DYNAMIC DATA MASKING

 This is a technique used to limit the exposure of sensitive data to non-privileged users. The data is stored unchanged; the mask is applied to query results for users who do not hold the UNMASK permission.
 You decide the level of exposure per column.
 Common example: a table in the database stores credit card information. You want users who query it to see only the last four digits of the credit card number in the results, with the other characters masked.
 The Dynamic Data Masking policies (masking functions) available are:
o Default – Full masking. Numeric data types show zero, string data types show XXXX (or fewer Xs if the field is shorter than four characters), and date/time types show 1900-01-01.
o Credit card – Only the last four digits of the card number are shown; the rest is replaced with the constant prefix XXXX-XXXX-XXXX-.
o Email – Exposes the first letter of the address and replaces the rest with a constant, in the form aXXX@XXXX.com.
o Random number – For numeric columns, replaces the value with a random number within the boundaries you select; the result keeps the column's data type.
o Custom text – You define the exposed prefix, the padding string and the exposed suffix.
 Masking limits what is shown in result sets; it does not stop a user with SELECT permission from running queries that filter on the real values, so it complements access control rather than replacing it.

Let's go to Azure.

 In Azure, go to the SQL databases section, click the database, scroll down to the Security section and click "Dynamic Data Masking".
 Click "Add mask", choose the schema, table, column and masking function, then "Save".
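The same masks applied in T-SQL, with a non-privileged reader to show the masked output and the inference caveat from the list above. This is an added example and not part of the course notes: the table dbo.Payment, its rows and the user MaskTester are constructed for the example, and MaskTester is a SQL user without login so that the script is self-contained (an Azure AD user created with FROM EXTERNAL PROVIDER would be masked in the same way).

```sql
-- Added example (not from the course notes). Table, data and user are constructed.
CREATE TABLE dbo.Payment (
    PaymentId    INT IDENTITY PRIMARY KEY,
    CustomerName NVARCHAR(100) MASKED WITH (FUNCTION = 'default()'),
    Email        NVARCHAR(100),                                      -- masked below
    CardNumber   VARCHAR(19)   MASKED WITH (FUNCTION = 'partial(0,"XXXX-XXXX-XXXX-",4)'),
    Amount       DECIMAL(10,2) MASKED WITH (FUNCTION = 'random(1, 999)')
);
INSERT INTO dbo.Payment (CustomerName, Email, CardNumber, Amount) VALUES
    (N'Ana Pereira', 'ana.pereira@example.com', '4111-1111-1111-1111', 125.50),
    (N'Bob Tanaka',  'bob.tanaka@example.com',  '5500-0000-0000-0004',  89.99);

-- Add a mask to an existing column (what the portal's "Add mask" does).
ALTER TABLE dbo.Payment ALTER COLUMN Email ADD MASKED WITH (FUNCTION = 'email()');

-- Inventory: every masked column in the database and its function.
SELECT OBJECT_NAME(mc.object_id) AS table_name, mc.name AS column_name, mc.masking_function
FROM sys.masked_columns AS mc
WHERE mc.is_masked = 1;

-- A non-privileged reader with SELECT only.
CREATE USER MaskTester WITHOUT LOGIN;
GRANT SELECT ON dbo.Payment TO MaskTester;

EXECUTE AS USER = 'MaskTester';
-- CustomerName and Email come back masked, CardNumber shows only the last
-- four digits, Amount is a random number in 1..999.
SELECT CustomerName, Email, CardNumber, Amount FROM dbo.Payment;

-- Caveat: masks apply to the projected result, not to predicates. The reader
-- can still test the real value, so SELECT on the table is itself the exposure.
SELECT PaymentId FROM dbo.Payment WHERE CardNumber LIKE '4111%';   -- returns PaymentId 1
REVERT;

-- Privileged users see clear text via UNMASK (db_owner members have it implicitly).
GRANT UNMASK TO MaskTester;
```

The LIKE query is the reason the chapter describes masking as limiting exposure rather than preventing it: restrict who can SELECT the column at all, and treat UNMASK as a privileged grant to be reviewed like role membership.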
