In this section, learn how to configure authentication for Azure PaaS database offerings. Configuring authentication, along with authorization, ensures sensitive data is appropriately safeguarded from prying eyes.
- [Instructor] Enabling database authentication is another area where you may see questions on the AZ-500 exam, specifically around Azure AD authentication for Azure SQL or SQL managed instances. So let's just go over to the Azure portal and have a look at the configuration I'm talking about. So in the left menu here, I'll select SQL servers. This is the Azure SQL feature. I'm going to pick a server instance. And under the settings menu in the center, I'll see Active Directory admin. This is where I can set an Azure Active Directory account as an administrator. So every SQL server has an admin account. This will be specifying a second account, so an account that has DB owner role in every database and can enter the user database as the DBO user. So in this case, I've specified nobody yet, so I'll go in and pick my Azure AD, and I'm picking a work account. So if you have a Live account that has a Gmail or other extension, you actually can't use that in this case. You need to use a proper Azure AD, what we'd call a work account. And if I go look at SQL managed instances, I have a very similar configuration here. So the SQL managed instance is a managed SQL server that is virtually identical in every way to an on-premises SQL server running the database edition, and it's really designed for folks who'd like to migrate on-premises SQL databases to Azure and expect that they'll function normally without a lot of additional configuration. So here I have under the settings menu a very similar situation. I have that Active Directory admin and the set admin options so I can specify that administrator. Now, there's one difference with the SQL managed instance, and that is the first time you come to this Active Directory Admin menu, you're going to have an orange ribbon at the top of the right pane here that says you must grant this instance read access to Azure Active Directory.
To do that, you'll simply click the link in the orange ribbon, click the button behind it, and read access is granted immediately. So there's no real effort or knowledge involved there. It does assume that you're running a privileged account when you come to this screen, of course, so logging in as a global administrator, at least temporarily, is going to make good sense. And then you can pick your account you'd like to make administrator, save those changes, and that will update in just a few seconds' time. So essentially, you have now another administrator account that's a DB owner role in every database and can enter each database as the DBO user. So in geo-replication scenarios, if you have an Azure SQL instance in one data center replicating to an Azure SQL instance in another data center, you'll need to touch that secondary server to grant that permission, that admin access for your Azure AD account. If you fail to do that, and you fail from your primary to your secondary instance, that secondary instance isn't going to know about your Azure AD account, and you'll receive an access error, as you would probably expect. So for the exam, do make sure that you're familiar with the details around the account type, the need for a work account, and the special considerations in geo-replication scenarios, and you should be ready to go.
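The same configuration the instructor performs in the portal, scripted with Azure PowerShell so that the geo-replication caveat is handled automatically: the script resolves a work account, discovers every replication partner of a geo-replicated database, sets that account as the Azure AD admin on the primary server and on each partner server, and then reads the setting back from every server to confirm they match. This is an added example, not code from the course; it assumes the Az.Sql and Az.Resources modules, an already authenticated session (Connect-AzAccount) with rights to change server admins, and the placeholder resource group, server, database and UPN values shown.

```powershell
# Added example (not from the course). Sets one Azure AD admin on an Azure SQL logical
# server and on every geo-replication partner server, then verifies the result.
# Assumes: Az.Sql + Az.Resources modules, Connect-AzAccount already run.
# All names below are placeholders, not values from the course.
$ResourceGroup = 'rg-sql-primary'        # placeholder resource group of the primary server
$PrimaryServer = 'sql-primary-01'        # placeholder primary logical server name
$DatabaseName  = 'appdb'                 # placeholder geo-replicated database
$AdminUpn      = 'sqladmin@contoso.com'  # placeholder work (Azure AD) account; consumer accounts are rejected

# Resolve the work account to its object ID. A Microsoft/Gmail consumer account will not be found.
$adminUser = Get-AzADUser -UserPrincipalName $AdminUpn
if (-not $adminUser) {
    throw "Work account '$AdminUpn' was not found in this Azure AD tenant. Use a proper Azure AD work account."
}

# Every server that must carry the admin: the primary plus each geo-replication partner.
$targets = @(@{ ResourceGroupName = $ResourceGroup; ServerName = $PrimaryServer })
$links = Get-AzSqlDatabaseReplicationLink -ResourceGroupName $ResourceGroup `
                                          -ServerName $PrimaryServer `
                                          -DatabaseName $DatabaseName
foreach ($link in $links) {
    $targets += @{ ResourceGroupName = $link.PartnerResourceGroupName; ServerName = $link.PartnerServerName }
}

# Set the Azure AD admin on each server. Skipping a secondary is what produces the
# access error after a failover that the course warns about.
foreach ($t in $targets) {
    Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $t.ResourceGroupName `
                                                -ServerName $t.ServerName `
                                                -DisplayName $adminUser.DisplayName `
                                                -ObjectId $adminUser.Id | Out-Null
}

# Verify: read the admin back from every server and flag any that do not match.
$drift = @()
foreach ($t in $targets) {
    $current = Get-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $t.ResourceGroupName `
                                                           -ServerName $t.ServerName
    "{0}: Azure AD admin = {1} ({2})" -f $t.ServerName, $current.DisplayName, $current.ObjectId
    if ($current.ObjectId -ne $adminUser.Id) { $drift += $t.ServerName }
}

if ($drift.Count -gt 0) {
    Write-Warning ("Azure AD admin differs on: {0}. A failover to these servers would fail Azure AD logins." -f ($drift -join ', '))
} else {
    "Azure AD admin '{0}' is consistent across {1} server(s)." -f $AdminUpn, $targets.Count
}
```

The verification loop is the part worth keeping in a runbook: the replication link is discovered from the primary, so adding a new secondary later and re-running the script picks it up, and the drift warning surfaces exactly the condition that otherwise only shows up as an access error after a failover.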