Part 1 – Azure SQL Database with Azure Active Directory Authentication

This is the first post in a series of three that will help you create identity pass-through authentication from a client application to an API and then to an Azure SQL Database. In this post we set up an Azure SQL Database and enable Azure Active Directory authentication on the database.

Create Azure SQL Database

The first step is to create a new Azure SQL Database.

  1. Open the Azure portal (
  2. Click on “New” and search for SQL Database.

Azure SQL Database

  3. Click on SQL Database.
  4. In the next blade that appears click “Create”.
  5. In the “New” SQL Database blade fill in the correct properties. For this example you could use the AdventureWorks database.
  6. Wait for the Azure SQL Database deployment to complete.

Enable Azure Active Directory Authentication

  1. When you created the Azure SQL Database you also created an Azure SQL Server, or chose to use an existing one. Within the portal navigate to the Azure SQL Server.
  2. In the Azure SQL Server blade click on “Active Directory admin” under “Settings”.
  3. Click on “Set admin” in the “Active Directory Admin” blade.

Active Directory Admin

  4. Add the Active Directory user that you want to use as admin and click on “Select”.
  5. In the Active Directory Admin blade click on “Save” to save the settings.

Add user to the Azure SQL Database

With the Active Directory Admin set for the Azure SQL Server, you are able to log in to the SQL server with SQL Server Management Studio. On all client machines from which your applications or users connect to Azure SQL Database or Azure SQL Data Warehouse using Azure Active Directory users or applications, you must install the following software:

You can meet these requirements by:

If you have installed the software and meet the requirements, take the following steps to add other users.

  1. Make sure your Client IP address is added to the allowed addresses within the firewall of the Azure SQL Server. (Adding your Client IP to the Azure SQL server firewall)
  2. Open SQL Server Management Studio as Administrator.
  3. In the connect window fill in the Azure SQL Server and select “Active Directory Universal Authentication” as the authentication method.

Connect to Server

  4. Clicking on “Connect” makes an authentication dialog appear. Fill in the right credentials (the credentials for the Active Directory Admin) and click on login.
  5. Open a new query window in SQL Server Management Studio and run the following query.

         CREATE USER [User] FROM EXTERNAL PROVIDER;

  6. This query adds a user, application or group from Azure Active Directory to the SQL Server users. You can use the SQL query below to check that the user is added.

         SELECT * FROM sys.sysusers;

  7. Adding the user does not give it read rights on the Azure SQL Database. Run the next query to give the user the data reader role.

         ALTER ROLE db_datareader ADD MEMBER [User];

  8. You can now log in with the added user by using SQL Server Management Studio, but make sure you set the initial database for the connection by clicking “Options”.

Initial Database

If you do not configure the initial database you will get the following exception: Login failed for user “NT AUTHORITY\ANONYMOUS LOGIN”. (Microsoft SQL Server, Error: 18456).

SQL Authentication Error
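
The user-creation steps above as one repeatable T-SQL script, added here as an example and not part of the original post: it creates the user and grants db_datareader only when missing, then lists every Azure AD principal in the database with its roles so the result can be checked against least privilege. The name reader@contoso.example is a constructed placeholder, and the script assumes you are connected to the user database (not master) as the Active Directory admin.

```sql
-- Added example. [reader@contoso.example] is a constructed placeholder;
-- replace it with the Azure AD user, application or group you are adding.

-- 1. Create the database user only if it does not exist yet.
IF NOT EXISTS (SELECT 1
               FROM sys.database_principals
               WHERE name = N'reader@contoso.example')
    CREATE USER [reader@contoso.example] FROM EXTERNAL PROVIDER;

-- 2. Add the user to db_datareader only if it is not already a member.
IF NOT EXISTS (
    SELECT 1
    FROM sys.database_role_members AS rm
    JOIN sys.database_principals AS r
      ON r.principal_id = rm.role_principal_id
    JOIN sys.database_principals AS m
      ON m.principal_id = rm.member_principal_id
    WHERE r.name = N'db_datareader'
      AND m.name = N'reader@contoso.example')
    ALTER ROLE db_datareader ADD MEMBER [reader@contoso.example];

-- 3. Audit: every Azure AD principal in this database and the roles it holds.
--    type 'E' = external user or application, 'X' = external group.
--    A NULL role_name means the principal exists but has no role membership.
SELECT m.name,
       m.type_desc,
       m.authentication_type_desc,
       m.create_date,
       r.name AS role_name
FROM sys.database_principals AS m
LEFT JOIN sys.database_role_members AS rm
       ON rm.member_principal_id = m.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = rm.role_principal_id
WHERE m.type IN ('E', 'X')
ORDER BY m.name, role_name;
```

Any row in the audit output showing a role beyond db_datareader for an account that only needs to read data is worth reviewing.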

In the next post we will create an Azure API Application to query the Azure SQL Database.
