SQL Azure Integrated Authentication with a cloud-only Azure Active Directory fails

长发绾君心 2020-12-31 21:22

I have created an Azure tenancy and configured the following:

Azure AD with:

  • A simple custom domain name (less than 15 characters). D
2 answers
  •  心在旅途
    2020-12-31 21:43

    I had the federation flow message until I set the domain account to use for the "Active Directory admin" setting in the Azure SQL Server features screen. Then I was able to connect using SSMS running under this account.

    Note: To simplify running SSMS as this other user I used runas:

    C:\Windows\System32\runas.exe /savecred /user:YourAdAdminUser@YourDomain.com "C:\Program Files (x86)\Microsoft SQL Server Management Studio 18\Common7\IDE\Ssms.exe"

    Running as this user, I connected using the SSMS authentication option, "Active Directory - Integrated". From here I ran the following in the master db:

    CREATE USER [YourAdAdminUser@YourDomain.com] FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA = dbo

    Then I connected to the same server in SSMS using local SQL Authentication, logging in with the account set as the "Server admin" for the Azure SQL Server instance. From here I ran alter role commands in master db:

    ALTER ROLE dbmanager ADD MEMBER [YourAdAdminUser@YourDomain.com]

    ALTER ROLE loginmanager ADD MEMBER [YourAdAdminUser@YourDomain.com]

    Now I could go back to SSMS running as the AD Admin user and from there I could run CREATE USER commands as above but for other domain accounts:

    CREATE USER [OtherAccount@YourDomain.com] FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA = dbo

    You can decide which database to run the above (e.g., master and your non-system databases).

    The domain users can now log in using "Active Directory - Integrated". Note if you add a domain user that is configured for MFA, then for that user to log on using SSMS they should select the SSMS authentication option, "Azure Active Directory - Universal with MFA", and their username should be with an "@" not backslash.
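
An added example, not part of the answer above: a read-only audit query to run in master and then in each user database after the steps described, listing every Azure AD principal created with FROM EXTERNAL PROVIDER and the roles it holds. The column aliases and the `holds_master_admin_role` flag are names chosen for this example.

```sql
-- Which identity is this session connected as?
SELECT SUSER_SNAME() AS login_name,
       USER_NAME()   AS database_user;

-- Azure AD principals in the current database and their role memberships.
-- type 'E' = external (Azure AD) user, 'X' = external (Azure AD) group.
-- A NULL role_name means the principal exists but holds no database role,
-- which is the state a user is in right after CREATE USER ... FROM EXTERNAL PROVIDER.
SELECT p.name                     AS principal_name,
       p.type_desc                AS principal_type,
       p.authentication_type_desc AS auth_type,
       p.default_schema_name,
       p.create_date,
       r.name                     AS role_name,
       -- dbmanager and loginmanager exist only in master and grant
       -- database-creation and login-management rights, so flag them for review.
       CASE WHEN r.name IN (N'dbmanager', N'loginmanager')
            THEN 1 ELSE 0 END     AS holds_master_admin_role
FROM sys.database_principals AS p
LEFT JOIN sys.database_role_members AS rm
       ON rm.member_principal_id = p.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = rm.role_principal_id
WHERE p.type IN ('E', 'X')
ORDER BY p.name, r.name;
```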
