SQL Azure Integrated Authentication with a cloud-only Azure Active Directory fails

Backend | Unresolved | 2 answers | 836 views

Asked by 长发绾君心 on 2020-12-31 21:22

I have created an Azure tenancy and configured the following:

Azure AD with:

  • A simple custom domain name (less than 15 characters). D
2 answers
  • 2020-12-31 21:43

    I had the federation flow message until I set the domain account to use for the "Active Directory admin" setting in the Azure Sql Server features screen. Then I was able to connect using SSMS running under this account.

    Note: To simplify running SSMS as this other user I used runas: C:\Windows\System32\runas.exe /savecred /user:YourAdAdminUser@YourDomain.com "C:\Program Files (x86)\Microsoft SQL Server Management Studio 18\Common7\IDE\Ssms.exe"

    Running as this user, I connected using the SSMS authentication option, "Active Directory - Integrated". From here I ran the following in the master db:

    CREATE USER [YourAdAdminUser@YourDomain.com] FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA = dbo

    Then I connected to the same server in SSMS using local SQL Authentication, logging in with the account set as the "Server admin" for the Azure Sql Server instance. From here I ran alter role commands in the master db:

    ALTER ROLE dbmanager ADD MEMBER [YourAdAdminUser@YourDomain.com]

    ALTER ROLE loginmanager ADD MEMBER [YourAdAdminUser@YourDomain.com]

    Now I could go back to the SSMS instance running as the AD Admin user and from there I could run CREATE USER commands as above, but for other domain accounts:

    CREATE USER [OtherAccount@YourDomain.com] FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA = dbo

    You can decide which database to run the above in (e.g., master and your non-system databases).

    The domain users can now log in using "Active Directory - Integrated". Note that if you add a domain user that is configured for MFA, then for that user to log on using SSMS they should select the SSMS authentication option "Azure Active Directory - Universal with MFA", and their username should be written with an "@", not a backslash.

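    The full sequence from the answer above as one SSMS script, added here as an example and not part of the original answer. The account names are placeholders from the answer; the db_datareader grant and the verification query are additions that keep the extra domain account read-only and let you confirm which Azure AD principals actually exist in a database and what roles they hold.

```sql
-- Step 1: run in master, connected as the account set under "Active Directory admin"
-- (SSMS authentication: "Active Directory - Integrated"). Placeholder names.
CREATE USER [YourAdAdminUser@YourDomain.com] FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA = dbo;
GO

-- Step 2: run in master, connected with SQL Authentication as the "Server admin".
-- dbmanager lets the AAD admin create databases; loginmanager lets it create logins/users.
ALTER ROLE dbmanager ADD MEMBER [YourAdAdminUser@YourDomain.com];
ALTER ROLE loginmanager ADD MEMBER [YourAdAdminUser@YourDomain.com];
GO

-- Step 3: run in the user database (not master), again as the AAD admin.
-- The contained user maps to the Azure AD account; no server login is involved.
-- Grant only the fixed database role the account needs (read-only here, an assumption).
CREATE USER [OtherAccount@YourDomain.com] FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA = dbo;
ALTER ROLE db_datareader ADD MEMBER [OtherAccount@YourDomain.com];
GO

-- Step 4: verify. Lists every Azure AD principal in the current database with its roles.
-- type 'E' = EXTERNAL_USER (an AAD user), type 'X' = EXTERNAL_GROUPS (an AAD group).
SELECT dp.name       AS principal_name,
       dp.type_desc  AS principal_type,
       r.name        AS role_name
FROM sys.database_principals AS dp
LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals   AS r  ON r.principal_id = rm.role_principal_id
WHERE dp.type IN ('E', 'X')
ORDER BY dp.name, r.name;
```

    Run the verification query in master as well as in each user database, since a contained user created in one database is not visible from the others.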
  • 2020-12-31 22:01

    Got an update from Azure Support:

    It's not working because:

    1. To use Active Directory Integrated Authentication the Azure Active Directory must be federated. This is because Kerberos is necessary to do it (Kerberos TG ticket that was generated when logging in to the machine), but Azure AD doesn't know Kerberos, hence the need for ADFS.
    2. Azure AD Domain Services Preview: This makes legacy features (NTLM, Kerberos, etc) available. But Azure SQL Database doesn’t support the old fashioned Windows Authentication.

    So, you could add 2-3 low-power VMs to achieve AD + ADFS + AAD + AAD-DS, but that's definitely not the ideal way.

    If I get information on future plans, I'll share them here.


    Have the same issue and some open tickets. Will update this answer once I get additional information.

    As of today, only a federated setup is supported as documented here. You have to establish an ADFS setup using AD Connect.

    That's something AAD-DS should provide for a cloud-only solution. AAD-DS is still preview...
