
To connect to Azure SQL using a service principal, you'll need to set up and configure Azure Active Directory (AAD) authentication. This involves creating a service principal, which is a special identity in AAD that represents your application or service.
A service principal is created through the Azure portal, specifically in the Azure Active Directory section. You can also use the Azure CLI to create a service principal, but the portal is a more visual and user-friendly experience.
To configure AAD authentication, you'll need to register your application in the Azure portal and grant the necessary permissions to access Azure SQL. This involves creating a new application registration and configuring the necessary permissions under the 'API permissions' section.
Prerequisites
To connect to Azure SQL using a service principal, you'll need an Azure subscription.
You'll also need to create a service principal in Azure Active Directory (AAD). This will allow your application to authenticate with Azure SQL.
Make sure you have the necessary permissions to create and manage service principals in your Azure subscription.
You'll need to register an Azure AD application and create a client secret. This will be used to authenticate with Azure SQL.
Ensure you have the Azure CLI installed and configured on your machine.
Related reading: Create Azure Sql Database
Create Service Principal
To connect to Azure SQL using a service principal, you first need to create one. An Azure service principal is a managed identity used by applications and services to access Azure resources, allowing them to perform tasks like managing and accessing resources, deploying applications, and accessing data.
You can create an Azure service principal by registering an application in the Azure portal. Navigate to App registrations, click on New registration, and provide a suitable name for an application. Select the "Accounts in this organizational directory only" radio button and click Register.
Once the application is registered, note the Application (client) ID and the Directory (tenant) ID, as you will need these for the next steps.
Expand your knowledge: How to Create Service Principal in Azure
To create a service principal, you can also use the portal or a script. You'll need to provide a strong password, and take note of the servicePrincipalNames property, which is a GUID.
Here are the details you'll need to create a service principal:
- Tenant ID
- Client ID
- Client secret
You can find these details in the Azure portal, under App registrations. Make sure to securely store the client secret value, as it will only be shown once after creation.
A service principal is like a user account for non-human entities in Azure, allowing services to access resources and perform tasks. It's a crucial step in connecting to Azure SQL using a service principal.
Configure Azure App
To configure Azure App, start by opening the Microsoft Entra ID (formerly known as Azure Active Directory) and navigating to the Left Panel > Manage > App registrations. Create a new registration and configure it as per your requirement, referring to the Application registration for details.
To generate a Client secret, refer to Service principal authentication. You will need this secret value for the next step.
Here are the App registration details you need to copy for the next step:
- DB server
- DB name
You will also need to copy the following App registration details:
- Client ID
- Tenant ID
- Client secret
These values will be used to connect to Azure SQL DB using Entra SPN with tools such as SSMS and PowerShell.
Create External Provider Users and Grant Permissions
To create external provider users and grant permissions, you'll need to create a corresponding user account for the Service Principal within the database itself. This involves logging in to your Azure SQL database in the Azure portal or using SQL Server Management Studio.
You'll then grant this user account the necessary permissions to access and perform actions on specific objects within the database. As an example, you can grant the Service Principal read-only permissions (SELECT) on the dbo schema.
See what others are reading: Azure Service Account
To do this, you'll create a user for the Service Principal and grant (SELECT) permission to that user. The Azure SQL snippet for this is:
We have done everything we need to enable the secure connection between Azure SQL and Azure Databricks using the Service Principal and Azure Key Vault.
In the next step, you'll create a Databricks Notebook and write a few lines of Python code to access the Azure SQL table.
Here's a step-by-step guide to creating the user and granting permissions:
1. Log in to your Azure SQL database in the Azure portal or use SQL Server Management Studio.
2. Create a user for the Service Principal.
3. Grant (SELECT) permission to the user.
Note that you'll need to repeat this process for each database and schema you want to access.
If this caught your attention, see: Access Azure Key Vault Using Service Principal C#
Define Connection
To connect to Azure SQL using a service principal, you'll first need to define the connection information. This includes setting the URL of the Azure SQL resource for authentication, which is done through the resource_app_id_url parameter.
You'll also need to retrieve the service principal credentials securely from Azure Key Vault using dbutils.secrets.get, avoiding hardcoded values. This is where you'll get the service_principal_id, service_principal_secret, and tenant_id.
The authority parameter specifies the Azure Active Directory endpoint for authentication. You can think of it as the gateway to your Azure SQL database.
To connect to your Azure SQL server, you'll need to define the server details, including the hostname, port, database_name, and table_name. This will allow you to target the specific table you want to access.
Here's a summary of the connection information you'll need to define:
- resource_app_id_url: URL of the Azure SQL resource for authentication
- service_principal_id, service_principal_secret, tenant_id: Retrieved securely from Azure Key Vault
- authority: Azure Active Directory endpoint for authentication
- hostname, port, database_name, table_name: Azure SQL server details and target table
With this connection information defined, you'll be able to construct the JDBC connection string for Azure SQL using the azure_sql_url parameter. This will allow you to connect to your Azure SQL database using a service principal.
Intriguing read: How to Connect to Azure Cosmos Db Using Connection String
Authenticate with Service Principal
To authenticate with a service principal, you need to acquire an authentication token using the service principal credentials. This token is an OAuth token that identifies the service principal.
You can use the Azure portal or the Azure CLI to create a service principal. To create one using the portal, go to the Azure Active Directory section and click on "App registrations". Then, click on "New registration" and provide a suitable name for the application.
A service principal is like a special "user account" for non-human entities in Azure, allowing services to access Azure resources. To create a service principal, note the Application (client) ID and the Directory (tenant) ID, which you'll need to add to the Azure Key Vault secrets.
Once you have the service principal, you can use it to authenticate with Azure SQL. You'll need to construct a database connection that uses the token to authenticate to the server. This involves using the service principal credentials to obtain an access token from Azure AD.
Here are the steps to acquire an authentication token:
- Create an authentication context object using `adal.AuthenticationContext(authority)`.
- Use the `acquire_token_with_client_credentials` method to obtain an access token from Azure AD.
The token you obtain is an OAuth token that identifies the service principal. You can use this token to authenticate with Azure SQL and access the database.
Connect to Azure SQL
To connect to Azure SQL using a Service Principal, you'll need to define connection information. This includes setting the URL of the Azure SQL resource for authentication, as well as retrieving credentials securely from Azure Key Vault.
You can use the `resource_app_id_url` to set the URL of the Azure SQL resource for authentication. Additionally, you'll need to retrieve the `service_principal_id`, `service_principal_secret`, and `tenant_id` securely from Azure Key Vault using `dbutils.secrets.get`.
The `authority` specifies the Azure Active Directory endpoint for authentication, while the `hostname`, `port`, `database_name`, and `table_name` define the Azure SQL server details and target table. The `azure_sql_url` constructs the JDBC connection string for Azure SQL.
To connect to Azure SQL DB using Entra SPN, you'll need to follow these testing steps:
- Go to Microsoft Entra and select the user to use to connect
- Set the `tenantId`, `clientId`, and `clientSecret` variables
- Use the `Get-MsalToken` cmdlet to retrieve an access token
- Use the access token to connect to Azure SQL DB
Here are the required variables:
You can use these variables to connect to Azure SQL DB using Entra SPN with SSMS and PowerShell.
To create an external provider user and grant permissions, you'll need to create a user account for the Service Principal within the database. This user account will need explicit permissions to interact with Azure SQL and its contents. You can grant read-only permissions (SELECT) on the dbo schema using the following Azure SQL snippet:
```sql
CREATE USER [ServicePrincipalUser] FOR LOGIN=[ServicePrincipalLogin];
GRANT SELECT ON SCHEMA::dbo TO [ServicePrincipalUser];
```
This will create a user for the Service Principal and grant SELECT permission to that user.
Readers also liked: Sql Azure Add User
AAD Setup
To set up Azure Active Directory (AAD) on your database, you need to grant AAD users or groups permissions in the databases, not the server.
You must connect to the database using an Azure AD account in Visual Studio or SQL Server Management Studio.
Choose "Active Directory Password Authentication" or "Azure Directory Integrated Authentication" from the Authentication dropdown to connect.
If you don't see these options, update your SQL Management Studio or SSDT.
Explore further: Linked Server to Azure Sql Database
If your laptop is domain joined to the Azure Active Directory domain, you can use the integrated method.
I used the password method since my laptop isn't domain joined.
For username and password, use your Azure AD (org account) credentials.
Once connected, execute the following T-SQL to grant permissions:
Use the name of the Service Principal you created earlier as the Login name.
This can be the name of the service principal or the email address of a specific user or group display name.
Explore further: How to Use Pim in Azure
Power BI Authentication
To connect to Azure SQL using a service principal, you'll need to authenticate your application. This involves acquiring an authentication token, which is an OAuth token that identifies the service principal.
To get started, you'll need to create an authentication context object using the adal library. You can do this by calling `adal.AuthenticationContext(authority)`.
Once you have the authentication context object, you can use it to acquire an access token from Azure AD. This is done by calling `context.acquire_token_with_client_credentials(...)`.
In Power BI, you can authenticate your application by publishing a report to a Power BI workspace and then editing the data source credentials. To do this, select the Settings option for the published semantic model and then expand the Data Source Credentials option.
Select Edit Credentials and choose Service Principal as the authentication method. You'll need to enter the Tenant ID, Service Principal ID, and the Secret, and then select Sign In.
Expand your knowledge: Azure Data Studio Connect to Azure Sql
Frequently Asked Questions
How to connect to Azure using Service Principal in PowerShell?
To connect to Azure using a Service Principal in PowerShell, you'll need to create a PSCredential object with the client ID and client secret, then use the New-AzConnection cmdlet to authenticate. Start by importing your client secret from a secure location, such as a text file, and then create a new credential object.
Featured Images: pexels.com

