
I would like to know if it's possible to use Active Directory integrated security within Azure Webapp Standard version to access Azure VM SQL Server.

We have an Azure VM with SQL Server installed and joined to an Azure Active Directory Domain Services domain. The VM/SQL Server is restricted so that it can only be accessed from within the VNet, so the VM has no public IP. The Web App is connected via VNet Integration to the VNet of the AD DS and the VMs.

If someone could explain to me whether it is possible or not to implement such a solution, and what options I have in Azure to use integrated security.

Edit: Regarding managed identity in Azure Web App, only certain Azure resources can have a managed identity assigned, and the Web App is one of them. To be able to access a resource using MI, that resource needs to support Azure AD authentication, which is limited to specific resources (source: Services that support managed identities for Azure resources):

- Azure Resource Manager
- Azure Key Vault
- Azure Data Lake
- Azure SQL
- Azure Event Hubs and Service Bus
- Azure Storage

SQL Server on an Azure VM is not listed as one of the resources that can be accessed through an AD managed identity.

Samer Sh

1 Answer


> If someone could explain to me whether it is possible or not to implement such a solution, and what options I have in Azure to use integrated security.

Yes, it's possible. You could configure your App Service app to use Azure Active Directory to access the SQL Server on the Azure VM.

Workflow:

The VNet Integration feature is built on top of point-to-site VPN technology. Apps in Azure App Service are hosted in a multi-tenant system, which precludes provisioning an app directly in a VNet. The point-to-site technology limits network access to just the virtual machine hosting the app. Apps are restricted to only send traffic out to the internet, through Hybrid Connections or through VNet Integration.


For more details, you could refer to this article.

Joey Cai
  • Are you certain that registering the app with Azure Active Directory will enable SQL Windows Authentication? In my experience, traditional on-premises Windows authentication does not work with AAD. – Nick.Mc Jan 18 '19 at 03:39
  • @joey Thanks for your answer! We already have the VNet Integration, but how can I use it to access the domain-joined SQL Server? All the Microsoft documentation that I found explains how to use the Web App system identity to access Azure SQL Database, but not SQL Server on an Azure VM. – Samer Sh Jan 18 '19 at 08:11
  • It seems that you [Configure and manage Azure Active Directory authentication with SQL](https://learn.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure) and want the webapp to access the SQL Server on the Azure VM. If so, you need the gateway for the VNet connection and some addresses in the point-to-site pool; refer to this [one](https://learn.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet). – Joey Cai Jan 18 '19 at 09:20
  • Accessing the VM SQL Server is not the issue here. I'm talking about using integrated security inside the connection string in the Web App. I would like the Web App to access the VM SQL Server directly through something like managed identity, and I couldn't find out whether that is supported with SQL Server as IaaS or not. Again: I'm not talking about SQL PaaS (Azure SQL Database or Managed Instances). – Samer Sh Jan 18 '19 at 22:17
  • As you've found, it's possible to grant managed identity access to SQL Azure (PaaS), but I'm not aware of any way to grant a managed identity access to standard SQL (in a VM / IaaS). Managed Identity is. You could try using the same method, but I'd be surprised if it works. The method is: 1. Add the managed identity to a Windows group; 2. Grant the Windows group access to the database. – Nick.Mc Jan 20 '19 at 23:25
  • Thanks for your suggestion, that's what I'm trying to do now. I will reply once I finish testing whether it worked or not. – Samer Sh Jan 21 '19 at 08:17
  • My attempt to accomplish this has proven unsuccessful (using `Integrated Security=True` yields SQL connection related errors, whereas using Username and Password in the same setup instantly connected). I'd be interested to know if your results varied @SamerSh – tphuoc Aug 21 '19 at 12:42
  • Unfortunately it didn't work. Also I didn't figure out how to use the user-assigned identity to access the SQL Server. We ended up using SQL authentication instead. – Samer Sh Aug 22 '19 at 13:05
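The thread turns on what a connection string actually asks SqlClient to do: `Integrated Security=True` means "use the worker process's Windows identity", `User ID`/`Password` means a SQL login, and the `Authentication=Active Directory ...` keywords mean an Azure AD token (which the question and comments establish only works against targets that support Azure AD authentication, not SQL Server on an IaaS VM). The following is an added example, written for this page and not code from the thread or from Microsoft: a small parser for the ADO.NET `key=value;` format (quoted and `{...}` values, doubled-quote escapes), a classifier that names the authentication mode and lists the practical consequences discussed above, and a redaction helper so the string can be logged without its password. The keyword synonyms and `Authentication` values are the documented SqlClient ones; the sample connection strings, host names and credentials are constructed placeholders.

```python
"""Classify the authentication mode of a SQL Server (ADO.NET-style) connection
string and render a copy that is safe to log.

Added example, not from the thread. Keyword synonyms and Authentication values
are the documented SqlClient ones; SAMPLES below are constructed placeholders.
"""
from typing import Dict, List, Tuple

# SqlClient keyword synonyms, normalised to one canonical lower-case name.
_SYNONYMS = {
    "integrated security": "integrated security", "trusted_connection": "integrated security",
    "user id": "user id", "uid": "user id", "user": "user id",
    "password": "password", "pwd": "password",
    "authentication": "authentication",
    "data source": "data source", "server": "data source", "address": "data source",
    "addr": "data source", "network address": "data source",
    "initial catalog": "initial catalog", "database": "initial catalog",
}
_INTEGRATED_TRUE = {"true", "yes", "sspi"}
# Authentication values that use an Azure AD token instead of Windows/SQL credentials.
_AAD_MODES = {
    "active directory managed identity", "active directory msi", "active directory default",
    "active directory integrated", "active directory password",
    "active directory interactive", "active directory service principal",
}


def parse_connection_string(text: str) -> Dict[str, str]:
    """Split 'key=value;key=value' into a dict keyed by canonical lower-case names.

    Values may be wrapped in "...", '...' or {...} so that ';' can appear inside
    (e.g. in a password); inside a quoted value a doubled quote is an escape.
    """
    pairs: Dict[str, str] = {}
    i, n = 0, len(text)
    while i < n:
        while i < n and text[i] in " \t\r\n;":  # skip separators
            i += 1
        eq = text.find("=", i)
        if eq == -1:
            break
        raw_key = text[i:eq]
        if ";" in raw_key:  # segment without '=': skip it
            i += raw_key.index(";") + 1
            continue
        key = raw_key.strip().lower()
        i = eq + 1
        while i < n and text[i] in " \t":
            i += 1
        if i < n and text[i] in "\"'{":
            close = "}" if text[i] == "{" else text[i]
            i += 1
            buf: List[str] = []
            while i < n:
                ch = text[i]
                if ch == close:
                    if close != "}" and i + 1 < n and text[i + 1] == close:
                        buf.append(close)  # doubled quote escape
                        i += 2
                        continue
                    i += 1
                    break
                buf.append(ch)
                i += 1
            value = "".join(buf)
        else:
            semi = text.find(";", i)
            value = text[i:semi if semi != -1 else n].strip()
        semi = text.find(";", i)
        i = n if semi == -1 else semi + 1
        if key:
            pairs[_SYNONYMS.get(key, key)] = value
    return pairs


def classify_auth(pairs: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (auth_mode, findings) for a parsed connection string."""
    findings: List[str] = []
    auth = pairs.get("authentication", "").strip().lower()
    integrated = pairs.get("integrated security", "").strip().lower() in _INTEGRATED_TRUE
    has_user, has_pwd = "user id" in pairs, "password" in pairs
    if auth in _AAD_MODES:
        mode = "azure-ad:" + auth[len("active directory "):].replace(" ", "-")
        findings.append("Azure AD token auth: only works where the server supports Azure AD "
                        "authentication; the thread found no such path for SQL Server on an IaaS VM.")
    elif integrated:
        mode = "windows-integrated"
        findings.append("Uses the worker process's Windows identity; an App Service worker is not "
                        "domain-joined, so expect failure against a domain-joined SQL Server.")
        if has_pwd:
            findings.append("Password is not used when Integrated Security is on; remove it.")
    elif has_user and has_pwd:
        mode = "sql-login"
        findings.append("Plaintext password embedded: keep the string in an App Service app setting "
                        "or Key Vault reference, never in source or logs.")
    elif has_user or has_pwd:
        mode = "incomplete"
        findings.append("SQL authentication needs both User ID and Password.")
    else:
        mode = "none"
        findings.append("No credentials specified; SqlClient cannot authenticate.")
    return mode, findings


def redact(text: str) -> str:
    """Return the connection string with the password masked, for logging."""
    parts = []
    for key, value in parse_connection_string(text).items():
        shown = "***" if key == "password" else value
        if ";" in shown or '"' in shown:  # re-quote so the result stays parseable
            shown = '"' + shown.replace('"', '""') + '"'
        parts.append(f"{key}={shown}")
    return ";".join(parts)


SAMPLES = {  # constructed; hosts and credentials are placeholders
    "integrated": "Server=sqlvm.corp.example;Database=App;Integrated Security=SSPI;",
    "sql": "Server=sqlvm.corp.example;Database=App;User ID=appsvc;Password={p@ss;word};",
    "mi": "Server=tcp:example.database.windows.net;Database=App;"
          "Authentication=Active Directory Managed Identity;",
}

if __name__ == "__main__":
    for name, cs in SAMPLES.items():
        mode, notes = classify_auth(parse_connection_string(cs))
        print(f"[{name}] {redact(cs)}\n  mode={mode}\n  " + "\n  ".join(notes))
```

Run the file directly to see the three constructed strings classified; `redact` is what to feed into application logs and error reports, since the original string reaches the SQL error path in most frameworks.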