
TLDR;

How do I add AD users to an Azure database created in a DevOps pipeline?


Our DBA has a process to create daily bacpacs from production and store them in an Azure blob container. I then provided the developers with a DevOps pipeline that restores a specified bacpac into the development server. The issue is that the developers can't connect to these databases using their domain account. I don't know how to give them access because

  1. AFAIK I can't connect with a domain user to the database from the pipeline
  2. Azure requires that the connected user is an AD user to be able to create other AD users

I could work around it by creating a SQL user and granting that user permissions in the pipeline; however, the company is actually moving away from SQL users and relying more on AD security and MFA, so this isn't really a solution for me.

1 Answer

To add a domain account to the database, one must be logged in to the database via a domain account that has administrative privileges. There is an Azure SQL database deployment task in Azure DevOps that has a property for executing SQL queries, so you can use that task to automate the user access through SQL tasks by connecting through the AD account.

Note: Recently a new authentication method, service principal, has been added.

Hope this is what you are expecting :)


2 Comments

I'll take a look at the Azure SQL database deployment task. I already use it to deploy dacpacs in other pipelines but didn't know I could use it to run queries. Can you expand on the authentication as service principal? We updated about 3-4 months ago to the "new" method but AFAIK, the task can't impersonate the account under which the service principal is configured.
Well... this was a very good solution! I couldn't get it working with Service Principal, kept getting an error about the account not being able to read AD, even after I added the Azure App to the Domain Readers. I then used Active Directory - Password with a service account we already use in all our pipelines, and it worked like a charm after adding the service account to the Domain Readers.
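
The kind of inline SQL the answer describes running from the deployment task after the bacpac restore, as an added example that is not code from the question, the answer or the comments. It assumes the task connects with an AD identity as in the thread; the group name `SG-Dev-Database-Users` and the choice of roles are hypothetical placeholders.

```sql
-- Added example: post-restore step, executed while connected with an AD identity.
-- Assumption: SG-Dev-Database-Users is a placeholder AD group name. Granting to a
-- group keeps membership changes in the directory instead of in each restored copy.
DECLARE @principal sysname = N'SG-Dev-Database-Users';
DECLARE @role      sysname;
DECLARE @sql       nvarchar(max);

-- Create the contained AD user only if it is missing, so reruns do not fail.
-- Type 'E' is an external (AD) user, 'X' an external (AD) group.
IF NOT EXISTS (
    SELECT 1
    FROM sys.database_principals
    WHERE name = @principal AND type IN ('E', 'X')
)
BEGIN
    SET @sql = N'CREATE USER ' + QUOTENAME(@principal) + N' FROM EXTERNAL PROVIDER;';
    EXEC sys.sp_executesql @sql;
END;

-- Assumption: read/write is enough for a development copy; db_owner is not granted.
DECLARE role_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT v.role_name
    FROM (VALUES (N'db_datareader'), (N'db_datawriter')) AS v(role_name);

OPEN role_cursor;
FETCH NEXT FROM role_cursor INTO @role;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Add the membership only when it is not already present.
    IF NOT EXISTS (
        SELECT 1
        FROM sys.database_role_members AS rm
        JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
        JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
        WHERE r.name = @role AND m.name = @principal
    )
    BEGIN
        SET @sql = N'ALTER ROLE ' + QUOTENAME(@role)
                 + N' ADD MEMBER ' + QUOTENAME(@principal) + N';';
        EXEC sys.sp_executesql @sql;
    END;
    FETCH NEXT FROM role_cursor INTO @role;
END;
CLOSE role_cursor;
DEALLOCATE role_cursor;
```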
