MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Enable SQL insights (preview) - Authentication Clarification #86581

Closed artyq closed 2 years ago

artyq commented 2 years ago

The configuration of SQL Insights on Azure VM with SQL Server is not clear.

Our SQL VMs have SQL Auth disabled as per our security policy, therefore we are only supporting Active Directory Authentication.

The image under Enable SQL insights (preview) shows that SQL Authentication is disabled, so it makes me believe that it is possible. However, the connection string looks like a SQL login and password. So it is unclear to me if AD is possible or not?

Moreover, there is a link under "This script provides a mechanism to create login (in master database) and user (in user databases) for a given set of databases for allowing telegraf to monitor the databases." that shows you can use AAD auth. The readme provided shows it is possible here: https://github.com/microsoft/Application-Insights-Workbooks/blob/39b905fc532575716e93f3f586a61977ee89c87d/Workbooks/Workloads/SQL/SQL%20Insights%20Onboarding%20Scripts/Permissions_LoginUser_Account_Creation-README.txt#L101

Then later it states that all Azure SQL DB examples are applicable for VMs as well: https://github.com/microsoft/Application-Insights-Workbooks/blob/39b905fc532575716e93f3f586a61977ee89c87d/Workbooks/Workloads/SQL/SQL%20Insights%20Onboarding%20Scripts/Permissions_LoginUser_Account_Creation-README.txt#L117

However, we are not finding the correct options to use domain accounts when setting up the monitoring profile.

Clarity around all and any options would be appreciated!



vipulsparsh commented 2 years ago

@artyq Thanks for reaching out. We will investigate and update the thread accordingly.

SwathiDhanwada-MSFT commented 2 years ago

@artyq Kindly note the only supported method of authentication for monitoring is SQL authentication. The documents and the scripts you are referring to create login and user using AAD authentication. Other than that, this can't be used for monitoring.

Same information has been documented here.

I would also recommend that you navigate here and share your feedback or suggestions directly with the responsible Azure feature team, and click the vote button of your suggestion to raise visibility and priority on it.

As there are no further documentation changes, we will close the issue for now. If there are further questions, please revert and we will be glad to assist you.