Opal supports granting temporary read / write access to the following Azure databases:

• Azure SQL Databases
• Azure SQL Managed Databases

Prerequisites

Enable Microsoft Entra ID authentication for your database. For SQL Databases,

Step 1: Enable Microsoft Entra ID Authentication on SQL

For SQL Databases, go to its parent SQL Server and enable Microsoft Entra ID Authentication.

For SQL Managed Databases, go to its parent SQL Managed Instance and enable Microsoft Entra ID Authentication.

Step 2: Add Opal IP addresses to your firewall rules

On the left hand side, under Security -> Networking, add the following IP addresses to your SQL's firewall rules. If you're an on-prem customer, these will be different.

Step 3: Add your company addresses to your firewall rules

If your company uses a VPN, add any IP ranges to the firewall rules. If you don't add them, each user will have to add their unique IP address and you can easily hit Azure's 128-firewall rule limit.

Step 4: Add Opal as an Admin

If you have an existing admin:

1. Create a new Azure Security Group: SQL Admins
2. Add your existing admin to the SQL Admins Security Group
3. Add Opal's service principal to the SQL Admins security group

Using Microsoft Entra Security Groups may take Azure up to 2 hours to propagate the login changes to the databases.

Once the admin settings have synced, users will be able to connect through db_datareader and db_datawriter roles.