Adding Azure Databases
Add Azure databases to grant users temporary access
Opal supports granting temporary read / write access to the following Azure databases:
- Azure SQL Databases
- Azure SQL Managed Databases
Prerequisites
Enable Microsoft Entra ID authentication for your database. For SQL Databases,
Step 1: Enable Microsoft Entra ID Authentication on SQL
For SQL Databases, go to its parent SQL Server and enable Microsoft Entra ID Authentication.
For SQL Managed Databases, go to its parent SQL Managed Instance and enable Microsoft Entra ID Authentication.
Step 2: Add Opal IP addresses to your firewall rules
On the left hand side, under Security
-> Networking
, add the following IP addresses to your SQL's firewall rules. If you're an on-prem customer, these will be different.
Step 3: Add your company addresses to your firewall rules
If your company uses a VPN, add any IP ranges to the firewall rules. If you don't add them, each user will have to add their unique IP address and you can easily hit Azure's 128-firewall rule limit.
Step 4: Assign the managed-identity permissions
- Go to the SQL Server or SQL Managed Instance,
Security
->Identity
. UnderSystem Managed Identity
, toggle the status toOn
and save this setting. - Go to
Microsoft Entra ID
, on the left hand panel,Manage
->Roles & Administrators
, find theDirectory Readers
role and click on it. - Click
Add Assignment
and add the SQL Server or SQL Managed Instance Managed Identity.
This may take an hour to sync.
Step 5: Add Opal as an Admin
If you have an existing admin:
- Create a new Azure Security Group:
SQL Admins
- Add your existing admin to the
SQL Admins
Security Group - Add Opal's service principal to the
SQL Admins
security group
Using Microsoft Entra Security Groups may take Azure up to 2 hours to propagate the login changes to the databases.
Once the admin settings have synced, users will be able to connect through db_datareader
and db_datawriter
roles.
Updated about 1 month ago