Tutorial: Secure Azure SQL Database connection from App Service using a managed identity
App Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for your app, which is a turn-key solution for securing access to Azure SQL Database and other Azure services. Managed identities in App Service make your app more secure by eliminating secrets from your app, such as credentials in the connection strings. In this tutorial, you will add managed identity to the sample web app you built in one of the following tutorials:
When you're finished, your sample app will connect to SQL Database securely without needing a username and password.
Note
The steps covered in this tutorial support the following versions:
- .NET Framework 4.7.2 and above
- .NET Core 2.2 and above
What you will learn:
- Enable managed identities
- Grant SQL Database access to the managed identity
- Configure Entity Framework to use Azure AD authentication with SQL Database
- Connect to SQL Database from Visual Studio using Azure AD authentication
Note
Azure AD authentication is different from Integrated Windows authentication in on-premises Active Directory (AD DS). AD DS and Azure AD use completely different authentication protocols. For more information, see Azure AD Domain Services documentation.
If you don't have an Azure subscription, create a free account before you begin.
Prerequisites
This article continues where you left off in Tutorial: Build an ASP.NET app in Azure with SQL Database or Tutorial: Build an ASP.NET Core and SQL Database app in Azure App Service. If you haven't already, follow one of the two tutorials first. Alternatively, you can adapt the steps for your own .NET app with SQL Database.
To debug your app using SQL Database as the back end, make sure that you've allowed client connections from your computer. If not, add your client IP by following the steps at Manage server-level IP firewall rules using the Azure portal.
Use Azure Cloud Shell
Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article without having to install anything on your local environment.
To start Azure Cloud Shell, do one of the following:
- Select Try It in the upper-right corner of a code block. Selecting Try It doesn't automatically copy the code to Cloud Shell.
- Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser.
- Select the Cloud Shell button on the menu bar at the upper right in the Azure portal.
To run the code in this article in Azure Cloud Shell:
- Start Cloud Shell.
- Select the Copy button on a code block to copy the code.
- Paste the code into the Cloud Shell session by pressing Ctrl+Shift+V on Windows and Linux or Cmd+Shift+V on macOS.
- Press Enter to run the code.
Grant database access to Azure AD user
First enable Azure AD authentication to SQL Database by assigning an Azure AD user as the Active Directory admin of the SQL Database server. This user is different from the Microsoft account you used to sign up for your Azure subscription. It must be a user that you created, imported, synced, or invited into Azure AD. For more information on allowed Azure AD users, see Azure AD features and limitations in SQL Database.
If your Azure AD tenant doesn't have a user yet, create one by following the steps at Add or delete users using Azure Active Directory.
Find the object ID of the Azure AD user with the az ad user list command in the Cloud Shell, filtering on the user principal name (replace <user-principal-name>). Save the resulting object ID to a shell variable; the next command uses it.
Tip
To see the list of all user principal names in Azure AD, run az ad user list --query [].userPrincipalName.
Add this Azure AD user as the Active Directory admin using the az sql server ad-admin create command in the Cloud Shell, passing the object ID from the previous step. Replace <server-name> with the SQL Database server name (without the .database.windows.net suffix).
The Active Directory admin has full administrative rights over every database on the server; it's also the account you use later to create the database user for your managed identity. Choose it deliberately: an Azure AD group can be set as the admin instead of a single user, so that group membership rather than one person's account controls that access.
For more information on adding an Active Directory admin, see Provision an Azure Active Directory administrator for your Azure SQL Database Server.
Set up Visual Studio
Windows
Visual Studio for Windows is integrated with Azure AD authentication. To enable development and debugging in Visual Studio, add your Azure AD user in Visual Studio by selecting File > Account Settings from the menu, and click Add an account.
To set the Azure AD user for Azure service authentication, select Tools > Options from the menu, then select Azure Service Authentication > Account Selection. Select the Azure AD user you added and click OK.
You're now ready to develop and debug your app with the SQL Database as the back end, using Azure AD authentication.
MacOS
Visual Studio for Mac is not integrated with Azure AD authentication. However, the Microsoft.Azure.Services.AppAuthentication library that you will use later can use tokens from Azure CLI. To enable development and debugging in Visual Studio, first you need to install Azure CLI on your local machine.
Once Azure CLI is installed on your local machine, sign in with az login using your Azure AD user, so that local debugging runs as a user that has access to the database.
You're now ready to develop and debug your app with the SQL Database as the back end, using Azure AD authentication.
Modify your project
The steps you follow for your project depend on whether it's an ASP.NET project or an ASP.NET Core project.
Modify ASP.NET
In Visual Studio, open the Package Manager Console and install the NuGet package Microsoft.Azure.Services.AppAuthentication.
In Web.config, working from the top of the file, make the following changes:
- In <configSections>, add the section declaration for SqlAuthenticationProviders.
- Below the closing </configSections> tag, add the <SqlAuthenticationProviders> XML element that registers the provider.
- Find the connection string called MyDbConnection and replace its connectionString value with 'server=tcp:<server-name>.database.windows.net;database=<db-name>;UID=AnyString;Authentication=Active Directory Interactive'. Replace <server-name> and <db-name> with your server name and database name. Note that there is no password in this string; the UID value is a placeholder, and authentication is done with an Azure AD token.
Note
The SqlAuthenticationProvider you just registered is built on top of the AppAuthentication library you installed earlier. By default, it uses a system-assigned identity. To use a user-assigned identity, you need to provide additional configuration. See connection string support for the AppAuthentication library.
That's everything you need to connect to SQL Database. When debugging in Visual Studio, your code uses the Azure AD user you configured in Set up Visual Studio. You'll set up the SQL Database server later to allow connections from the managed identity of your App Service app.
Type Ctrl+F5 to run the app again. The same CRUD app in your browser is now connecting to the Azure SQL Database directly, using Azure AD authentication. This setup lets you run database migrations from Visual Studio.
Modify ASP.NET Core
In Visual Studio, open the Package Manager Console and install the NuGet package Microsoft.Azure.Services.AppAuthentication.
In the ASP.NET Core and SQL Database tutorial, the MyDbConnection connection string isn't used at all, because the local development environment uses a Sqlite database file and the Azure production environment uses a connection string from App Service. With Active Directory authentication, you want both environments to use the same connection string. In appsettings.json, replace the value of the MyDbConnection connection string with one that names only the server and the database, with no user ID or password.
Next, you supply the Entity Framework database context with the access token for the SQL Database. In Data/MyDatabaseContext.cs, add code inside the curly braces of the empty MyDatabaseContext(DbContextOptions<MyDatabaseContext> options) constructor that obtains a token for the SQL Database resource from AzureServiceTokenProvider and assigns it to the connection's AccessToken property.
Note
This demonstration code is synchronous for clarity and simplicity.
That's everything you need to connect to SQL Database. When debugging in Visual Studio, your code uses the Azure AD user you configured in Set up Visual Studio. You'll set up the SQL Database server later to allow connections from the managed identity of your App Service app. The AzureServiceTokenProvider class caches the token in memory and retrieves a new one from Azure AD just before expiration, so you don't need any custom code to refresh the token.
Tip
If the Azure AD user you configured has access to multiple tenants, call GetAccessTokenAsync("https://database.windows.net/", tenantId) with the desired tenant ID to retrieve the proper access token.
Type Ctrl+F5 to run the app again. The same CRUD app in your browser is now connecting to the Azure SQL Database directly, using Azure AD authentication. This setup lets you run database migrations from Visual Studio.
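The constructor described above, written out as an added example rather than the tutorial's own code: an EF Core context whose SQL connection carries an Azure AD access token instead of a password. It assumes the packages the tutorial uses (Microsoft.EntityFrameworkCore.SqlServer on System.Data.SqlClient, and Microsoft.Azure.Services.AppAuthentication), a minimal Todo entity standing in for the sample app's model, and an optional environment variable AZURE_SQL_TENANT_ID (a name chosen here, not from the tutorial) for the multi-tenant case in the tip. The check that rejects a connection string with credentials is an addition of this example; the tutorial's code does not include it.

```csharp
using System;
using System.Data.SqlClient;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.EntityFrameworkCore;

// Minimal entity standing in for the sample app's model (assumption of this example).
public class Todo
{
    public int Id { get; set; }
    public string Description { get; set; }
}

public class MyDatabaseContext : DbContext
{
    // Resource (token audience) for Azure SQL Database.
    private const string SqlResource = "https://database.windows.net/";

    // Assumed setting name: only needed when the signed-in developer account spans
    // several tenants and the token must come from the tenant that owns the server.
    private static readonly string TenantId =
        Environment.GetEnvironmentVariable("AZURE_SQL_TENANT_ID");

    public MyDatabaseContext(DbContextOptions<MyDatabaseContext> options)
        : base(options)
    {
        var conn = (SqlConnection)Database.GetDbConnection();

        // Fail fast if a credential-bearing connection string slipped through
        // configuration: the point of this setup is that there is no secret to leak.
        // (SqlConnection itself also refuses AccessToken alongside UID/PWD.)
        var csb = new SqlConnectionStringBuilder(conn.ConnectionString);
        if (!string.IsNullOrEmpty(csb.Password) || !string.IsNullOrEmpty(csb.UserID))
        {
            throw new InvalidOperationException(
                "MyDbConnection must contain only Server and Database; credentials are not allowed.");
        }

        // Locally this resolves to the Visual Studio / Azure CLI sign-in; in App Service
        // it resolves to the app's managed identity. The code is identical in both.
        conn.AccessToken = GetSqlAccessToken();
    }

    public DbSet<Todo> Todo { get; set; }

    private static string GetSqlAccessToken()
    {
        var provider = new AzureServiceTokenProvider();
        // Synchronous for clarity, as in the tutorial. The provider caches the token in
        // memory and refreshes it before expiry, so creating contexts repeatedly is cheap.
        var tokenTask = string.IsNullOrEmpty(TenantId)
            ? provider.GetAccessTokenAsync(SqlResource)
            : provider.GetAccessTokenAsync(SqlResource, TenantId);
        return tokenTask.GetAwaiter().GetResult();
    }
}
```

Registration in Startup.ConfigureServices stays as it was in the earlier tutorial (UseSqlServer with the MyDbConnection string from configuration); nothing else in the app changes between local debugging and App Service, which is what makes the password removable in the first place.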
Use managed identity connectivity
Next, you configure your App Service app to connect to SQL Database with a system-assigned managed identity.
Note
While the instructions in this section are for a system-assigned identity, a user-assigned identity can be used just as easily. To do this, you would change the az webapp identity assign command to assign the desired user-assigned identity. Then, when creating the SQL user, use the name of the user-assigned identity resource rather than the site name.
Enable managed identity on app
To enable a managed identity for your Azure app, use the az webapp identity assign command in the Cloud Shell, replacing <app-name> with the name of your app. The command's JSON output includes the identity's principalId (the object ID of the service principal Azure AD created for the app), which is the value you use if you add the identity to an Azure AD group in the next section.
Grant permissions to managed identity
Note
If you want, you can add the identity to an Azure AD group, then grant SQL Database access to the Azure AD group instead of the identity. For example, you could create a new group called myAzureSQLDBAccessGroup with az ad group create and add the managed identity from the previous step to it with az ad group member add. Granting through a group means that anyone who can manage the group's membership can give an identity database access without touching the database itself, so treat ownership of that group as a privileged role.
In the Cloud Shell, sign in to SQL Database using the sqlcmd command. Replace <server-name> with your SQL Database server name, <db-name> with the database name your app uses, and <aad-user-name> and <aad-password> with the credentials of your Azure AD user (the user you made the Active Directory admin earlier).
In the SQL prompt for the database you want, create a database user for the identity from the external (Azure AD) provider, then add that user to the database roles your app actually needs, for example reading and writing rows; don't grant db_owner to an application identity. <identity-name> is the name of the managed identity in Azure AD. If the identity is system-assigned, the name is always the same as the name of your App Service app. To grant permissions for an Azure AD group, use the group's display name instead (for example, myAzureSQLDBAccessGroup).
Type EXIT to return to the Cloud Shell prompt.
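The grant step above, as an added example rather than the tutorial's own commands: a small console program that a deployment pipeline could run as the Active Directory admin, using the same AppAuthentication token flow the app uses instead of typing a password into sqlcmd. It creates the database user for the identity from the external provider if it doesn't exist, adds it to the requested roles, and reads the role membership back to confirm. The class name, the command-line layout, the Encrypt setting and the default role set (db_datareader and db_datawriter, the minimum for the tutorial's CRUD app) are assumptions of this example; the server, database and identity names come from the arguments.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;
using Microsoft.Azure.Services.AppAuthentication;

public static class GrantManagedIdentityAccess
{
    // Principal names here are App Service app names or Azure AD group display names.
    // T-SQL identifiers cannot be parameterized, so the name is checked against a tight
    // allow-list (no quotes, brackets or semicolons) before it is spliced into a statement.
    private static readonly Regex SafeName = new Regex(@"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,127}$");

    // Builds one idempotent T-SQL batch: create the contained user from Azure AD
    // (FROM EXTERNAL PROVIDER) if it is missing, then add it to each role.
    public static string BuildGrantBatch(string identityName, IEnumerable<string> roles)
    {
        if (!SafeName.IsMatch(identityName))
            throw new ArgumentException("Refusing to use identity name: " + identityName);

        var sql = new StringBuilder();
        sql.AppendLine("IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'" + identityName + "')");
        sql.AppendLine("    CREATE USER [" + identityName + "] FROM EXTERNAL PROVIDER;");
        foreach (var role in roles)
        {
            if (!SafeName.IsMatch(role))
                throw new ArgumentException("Refusing to use role name: " + role);
            sql.AppendLine("ALTER ROLE [" + role + "] ADD MEMBER [" + identityName + "];");
        }
        return sql.ToString();
    }

    // Reads back the roles the principal is a member of. The name is a value here,
    // so it is passed as a parameter rather than spliced in.
    public static List<string> ReadRoles(SqlConnection conn, string identityName)
    {
        const string query =
            "SELECT r.name FROM sys.database_role_members rm " +
            "JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id " +
            "JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id " +
            "WHERE m.name = @name";
        var roles = new List<string>();
        using (var cmd = new SqlCommand(query, conn))
        {
            cmd.Parameters.Add("@name", System.Data.SqlDbType.NVarChar, 128).Value = identityName;
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read()) roles.Add(reader.GetString(0));
            }
        }
        return roles;
    }

    // Usage: GrantManagedIdentityAccess <server-name> <db-name> <identity-name> [role ...]
    // Add db_ddladmin only if the deployed app itself has to run schema migrations.
    public static int Main(string[] args)
    {
        if (args.Length < 3)
        {
            Console.Error.WriteLine("usage: <server-name> <db-name> <identity-name> [role ...]");
            return 2;
        }
        var roles = args.Length > 3 ? args.Skip(3).ToArray() : new[] { "db_datareader", "db_datawriter" };

        // No credentials in the connection string; the Active Directory admin's token
        // (from the Visual Studio or Azure CLI sign-in) authenticates this session.
        var connStr = "Server=tcp:" + args[0] + ".database.windows.net,1433;Database=" + args[1] + ";Encrypt=True;";
        var token = new AzureServiceTokenProvider()
            .GetAccessTokenAsync("https://database.windows.net/").GetAwaiter().GetResult();

        using (var conn = new SqlConnection(connStr) { AccessToken = token })
        {
            conn.Open();
            using (var cmd = new SqlCommand(BuildGrantBatch(args[2], roles), conn))
            {
                cmd.ExecuteNonQuery();
            }

            var granted = ReadRoles(conn, args[2]);
            Console.WriteLine(args[2] + " is a member of: " + string.Join(", ", granted));
            var missing = roles.Except(granted).ToList();
            if (missing.Count > 0)
            {
                Console.Error.WriteLine("Roles not applied: " + string.Join(", ", missing));
                return 1;
            }
        }
        return 0;
    }
}
```

Running it as "GrantManagedIdentityAccess myserver mydb myapp" grants the system-assigned identity of the app named myapp read and write access and nothing more; passing a group's display name as the third argument grants the group instead, matching the note above.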
Note
The back-end service for managed identities also maintains a token cache and updates the token for a target resource only when it expires. If you make a mistake configuring your SQL Database permissions and try to modify the permissions after your app has already requested a token, you don't get a new token reflecting the updated configuration until the cached token expires.
Modify connection string
Remember that the same changes you made in Web.config or appsettings.json work with the managed identity, so the only thing left to do is to remove the existing connection string in App Service, which Visual Studio created when it first deployed your app. That App Service setting still carries the SQL username and password; removing it is what actually takes the secret out of the deployment. Use the az webapp config connection-string delete command, replacing <app-name> with the name of your app.
Publish your changes
All that's left now is to publish your changes to Azure.
If you came from Tutorial: Build an ASP.NET app in Azure with SQL Database, publish your changes in Visual Studio. In the Solution Explorer, right-click your DotNetAppSqlDb project and select Publish.
In the publish page, click Publish.
If you came from Tutorial: Build an ASP.NET Core and SQL Database app in Azure App Service, publish your changes using Git: commit them and push to the App Service Git remote you configured in that tutorial.
When the new webpage shows your to-do list, your app is connecting to the database using the managed identity.
You should now be able to edit the to-do list as before.
Clean up resources
In the preceding steps, you created Azure resources in a resource group. If you don't expect to need these resources in the future, delete the resource group with the az group delete command in the Cloud Shell.
This command may take a minute to run.
Next steps
What you learned:
- Enable managed identities
- Grant SQL Database access to the managed identity
- Configure Entity Framework to use Azure AD authentication with SQL Database
- Connect to SQL Database from Visual Studio using Azure AD authentication
Advance to the next tutorial to learn how to map a custom DNS name to your web app.