David Barbarin » PowerShell

AAD user creation on behalf AAD Service Principal with Azure SQL DB

mikedavem — Sun, 02 Aug 2020 22:28:06 +0000

An interesting improvement was announced by the SQL AAD team on Monday 27th July 2020 and concerns the support for Azure AD user creation on behalf of Azure AD Applications for Azure SQL as mentioned to this Microsoft blog post.

In my company, this is something we were looking for a while with our database refresh process in Azure. Before talking this new feature, let me share a brief history of different considerations we had for this DB refresh process over the time with different approaches we went through. First let’s precise DB Refresh includes usually at least two steps: restoring backup / copying database – you have both ways in Azure SQL Database – and realigning security context with specific users regarding your targeted environment (ACC / INT …). But the latter is not as trivial as you may expect if you opted to use either a SQL Login / User or a Service Principal to carry out this operation in your process. Indeed, in both cases creating an Azure AD User or Group is not supported, and if you try you will face this error message:

‘’ is not a valid login or you do not have permission.

All the stuff (either Azure automation runbook and PowerShell modules on-prem) done so far and described afterwards meets the same following process:

First, we used Invoke-SQCMD in Azure Automation runbook with T-SQL query to create a copy of a source database to the target server. T-SQL is mandatory in this case as per documented in the Microsoft BOL because PROD and ACC or INT servers are not on the same subscription. Here a simplified sample of code:

...
$CopyDBCMD = @{
'Database' = 'master'
'ServerInstance' = $TargetServerName
'Username' = $SQLUser
'Password' = $SQLPWD
'Query' = 'CREATE DATABASE '+ '[' + $DatabaseName + '] ' + 'AS COPY OF ' + '[' + $SourceServerName + '].[' + $DatabaseName + ']'
}

Invoke-Sqlcmd @CopyDBCMD
...

But as you likely know, Invoke-SQLCMD doesn’t support AAD authentication and because SQL Login authentication was the only option here, it led us dealing with an annoying issue about the security configuration step with AAD users or groups as you may imagine.

Then, because we based authentication mainly on trust architecture and our security rules require using it including apps with managed identities or service principals, we wanted also to introduce this concept to our database refresh process. Fortunately, service principals are supported with Azure SQL DBs since v12 with access token for authentication by ADALSQL. The corresponding DLL is required on your server or if you use it from Azure Automation like us, we added the ADAL.PS module but be aware it is now deprecated, and I advise you to strongly invest in moving to MSAL. Here a sample we used:

...
$response = Get-ADALToken `
-ClientId $clientId `
-ClientSecret $clientSecret `
-Resource $resourceUri `
-Authority $authorityUri `
-TenantId $tenantName

...

$connectionString = "Server=tcp:$SqlInstanceFQDN,1433;Initial Catalog=master;Persist Security Info=False;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;"
# Create the connection object
$connection = New-Object System.Data.SqlClient.SqlConnection($connectionString)
# Set AAD generated token to SQL connection token
$connection.AccessToken = $response.AccessToken

Try {
$connection.Open()
...
}
...

But again, even if the copy or restore steps are well managed, we still got stuck with security reconfiguration, because service principals were not supported for creating AAD users or groups so far …

In the meantime, we found out a temporary and interesting solution based on dbatools framework and the Invoke-dbaquery command which supports AAD authentication (Login + Password). As we may not rely on service principal in this case, using a dedicated AAD account was an acceptable tradeoff to manage all the database refresh process steps. But going through this way comes with some disadvantages because running Invoke-dbaquery in a full Azure automation mode is not possible with missing ADALsql.dll. Workaround may be to use hybrid-worker, but we didn’t want to add complexity to our current architecture only for this special case. Instead we decided to move the logic of the Azure automation runbook into on-prem PowerShell framework which already include logic for DB refresh for on-prem SQL Server instances.

Here a simplified sample of code we are using:

...
Try {
# Connect to get access to Key Vault info
Connect-AzAccount | Out-Null

[String]$user = (Get-AzKeyVaultSecret -VaultName $KeyvaultName -Name "AZSQL-SQLBCKUSER").SecretValueText
[System.Security.SecureString]$pwd = ConvertTo-SecureString (Get-AzKeyVaultSecret -VaultName $KeyvaultName -Name "AZSQL-SQLBCKPWD").SecretValueText -AsPlainText -Force
[String]$SourceServerName = (Get-AzKeyVaultSecret -VaultName $KeyvaultName -Name "AZSQL-NAME").SecretValueText
[String]$TargetServerName = (Get-AzKeyVaultSecret -VaultName $KeyvaultName -Name "AZSQL-TARGETNAME").SecretValueText + '.database.windows.net'

# DB Restore will be performed in the context of dedicated AAD account
$pscredential = New-Object -TypeName System.Management.Automation.PSCredential($user, $pwd)

Write-Host "Restoring DB:$DatabaseName from Source Server: $SourceServerName to Target Server: $TargetServerName"

$Query = "CREATE DATABASE [$DatabaseName] AS COPY OF [$SourceServerName].[$DatabaseName]"
Invoke-DbaQuery `
-SqlInstance $TargetServerName `
-Database master `
-SqlCredential $pscredential `
-Query $Query `
-EnableException

# Wait for DB online and ready ...
# Code should be implemented for this check

Write-Output "Applying security configuration to DB: $DatabaseName on Server:$TargetServerName"

$Query = "
DROP USER [az_sql_ro];CREATE USER [az_sql_ro] FROM EXTERNAL PROVIDER;
"
Invoke-DbaQuery `
-SqlInstance $TargetServerName `
-Database $DatabaseName `
-SqlCredential $pscredential `
-Query $Query `
-EnableException

}
Catch {
Write-Host "Error encountered: $($_.Exception.Message)"
}
...

Referring to the PowerShell code above, in the second step, we create an AAG group [az_sql_ro] on behalf of the AAD dedicated account with the CLAUSE FROM EXTERNAL PROVIDER.

Finally, with the latest news published by the SQL AAD team, we will likely consider using back service principal instead of dedicated Windows AAD account. This Microsoft blog post explains in details how it works and what you have to setup to make it work correctly. I don’t want to duplicate what is already explained so I will apply the new stuff to my context.

Referring to the above blog post, you need first to setup a server identity for your Azure SQL Server as below:

Set-AzSqlServer `
-ResourceGroupName sandox-rg `
-ServerName a-s-sql02 `
-AssignIdentity

# Check server identity
Get-AzSqlServer `
-ResourceGroupName sandox-rg `
-ServerName a-s-sql02 | `
Select-Object ServerName, Identity

ServerName Identity
---------- --------
a-s-sql02 Microsoft.Azure.Management.Sql.Models.ResourceIdentity

Let’s have a look at the server identity

# Get identity details
$identity = Get-AzSqlServer `
-ResourceGroupName sandox-rg `
-ServerName a-s-sql02

$identity.identity

PrincipalId Type TenantId
----------- ---- --------
7f0d16f7-b172-4c97-94d3-34f0f7ed93cf SystemAssigned 2fcd19a7-ab24-4aef-802b-6851ef5d1ed5

In fact, assigning a server identity means creating a system assigned managed identity in the Azure AD tenant that’s trusted by the subscription of the instance. To keep things simple, let’s say that System Managed Identity in Azure is like to Managed Account or Group Managed Account on-prem. Those identities are self-managed by the system. Then you need to grant this identity the Azure AD « Directory Readers « permission to get rights for creating AAD Users or Groups on behalf of this identity. A PowerShell script is provided by Microsoft here a sample of code I applied in my context for testing:

...
Try {
$DatabaseName = "test-DBA"

# Connect to get access to Key Vault info
Connect-AzAccount | Out-Null

[String]$user = (Get-AzKeyVaultSecret -VaultName $KeyvaultName -Name "AZSQL-SQLBCKAPPID").SecretValueText
[System.Security.SecureString]$pwd = ConvertTo-SecureString (Get-AzKeyVaultSecret -VaultName $KeyvaultName -Name "AZSQL-SQLBCKAPPSECRET").SecretValueText -AsPlainText -Force
[String]$SourceServerName = (Get-AzKeyVaultSecret -VaultName $KeyvaultName -Name "AZSQL-NAME").SecretValueText
[String]$TargetServerName = (Get-AzKeyVaultSecret -VaultName $KeyvaultName -Name "AZSQL-TARGETNAME").SecretValueText + '.database.windows.net'

# DB Restore will be performed in the context of dedicated AAD account
$pscredential = New-Object -TypeName System.Management.Automation.PSCredential($user, $pwd)

$adalPath = "${env:ProgramFiles}\WindowsPowerShell\Modules\Az.Profile.7.0\PreloadAssemblies"
# To install the latest AzureRM.profile version execute -Install-Module -Name AzureRM.profile
$adal = "$adalPath\Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = "$adalPath\Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms.dll"
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
$resourceAppIdURI = 'https://database.windows.net/'

# Set Authority to Azure AD Tenant
$authority = 'https://login.windows.net/' + $tenantId

$ClientCred = [Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential]::new($clientId, $clientSecret)
$authContext = [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext]::new($authority)
$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$ClientCred)
$Tok = $authResult.Result.CreateAuthorizationHeader()
$Tok=$Tok.Replace("Bearer ","")

Write-host "Token generated is ..."
$Tok
Write-host ""

Write-Host "Create SQL connectionstring"
$conn = New-Object System.Data.SqlClient.SQLConnection

$conn.ConnectionString = "Data Source=$TargetServerName;Initial Catalog=master;Connect Timeout=30"
$conn.AccessToken = $Tok

Write-host "Connect to database and execute SQL script"
$conn.Open()

Write-Host "Check connected user ..."
$Query = "SELECT USER_NAME() AS [user_name];"
$command = New-Object -TypeName System.Data.SqlClient.SqlCommand($Query, $conn)
$Command.ExecuteScalar()
$conn.Close()

Write-Host "Restoring DB:$DatabaseName from Source Server: $SourceServerName to Target Server: $TargetServerName"

$conn.ConnectionString = "Data Source=$TargetServerName;Initial Catalog=master;Connect Timeout=30"
$conn.AccessToken = $Tok
$conn.Open()
$Query = "DROP DATABASE IF EXISTS [$DatabaseName]; CREATE DATABASE [$DatabaseName] AS COPY OF [$SourceServerName].[$DatabaseName]"
$command = New-Object -TypeName System.Data.SqlClient.SqlCommand($Query, $conn)
$command.CommandTimeout = 1200
$command.ExecuteNonQuery()
$conn.Close()

# Wait for DB online and ready ...
# Code should be implemented for this check

Write-Output "Applying security configuration to DB: $DatabaseName on Server:$TargetServerName"

$conn.ConnectionString = "Data Source=$TargetServerName;Initial Catalog=$DatabaseName;Connect Timeout=30"
$conn.AccessToken = $Tok
$conn.Open()
$Query = 'CREATE USER [az_sql_ro] FROM EXTERNAL PROVIDER;'
$command = New-Object -TypeName System.Data.SqlClient.SqlCommand($Query, $conn)
$command.ExecuteNonQuery()
$conn.Close()

}
Catch {
Write-Output "Error encountered: $($_.Exception.Message)"
}
...

Using service principal required few changes in my case. I now get credentials of the service principal (ClientId and Secret) from Azure Key Vault instead of the AAD dedicated account used in previous example. I also changed the way to connect to SQL Server by relying on ADALSQL to get the access token instead of using dbatools commands. Indeed, as far as I know, dbatools doesn’t support this authentication way (yet?).

The authentication process becomes as follows:

My first test seems to be relevant:

This improvement looks promise and may cover broader scenarios as the one I described in this blog post. This feature is in preview at the moment of this write-up and I hope to see it coming soon in GA as well as a potential support of preferred PowerShell framework DBAtools

See you!

SQL Server PowerShell : Récupérer la volumétrie globale des serveurs SQL

mikedavem — Sat, 12 Jun 2010 11:35:49 +0000

Un collègue qui est chargé de rationnaliser les processus d’entreprises autour des serveurs de bases de données m’a demandé s’il était possible de connaître la volumétrie de chaque serveur SQL Server en terme d’espace disque et la volumétrie globale de l’ensemble de ces serveurs. L’idée ici est d’avoir une idée de la volumétrie d’espace disque pour chaque technologie de bases de données (SQL Server et Oracle notamment). Je vous propose ici un script PowerShell permettant de réaliser cette tâche.

Ce script s’exécute avec la version 2.0 de PowerShell. Il faut également avoir installé les outils de management de SQL Server 2008.

Ce script prend en paramètres d’entrées :

- Un fichier texte comportant la liste des serveurs SQL recensés dans l’entreprise (sql_server.txt)
- Un script SQL permettant de récupérer la volumétrie globale de chaque serveur pour l’ensemble des bases de données systèmes et utilisateurs. (size_serveur.sql)

. et il délivre en sortie :

- Un affichage dans la console pour chaque serveur joignable, la version de SQL Server et sa volumétrie globale
- Un fichier log (SqlLog.txt). Dans ce fichier existe une entrée pour chaque serveur où il s’est produit une erreur (Serveur inacessible, compte de connexion incorrect, erreur d’exécution du script SQL etc..).

Le script SQL (size_serveur.sql) :

/************************************************
* @Author = BARBARIN David                     *
* @Description =                               *
* Récupération de la version du serveur SQL + *
* volumétrie globale de l’ensemble des bases   *
* des données (fichiers DATA + LOG)            *
************************************************/

DECLARE @version TINYINT

SELECT @version = CAST(RIGHT(LEFT(@@VERSION, CHARINDEX(‘.’, @@VERSION) – 1), 2) AS TINYINT)

– Version inférieur à SQL Server 2005
IF (@version < 9)
BEGIN
SELECT
    @@VERSION AS version_sql,
    CAST(SUM(size) * 8. / 1024 / 1024 AS DECIMAL(15,2)) AS size_GB
FROM master..sysaltfiles
END
– Version supérieure ou égale à SQL Server 2005
ELSE
BEGIN
SELECT
    @@VERSION AS version_sql,
    CAST(SUM(size) * 8. / 1024 / 1024 AS DECIMAL(15,2)) AS size_GB
FROM sys.master_files
END

Le script PowerShell (volumetrie_sqlserver.ps1) :

####################################
# @author = David BARBARIN                                  #
# @Description =                                                   #
# Volumétrie globale par serveur                              #
# et totale                                                            #
# @PARAM =                                                         #
# Fichier texte contenant la liste                              #
# des serveurs SQL                                                #
# @OUTPUT =                                                       #
# Nom du serveur + version                                    #
# Volumétrie par serveur                                         #
# Volumétrie globale                                             #
# Erreurs dans fichier log                                        #
# SqlLog.txt                                                         #
###################################

# Désactivation des messages d’erreurs sur la console PowerShell
$ErrorActionPreference = « SilentlyContinue »

# Chargement des snapin pour SQL Server
Add-PSSnapin SqlServerCmdletSnapin100
Add-PSSnapin SqlServerProviderSnapin100

# Récupération de la liste des serveurs
$servers = get-content « sql_server.txt »

# Path courant
$path = Get-Location

# Username et Password
$credentialsql = «  » # Pour une authentification de type Windows -> $credentialsql = « Windows »
$username = « user »
$password = « password »

$result_final = 0

# Initialisation fichier
$date = get-date
Write-output « Erreur log du $date » | out-File « $path\SqlLog.txt »

# Pour chaque serveur on récupère les informations de volumétrie
foreach($server in $servers)
{
$error.Clear()
try {
# Exécution script sql de récupération volumétrie données.
if ($credentialsql -eq « Windows »)
{
   $result = Invoke-Sqlcmd -ServerInstance $server -inputFile « $path\size_serveur.sql » -OutputSqlErrors $false
}
else
{
   $result = Invoke-Sqlcmd -Username $username -Password $password -ServerInstance $server -inputFile « $path\size_serveur.sql » -OutputSqlErrors $false
}
# Affichage du résultat dans la fenêtre Powershell
Write-Host « ——— »
Write-Host « Serveur : » $server
Write-Host « Version : » $result.version_sql
Write-Host « Volumétrie serveur : » $result.size_GB « GB »
# Comptabilisation du volume de données global
$result_final = $result_final + $result.size_GB
}
catch
{
# Affichage erreur dans la fenêtre PowerShell
Write-Host « ——— »
Write-Host « Serveur : » $server
Write-Host « Problème de récupération des données. Vérifiez le journal d’erreurs SqlLog.txt »
# Enregistrement détail de l’erreur dans le fichier log
$message = « — Erreur de récupération pour le serveur : $server . $error »
Write-output $message | out-File -append « $path\SqlLog.txt »
}
Finally {
Continue
}
}

# Affichage volumétrie globale dans la fenêtre Powershell
Write-Host « ——— »
Write-Host « ——— »
Write-Host « Volumétrie total : » $result_final « GB »
Write-Host « ——— »
Write-Host « ——— »

# Suppression des snapin pour SQL Server
Remove-PSSnapin SqlServerCmdletSnapin100
Remove-PSSnapin SqlServerProviderSnapin100

Bon audit !!

David BARBARIN (Mikedavem)
Elève ingénieur CNAM Lyon

SQL Server PowerShell : Comment récupérer rapidement les informations générales d’une liste de serveurs

mikedavem — Tue, 01 Jun 2010 20:06:51 +0000

Il y a peu de temps j’ai dû effectué un audit sur un ensemble de serveurs SQL. Autant vous dire que j’ai essayé d’optimiser certaines tâches comme la récupération de certaines données générales du serveur comme les processeurs, la mémoire, les disques et le système d’exploitation. Voici un script Powershell qui permet de récupérer ces informations rapidement !!

Le script utilise un fichier nommé sqlserver.txt dans lequel il suffit de mettre les noms des serveurs SQL à auditer. Assurer vous également que le compte utilisé par le script ait les droits nécessaires pour interroger du cmdlet sur le serveur concerné. Ce script a été testé sur Windows 2003 Server, Windows Server 2008 et Windows Server 2008 R2.

#################################
# @author = Mikedavem           #
# @Description =                #
# Récupération d’informations   #
# serveurs (CPU, mémoire,       #
# disques, OS …)              #
#################################

$computername = « computername »;
$login = « domain\administrateur »
$pwd = convertto-securestring « pasword » -asplaintext -force;
$servers = get-content « sql_server.txt »

# Définition du crédential
$credential = new-object -typename System.Management.Automation.PSCredential -argumentlist $login,$pwd -ErrorAction « silentlycontinue »;

foreach($server in $servers)
{
$operatingSystem = get-wmiobject win32_OperatingSystem -computername $server -credential $credential
Write-Host $operatingSystem.CSName
Write-Host $operatingSystem.Caption
Write-Host « ——— »
Write-Host « Disques : »

$Disk = get-WmiObject Win32_LogicalDisk -computername $server -credential $credential | Where {$_.Name -ne « A: » -and $_.DriveType -eq « 3 »}

foreach ( $disque in $Disk ) {
    # calul de la taille en Giga octet
    $taille = $disque.freespace / (1024*1024*1024)
    $taille = [math]::round($taille, 1) # Arrondi la taille à la décimale
    $size = $disque.size / (1024*1024*1024)
    $size = [math]::round($size, 1)

    Write-host « Drive= » $disque.Name « Size= » $size « Go FreeSpace= » $taille « Go »
}

Write-Host « ——— »
Write-Host « CPU : »

$processor = get-wmiobject Win32_processor -computername $server -credential $credential
foreach ($proc in $processor)
{
Write-Host « ID= » $proc.DeviceID « Proc= » $proc.Name « , Speed= »$proc.CurrentClockSpeed »MHz Arch= » -nonewline;
Switch($proc.Architecture)
             {
              0{« x86″}
              1{« MIPS »}
              2{« Alpha »}
              3{« PowerPC »}
              6{« Intel Itanium IPF »}
              9{« x64″}
             }
}

Write-Host « ——— »
Write-Host « Memory : »
$memory = get-wmiobject Win32_ComputerSystem -computername $server -credential $credential
foreach ($mem in $memory)
{
$tailleRAM = [math]::round($mem.TotalPhysicalMemory / (1024 * 1024 * 1024), 1)
Write-Host « Total of memory = » $tailleRAM « Go »;
}
Write-Host « ——— »
Write-Host «  »
}

Bon audit !!

David BARBARIN (Mikedavem)
Elève ingénieur CNAM

SQL Server PowerShell : Activer désactiver certains protocoles SQL Server

mikedavem — Tue, 01 Jun 2010 18:52:15 +0000

Sur certaines éditions de SQL Server, l’activation du protocole TCPIP requiert une action manuelle. Voici un script powershell qui peut être intégré à une installation automatique et qui active le protocole TCPIP d’une part et désactive les canaux nommés d’autre part.

Ce script prend en paramètre le nom du serveur ainsi qu’un compte de connexion et mot de passe. Ce compte doit être administrateur du serveur en local pour pouvoir accéder à l’espace de nom « root\Microsoft\SqlServer\ComputerManagement« . De plus, il faudra penser à changer l’espace de nom en « root\Microsoft\SqlServer\ComputerManagement10 » pour SQL Server 2008 et SQL Server 2008 R2. Enfin ce script n’opère que sur l’instance par défaut.

#################################
# @author = Mikedavem           #
# @Description =                #
# Activation du protocole TCPIP #
# et désactiviation des canaux #
# nommés.                       #
#################################

$computername = « computeurname »;
$login = « domain\administrateur »
$pwd = convertto-securestring « pass » -asplaintext -force;

try
{
    # Définition du crédential
    $credential = new-object -typename System.Management.Automation.PSCredential -argumentlist $login,$pwd -ErrorAction « silentlycontinue »;

    # Protocol Canaux nommés à désactiver
    $protocol = Get-WmiObject -computername $computername -credential $credential -namespace « root\Microsoft\SqlServer\ComputerManagement10″ `
                              -class ServerNetworkProtocol `
                              -filter « ProtocolName=’np’ and InstanceName=’MSSQLSERVER' » `
                              -ErrorAction « silentlycontinue »;
    $protocol.SetDisable();

    # Protocol TCP à activer
    $protocol = Get-WmiObject -computername $computername -credential $credential -namespace « root\Microsoft\SqlServer\ComputerManagement10″ `
                              -class ServerNetworkProtocol `
                              -filter « ProtocolName=’tcp’ and InstanceName=’MSSQLSERVER' »;
    $protocol.SetEnable();

    # Redémarrage service SQL
    $sqlservice = Get-WmiObject -computername $computername -credential $credential -namespace « root\Microsoft\SqlServer\ComputerManagement10″ `
                                -class SqlService `
                                -filter « ServiceName=’MSSQLSERVER' » `
                                -ErrorAction « silentlycontinue »;
    $sqlservice.StopService();
    $sqlservice.StartService();
}
catch
{
    « Une erreur est survenue lors de la mise à jour des protocoles : »;
    « Détail de l’erreur : »
    $err = $Error[0];
    $err | Format-List *;
}

Bonne activation de protocole !!

David BARBARIN (Mikedavem)
Elève ingénieur CNAM