Using Multi-factor AAD authentication with Azure SQL Database and Azure SQL Data Warehouse (SSMS support for MFA)

Azure SQL Database and Azure SQL Data Warehouse support connections from SQL Server Management Studio (SSMS) using Active Directory Universal Authentication. This article discusses the differences between the various authentication options, and also the limitations associated with using Universal Authentication.

Download the latest SSMS - On the client computer, download the latest version of SSMS from Download SQL Server Management Studio (SSMS).

For all the features discussed in this article, use at least the July 2017 release, version 17.2. The most recent connection dialog box should look similar to the following image:

(Image: mfa-universal-connect)

The five authentication options

Active Directory Universal Authentication supports two non-interactive authentication methods, which can also be used in many different applications (ADO.NET, JDBC, ODBC, etc.). These two methods never result in pop-up dialog boxes:

  • Active Directory - Password authentication
  • Active Directory - Integrated authentication

The interactive method, which also supports Azure Multi-Factor Authentication (MFA), is:

  • Active Directory - Universal with MFA

Azure MFA helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication with a range of easy verification options (phone call, text message, smart cards with PIN, or mobile app notification), allowing users to choose the method they prefer. Interactive MFA with Azure AD can result in a pop-up dialog box for validation.

For a description of Multi-Factor Authentication, see Multi-Factor Authentication. For configuration steps, see Configure Azure SQL Database multi-factor authentication for SQL Server Management Studio.

Azure AD domain name or tenant ID parameter

Beginning with SSMS version 17, users that are imported into the current Active Directory from other Azure Active Directories as guest users can provide the Azure AD domain name or tenant ID when they connect. Guest users include users invited from other Azure ADs, Microsoft accounts such as outlook.com, hotmail.com, live.com, or other accounts like gmail.com. This information allows Active Directory Universal with MFA Authentication to identify the correct authenticating authority. This option is also required to support Microsoft accounts (MSA) such as outlook.com, hotmail.com, live.com, or non-MSA accounts. All these users who want to be authenticated using Universal Authentication must enter their Azure AD domain name or tenant ID. This parameter represents the current Azure AD domain name/tenant ID the Azure Server is linked with. For example, if the Azure Server is associated with the Azure AD domain contosotest.onmicrosoft.com, where user joe@contosodev.onmicrosoft.com is hosted as an imported user from the Azure AD domain contosodev.onmicrosoft.com, the domain name required to authenticate this user is contosotest.onmicrosoft.com. When the user is a native user of the Azure AD linked to the Azure Server, and is not an MSA account, no domain name or tenant ID is required.
To enter the parameter (beginning with SSMS version 17.2), in the Connect to Database dialog box, complete the dialog box, selecting Active Directory - Universal with MFA authentication, click Options, complete the User name box, and then click the Connection Properties tab. Check the AD domain name or tenant ID box, and provide the authenticating authority, such as the domain name (contosotest.onmicrosoft.com) or the GUID of the tenant ID.
(Image: mfa-tenant-ssms)

Azure AD business to business support

Azure AD users supported for Azure AD B2B scenarios as guest users (see What is Azure B2B collaboration) can connect to SQL Database and SQL Data Warehouse only as members of a group created in the current Azure AD and mapped manually using the Transact-SQL CREATE USER statement in a given database. For example, if steve@gmail.com is invited to Azure AD contosotest (with the Azure AD domain contosotest.onmicrosoft.com), an Azure AD group, such as usergroup, must be created in the Azure AD that contains the steve@gmail.com member. Then, this group must be created for a specific database (that is, MyDatabase) by the Azure AD SQL admin or Azure AD DBO by executing a Transact-SQL CREATE USER [usergroup] FROM EXTERNAL PROVIDER statement. After the database user is created, the user steve@gmail.com can log in to MyDatabase using the SSMS authentication option Active Directory – Universal with MFA support. The usergroup, by default, has only the CONNECT permission; any further data access needs to be granted in the normal way. Note that user steve@gmail.com, as a guest user, must check the box and add the AD domain name contosotest.onmicrosoft.com in the SSMS Connection Properties dialog box.
The AD domain name or tenant ID option is only supported for the Universal with MFA connection option; otherwise it is greyed out.
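The B2B mapping described above, written out as an added example (not from the original article): it creates the group principal, grants it the least data access the scenario needs, and then verifies what the database actually knows about it. It assumes the article's names (usergroup, MyDatabase) and that the statements are run by the Azure AD admin or an Azure AD DBO while connected to MyDatabase, not to master.

```sql
-- Assumption: connected to MyDatabase as the Azure AD admin / Azure AD DBO.
-- Map the Azure AD group (which contains the guest steve@gmail.com) into the database.
CREATE USER [usergroup] FROM EXTERNAL PROVIDER;
GO

-- By default the new principal holds only CONNECT. Grant data access explicitly
-- and narrowly; read-only role membership is used here as the least-privilege choice.
ALTER ROLE db_datareader ADD MEMBER [usergroup];
GO

-- Verification 1: the principal exists and is an external (Azure AD) group.
-- Expected: type_desc = EXTERNAL_GROUP, authentication_type_desc = EXTERNAL.
SELECT dp.name, dp.type_desc, dp.authentication_type_desc
FROM sys.database_principals AS dp
WHERE dp.name = N'usergroup';

-- Verification 2: the effective permissions granted directly to the principal.
-- Expected: the CONNECT grant created with the user, and nothing wider than intended.
SELECT pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS dp
  ON dp.principal_id = pe.grantee_principal_id
WHERE dp.name = N'usergroup';

-- Verification 3: role memberships, so the read-only grant is visible in an audit.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'usergroup';
```

Running the three verification queries after any change to the group's access gives a quick, auditable record of exactly what the guest users inherit through the group.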

Universal Authentication limitations for SQL Database and SQL Data Warehouse

  • SSMS and SqlPackage.exe are the only tools currently enabled for MFA through Active Directory Universal Authentication.
  • SSMS version 17.2 supports multi-user concurrent access using Universal Authentication with MFA. Versions 17.0 and 17.1 restricted a login for an instance of SSMS using Universal Authentication to a single Azure Active Directory account. To log in as another Azure AD account, you had to use another instance of SSMS. (This restriction is limited to Active Directory Universal Authentication; you can log in to different servers using Active Directory Password Authentication, Active Directory Integrated Authentication, or SQL Server Authentication.)
  • SSMS supports Active Directory Universal Authentication for Object Explorer, Query Editor, and Query Store visualization.
  • SSMS version 17.2 provides DacFx Wizard support for Export/Extract/Deploy Data Database. Once a specific user is authenticated through the initial authentication dialog using Universal Authentication, the DacFx Wizard functions the same way it does for all other authentication methods.
  • The SSMS Table Designer does not support Universal Authentication.
  • There are no additional software requirements for Active Directory Universal Authentication except that you must use a supported version of SSMS.
  • The Active Directory Authentication Library (ADAL) version for Universal Authentication was updated to the latest available release, ADAL.dll 3.13.9. See Active Directory Authentication Library 3.14.1.

Next steps