Create a Microsoft Azure Synapse SQL connection to securely read data from or write data to Microsoft Azure Synapse SQL.
Prerequisites
You can configure Microsoft SQL Server, Azure Active Directory, Managed Identity, and Service Principal authentication types to access Microsoft Azure Synapse SQL.
Before you configure the connection properties, you need to keep the authentication details handy based on the authentication type that you want to use.
Azure Active Directory authentication
To connect to Microsoft Azure Synapse SQL using Azure Active Directory (AAD) authentication, you need to create an Azure Active Directory administrator and an Azure Active Directory user.
Import a server certificate
If a trust store file isn't configured for your organization and you want to use AAD authentication with Active Directory Federation Services in Azure, you need to import the server certificate. For more information, contact your organization administrator.
Import the server certificate to the following location:
To add new users to your Azure Active Directory, you must have an administrator role.
To set up an Azure Active Directory administrator for AAD and Microsoft SQL Server that hosts your Microsoft Azure Synapse SQL, perform the following steps:
1Log on to the Microsoft Azure portal using your credentials.
The Dashboard page appears.
2From the All Resources page, select the Microsoft SQL Server that hosts Microsoft Azure Synapse SQL.
3Under Settings displayed for Microsoft SQL Server, select the Active Directory admin option.
The image shows the Active Directory admin settings:
4Click Set admin.
The Add admin page appears.
5Enter the email ID that you want to use as admin, and then click Select.
6Click Save.
Create an Azure Active Directory user
Create an AAD user and use the AAD user credentials when you configure a Microsoft Azure Synapse SQL connection with AAD authentication.
Perform the following steps to create an AAD user:
1Connect to Microsoft Azure Synapse SQL using the Azure Active Directory administrator created in the previous steps.
You can use Microsoft SQL Server Management Studio to connect to the Microsoft Azure Synapse SQL.
2In a new query window in Microsoft SQL Server Management Studio, run the following command to create an AAD user:
create user [user@foobar.com] from external provider;
3Assign the following privileges to the user:
CREATE USER [username] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [username]
ALTER ROLE db_datawriter ADD MEMBER [username]
GRANT EXECUTE TO [username]
grant ALTER ANY EXTERNAL DATA SOURCE to [username];
grant create table to [username];
grant create schema to [username];
grant select to [username];
grant update to [username];
grant insert to [username];
grant delete to [username];
grant create view to [username];
grant select on schema :: sys to [username];
grant control to [username];
EXEC sp_addrolemember 'db_owner','[username]';
ALTER ROLE db_owner ADD MEMBER [username]
Service principal authentication
Service Principal authentication involves the use of a service principal identity to authenticate and authorize access to Azure resources. Before you use service principal authentication to connect to Microsoft Azure Synapse SQL, be sure to complete certain prerequisites.
1Register a service principal application.
2Configure a service principal user for a dedicated SQL pool.
Managed Identity authentication uses managed identities in Azure Active Directory to authenticate and authorize access to Azure resources securely.
When you use managed identity authentication to connect to Microsoft Azure Synapse SQL, the user for the system assigned identity is the virtual machine for which you enable the identity. The user for the user assigned identity is the user identity that you create in the Azure portal.
Before you use managed identity authentication to connect to Microsoft Azure Synapse SQL or Microsoft Azure Data Lake Storage Gen2, be sure to complete certain prerequisites.
1Create an Azure virtual machine.
2Install the Secure Agent on the Azure virtual machine.
3Enable system assigned identity or user assigned identity for the Azure virtual machine.
If you enable both and do not specify the client ID, the system assigned identity is used for authentication.
4After you add or remove a managed identity, restart the Azure virtual machine.
Connect to Microsoft Azure Synapse SQL
Let's configure the Microsoft Azure Synapse SQL connection properties to connect to Microsoft Azure Synapse SQL.
Before you begin
Before you get started, you'll need to get information from your Microsoft Azure Synapse SQL account based on the authentication type that you want to configure.
Connection details
The following table describes the basic connection properties:
Property
Description
Connection Name
Name of the connection.
Each connection name must be unique within the organization. Connection names can contain alphanumeric characters, spaces, and the following special characters: _ . + -,
Maximum length is 255 characters.
Description
Description of the connection. Maximum length is 4000 characters.
Type
Microsoft Azure Synapse SQL
Runtime Environment
The name of the runtime environment where you want to run tasks.
For application ingestion and replication tasks, database ingestion and replication tasks, and streaming ingestion and replication tasks, you cannot use the Hosted Agent or serverless runtime environments. For file ingestion and replication tasks, you can use the Hosted Agent but not serverless environments.
Azure DW JDBC URL
The Microsoft Azure Synapse SQL JDBC connection string.
Use the following string to connect to Microsoft Azure Synapse SQL:
You can include an authentication parameter in the connection string to specify the authentication type. You can configure the following authentication types to connect to Microsoft Azure Synapse SQL:
- Microsoft SQL Server
- Azure Active Directory
- Managed Identity
- Service Principal
If you don't include an authentication parameter in the connection string, the Secure Agent uses Microsoft SQL Server authentication as the authentication type.
Connection string format for Microsoft SQL Server authentication
User name to connect to the Microsoft Azure Synapse SQL account.
- For AAD authentication, provide your AAD user name.
- For Microsoft SQL server authentication, provide your SQL auth user name.
- For service principal authentication, provide the application ID or client ID for your application registered in Azure Active Directory.
This property doesn't apply to Managed Identity authentication.
Azure DW JDBC Password
Password to connect to the Microsoft Azure Synapse SQL account.
- For AAD authentication, provide the password of the AAD user.
- For Microsoft SQL server authentication, provide the password of SQL auth user.
- For service principal authentication, provide the client secret for your application registered in the Azure Active Directory.
This property doesn't apply to Managed Identity authentication.
Azure DW Client ID
Required if you want to use the user-assigned managed identity for Managed Identity Authentication to connect to Microsoft Azure Synapse SQL.
The client ID of the user-assigned managed identity.
If you use system-assigned managed identity, leave the field empty.
Azure DW Schema Name
Name of the schema in Microsoft Azure Synapse SQL.
Azure storage types
You can select Microsoft Azure Blob Storage or Microsoft Azure Data Lake Storage Gen2 as the Azure storage type to stage the data files. Default is Azure Blob.
Select your preferred storage type and then configure the storage-specific parameters.
To get credentials for shared key authentication when you connect to Microsoft Azure Blob Storage or Microsoft Azure Data Lake Storage Gen2 to stage files, see Get credentials for shared key authentication How-To Library article.
To get credentials for service principal authentication when you connect to Microsoft Azure Data Lake Storage Gen2 to stage files, see Get credentials for service principal authentication How-To Library article.
Azure Blob storage
When you select Microsoft Azure Blob as the storage type, you can configure Shared Key Authentication as the authentication type to stage the files.
The following table describes the authentication type that you can configure for Microsoft Azure Blob storage:
Property
Description
Authentication Type
Authentication type to connect to Microsoft Azure Blob storage to stage the files.
You can configure Shared Key Authentication as the authentication type to stage the files.
Shared Key Authentication
Uses the storage account name and account key to connect to Microsoft Azure Blob storage.
The following table describes the basic connection properties for shared key authentication:
Property
Description
Azure Blob Account Name
Name of the Microsoft Azure Blob Storage account to stage the files.
Azure Blob Account Key
The Microsoft Azure Blob Storage access key to stage the files.
Container Name
The name of the container in the Azure Blob Storage account.
ADLS Gen2 storage
When you select Microsoft Azure Data Lake Storage Gen2 as the storage type, you can configure various authentication types to stage the files.
The following table describes authentication types that you can configure for Microsoft Azure Data Lake Storage Gen2 storage:
Property
Description
Authentication Type
Authentication type to connect to Azure storage to stage the files.
Uses the storage account name and account key to connect to Microsoft Azure Data Lake Storage Gen2.
The following table describes the basic connection properties for shared key authentication:
Property
Description
ADLS Gen2 Storage Account Name
Name of the Microsoft Azure Data Lake Storage Gen2 account to stage the files.
ADLS Gen2 Account Key
The Microsoft Azure Data Lake Storage Gen2 access key to stage the files.
File System Name
The name of the file system in the Microsoft Azure Data Lake Storage Gen2 account.
Service Principal Authentication
Uses the account name, client ID, client secret, and tenant ID to connect to Microsoft Azure Data Lake Storage Gen2.
The following table describes the basic connection properties for service principal authentication:
Property
Description
ADLS Gen2 Storage Account Name
Name of the Microsoft Azure Data Lake Storage Gen2 account to stage the files.
Client ID
The client ID of your application.
Enter the application ID or client ID for your application registered in the Azure Active Directory.
Client Secret
The client secret for your application.
Tenant ID
The directory ID or tenant ID for your application.
File System Name
The name of the file system in the Microsoft Azure Data Lake Storage Gen2 account.
Managed Identity Authentication
Select this authentication type to authenticate using system-assigned or user-assigned identities that are assigned to applications in Azure to access Azure resources in Microsoft Azure Data Lake Storage Gen2.
The following table describes the basic connection properties for managed identity authentication:
Property
Description
ADLS Gen2 Storage Account Name
Name of the Microsoft Azure Data Lake Storage Gen2 account to stage the files.
Client ID
The client ID of your application.
Enter the client ID for the user-assigned managed identity. If the managed identity is system-assigned, leave the field empty.
File System Name
The name of the file system in the Microsoft Azure Data Lake Storage Gen2 account.
In a file ingestion and replication task, if you select Microsoft Azure Synapse SQL with Managed Identity authentication type as the target, then you must select Microsoft Azure Data Lake Storage Gen2 as the source.
Advanced settings
The following table describes the advanced connection properties:
Property
Description
External Data Source
The data source to create the external table.
Ensure that the external data source exists in Microsoft Azure Synapse SQL and you have the permission to access the external data source.
When you use the copy command method to load data from the staging location to Microsoft Azure Synapse SQL, you don't need to specify an external data source.
Staging Schema Name
The name of the schema that the Secure Agent uses to create external tables for staging data files.
If you do not specify the staging schema name, the Secure Agent considers the configured Azure DW Schema Name.
Blob End-point
Type of Microsoft Azure endpoint.
Select one of the following endpoints:
- core.windows.net. Connects to Azure endpoints.
- core.usgovcloudapi.net. Connects to US Government Microsoft Azure Synapse SQL endpoints.
- core.chinacloudapi.cn. Connects to Microsoft Azure Synapse SQL endpoints in the China region.
Default is core.windows.net.
VNet Rule
Enable to connect to a Microsoft Azure Synapse SQL endpoint residing in a virtual network (VNet).
This property doesn't apply to a serverless runtime environment.
Permissions
Permissions define the level of access for the operations that you can perform in Microsoft Azure Synapse SQL.
You must verify the following permissions:
•Ensure that a default schema is present at the account level or user or group level in Microsoft Azure SQL Data Warehouse.
•Verify that either the db_owner privilege or the following more granular privileges are granted to the user to connect to Microsoft Azure SQL Data Warehouse and perform operations successfully:
- EXEC sp_addrolemember 'db_datareader', '<user>'; // Alternately assign permission to the individual table.
- EXEC sp_addrolemember 'db_datawriter', '<user>'; // Alternately assign permission to the individual table.
- GRANT ALTER ANY EXTERNAL DATA SOURCE TO <user>;
- GRANT ALTER ANY EXTERNAL FILE FORMAT TO <user>;
- GRANT CONTROL TO <user>; // To grant all permissions on the database.
or
GRANT ALTER ANY SCHEMA TO <user>;// To grant permissions only on the schema.
- GRANT CREATE TABLE TO <user>;
- Assign required privileges for tasks performed through Pre-SQL and Post-SQL commands.
•If you configure the staging schema name in the connection properties, ensure the following additional privileges are granted to the user:
- ALTER ROLE db_datareader ADD MEMBER <user>;
- GRANT ALTER ANY EXTERNAL DATA SOURCE TO <user>;
- GRANT ALTER ANY EXTERNAL FILE FORMAT TO <user>;
- GRANT CREATE TABLE TO <user>;
- GRANT ALTER ON SCHEMA::<staging_schema_name> TO <user>;// Ensures this user does not have access to create or drop an external table in another schema.
- GRANT REFERENCES ON DATABASE SCOPED CREDENTIAL::<db_credential_name> TO <user>;// Ensures this user does not have access to drop the credentials.
For example, GRANT REFERENCES ON DATABASE SCOPED CREDENTIAL::db_creds1 TO srvls;
•If you have the ALTER ANY SCHEMA permissions, you must create the Master Key, Database Scoped Credential, and External Data Source in Microsoft Azure Synapse SQL that require the CONTROL permission on the database and specify the external data source when you create a connection.
Also, Microsoft Azure Synapse SQL Connector does not delete the Database Scoped Credential and External Data Source. You must manually delete the Database Scoped Credential and External Data Source.
•When you use managed identity authentication to connect to Microsoft Azure Synapse SQL, grant permissions to the virtual machine and user identity. For example, GRANT CONTROL TO <virtual machine name>; and GRANT CONTROL TO <user identity name>;
