Why Doesn’t Azure SQL Support Azure AD Domain Services Authentication?
Prepare for AZ-500 exam by understanding why Azure SQL supports modern Azure AD authentication but not Azure AD Domain Services. Learn the difference between cloud-native identities and managed domain services for database access.
Question
With Azure SQL, you can configure Azure AD Domain Services authentication.
A. TRUE
B. FALSE
Answer
B. FALSE
Explanation
The correct answer is B. FALSE. Azure SQL Database supports native Azure Active Directory (Azure AD) authentication but does not support authentication through Azure AD Domain Services (Azure AD DS); they are two distinct services that rely on different authentication protocols.
In short, Azure SQL supports Azure AD authentication, but not Azure AD Domain Services authentication at this time.
Azure AD Authentication for Azure SQL
This is the modern, cloud-native method for authenticating to Azure SQL.
- It uses Azure AD identities (users, groups, service principals, and managed identities) for authentication.
- The authentication mechanism is based on modern protocols like OAuth 2.0 and token-based access.
- This integration allows for benefits like centralized identity management, passwordless connections using managed identities, and enforcement of Multi-Factor Authentication (MFA) and Conditional Access policies.
Understanding Azure AD Domain Services (Azure AD DS)
Azure AD DS is a managed domain service that provides traditional domain protocols for the cloud.
- It is designed for legacy applications that require protocols like Kerberos, NTLM, and LDAP.
- The primary use case is to “lift and shift” on-premises applications to Azure VMs without having to re-architect their authentication mechanisms. It essentially provides a managed Active Directory domain in Azure.
The Fundamental Difference in Authentication Models
The reason for the incompatibility lies in the authentication protocols each service uses.
- Azure SQL Database is a Platform-as-a-Service (PaaS) offering built for the cloud. It is designed to accept modern, token-based authentication from Azure AD. It does not have endpoints that listen for or understand traditional Kerberos or NTLM authentication requests that come from a domain controller.
- Azure AD Domain Services provides authentication for services that can be formally “domain-joined,” which is a concept that applies to virtual machines (IaaS), not to a managed PaaS database like Azure SQL Database.
Where Azure AD DS Authentication Is Used
For clarity, it’s important to know which SQL offerings can use traditional domain authentication:
- SQL Server on an Azure VM: A virtual machine running SQL Server can be joined to an Azure AD DS managed domain. This allows users to connect using Windows Authentication, just as they would on-premises.
- Azure SQL Managed Instance: This PaaS offering is specifically designed for migrating on-premises SQL Server workloads with minimal changes. As part of this “lift-and-shift” compatibility, it does support Windows Authentication and can integrate with Azure AD DS, acting as a bridge between the PaaS and IaaS worlds.
Therefore, while native Azure SQL Database relies solely on Azure AD, other services in the Azure SQL family have different authentication capabilities to support different migration scenarios.