Multiple AD accounts as Server admin

  • Question

  • Hello Team,

    Is it possible to add an AD account or group as server level admin via SQL scripts?
    Note: We already have an account added in Active Directory admin via portal

    We want to add any role at server level which would allow the other AD user to create/delete databases in the server via scripts.

    So is it even possible?

    Thursday, May 21, 2020 12:15 PM

All replies

  • Hi Nandan,

    With Azure SQL (logical) Server that either hosts a Data Warehouse (Synapse Analytics) or SQL Database, you can only have a single account as the Active Directory Admin. This account can either be an individual AD user or an AD group. Please see: Create an Azure AD administrator for Azure SQL server

    The Additional considerations section details the limitation:

    • To enhance manageability, we recommend you provision a dedicated Azure AD group as an administrator.
    • Only one Azure AD administrator (a user or group) can be configured for an Azure SQL Database server or Azure Synapse at any time.
      • The addition of Azure AD server principals (logins) for managed instances allows the possibility of creating multiple Azure AD server principals (logins) that can be added to the sysadmin role. (Note: Does not apply to Synapse Analytics)
    • Only an Azure AD administrator for SQL Server can initially connect to the Azure SQL Database server, managed instance, or Azure Synapse using an Azure Active Directory account. The Active Directory administrator can configure subsequent Azure AD database users.

    You will need to deprovision the current AD Admin, identify an AD Group account in your tenant, and then add this identity to your Azure SQL (logical) Server. You can then add/remove individual AD user accounts to this AD Group who require AD Admin privileges to the Synapse Analytics instance.  

    Please let me know if you require additional information.

    Regards,

    Mike

    Tuesday, May 26, 2020 9:55 PM
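The group-as-admin procedure described in the reply above, sketched with the Az PowerShell module. This is an added example, not code posted by anyone in the thread; the resource group, server, group and user names are placeholders, and it assumes an authenticated `Connect-AzAccount` session with rights over both the server and the group.

```powershell
# Added example. Every name below is a placeholder, not a value from the thread.
$ErrorActionPreference = 'Stop'
$ResourceGroup = 'rg-example'                 # placeholder resource group
$ServerName    = 'sqlserver-example'          # placeholder logical server name
$GroupName     = 'sql-server-admins'          # placeholder Azure AD group
$MemberUpns    = @('user1@example.com', 'user2@example.com')   # placeholder users

# 1. Record the current Azure AD admin (only one can be configured at a time).
$current = Get-AzSqlServerActiveDirectoryAdministrator `
    -ResourceGroupName $ResourceGroup -ServerName $ServerName
if ($current) {
    Write-Host "Current AD admin: $($current.DisplayName) ($($current.ObjectId))"
}

# 2. Resolve the group and stop on a missing or ambiguous display name, so the
#    wrong group is never granted server-wide admin rights.
$groups = @(Get-AzADGroup -DisplayName $GroupName)
if ($groups.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($groups.Count)."
}
$groupId = $groups[0].Id    # older Az.Resources versions expose this as ObjectId

# 3. Deprovision the existing admin, then set the group as the AD admin.
if ($current -and "$($current.ObjectId)" -ne "$groupId") {
    Remove-AzSqlServerActiveDirectoryAdministrator `
        -ResourceGroupName $ResourceGroup -ServerName $ServerName
}
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $ResourceGroup `
    -ServerName $ServerName -DisplayName $GroupName -ObjectId $groupId

# 4. Add the users who need admin rights, skipping those already in the group.
$existingIds = @(Get-AzADGroupMember -GroupObjectId $groupId | ForEach-Object { $_.Id })
foreach ($upn in $MemberUpns) {
    $user = Get-AzADUser -UserPrincipalName $upn
    if (-not $user) { Write-Warning "No such user: $upn"; continue }
    if ($existingIds -contains $user.Id) { continue }
    Add-AzADGroupMember -TargetGroupObjectId $groupId -MemberObjectId $user.Id
}

# 5. Print the resulting membership: everyone listed here is a server admin.
Get-AzADGroupMember -GroupObjectId $groupId | Select-Object DisplayName, Id
```

After this change, membership of the group is what grants admin rights on the server, so changes to that group are worth auditing like any other privileged-role assignment.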
  • Hello Nandan,

    At this time it is not possible. The account must be a user. We do have server roles admins; you can read more on that here.



    Thanks Himanshu
    ================
    If you think my answer helped you, please click "mark as answer"; this will help other community members to get to the resolution faster
    Alone, we can do so little; together, we can do so much

    Tuesday, May 26, 2020 10:04 PM