Applies to: Azure Public Cloud | Azure Government
Workloads: Azure SQL Database | Azure SQL Managed Instance | SQL Server on Azure VM
Discover Azure SQL resources
After onboarding Azure SQL subscriptions, we must first discover the SQL resources associated with those subscriptions. We support both, automatic and manual discovery of SQL resources within a subscription.
Note:
The SQL managed instances and SQL servers are discovered automatically. You must perform manual discovery for SQL servers on Azure virtual machines for the first time. The SQL servers on Azure virtual machines and its resources will be auto discovered subsequently.
Manual discovery of Azure SQL resources on Azure VM
You must perform manual discovery for SQL servers on Azure virtual machines for the first time. This is a two-step process:
Discover SQL servers on virtual machines.
Once the SQL servers are discovered, assign valid credentials to be able to discover databases on those servers. Databases are discovered only after authentication is assigned.
After this, the SQL servers on Azure virtual machines and its resources will be discovered automatically.
Prerequisites
Ensure you complete the prerequisites before proceeding with manual discovery.
Procedure
On the Management Console, from the left navigation pane, select your Azure subscription and click SQL.
On the top right corner, click Discover Resources.
On the Discover Resources window, select Azure VMs based on tags or VM Names for discovery.
names.Click Run Discovery.
The SQL resources on the selected Azure VMs are discovered and displayed on the SQL resources listings page.
Note:
It may take anywhere from 1 to 10 minutes to discover resources depending on environment size.
Automatic discovery of Azure SQL resources
The SQL resources are periodically discovered via Automatic discovery. The automatic discovery does the following:
Runs once in 24 hours from the time of onboarding, to update all the resources on the subscription.
Automatically updates previously discovered SQL servers on Azure VM and its database information.
Only works for previously discovered SQL servers on Azure VM and its database resources
Ensure you meet the requirements mentioned here for automatic discovery.
Assign Authentication
After discovering your Azure SQL resources, you must configure authentication to enable backup and recovery operations. Depending on your environment, this involves assigning a Service Principal (recommended) or SQL authentication.
See the following procedure to assign authentication to the SQL server:
Procedure
Log in to the Druva Cloud Platform Console. On the Global Navigation Panel, click Azure and select Organization.
Alternatively, you can navigate to the Enterprise Workloads Management Console and select the Organization from the top menu. Select Protect > Go to Azure.
On the left navigation pane, select your Azure subscription and click SQL.
Select the SQL resources you want to authenticate and click > Assign Authentication.
On the Assign Authentication window, select one of the following authentication types and click Next.
Note:
We do not recommend changing authentication type after taking backup as it may lead to failure of backup of the restored database.Service Principal: This authentication method uses the Druva Backup Role to access your Azure SQL instance. For assigning the authentication type Service Principal, you must first map the Service Principal to your SQL database in the Azure environment. This is a one-time activity that you must do for every organization. For more information, see How to map service principal in Azure.
Important: For SQL Server on VMs, this authentication type applies only to SQL server versions 2022 and above. Verify your SQL software version before proceeding. An incorrect version will cause backup and restore operations to fail.
SQL Authentication: In this authentication type, you must provide a valid username and password to connect to the database. Druva maintains the credentials securely in its Credential Store. In addition, you can also create new credentials to connect to the database. For more information, see Add credentials.
For more information about SQL authentication, see this Microsoft article.
Note:To perform SQL authentication, the user :
Must be a local user in the SQL Server management studio.
Must have the
sysadminrole.
On the click of Next, the system executes a set of prechecks for proactively identifying issues such as incorrect authentication, inadequate connectivity, or missing prerequisites, thereby reducing the likelihood of subsequent job failure. If a precheck fails, it must be resolved before proceeding to the backup set configuration. For more information, see Validating Azure SQL readiness with Pre-checks.
Click Finish.
Next Steps
Configure Entra ID Service Principal Authentication in Azure
This section contains the steps to configure Entra ID Service Principal Authentication for:
Azure SQL Database and Managed Instance
SQL Server on Azure VMs
Configure Entra ID Service Principal Authentication for Azure SQL Database and Managed Instance
Applies to: Azure SQL Database | Azure SQL Managed Instance
Login to Azure Portal.
Click Azure SQL and search for the SQL server instance for which you want to map Service principal.
Right click on the SQL server instance.
For Azure SQL database and managed instance, do the following:
Click Settings > Microsoft Entra ID.
In the Microsoft Entra ID window, click Set admin.
In the Enterprise applications tab, select the admin based on your organization ID. In the search box, type “
<utphx/dcp>-druva-bkp-app-<org_id>”. The<org_id>is the sited ID in the Management Console URL. For example, consider your Management Console URL ishttps://console.druva.com/enterpriseworkloads/#op=oraclesbt-servers/siteid=923.
In this case, your org id will be “923”.
Example:
This sets the admin for the SQL server database.
Configure Entra ID Service Principal Authentication for SQL Server on Azure VMs
Applies to: SQL Server on Azure VMs (SQL Server 2022 or later)
To protect your databases, Druva connects via an Azure Service Principal to securely discover, back up, and restore your data without storing native database credentials. This configuration requires establishing a trusted identity path between your Azure Virtual Machine (VM) infrastructure, Microsoft Entra ID, and the Druva Cloud Platform.
Prerequisites
Before configuring Entra ID authentication, ensure you satisfy the following deployment requirements:
Azure Portal Access: Sign in to the Azure portal using an account with active Contributor and User Access Administrator permissions on the target subscription.
SQL Server permissions: The Azure user has sysadmin privileges on the SQL Server instance.
SQL Server Version: The destination instance must run SQL Server 2022 or later on Azure Windows Virtual Machines. For legacy SQL Server instances, you can use native SQL Authentication. For more information, see the SQL Authentication section.
Required Azure permissions: Ensure the Azure user has the following access to the Microsoft Entra permissions:
Permission Action | Permission ID | Permission Description |
Microsoft.Features | /providers/register/action | Register Azure resource providers |
Microsoft.Support | /register/action
| Register the Microsoft.Support resource provider |
Microsoft.Compute/virtualMachines | /write | Create or update Azure Virtual Machines |
Microsoft.Authorization | /roleAssignments/write | Create Azure RBAC role assignments |
Microsoft.SqlVirtualMachine | /sqlVirtualMachines/write
| Create or update SQL Virtual Machine resources |
Microsoft.SqlVirtualMachine | /sqlVirtualMachines/azureSqlServerConfigurations/write
| Configure Azure SQL Server settings for SQL Virtual Machines |
microsoft.directory | /roleAssignments/create | Create Microsoft Entra role assignments |
microsoft.directory | /applications/standard/read
| Read standard properties of application registrations |
microsoft.directory | /servicePrincipals/standard/read | Read standard properties of service principals |
Procedure
Sign in to the Azure portal for performing the following configuration procedures:
Register the SQL Virtual Machine Resource Provider
Register your subscription with the SQL Virtual Machine resource provider to allow Microsoft Entra ID authentication on your workloads.
On the Azure portal menu, search for Subscriptions and select it from the available options.
Select the specific subscription you want to view.
On the left navigation menu under Settings, select Resource providers.
Find the Microsoft.SqlVirtualMachine resource provider. You can use the search bar to filter the list.
Select the Microsoft.SqlVirtualMachine resource provider, and select Register.
Enable the System-Assigned Managed Identity
Activate a system-assigned managed identity on your virtual machine to allow the SQL VM resource to authenticate with Microsoft Entra ID.
On the Azure portal menu, search for Virtual machines and select it from the available options.
Select the specific virtual machine that hosts your SQL Server instance.
On the left navigation menu under Settings, select Identity.
On the System assigned tab, change the configuration Status to On.
Select Save.
When prompted to confirm, select Yes to enable the system-assigned managed identity.
Note:
Enabling the system-assigned managed identity automatically registers the virtual machine identity with Microsoft Entra ID.
Assign the Directory Readers Role
Assign the Directory Readers role to the virtual machine identity so it can read directory objects and authenticate database users.
On the Azure portal menu, search for and select Microsoft Entra ID.
In the left navigation menu under Manage, select Roles and administrators.
In the search box, type Directory Readers, and then select the Directory Readers role from the list.
Select Add assignments.
In the Add assignments pane, under Select members, search for the name of the virtual machine.
Select your virtual machine identity from the search results, and then select Add.
Configure the Azure SQL VM to Accept Entra Authentication
Enable Microsoft Entra authentication on your SQL virtual machine resource to allow the database instance to accept external identity tokens.
On the Azure portal menu, search for and select SQL virtual machines.
Select your target SQL virtual machine from the list.
On the left navigation menu under Security, select Security Configuration.
Under the Microsoft Entra Authentication section, select Enable.
For the Managed identity type parameter, select System-assigned from the dropdown menu.
Select Save at the top of the page.
Identify the Druva Backup Application Display Name
Locate the exact display name of the Druva application inside your Microsoft Entra ID tenant. You will use this precise name to authorize Druva as a recognized administrator within your SQL Server system script.
On the Azure portal menu, search for and select Microsoft Entra ID.
In the left navigation menu under Manage, select App registrations.
Select the All applications tab.
In the search box, search for your Druva backup application.
Naming tip: The application name uses the format dcp-druva-bkp-app-your_org_id or utphx-druva-bkp-app-your_org_id. Your organization ID (your_org_id) is found in your Druva Cloud Platform console URL (for example: siteid=923).Locate the application in the search results and copy the Display name exactly as shown.
Important:
Copy the exact display name value. You must enclose this name in square brackets—for example: [dcp-druva-bkp-app-923]—when substituting it inside the database T-SQL script in the next section.
Create the Database Login and Grant Privileges
Connect to your SQL Server instance and run a Transact-SQL (T-SQL) script to create the login and grant the required database privileges.
Connect to your SQL Server instance on the Azure VM by using a tool like SQL Server Management Studio (SSMS) or Azure Data Studio. Sign in with an account that has sysadmin privileges.
Open a new query window and ensure your database context is set to the master database.
Copy the following T-SQL script into the query window, replacing [your_druva_app_display_name] with the exact bracketed text string verified in the previous section:
CREATE LOGIN [your_druva_app_display_name] FROM EXTERNAL PROVIDER;
GO
ALTER SERVER ROLE sysadmin ADD MEMBER [your_druva_app_display_name];
GOExecute the query block to apply the login credentials.
Add credentials
You can define credentials and assign them to one or more servers seamlessly without having to input the credentials manually each time.
Procedure
On the Database Authentication page, click New Credentials.
On the Add Credentials page, provide the following details:
Label: Enter a label to uniquely identify a credential that you want to store with Druva.
Username: Enter the username of the credential you want to store with Druva. If your account uses a domain, enter the username as domain\username. For example, DruvaCorp\JohnDoe.
Password: Enter the password of the credential you want to store with Druva.
Confirm Password: Re-enter the password of the credential you want to store with Druva.
Click Save.
Druva lists all the credentials on the Credentials Store page. To view the credentials, select an organization if the organization is enabled, and then click Settings > Credentials Store on the top menu.
Related Keywords: Azure SQL database discovery, Azure SQL discovery, Azure SQL authentication




