Skip to main content

Discovery and authentication of Azure SQL Resources

Applies to: Azure Public Cloud | Azure Government

Workloads: Azure SQL Database | Azure SQL Managed Instance | SQL Server on Azure VM

Discover Azure SQL resources

After onboarding Azure SQL subscriptions, we must first discover the SQL resources associated with those subscriptions. We support both, automatic and manual discovery of SQL resources within a subscription.


Note:

The SQL managed instances and SQL servers are discovered automatically. You must perform manual discovery for SQL servers on Azure virtual machines for the first time. The SQL servers on Azure virtual machines and its resources will be auto discovered subsequently.


Manual discovery of Azure SQL resources on Azure VM

You must perform manual discovery for SQL servers on Azure virtual machines for the first time. This is a two-step process:

  1. Discover SQL servers on virtual machines.

  2. Once the SQL servers are discovered, assign valid credentials to be able to discover databases on those servers. Databases are discovered only after authentication is assigned.

After this, the SQL servers on Azure virtual machines and its resources will be discovered automatically.

Prerequisites

Ensure you complete the prerequisites before proceeding with manual discovery.

Procedure

  1. On the Management Console, from the left navigation pane, select your Azure subscription and click SQL.

  2. On the top right corner, click Discover Resources.

  3. On the Discover Resources window, select Azure VMs based on tags or VM Names for discovery.
    names.

  4. Click Run Discovery.

The SQL resources on the selected Azure VMs are discovered and displayed on the SQL resources listings page.


Note:

It may take anywhere from 1 to 10 minutes to discover resources depending on environment size.


Automatic discovery of Azure SQL resources

The SQL resources are periodically discovered via Automatic discovery. The automatic discovery does the following:

  • Runs once in 24 hours from the time of onboarding, to update all the resources on the subscription.

  • Automatically updates previously discovered SQL servers on Azure VM and its database information.

  • Only works for previously discovered SQL servers on Azure VM and its database resources

Ensure you meet the requirements mentioned here for automatic discovery.

Assign Authentication

After discovering your Azure SQL resources, you must configure authentication to enable backup and recovery operations. Depending on your environment, this involves assigning a Service Principal (recommended) or SQL authentication.

See the following procedure to assign authentication to the SQL server:

Procedure

  1. Log in to the Druva Cloud Platform Console. On the Global Navigation Panel, click Azure and select Organization.

    Alternatively, you can navigate to the Enterprise Workloads Management Console and select the Organization from the top menu. Select Protect > Go to Azure.

  2. On the left navigation pane, select your Azure subscription and click SQL.

  3. Select the SQL resources you want to authenticate and click > Assign Authentication.

  4. On the Assign Authentication window, select one of the following authentication types and click Next.


    Note:
    ​We do not recommend changing authentication type after taking backup as it may lead to failure of backup of the restored database.


    1. Service Principal: This authentication method uses the Druva Backup Role to access your Azure SQL instance. For assigning the authentication type Service Principal, you must first map the Service Principal to your SQL database in the Azure environment. This is a one-time activity that you must do for every organization. For more information, see How to map service principal in Azure.


      Important:

      For SQL Server on VMs, this authentication type applies only to SQL server versions 2022 and above. Verify your SQL software version before proceeding. An incorrect version will cause backup and restore operations to fail.


    2. SQL Authentication: In this authentication type, you must provide a valid username and password to connect to the database. Druva maintains the credentials securely in its Credential Store. In addition, you can also create new credentials to connect to the database. For more information, see Add credentials.
      For more information about SQL authentication, see this Microsoft article.


      Note:

      To perform SQL authentication, the user :

      • Must be a local user in the SQL Server management studio.

      • Must have the sysadmin role.



      On the click of Next, the system executes a set of prechecks for proactively identifying issues such as incorrect authentication, inadequate connectivity, or missing prerequisites, thereby reducing the likelihood of subsequent job failure. If a precheck fails, it must be resolved before proceeding to the backup set configuration. For more information, see Validating Azure SQL readiness with Pre-checks.


  5. Click Finish.

Next Steps

Configure Entra ID Service Principal Authentication in Azure

This section contains the steps to configure Entra ID Service Principal Authentication for:

  • Azure SQL Database and Managed Instance

  • SQL Server on Azure VMs

Configure Entra ID Service Principal Authentication for Azure SQL Database and Managed Instance

Applies to: Azure SQL Database | Azure SQL Managed Instance

  1. Login to Azure Portal.

  2. Click Azure SQL and search for the SQL server instance for which you want to map Service principal.

  3. Right click on the SQL server instance.

  4. For Azure SQL database and managed instance, do the following:

    1. Click Settings > Microsoft Entra ID.

    2. In the Microsoft Entra ID window, click Set admin.

    3. In the Enterprise applications tab, select the admin based on your organization ID. In the search box, type “<utphx/dcp>-druva-bkp-app-<org_id>”. The <org_id> is the sited ID in the Management Console URL. For example, consider your Management Console URL is https://console.druva.com/enterpriseworkloads/#op=oraclesbt-servers/siteid=923.

    In this case, your org id will be “923”.

    Example:

This sets the admin for the SQL server database.

Configure Entra ID Service Principal Authentication for SQL Server on Azure VMs

Applies to: SQL Server on Azure VMs (SQL Server 2022 or later)

To protect your databases, Druva connects via an Azure Service Principal to securely discover, back up, and restore your data without storing native database credentials. This configuration requires establishing a trusted identity path between your Azure Virtual Machine (VM) infrastructure, Microsoft Entra ID, and the Druva Cloud Platform.

Prerequisites

Before configuring Entra ID authentication, ensure you satisfy the following deployment requirements:

  • Azure Portal Access: Sign in to the Azure portal using an account with active Contributor and User Access Administrator permissions on the target subscription.

  • SQL Server permissions: The Azure user has sysadmin privileges on the SQL Server instance.

  • SQL Server Version: The destination instance must run SQL Server 2022 or later on Azure Windows Virtual Machines. For legacy SQL Server instances, you can use native SQL Authentication. For more information, see the SQL Authentication section.

  • Required Azure permissions: Ensure the Azure user has the following access to the Microsoft Entra permissions:

Permission Action

Permission ID

Permission Description

Microsoft.Features

/providers/register/action

Register Azure resource providers

Microsoft.Support

/register/action

Register the Microsoft.Support resource provider

Microsoft.Compute/virtualMachines

/write

Create or update Azure Virtual Machines

Microsoft.Authorization

/roleAssignments/write

Create Azure RBAC role assignments

Microsoft.SqlVirtualMachine

/sqlVirtualMachines/write

Create or update SQL Virtual Machine resources

Microsoft.SqlVirtualMachine

/sqlVirtualMachines/azureSqlServerConfigurations/write

Configure Azure SQL Server settings for SQL Virtual Machines

microsoft.directory

/roleAssignments/create

Create Microsoft Entra role assignments

microsoft.directory

/applications/standard/read

Read standard properties of application registrations

microsoft.directory

/servicePrincipals/standard/read

Read standard properties of service principals

Procedure

Sign in to the Azure portal for performing the following configuration procedures:

Register the SQL Virtual Machine Resource Provider

Register your subscription with the SQL Virtual Machine resource provider to allow Microsoft Entra ID authentication on your workloads.

  1. On the Azure portal menu, search for Subscriptions and select it from the available options.

  2. Select the specific subscription you want to view.

  3. On the left navigation menu under Settings, select Resource providers.

  4. Find the Microsoft.SqlVirtualMachine resource provider. You can use the search bar to filter the list.

  5. Select the Microsoft.SqlVirtualMachine resource provider, and select Register.

Enable the System-Assigned Managed Identity

Activate a system-assigned managed identity on your virtual machine to allow the SQL VM resource to authenticate with Microsoft Entra ID.

  1. On the Azure portal menu, search for Virtual machines and select it from the available options.

  2. Select the specific virtual machine that hosts your SQL Server instance.

  3. On the left navigation menu under Settings, select Identity.

  4. On the System assigned tab, change the configuration Status to On.

  5. Select Save.

  6. When prompted to confirm, select Yes to enable the system-assigned managed identity.


    Note:
    Enabling the system-assigned managed identity automatically registers the virtual machine identity with Microsoft Entra ID.


Assign the Directory Readers Role

Assign the Directory Readers role to the virtual machine identity so it can read directory objects and authenticate database users.

  1. On the Azure portal menu, search for and select Microsoft Entra ID.

  2. In the left navigation menu under Manage, select Roles and administrators.

  3. In the search box, type Directory Readers, and then select the Directory Readers role from the list.

  4. Select Add assignments.

  5. In the Add assignments pane, under Select members, search for the name of the virtual machine.

  6. Select your virtual machine identity from the search results, and then select Add.

Configure the Azure SQL VM to Accept Entra Authentication

Enable Microsoft Entra authentication on your SQL virtual machine resource to allow the database instance to accept external identity tokens.

  1. On the Azure portal menu, search for and select SQL virtual machines.

  2. Select your target SQL virtual machine from the list.

  3. On the left navigation menu under Security, select Security Configuration.

  4. Under the Microsoft Entra Authentication section, select Enable.

  5. For the Managed identity type parameter, select System-assigned from the dropdown menu.

  6. Select Save at the top of the page.

Identify the Druva Backup Application Display Name

Locate the exact display name of the Druva application inside your Microsoft Entra ID tenant. You will use this precise name to authorize Druva as a recognized administrator within your SQL Server system script.

  1. On the Azure portal menu, search for and select Microsoft Entra ID.

  2. In the left navigation menu under Manage, select App registrations.

  3. Select the All applications tab.

  4. In the search box, search for your Druva backup application.
    Naming tip: The application name uses the format dcp-druva-bkp-app-your_org_id or utphx-druva-bkp-app-your_org_id. Your organization ID (your_org_id) is found in your Druva Cloud Platform console URL (for example: siteid=923).

  5. Locate the application in the search results and copy the Display name exactly as shown.


    Important:

    Copy the exact display name value. You must enclose this name in square brackets—for example: [dcp-druva-bkp-app-923]—when substituting it inside the database T-SQL script in the next section.


Create the Database Login and Grant Privileges

Connect to your SQL Server instance and run a Transact-SQL (T-SQL) script to create the login and grant the required database privileges.

  1. Connect to your SQL Server instance on the Azure VM by using a tool like SQL Server Management Studio (SSMS) or Azure Data Studio. Sign in with an account that has sysadmin privileges.

  2. Open a new query window and ensure your database context is set to the master database.

  3. Copy the following T-SQL script into the query window, replacing [your_druva_app_display_name] with the exact bracketed text string verified in the previous section:

    CREATE LOGIN [your_druva_app_display_name] FROM EXTERNAL PROVIDER;

    GO

    ALTER SERVER ROLE sysadmin ADD MEMBER [your_druva_app_display_name];

    GO

  4. Execute the query block to apply the login credentials.

Add credentials

You can define credentials and assign them to one or more servers seamlessly without having to input the credentials manually each time.

Procedure

  1. On the Database Authentication page, click New Credentials.

  2. On the Add Credentials page, provide the following details:

    • Label: Enter a label to uniquely identify a credential that you want to store with Druva.

    • Username: Enter the username of the credential you want to store with Druva. If your account uses a domain, enter the username as domain\username. For example, DruvaCorp\JohnDoe.

    • Password: Enter the password of the credential you want to store with Druva.

    • Confirm Password: Re-enter the password of the credential you want to store with Druva.

  3. Click Save.

Druva lists all the credentials on the Credentials Store page. To view the credentials, select an organization if the organization is enabled, and then click Settings > Credentials Store on the top menu.

Related Keywords: Azure SQL database discovery, Azure SQL discovery, Azure SQL authentication

Did this answer your question?