Quickstart: Create a database in Azure SQL Database with ledger enabled

Applies to: Azure SQL Database

In this quickstart, you create a ledger database in Azure SQL Database and configure automatic digest storage by using the Azure portal.

Prerequisite

You need an active Azure subscription. If you don't have one, create a trial account.

Permissions

To create databases via Transact-SQL: CREATE DATABASE permissions are necessary. To create a database, a login must be the server admin login (created when the Azure SQL Database logical server was provisioned), the Microsoft Entra admin of the server, or a member of the dbmanager database role in master. For more information, see CREATE DATABASE.

To create databases via the Azure portal, PowerShell, Azure CLI, or REST API: Azure RBAC permissions are needed, specifically the Contributor, SQL DB Contributor, or SQL Server Contributor Azure RBAC role. For more information, see Azure RBAC built-in roles.

Create a ledger database and configure digest storage

Create a single ledger database in the serverless compute tier, and configure uploading ledger digests to an Azure Storage account.

To create a single database in the Azure portal:

  1. Browse to the Select SQL deployment option page.

  2. Under SQL databases, leave Resource type set to Single database, and select Create.

    Screenshot of the Azure portal, select Azure SQL deployment page, creating a new single database.

  3. On the Basics tab of the Create SQL Database form, under Project details, select the Azure subscription you want to use.

  4. For Resource group, select Create new, enter myResourceGroup, and select OK.

  5. For Database name, enter demo.

  6. For Server, select Create new. Fill out the New server form with the following values:

    • Server name: Enter mysqlserver, and add some characters for uniqueness. We can't provide an exact server name to use because server names must be globally unique for all servers in Azure, not just unique within a subscription. Enter something like mysqlserver12345, and the portal lets you know if it's available or not.
    • Server admin login: Enter azureuser.
    • Password: Enter a password that meets requirements. Enter it again in the Confirm password box.
    • Location: Select a location from the dropdown list.
    • Allow Azure services to access this server: Select this option to enable access to digest storage.

    Select OK.

  7. Leave Want to use SQL elastic pool set to No.

  8. Under Compute + storage, select Configure database.

  9. This quickstart uses a serverless database, so select Serverless, and then select Apply.

  10. On the Networking tab, for Connectivity method, select Public endpoint.

  11. For Firewall rules, set Add current client IP address to Yes. Leave Allow Azure services and resources to access this server set to No.

  12. Select Next: Security at the bottom of the page.

    Screenshot that shows the Networking tab of the Create SQL Database screen in the Azure portal.

  13. On the Security tab, in the Ledger section, select the Configure ledger option.

    Screenshot that shows configuring a ledger on the Security tab of the Azure portal.

  14. On the Configure ledger pane, in the Ledger section, select the Enable for all future tables in this database checkbox. This setting ensures that all future tables in the database will be ledger tables, so any tampering with data in the database leaves evidence. By default, new tables will be created as updatable ledger tables, even if you don't specify LEDGER = ON in CREATE TABLE. You can also leave this option unselected. In that case, you must enable ledger functionality on a per-table basis when you create new tables by using Transact-SQL.

  15. In the Digest Storage section, Enable automatic digest storage is automatically selected. A new Azure Storage account and container, where your digests are stored, are then created.

  16. Select Apply.

    Screenshot that shows the Configure ledger pane in the Azure portal.

  17. Select Review + create at the bottom of the page.

    Screenshot that shows reviewing and creating a ledger database on the Security tab of the Azure portal.

  18. On the Review + create page, after you review, select Create.
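After deployment finishes, you can confirm from Transact-SQL that the settings chosen in steps 14 and 15 took effect. The following check is an added example, not part of the original quickstart; it assumes you're connected to the demo database, and the table name dbo.LedgerQuickCheck is hypothetical.

```sql
-- Added example: verify the ledger settings selected in the portal.
-- Run while connected to the "demo" database created in this quickstart.

-- 1. Database-level setting from step 14: is_ledger_on = 1 means every
--    future table is created as a ledger table.
SELECT name, is_ledger_on
FROM sys.databases
WHERE name = DB_NAME();

-- 2. Create a table WITHOUT specifying LEDGER = ON.
--    (dbo.LedgerQuickCheck is a hypothetical, throwaway table name.)
CREATE TABLE dbo.LedgerQuickCheck
(
    CheckId INT NOT NULL PRIMARY KEY,
    Note    NVARCHAR(100) NOT NULL
);

-- 3. If "Enable for all future tables in this database" was selected,
--    the table is reported as UPDATABLE_LEDGER_TABLE, with a history
--    table and a ledger view generated for it. If the option was left
--    unselected, ledger_type_desc is NON_LEDGER_TABLE instead.
SELECT t.name                          AS table_name,
       t.ledger_type_desc,
       OBJECT_NAME(t.history_table_id) AS history_table,
       OBJECT_NAME(t.ledger_view_id)   AS ledger_view
FROM sys.tables AS t
WHERE t.object_id = OBJECT_ID(N'dbo.LedgerQuickCheck');

-- 4. Digest storage from step 15: lists the storage location that
--    receives database digests. is_current = 1 marks the active one.
--    An empty result means automatic digest storage is not configured.
SELECT path, last_digest_block_id, is_current
FROM sys.database_ledger_digest_locations;
```

An empty result from the last query means digests are not leaving the database, so there is no external reference against which tampering could later be detected.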

Clean up resources

Keep the resource group, server, and single database for the next steps. You'll learn how to use the ledger feature of your database with different methods.

When you're finished using these resources, delete the resource group you created. This action also deletes the server and single database within it, and the storage account.

Note

If you've configured and locked a time-based retention policy on the container, you need to wait until the specified immutability period ends before you can delete the storage account.

To delete myResourceGroup and all its resources by using the Azure portal:

  1. In the portal, search for and select Resource groups. Then select myResourceGroup from the list.
  2. On the resource group page, select Delete resource group.
  3. Under Type the resource group name, enter myResourceGroup, and then select Delete.