Configure multi-factor authentication for SQL Server Management Studio and Azure AD

APPLIES TO: Azure SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics (SQL DW)

This article shows you how to use Azure Active Directory (Azure AD) multi-factor authentication (MFA) with SQL Server Management Studio (SSMS). Azure AD MFA can be used when connecting SSMS or SqlPackage.exe to Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics (formerly Azure SQL Data Warehouse). For an overview of multi-factor authentication, see Universal Authentication with SQL Database, SQL Managed Instance, and Azure Synapse (SSMS support for MFA).

Important

Databases in Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse (formerly Azure SQL Data Warehouse) are referred to collectively in the remainder of this article as databases, and the server refers to the server that hosts databases for Azure SQL Database and Azure Synapse.

Configuration steps

  1. Configure an Azure Active Directory - For more information, see Administering your Azure AD directory, Integrating your on-premises identities with Azure Active Directory, Add your own domain name to Azure AD, Azure now supports federation with Windows Server Active Directory, and Manage Azure AD using Windows PowerShell.
  2. Configure MFA - For step-by-step instructions, see What is Azure Multi-Factor Authentication?.
  3. Configure Azure AD Authentication - For step-by-step instructions, see Connecting to SQL Database, SQL Managed Instance, or Azure Synapse using Azure Active Directory Authentication.
  4. Download SSMS - On the client computer, download the latest SSMS from Download SQL Server Management Studio (SSMS).

Connecting by using universal authentication with SSMS

The following steps show how to connect using the latest SSMS.

  1. To connect using Universal Authentication, on the Connect to Server dialog box in SQL Server Management Studio (SSMS), select Active Directory - Universal with MFA support. (If you see Active Directory Universal Authentication, you are not on the latest version of SSMS.)


  2. Complete the User name box with the Azure Active Directory credentials, in the format user_name@domain.com.


  3. If you are connecting as a guest user, you no longer need to complete the AD domain name or tenant ID field for guest users because SSMS 18.x or later automatically recognizes it. For more information, see Universal Authentication with SQL Database, SQL Managed Instance, and Azure Synapse (SSMS support for MFA).


    However, if you are connecting as a guest user using SSMS 17.x or older, you must click Options and, on the Connection Property dialog box, complete the AD domain name or tenant ID box.


  4. Select Options and specify the database on the Options dialog box. (If the connected user is a guest user, for example joe@outlook.com, you must check the box and add the current AD domain name or tenant ID as part of Options. See Universal Authentication with SQL Database and SQL Data Warehouse (SSMS support for MFA).) Then click Connect.

  5. When the Sign in to your account dialog box appears, provide the account and password of your Azure Active Directory identity. No password is required if a user is part of a domain federated with Azure AD.


    Note

    For Universal Authentication with an account that does not require MFA, you connect at this point. For users requiring MFA, continue with the following steps:

  6. Two MFA setup dialog boxes might appear. This one-time operation depends on the MFA administrator setting, and therefore may be optional. For an MFA-enabled domain this step is sometimes pre-defined (for example, the domain requires users to use a smartcard and PIN).


  7. The second possible one-time dialog box allows you to select the details of your authentication method. The possible options are configured by your administrator.


  8. Azure Active Directory sends the confirming information to you. When you receive the verification code, enter it into the Enter verification code box, and click Sign in.


When verification is complete, SSMS connects normally, presuming valid credentials and firewall access.

Next steps