Tutorial: Managed instance security in Azure SQL Database using Azure AD server principals (logins)

Managed instance provides nearly all security features that the latest SQL Server on-premises (Enterprise Edition) Database Engine has:

  • Limit access in an isolated environment
  • Use authentication mechanisms that require identity (Azure AD, SQL Authentication)
  • Use authorization with role-based memberships and permissions
  • Enable security features

In this tutorial, you learn how to:

  • Create an Azure Active Directory (AD) server principal (login) for a managed instance
  • Grant permissions to Azure AD server principals (logins) in a managed instance
  • Create Azure AD users from Azure AD server principals (logins)
  • Assign permissions to Azure AD users and manage database security
  • Use impersonation with Azure AD users
  • Use cross-database queries with Azure AD users
  • Learn about security features, such as threat protection, auditing, data masking, and encryption

To learn more, see the Azure SQL Database managed instance overview and capabilities articles.

Prerequisites

To complete the tutorial, make sure you have the following prerequisites:

Limiting access to your managed instance

Managed instances can be accessed through a private IP address. Much like an isolated SQL Server on-premises environment, applications or users need access to the managed instance network (VNet) before a connection can be established. For more information, see Connect your application to a managed instance.

It is also possible to configure a service endpoint on the managed instance, which allows public connections in the same fashion as Azure SQL Database. For more information, see Configure public endpoint in Azure SQL Database managed instance.

Note

Even with service endpoints enabled, SQL Database firewall rules do not apply. Managed instance has its own built-in firewall to manage connectivity.

Create an Azure AD server principal (login) for a managed instance using SSMS

The first Azure AD server principal (login) can be created by a standard SQL Server account (non-Azure AD) that is a sysadmin, or by the Azure AD admin for the managed instance created during the provisioning process. For more information, see Provision an Azure Active Directory administrator for your managed instance. This functionality has changed since the GA of Azure AD server principals.

See the following articles for examples of connecting to your managed instance:

  1. Log into your managed instance using a standard SQL Server account (non-Azure AD) that is a sysadmin or an Azure AD admin for the managed instance, using SQL Server Management Studio.

  2. In Object Explorer, right-click the server and choose New Query.

  3. In the query window, use the following syntax to create a login for a local Azure AD account:

    USE master
    GO
    CREATE LOGIN login_name FROM EXTERNAL PROVIDER
    GO
    

    This example creates a login for the account nativeuser@aadsqlmi.partner.onmschina.cn.

    USE master
    GO
    CREATE LOGIN [nativeuser@aadsqlmi.partner.onmschina.cn] FROM EXTERNAL PROVIDER
    GO
    
  4. On the toolbar, select Execute to create the login.

  5. Check the newly added login by executing the following T-SQL command:

    SELECT *
    FROM sys.server_principals;
    GO
    

    [Screenshot: native-login.png]

For more information, see CREATE LOGIN.

Granting permissions to allow the creation of managed instance logins

To create other Azure AD server principals (logins), SQL Server roles or permissions must be granted to the principal (SQL or Azure AD).

SQL authentication

  • If the login is a SQL principal, only logins that are part of the sysadmin role can use the CREATE LOGIN command to create logins for an Azure AD account.

Azure AD authentication

  • To allow the newly created Azure AD server principal (login) to create other logins for other Azure AD users, groups, or applications, grant the login the sysadmin or securityadmin server role.
  • At a minimum, the ALTER ANY LOGIN permission must be granted to the Azure AD server principal (login) to create other Azure AD server principals (logins).
  • By default, the standard permissions granted to newly created Azure AD server principals (logins) in master are CONNECT SQL and VIEW ANY DATABASE.
  • The sysadmin server role can be granted to many Azure AD server principals (logins) within a managed instance.

To add the login to the sysadmin server role:

  1. Log into the managed instance again, or use the existing connection with the Azure AD admin or SQL principal that is a sysadmin.

  2. In Object Explorer, right-click the server and choose New Query.

  3. Grant the Azure AD server principal (login) the sysadmin server role by using the following T-SQL syntax:

    ALTER SERVER ROLE sysadmin ADD MEMBER login_name
    GO
    

    The following example grants the sysadmin server role to the login nativeuser@aadsqlmi.partner.onmschina.cn:

    ALTER SERVER ROLE sysadmin ADD MEMBER [nativeuser@aadsqlmi.partner.onmschina.cn]
    GO
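The steps above grant sysadmin, which is far more than the ALTER ANY LOGIN minimum the permissions list names. The following T-SQL, added here as an example and not part of the original tutorial, shows the least-privilege alternative and how to verify what the login actually holds afterwards; it assumes the login nativeuser@aadsqlmi.partner.onmschina.cn from the earlier step exists and is run by a sysadmin in master.

```sql
-- Added example (not from the original tutorial): grant only ALTER ANY LOGIN,
-- the minimum named above for creating further Azure AD server principals,
-- instead of the sysadmin role, and then verify the result.
-- Assumes the login [nativeuser@aadsqlmi.partner.onmschina.cn] already exists.
USE master
GO
GRANT ALTER ANY LOGIN TO [nativeuser@aadsqlmi.partner.onmschina.cn];
GO

-- Explicit server-level permissions held by the login. Expect ALTER ANY LOGIN
-- plus the defaults every new Azure AD login gets: CONNECT SQL and VIEW ANY DATABASE.
SELECT sp.name AS login_name,
       sp.type_desc,
       perm.permission_name,
       perm.state_desc
FROM sys.server_principals AS sp
JOIN sys.server_permissions AS perm
  ON perm.grantee_principal_id = sp.principal_id
WHERE sp.name = N'nativeuser@aadsqlmi.partner.onmschina.cn'
ORDER BY perm.permission_name;
GO

-- Server roles the login belongs to. With the least-privilege grant this should
-- not include sysadmin; if the earlier step added it, remove it first with
-- ALTER SERVER ROLE sysadmin DROP MEMBER [nativeuser@aadsqlmi.partner.onmschina.cn]
SELECT r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'nativeuser@aadsqlmi.partner.onmschina.cn';
GO
```

A login set up this way can run CREATE LOGIN ... FROM EXTERNAL PROVIDER for other Azure AD identities but cannot alter server configuration or read data in databases it has not been granted access to, which is the distinction the permissions list above is drawing.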
    

Create additional Azure AD server principals (logins) using SSMS

Once the Azure AD server principal (login) has been created and provided with sysadmin privileges, that login can create additional logins using the FROM EXTERNAL PROVIDER clause with CREATE LOGIN.

  1. Connect to the managed instance with the Azure AD server principal (login), using SQL Server Management Studio. Enter your managed instance host name. For Authentication in SSMS, there are three options to choose from when logging in with an Azure AD account:

  2. Select Active Directory - Universal with MFA support. This brings up a Multi-Factor Authentication (MFA) login window. Sign in with your Azure AD password.

    [Screenshot: mfa-login-prompt.png]

  3. In SSMS Object Explorer, right-click the server and choose New Query.

  4. In the query window, use the following syntax to create a login for another Azure AD account:

    USE master
    GO
    CREATE LOGIN login_name FROM EXTERNAL PROVIDER
    GO
    

    This example creates a login for the Azure AD user bob@aadsqlmi.net, whose domain aadsqlmi.net is federated with the Azure AD aadsqlmi.partner.onmschina.cn.

    Execute the following T-SQL command. Federated Azure AD accounts are the managed instance replacements for on-premises Windows logins and users.

    USE master
    GO
    CREATE LOGIN [bob@aadsqlmi.net] FROM EXTERNAL PROVIDER
    GO
    
  5. Create a database in the managed instance using the CREATE DATABASE syntax. This database will be used to test user logins in the next section.

    1. In Object Explorer, right-click the server and choose New Query.

    2. In the query window, use the following syntax to create a database named MyMITestDB:

      CREATE DATABASE MyMITestDB;
      GO
      
  6. Create a managed instance login for a group in Azure AD. The group will need to exist in Azure AD before you can add the login to the managed instance. See Create a basic group and add members using Azure Active Directory. Create a group mygroup and add members to this group.

  7. Open a new query window in SQL Server Management Studio.

    This example assumes there is a group called mygroup in Azure AD. Execute the following command:

    USE master
    GO
    CREATE LOGIN [mygroup] FROM EXTERNAL PROVIDER
    GO
    
  8. As a test, log into the managed instance with the newly created login or group. Open a new connection to the managed instance, and use the new login when authenticating.

  9. In Object Explorer, right-click the server and choose New Query for the new connection.

  10. Check server permissions for the newly created Azure AD server principal (login) by executing the following command:

    SELECT * FROM sys.fn_my_permissions (NULL, 'DATABASE')
    GO
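As an added example (not from the original tutorial), the following query, run as a sysadmin in master, inventories every Azure AD server principal on the instance together with its server-role memberships and disabled state, which is the review to do once the CREATE LOGIN and ALTER SERVER ROLE steps above have been applied. It relies only on the sys.server_principals and sys.server_role_members catalog views; the type codes E and X are the ones the engine uses for Azure AD users and groups.

```sql
-- Added example (not from the original tutorial): one-screen inventory of all
-- Azure AD server principals on the managed instance and the server roles they
-- hold, so an unexpected sysadmin or securityadmin membership stands out.
-- Azure AD logins have type 'E' (external user) or 'X' (external group).
USE master
GO
SELECT p.name        AS login_name,
       p.type_desc   AS principal_type,
       p.is_disabled,
       p.create_date,
       p.modify_date,
       -- all server roles the principal is a direct member of, or '(none)'
       ISNULL(STRING_AGG(r.name, ', '), '(none)') AS server_roles
FROM sys.server_principals AS p
LEFT JOIN sys.server_role_members AS rm
  ON rm.member_principal_id = p.principal_id
LEFT JOIN sys.server_principals AS r
  ON r.principal_id = rm.role_principal_id
WHERE p.type IN ('E', 'X')
GROUP BY p.name, p.type_desc, p.is_disabled, p.create_date, p.modify_date
ORDER BY p.name;
GO
```

Because group logins (type X) confer access on every member of the Azure AD group, a row with type X and sysadmin in server_roles deserves the same scrutiny as a personal sysadmin login; group membership is managed in Azure AD, not in the instance, so the instance-side view alone does not tell you who can sign in through it.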
    

Note

Azure AD guest users are supported for managed instance logins only when added as part of an Azure AD group. An Azure AD guest user is an account that is invited to the Azure AD that the managed instance belongs to, from another Azure AD. For example, joe@contoso.com (Azure AD account) or steve@outlook.com (MSA account) can be added to a group in the Azure AD aadsqlmi. Once the users are added to a group, a login can be created in the managed instance master database for the group using the CREATE LOGIN syntax. Guest users who are members of this group can connect to the managed instance using their current logins (for example, joe@contoso.com or steve@outlook.com).

Create an Azure AD user from the Azure AD server principal (login) and give permissions

Authorization to individual databases works much the same way in managed instance as it does with SQL Server on-premises. A user can be created from an existing login in a database and be provided with permissions on that database, or added to a database role.

Now that we've created a database called MyMITestDB, and a login that only has default permissions, the next step is to create a user from that login. At the moment, the login can connect to the managed instance and see all the databases, but can't interact with the databases. If you sign in with the Azure AD account that has the default permissions and try to expand the newly created database, you'll see the following error:

[Screenshot: ssms-db-not-accessible.png]

For more information on granting database permissions, see Getting Started with Database Engine Permissions.

Create an Azure AD user and create a sample table

  1. Log into your managed instance using a sysadmin account in SQL Server Management Studio.

  2. In Object Explorer, right-click the server and choose New Query.

  3. In the query window, use the following syntax to create an Azure AD user from an Azure AD server principal (login):

    USE <Database Name> -- provide your database name
    GO
    CREATE USER user_name FROM LOGIN login_name
    GO
    

    The following example creates a user bob@aadsqlmi.net from the login bob@aadsqlmi.net:

    USE MyMITestDB
    GO
    CREATE USER [bob@aadsqlmi.net] FROM LOGIN [bob@aadsqlmi.net]
    GO
    
  4. It's also supported to create an Azure AD user from an Azure AD server principal (login) that is a group.

    The following example creates a user for the Azure AD group mygroup that exists in your Azure AD.

    USE MyMITestDB
    GO
    CREATE USER [mygroup] FROM LOGIN [mygroup]
    GO
    

    All users that belong to mygroup can access the MyMITestDB database.

    Important

    When creating a USER from an Azure AD server principal (login), specify the user_name as the same login_name from LOGIN.

    For more information, see CREATE USER.

  5. In a new query window, create a test table using the following T-SQL command:

    USE MyMITestDB
    GO
    CREATE TABLE TestTable
    (
    AccountNum varchar(10),
    City varchar(255),
    Name varchar(255),
    State varchar(2)
    );
    
  6. Create a connection in SSMS with the user that was created. You'll notice that you cannot see the table TestTable that was created by the sysadmin earlier. We need to provide the user with permissions to read data from the database.

  7. You can check the current permissions the user has by executing the following command:

    SELECT * FROM sys.fn_my_permissions('MyMITestDB','DATABASE')
    GO
    

Add users to database-level roles

For the user to see data in the database, we can provide database-level roles to the user.

  1. Log into your managed instance using a sysadmin account in SQL Server Management Studio.

  2. In Object Explorer, right-click the server and choose New Query.

  3. Grant the Azure AD user the db_datareader database role by using the following T-SQL syntax:

    USE <Database Name> -- provide your database name
    GO
    ALTER ROLE db_datareader ADD MEMBER user_name
    GO
    

    The following example provides the user bob@aadsqlmi.net and the group mygroup with db_datareader permissions on the MyMITestDB database:

    USE MyMITestDB
    GO
    ALTER ROLE db_datareader ADD MEMBER [bob@aadsqlmi.net]
    GO
    ALTER ROLE db_datareader ADD MEMBER [mygroup]
    GO
    
  4. Check that the Azure AD users created in the database exist by executing the following command:

    SELECT * FROM sys.database_principals
    GO
    
  5. Create a new connection to the managed instance with the user that has been added to the db_datareader role.

  6. Expand the database in Object Explorer to see the table.

    [Screenshot: ssms-test-table.png]

  7. Open a new query window and execute the following SELECT statement:

    SELECT *
    FROM TestTable
    

    Are you able to see data from the table? You should see the columns being returned.

    [Screenshot: ssms-test-table-query.png]
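The Important note in the previous section requires that user_name match login_name, and the steps just above grant db_datareader. The following query, added here as an example and not part of the original tutorial, checks both in MyMITestDB: it maps each Azure AD user to its server login by SID (the link that CREATE USER ... FROM LOGIN establishes), flags name mismatches and users with no matching login, and lists each user's database roles. Run it as the sysadmin; the database and principal names are the ones used in the tutorial.

```sql
-- Added example (not from the original tutorial): audit the Azure AD users in
-- MyMITestDB against the server logins they were created from.
-- sys.database_principals types: 'E' = external (Azure AD) user, 'X' = external group.
-- The user and its login share the same SID; a user whose SID matches no login
-- is orphaned, and a user whose name differs from its login breaks the
-- user_name = login_name convention the tutorial calls out.
USE MyMITestDB
GO
SELECT dp.name      AS user_name,
       dp.type_desc AS user_type,
       sp.name      AS login_name,
       CASE
         WHEN sp.name IS NULL    THEN 'ORPHANED: no server login with this SID'
         WHEN sp.name <> dp.name THEN 'NAME MISMATCH: user_name should equal login_name'
         ELSE 'ok'
       END AS check_result,
       -- database roles the user is a direct member of (expect db_datareader here)
       ISNULL(STRING_AGG(r.name, ', '), '(no roles)') AS database_roles
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
  ON sp.sid = dp.sid                      -- server catalog view, readable from any database
LEFT JOIN sys.database_role_members AS rm
  ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r
  ON r.principal_id = rm.role_principal_id
WHERE dp.type IN ('E', 'X')
GROUP BY dp.name, dp.type_desc, sp.name
ORDER BY dp.name;
GO
```

After the steps above, bob@aadsqlmi.net and mygroup should each show check_result = ok and db_datareader in database_roles. An orphaned row would typically mean the login was dropped from master while the database user stayed behind; such users retain their role grants, so they are worth cleaning up rather than ignoring.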

Impersonating Azure AD server-level principals (logins)

Managed instance supports the impersonation of Azure AD server-level principals (logins).

Test impersonation

  1. Log into your managed instance using a sysadmin account in SQL Server Management Studio.

  2. In Object Explorer, right-click the server and choose New Query.

  3. In the query window, use the following command to create a new stored procedure:

    USE MyMITestDB
    GO
    CREATE PROCEDURE dbo.usp_Demo
    WITH EXECUTE AS 'bob@aadsqlmi.net'
    AS
    SELECT user_name();
    GO
    
  4. Use the following command to see that the user you're impersonating when executing the stored procedure is bob@aadsqlmi.net:

    Exec dbo.usp_Demo
    
  5. Test impersonation by using the EXECUTE AS LOGIN statement:

    EXECUTE AS LOGIN = 'bob@aadsqlmi.net'
    GO
    SELECT SUSER_SNAME()
    REVERT
    GO
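Two follow-on checks for the impersonation steps above, added here as an example rather than taken from the original tutorial: the first finds every module in MyMITestDB declared WITH EXECUTE AS a named principal, so procedures such as dbo.usp_Demo that run as an Azure AD user can be reviewed; the second shows that EXECUTE AS LOGIN changes SUSER_SNAME() but not ORIGINAL_LOGIN(), so an impersonated statement can still be traced back to the session's real login. It assumes the login bob@aadsqlmi.net and the procedure from the steps above exist, and is run as the sysadmin.

```sql
-- Added example (not from the original tutorial).
USE MyMITestDB
GO
-- 1) Modules that run under an impersonated identity. In sys.sql_modules,
--    execute_as_principal_id is NULL for EXECUTE AS CALLER and -2 for
--    EXECUTE AS OWNER; any other value is a database principal's id.
SELECT OBJECT_SCHEMA_NAME(m.object_id) + '.' + OBJECT_NAME(m.object_id) AS module_name,
       o.type_desc AS module_type,
       CASE m.execute_as_principal_id
         WHEN -2 THEN 'OWNER'
         ELSE dp.name                      -- e.g. bob@aadsqlmi.net for dbo.usp_Demo
       END AS executes_as
FROM sys.sql_modules AS m
JOIN sys.objects AS o
  ON o.object_id = m.object_id
LEFT JOIN sys.database_principals AS dp
  ON dp.principal_id = m.execute_as_principal_id
WHERE m.execute_as_principal_id IS NOT NULL
ORDER BY module_name;
GO

-- 2) Effective identity versus original identity across an impersonation.
--    SUSER_SNAME() follows the impersonated login; ORIGINAL_LOGIN() keeps the
--    login that opened the session, before, during and after EXECUTE AS.
SELECT SUSER_SNAME() AS effective_login_before, ORIGINAL_LOGIN() AS original_login_before;
EXECUTE AS LOGIN = 'bob@aadsqlmi.net';
SELECT SUSER_SNAME() AS effective_login_during, ORIGINAL_LOGIN() AS original_login_during;
REVERT;
SELECT SUSER_SNAME() AS effective_login_after, ORIGINAL_LOGIN() AS original_login_after;
GO
```

The first query is the one to keep in a periodic review: a procedure that executes as a privileged Azure AD user lets any principal with EXECUTE on it act with that user's database permissions, so each row should correspond to a deliberate design choice. The second query is why the sysadmin-only restriction in the note below matters less for accountability than it might seem: even while impersonating, the original login remains visible through ORIGINAL_LOGIN().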
    

Note

Only the SQL server-level principals (logins) that are part of the sysadmin role can execute the following operations targeting Azure AD principals:

  • EXECUTE AS USER
  • EXECUTE AS LOGIN

Using cross-database queries in managed instances

Cross-database queries are supported for Azure AD accounts with Azure AD server principals (logins). To test a cross-database query with an Azure AD group, we need to create another database and table. You can skip creating another database and table if one already exists.

  1. Log into your managed instance using a sysadmin account in SQL Server Management Studio.

  2. In Object Explorer, right-click the server and choose New Query.

  3. In the query window, use the following command to create a database named MyMITestDB2 and a table named TestTable2:

    CREATE DATABASE MyMITestDB2;
    GO
    USE MyMITestDB2
    GO
    CREATE TABLE TestTable2
    (
    EmpId varchar(10),
    FirstName varchar(255),
    LastName varchar(255),
    Status varchar(10)
    );
    
  4. In a new query window, execute the following command to create the user mygroup in the new database MyMITestDB2, and grant SELECT permissions on that database to mygroup:

    USE MyMITestDB2
    GO
    CREATE USER [mygroup] FROM LOGIN [mygroup]
    GO
    GRANT SELECT TO [mygroup]
    GO
    
  5. Sign into the managed instance using SQL Server Management Studio as a member of the Azure AD group mygroup. Open a new query window and execute the cross-database SELECT statement:

    USE MyMITestDB
    SELECT * FROM MyMITestDB2..TestTable2
    GO
    

    You should see the table results from TestTable2.

Additional scenarios supported for Azure AD server principals (logins)

  • SQL Agent management and job executions are supported for Azure AD server principals (logins).
  • Database backup and restore operations can be executed by Azure AD server principals (logins).
  • Auditing of all statements related to Azure AD server principals (logins) and authentication events.
  • Dedicated administrator connection for Azure AD server principals (logins) that are members of the sysadmin server role.
  • Azure AD server principals (logins) are supported with the sqlcmd utility and the SQL Server Management Studio tool.
  • Logon triggers are supported for logon events coming from Azure AD server principals (logins).
  • Service Broker and Database Mail can be set up using Azure AD server principals (logins).

Next steps

Enable security features

See the managed instance capabilities security features article for a comprehensive list of ways to secure your database. The following security features are discussed:

Managed instance capabilities

For a complete overview of managed instance capabilities, see: