Using multi-factor AAD authentication with Azure SQL Database and Azure SQL Data Warehouse (SSMS support for MFA)

Azure SQL Database and Azure SQL Data Warehouse support connections from SQL Server Management Studio (SSMS) using Active Directory Universal Authentication. This article discusses the differences between the various authentication options and the limitations associated with using Universal Authentication.

Download the latest SSMS - On the client computer, download the latest version of SSMS from Download SQL Server Management Studio (SSMS).

For all the features discussed in this article, use at least the July 2017 release, version 17.2. The most recent connection dialog box should look similar to the following image:

(Image: mfa-universal-connect, the SSMS Connect to Server dialog with Active Directory - Universal with MFA support selected)

The five authentication options

Besides SQL Server Authentication and Windows Authentication, the SSMS connection dialog offers three Azure Active Directory options. Active Directory Universal Authentication supports the two non-interactive authentication methods, Active Directory - Password authentication and Active Directory - Integrated authentication. These two methods can also be used in many different applications (ADO.NET, JDBC, ODBC, etc.), and they never result in pop-up dialog boxes:

  • Active Directory - Password
  • Active Directory - Integrated

The interactive method, which also supports Azure multi-factor authentication (MFA), is:

  • Active Directory - Universal with MFA

Azure MFA helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication with a range of easy verification options (phone call, text message, smart card with PIN, or mobile app notification), allowing users to choose the method they prefer. Interactive MFA with Azure AD can result in a pop-up dialog box for validation.

For a description of Multi-Factor Authentication, see Multi-Factor Authentication. For configuration steps, see Configure Azure SQL Database multi-factor authentication for SQL Server Management Studio.

Azure AD domain name or tenant ID parameter

Beginning with SSMS version 17, users that are imported into the current Azure Active Directory from other Azure Active Directories as guest users can provide the Azure AD domain name or tenant ID when they connect. Guest users include users invited from other Azure ADs, Microsoft accounts (MSA) such as outlook.com, hotmail.com and live.com, and other accounts such as gmail.com. This information allows Active Directory - Universal with MFA authentication to identify the correct authenticating authority. The option is therefore required for MSA accounts and non-MSA accounts alike: all such users who want to authenticate with Universal Authentication must enter an Azure AD domain name or tenant ID.

The parameter is the domain name or tenant ID of the Azure AD that the Azure SQL server is currently linked with, not the user's home tenant. For example, if the server is associated with the Azure AD domain contosotest.onmicrosoft.com, and user joe@contosodev.onmicrosoft.com is hosted there as a user imported from the Azure AD domain contosodev.onmicrosoft.com, the domain name required to authenticate this user is contosotest.onmicrosoft.com. When the user is a native user of the Azure AD linked to the server and is not an MSA account, no domain name or tenant ID is required.

To enter the parameter (beginning with SSMS version 17.2), in the Connect to Database dialog box, complete the dialog box, selecting Active Directory - Universal with MFA authentication, click Options, complete the User name box, and then click the Connection Properties tab. Check the AD domain name or tenant ID box and provide the authenticating authority, either the domain name (contosotest.onmicrosoft.com) or the GUID of the tenant ID.
(Image: mfa-tenant-ssms, the Connection Properties tab with the AD domain name or tenant ID box checked)
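The following is an added example, not code from the article or from SSMS. It encodes two things the text describes: the rule for which authenticating authority a user must enter in the "AD domain name or tenant ID" box (the tenant the server is linked with, and nothing for a native non-MSA user), and how the two non-interactive methods, Active Directory - Password and Active Directory - Integrated, are requested from an application through ODBC. The server host name, user names and tenant GUID are constructed samples, and the `Authentication=` keyword values are assumed to be those of the Microsoft ODBC Driver 17 for SQL Server.

```python
"""Added example (not part of the original article): choose the authenticating
authority for Universal with MFA, and build Active Directory - Password /
Integrated ODBC connection strings for non-interactive application use."""
import re
from dataclasses import dataclass
from typing import Optional

# A tenant ID is a GUID; a domain name is a DNS name such as contosotest.onmicrosoft.com.
_GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
_DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


@dataclass(frozen=True)
class AzureSqlServer:
    host: str           # constructed sample, e.g. "contosotest.database.windows.net"
    linked_tenant: str  # Azure AD domain name or tenant ID the server is linked with


@dataclass(frozen=True)
class AadUser:
    upn: str
    # Azure AD domain that hosts the identity. None for MSA accounts (outlook.com,
    # hotmail.com, live.com) or other accounts (gmail.com) with no Azure AD home tenant.
    home_tenant: Optional[str]


def is_valid_authority(value: str) -> bool:
    """True for an Azure AD domain name or a tenant-ID GUID, the two forms SSMS accepts."""
    return bool(_GUID_RE.match(value) or _DOMAIN_RE.match(value))


def required_authority(server: AzureSqlServer, user: AadUser) -> Optional[str]:
    """Value for the SSMS 'AD domain name or tenant ID' box, or None if it may stay empty.

    Rule from the article: a native (non-MSA) user of the tenant the server is linked
    with needs nothing; a guest, MSA or other external account must supply the tenant
    the *server* is linked with, not the user's own home tenant. Both tenants must be
    given in the same form (both domain names or both GUIDs) for the comparison to hold.
    """
    if not is_valid_authority(server.linked_tenant):
        raise ValueError(f"server is linked with an invalid tenant: {server.linked_tenant!r}")
    if user.home_tenant and user.home_tenant.lower() == server.linked_tenant.lower():
        return None
    return server.linked_tenant


def odbc_connection_string(server: AzureSqlServer, database: str, method: str,
                           user: Optional[str] = None, password: Optional[str] = None) -> str:
    """ODBC connection string for the two non-interactive Azure AD methods.

    Assumption: Microsoft ODBC Driver 17 for SQL Server keyword values. Encrypt and
    TrustServerCertificate are pinned so credentials and tokens only travel over a
    TLS channel whose server certificate is validated.
    """
    parts = ["Driver={ODBC Driver 17 for SQL Server}", f"Server=tcp:{server.host},1433",
             f"Database={database}", "Encrypt=yes", "TrustServerCertificate=no"]
    if method == "Active Directory - Password":
        if not (user and password):
            raise ValueError("Active Directory - Password needs a user name and password")
        parts += ["Authentication=ActiveDirectoryPassword", f"UID={user}", f"PWD={password}"]
    elif method == "Active Directory - Integrated":
        # The signed-in Windows/AD identity is used; no credentials belong in the string.
        if user is not None or password is not None:
            raise ValueError("Active Directory - Integrated must not carry a user name or password")
        parts.append("Authentication=ActiveDirectoryIntegrated")
    else:
        # Universal with MFA is interactive (SSMS / SqlPackage only) and is not built here.
        raise ValueError(f"{method!r} is not a non-interactive method")
    return ";".join(parts) + ";"


if __name__ == "__main__":
    # Constructed sample mirroring the article's contosotest / contosodev example.
    server = AzureSqlServer("contosotest.database.windows.net", "contosotest.onmicrosoft.com")
    joe = AadUser("joe@contosodev.onmicrosoft.com", "contosodev.onmicrosoft.com")   # guest
    ann = AadUser("ann@contosotest.onmicrosoft.com", "contosotest.onmicrosoft.com")  # native
    msa = AadUser("someone@outlook.com", None)                                        # MSA
    for u in (joe, ann, msa):
        print(f"{u.upn}: {required_authority(server, u) or '(box may stay empty)'}")
    print(odbc_connection_string(server, "AdventureWorks", "Active Directory - Integrated"))
```

`required_authority` deliberately takes the user's home tenant as an explicit field rather than guessing it from the UPN suffix, because a native user of the linked tenant may sign in with a verified custom domain that does not match the tenant's onmicrosoft.com name.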

Universal Authentication limitations for SQL Database and SQL Data Warehouse

  • SSMS and SqlPackage.exe are the only tools currently enabled for MFA through Active Directory Universal Authentication.
  • SSMS version 17.2 supports multi-user concurrent access using Universal Authentication with MFA. Versions 17.0 and 17.1 restricted a login for an instance of SSMS using Universal Authentication to a single Azure Active Directory account; to log in as another Azure AD account, you had to use another instance of SSMS. (This restriction applies only to Active Directory Universal Authentication; you can log in to different servers using Active Directory Password Authentication, Active Directory Integrated Authentication, or SQL Server Authentication.)
  • SSMS supports Active Directory Universal Authentication for Object Explorer, Query Editor, and Query Store visualization.
  • SSMS version 17.2 provides DacFx Wizard support for Export/Extract/Deploy Data Database. Once a specific user is authenticated through the initial authentication dialog using Universal Authentication, the DacFx Wizard functions the same way it does for all other authentication methods.
  • The SSMS Table Designer does not support Universal Authentication.
  • There are no additional software requirements for Active Directory Universal Authentication except that you must use a supported version of SSMS.
  • The Active Directory Authentication Library (ADAL) version for Universal Authentication was updated to the latest available released version, ADAL.dll 3.13.9. See Active Directory Authentication Library 3.14.1.

Next steps