mgmt, sql , fix live test failures#49163
Conversation
Introduces a method to enable Microsoft Entra-only authentication when creating SQL Servers, addressing scenarios where policies require disabling SQL authentication. Updates tests and utilities to use Entra admin exclusively, improving compliance with platform security requirements.
github-actions
Bot
added
the
Mgmt
There was a problem hiding this comment.
I think name this similar to CLI
https://learn.microsoft.com/en-us/cli/azure/sql/server?view=azure-cli-latest#az-sql-server-create
Create a server without SQL Admin, with AD admin and AD Only enabled.
So, here, we can do withAzureActiveDirectoryOnlyAuthentication() at this (impl would set withAzureADOnlyAuthentication(true)`.
And another optional stage and method, e.g. withExternalActiveDirectoryAdministrator(String userLogin, String sid) (similar to WithActiveDirectoryAdministrator).
And test code would be
.withAzureActiveDirectoryOnlyAuthentication()
.withExternalActiveDirectoryAdministrator(.., ..)
.
PS: there is --external-admin-principal-type in CLI. Do we need it?
@XiaofeiCao for opinion
There was a problem hiding this comment.
Agree. We should have a dedicated withAzureActiveDirectoryOnlyAuthentication.
Also, I'm seeing we already have withActiveDirectoryAdministrator method, can we reuse that?
e.g.
WithActiveDirectoryAdministrator withAzureActiveDirectoryOnlyAuthentication();There was a problem hiding this comment.
They appear somehow different. withAzureActiveDirectoryOnlyAuthentication would create a resource.
There was a problem hiding this comment.
Yeah, then we should have two phases.
interface WithAzureActiveDirectoryOnlyAuthentication {
WithExternalActiveDirectoryAdministrator withAzureActiveDirectoryOnlyAuthentication();
}
interface WithExternalActiveDirectoryAdministrator {
WithCreate withExternalActiveDirectoryAdministrator(.., ..);
}@v-huizhu2 Could you help check what's sqlServer.innerModel().administrators().principalType() after server creation? I assume server will "infer" from the "sid" if not provided, though need confirmation.
There was a problem hiding this comment.
- API naming — Done. Renamed to .withAzureActiveDirectoryOnlyAuthentication() + .withExternalActiveDirectoryAdministrator(userLogin, sid) as you suggested, matching the CLI pattern.
- Do we need --external-admin-principal-type? — The implementation now hardcodes withPrincipalType(PrincipalType.USER) in withExternalActiveDirectoryAdministrator(). The server can infer the principal type from the SID, but setting it explicitly to USER avoids an extra Graph lookup by the service. If we need to support Group or Application in the future, we can add an overload. For now, all live tests use a user principal, so USER is sufficient.
- Two-phase interface design — Done.
- What's sqlServer.innerModel().administrators().principalType() after creation? — The implementation now sets withPrincipalType(PrincipalType.USER) explicitly. The service does infer it from the SID if omitted, but setting it explicitly is safer and avoids ambiguity.
There was a problem hiding this comment.
On 2: any code not in test folder is for user to use. not for your test to use. "all live tests use a user principal, so USER is sufficient" is not a explanation.
There was a problem hiding this comment.
For general region, we could make it a field property and reference it in each test, in case we need to update it again in future recording tests.
There was a problem hiding this comment.
Region as field property — Done. Extracted DEFAULT_REGION, SECONDARY_REGION, TERTIARY_REGION as private static final constants at class level.
There was a problem hiding this comment.
What's the accountKey if SAS is disabled?
There was a problem hiding this comment.
What's the accountKey if SAS is disabled? — That's exactly why the threat detection policy test is now commented out. The AAD-only tenant requires disableSharedKeyAccess(), which makes getKeys() return keys the data plane won't accept. The securityAlertPolicies API has no Managed Identity option (unlike auditingSettings), so there's no working auth path. The import/export test was rewritten to use withManagedIdentity(uamiResourceId) instead.
There was a problem hiding this comment.
These seems not needed?
There was a problem hiding this comment.
These seems not needed?" (adminLogin/adminSid in SqlServerTest) — Correct, removed. Each test now calls azureCliSignedInUser() directly to get the AzureUser, making the adminLogin()/adminSid() helpers and their caching logic unnecessary.
There was a problem hiding this comment.
Is this due to concurrent test running? If so, we could enhance the azureCliSignedInUser method, to cache the AzureUser instance.
There was a problem hiding this comment.
"Is this due to concurrent test running? Cache azureCliSignedInUser?" — The azureCliSignedInUser() method is inherited from ResourceManagerTestProxyTestBase. Each test method calls it independently; tests don't run concurrently within a single class (JUnit 5 default). If caching is desired for performance, it can be done in the base class. Current usage is simple and correct without caching.
Enables user-assigned managed identity authentication for SQL database import/export operations, allowing secure access to storage accounts when shared-key authentication is disabled. Updates public APIs, implementation, and tests to support this authentication method. Also refines Entra-only authentication setup, streamlining interface and test usage. Relates to customer scenarios with storage accounts enforcing identity-based access.
Cleans up formatting by deleting a redundant empty line, improving code readability and maintaining style consistency.
Removes unnecessary line breaks and indentation in several interface method and type declarations to improve code readability and maintain consistency across model definitions.
Allows user-assigned managed identity authentication for SQL database import, export, and creation stages in the fluent API, clarifying that these enhancements impact only SDK-implemented interfaces and do not break user implementations.
| { | ||
| "code": "java.method.addedToInterface", | ||
| "new" : { | ||
| "matcher": "regex", | ||
| "match": "method .* com\\.azure\\.resourcemanager\\.sql\\.models\\.(SqlDatabase|SqlDatabaseOperations|SqlDatabaseExportRequest|SqlDatabaseImportRequest)\\.DefinitionStages\\.(WithAuthentication|WithAuthenticationAfterElasticPool|WithAuthenticationTypeAndLoginPassword)(<ParentT>)?::withManagedIdentity\\(java\\.lang\\.String\\)" | ||
| }, | ||
| "justification": "Adds user-assigned managed identity authentication option to SQL database import/export and creation fluent stages. These DefinitionStages interfaces are only meant to be implemented by the SDK itself." | ||
| }, |
There was a problem hiding this comment.
revert these, no reason to break when write code.
| withActiveDirectoryLoginAndPassword(String administratorLogin, String administratorPassword); | ||
|
|
||
| /** | ||
| * Sets the user-assigned managed identity used to authenticate to the SQL database for export. |
There was a problem hiding this comment.
Is it restricted to uami? Can sami be used here?
Also, can signed-in user's objectId be used?
| // | ||
| // The UAMI resource ID is read from the AZURE_SQL_IMPORT_EXPORT_UAMI_ID environment variable. | ||
| // If it is not provided the test is skipped instead of failing. | ||
| String uamiResourceId = System.getenv("AZURE_SQL_IMPORT_EXPORT_UAMI_ID"); |
There was a problem hiding this comment.
Is it possible to programmatically create uami and assign "Storage Blob Data Contributor" to it?
If so, could you also try sami path?
- get sami ID
- assign "Storage Blob Data Contributor" to it
- import/export(without setting
withManagedIdentity)
3 participants
Introduces a method to enable Microsoft Entra-only authentication when creating SQL Servers, addressing scenarios where policies require disabling SQL authentication. Updates tests and utilities to use Entra admin exclusively, improving compliance with platform security requirements.
Description
#49070
If an SDK is being regenerated based on a new swagger spec, a link to the pull request containing these swagger spec changes has been included above.
All SDK Contribution checklist:
General Guidelines and Best Practices
Testing Guidelines