AZURE SQL Database User

Question

I created SQL account for an application but how do I restrict or deny the same account not to connect the database using SSMS or Azure data studio by the developers since the developers can view the user information in web.config file.

Thanks, Sandeep

Answer 1

Basically the answer to your question is... You can't...

There is no way to identify the client of a certain connection in Azure SQL. What you can do, for example, is restrict access to a certain server using s firewall. But if your dev env is on the same machine as your SSMS that won't work because you're then blocking the dev env as well.

In that case, the best practice is to create a dev database to which all devs have access. In that case, it doesn't matter for you everyone knows the password because it's the dev database.

For production environments, you need to treat database credentials as secrets and thus make sure they are stored in a safe place. When you're using Azure, the KeyVault may be a good place to store the password. This KeyVault has a fine grained way of allowing access to secrets for individuals as well as IT systems.

Answer 2

You can use Azure Active Directory to authenticate your app, so that you don't need to write the username and password in config file.

With Azure AD authentication, you can centrally manage the identities of database users and other Microsoft services in one central location.

Benefits:

• It provides an alternative to SQL Server authentication.

• It helps stop the proliferation of user identities across servers.

• It allows password rotation in a single place.

You can read more details from this document.