Description:

Setting a Microsoft Entra admin (formerly Azure AD admin) allows an Azure SQL server to use Microsoft Entra ID authentication. This enables centralized identity management, MFA, Conditional Access, and group-based access, and it eliminates reliance on SQL-only authentication.


Rationale:

Configuring a Microsoft Entra admin strengthens security by enabling MFA, reducing SQL password logins, and allowing centralized, controlled access. Without it, SQL servers rely on less secure SQL authentication.


Impact:

Enabling a Microsoft Entra admin does not break existing SQL logins; it enables Entra authentication alongside them. If you choose the optional setting "Support only Microsoft Entra authentication", SQL logins will be disabled, so use it only once you are ready to stop relying on them.


Default Value:

By default, SQL servers show: Admin name: No Microsoft Entra admin


Pre-requisites:

  • You must have Owner, Contributor, or SQL Server Contributor access.

  • The admin you choose must be a valid Microsoft Entra user or group.


Test Plan:

  1. Sign in to the Azure portal https://portal.azure.com

  2. In the portal, search for SQL servers. Select the target SQL server.

  3. Under Settings, click Microsoft Entra ID.

  4. Under Microsoft Entra admin, look at the Admin name.

  5. Confirm that it does not display “No Microsoft Entra admin.”

  6. If it shows “No Microsoft Entra admin,” then follow the implementation plan.
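
The same check can be run across every SQL server in a subscription instead of one portal blade at a time. The script below is an added example, not part of the original test plan; it assumes the JSON produced by `az sql server list -o json`, where each server carries an `administrators` object that is null or absent when no Entra admin is set. The server and group names in the sample are constructed.

```python
import json
import sys

# Constructed sample mimicking `az sql server list -o json` (names are made up).
SAMPLE = json.loads("""
[
  {"name": "sql-prod-01", "resourceGroup": "rg-data",
   "administrators": {"administratorType": "ActiveDirectory",
                      "login": "sql-admins", "principalType": "Group",
                      "azureAdOnlyAuthentication": false}},
  {"name": "sql-dev-02", "resourceGroup": "rg-dev", "administrators": null},
  {"name": "sql-legacy-03", "resourceGroup": "rg-old"}
]
""")


def audit_servers(servers):
    """Return one finding per server: PASS if an Entra admin is set, else FAIL."""
    findings = []
    for srv in servers:
        # Assumption: a missing or null "administrators" means no Entra admin.
        admin = srv.get("administrators") or {}
        login = admin.get("login")
        has_admin = admin.get("administratorType") == "ActiveDirectory" and bool(login)
        findings.append({
            "server": srv.get("name"),
            "resource_group": srv.get("resourceGroup"),
            "status": "PASS" if has_admin else "FAIL",
            "admin": login if has_admin else "No Microsoft Entra admin",
            # True when "Support only Microsoft Entra authentication" is on.
            "entra_only": bool(admin.get("azureAdOnlyAuthentication")),
        })
    return findings


def failing(servers):
    """Names of servers that need the implementation plan."""
    return [f["server"] for f in audit_servers(servers) if f["status"] == "FAIL"]


if __name__ == "__main__":
    # Usage: az sql server list -o json | python this_script.py
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for f in audit_servers(data):
        print("{status}  {resource_group}/{server}  admin={admin}  "
              "entra_only={entra_only}".format(**f))
    sys.exit(1 if failing(data) else 0)
```

The non-zero exit code on any FAIL lets the check gate a scheduled compliance job.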

Implementation Plan:

  1. Sign in to the Azure portal https://portal.azure.com

  2. In the portal, search for SQL servers and select the SQL server.

  3. Under Settings, select Microsoft Entra ID. Click Set admin.

  4. Choose the Entra user or group you want to assign as the admin.

  5. Click Save.


Backout Plan:

  1. Sign in to the Azure portal at https://portal.azure.com.

  2. In the portal, search for SQL servers and select the server.

  3. Open Microsoft Entra ID under Settings.

  4. Click Remove admin.

  5. Click Save to apply the rollback.
