Permissions, Auditing, and Passwordless Access
Control database access with object-level permissions, track all activity with SQL auditing, and eliminate passwords with Microsoft Entra authentication.
Who can do what β and who is watching
Think of a building with key cards, security cameras, and no physical keys.
Permissions are key cards β each personβs card only opens the doors they need. Auditing is the security camera β it records who went where and when. Passwordless access replaces physical keys (passwords that can be stolen) with biometric scanners (managed identity, certificates) that cannot be copied.
Object-level permissions
SQL Server uses a hierarchy: server β database β schema β object. Permissions flow down and DENY always wins.
-- Grant SELECT on specific tables
GRANT SELECT ON SCHEMA::Sales TO [SalesTeam];
-- Grant EXECUTE on a stored procedure
GRANT EXECUTE ON dbo.usp_GetCustomerOrders TO [AppService];
-- Deny direct table access but allow through procedures
DENY SELECT ON dbo.Customers TO [AppService];
GRANT EXECUTE ON dbo.usp_GetCustomer TO [AppService];
-- AppService can only access customer data through the stored procedurePrinciple of least privilege
| Pattern | Example | Why |
|---|---|---|
| Schema-level grants | GRANT SELECT ON SCHEMA::Reports | Simpler than per-table grants |
| Procedure-only access | DENY on tables, GRANT on procedures | Application sees only what procedures expose |
| Database roles | CREATE ROLE ReadOnlyAnalyst; GRANT SELECT TO ReadOnlyAnalyst | Group permissions, assign users to roles |
| EXECUTE AS | CREATE PROCEDURE ... WITH EXECUTE AS 'AppUser' | Procedure runs with specific identity regardless of caller |
Passwordless access
Modern SQL authentication eliminates passwords entirely using Microsoft Entra ID (formerly Azure AD).
| Method | How It Works | Best For |
|---|---|---|
| Managed Identity | Azure resource authenticates automatically β no credentials stored | Azure VMs, App Service, Functions connecting to Azure SQL |
| Service Principal | Application registers in Entra ID, authenticates with certificate or federated credential | Non-Azure apps, CI/CD pipelines |
| Entra ID user | Interactive login with MFA, SSO | Developers, DBAs, analysts |
| SQL authentication | Username + password stored in connection string | Legacy only β avoid for new applications |
-- Create a contained database user for a managed identity
CREATE USER [my-app-service] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [my-app-service];
ALTER ROLE db_datawriter ADD MEMBER [my-app-service];SQL auditing
Auditing records database events to a log for compliance and security investigation.
Azure SQL auditing
-- Server-level auditing (Azure SQL) β configured in Azure portal or CLI
-- Logs to Azure Blob Storage, Log Analytics, or Event Hub
-- Database-level audit specifications
CREATE DATABASE AUDIT SPECIFICATION AuditSensitiveAccess
FOR SERVER AUDIT [AzureSQLAudit]
ADD (SELECT, INSERT, UPDATE, DELETE ON dbo.Customers BY [public]),
ADD (EXECUTE ON dbo.usp_TransferFunds BY [public])
WITH (STATE = ON);Exam tip: Auditing is not optional for compliance
The exam often presents scenarios where a company must demonstrate βwho accessed what data and whenβ for regulatory compliance (GDPR, SOX, HIPAA). The answer is always auditing β not just permissions. Permissions control access; auditing proves what actually happened.
For Azure SQL, audit logs can flow to: Blob Storage (cheapest), Log Analytics (queryable with KQL), or Event Hub (real-time streaming to SIEM tools).
Leo at SearchWave deploys his application to Azure App Service. The app needs to connect to Azure SQL Database. The security team requires no credentials in code or configuration. What should Leo use?
π¬ Video coming soon
Next up: Transaction Isolation and Concurrency β understand how transactions interact and prevent blocking and deadlocks.