Azure SQL Database

Configuring Azure SQL Database for Veza discovery

Resources and authorization for Azure SQL Database are automatically discovered for connected Azure tenants, unless the service is disabled in the provider settings.

To collect complete authorization metadata for each database, you will need to create a local database user that the app registration connects as to run read-only queries.

  • You will need access to Azure SQL Database(s) and permission to create the local user.

  • The Azure SQL Database must have an Azure AD Admin configured.

  • The database user must have the same name as the Azure app registration used for discovery, or match the "DB User" name provided when configuring the connection.

Create a local database user the Veza service principal can assume

Connect to your database and create a user, updating db_user in the examples to match the name of the Veza app registration:

CREATE USER [db_user] FROM EXTERNAL PROVIDER

Note that you must connect using Azure AD Authentication to create the Azure AD-connected local user.

Grant the user permission to read object metadata from the sys catalog views (VIEW DEFINITION):

GRANT VIEW DEFINITION TO [db_user]
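To confirm the two statements above took effect before the next discovery run, the following T-SQL verification script is an added example, not part of the Veza documentation; it assumes the user was created as [db_user] and is run in the target database over an Azure AD-authenticated connection.

```sql
-- Added verification script (not from the Veza docs). Replace db_user with the
-- name of the app registration used for discovery.
DECLARE @user sysname = N'db_user';

-- 1. The principal must exist and be an Azure AD identity: type 'E' (external
--    user) with authentication_type_desc = 'EXTERNAL'. A type 'S' row would mean
--    a contained SQL user with a password, which is not what FROM EXTERNAL PROVIDER creates.
SELECT name, type, type_desc, authentication_type_desc, create_date
FROM sys.database_principals
WHERE name = @user;

-- 2. VIEW DEFINITION should appear as a GRANT at database scope (class_desc = 'DATABASE').
SELECT dp.name AS principal, pe.permission_name, pe.state_desc, pe.class_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS dp ON dp.principal_id = pe.grantee_principal_id
WHERE dp.name = @user;

-- 3. Least-privilege check: a read-only discovery user should hold no write or
--    control permissions. Any row returned here deserves review.
SELECT pe.permission_name, pe.state_desc, pe.class_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS dp ON dp.principal_id = pe.grantee_principal_id
WHERE dp.name = @user
  AND pe.permission_name IN (N'INSERT', N'UPDATE', N'DELETE', N'ALTER', N'CONTROL', N'EXECUTE');

-- 4. Role memberships: the user should not be in db_owner or any *_writer role.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @user;
```

Queries 3 and 4 returning no rows, together with one GRANT row for VIEW DEFINITION in query 2, is the expected state for the discovery user.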

Grant Reader role to the Azure subscription

The app registration must have the Reader role on the Azure subscription that contains the resources to discover. You can check whether this was already configured during provider setup by viewing the subscription's role assignments under Access Control (IAM):

  1. Review and assign the role. You can verify the subscription's role assignments from the main Access control panel.

The next time Veza conducts discovery of your Azure tenant, the new data source will be registered and appear on the Configuration > Apps and Data Sources panel.
