Azure SQL Database
Configuring Azure SQL database for Veza discovery
Resources and authorization for Azure SQL Database are automatically discovered for connected Azure tenants, unless the service is disabled in the provider settings.
To collect complete authorization metadata for each database, you will need to create a local database user that the app registration can connect as, and through which it runs read-only queries.
You will need access to the Azure SQL Database(s) and permission to create the local user.
The Azure SQL Database must have an Azure AD Admin configured.
The database user must have the same name as the Azure app registration used for discovery, or match the "DB User" name provided when configuring the connection.
Create a local database user the Veza service principal can assume
Connect to your database and create a user, updating db_user in the examples to match the name of the Veza app registration:
Note that you must connect using Azure AD Authentication to create the Azure AD-connected local user.
Grant select permissions on the sys schema:
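The two steps above (creating the Azure AD-backed local user, then granting select on the sys schema) carried out as one T-SQL script, followed by two queries that confirm the result. This is an added example, not a snippet from the Veza documentation; it assumes an app registration named veza-discovery, which you replace with the real name of your app registration (or the "DB User" name entered in the Veza connection settings). It must be run while connected with Azure AD authentication, once in each database Veza should discover.

```sql
-- Added example (not Veza's own snippet). Assumes the app registration is
-- named "veza-discovery"; replace it with your app registration's name or the
-- "DB User" value configured in Veza. Run while connected with Azure AD
-- authentication, in EACH database that Veza should discover.

-- 1. Create a contained database user backed by the Azure AD app registration.
--    FROM EXTERNAL PROVIDER resolves the name in Azure AD, so it must match exactly.
CREATE USER [veza-discovery] FROM EXTERNAL PROVIDER;

-- 2. Grant read access on the sys schema only; no access to table data is granted.
GRANT SELECT ON SCHEMA::sys TO [veza-discovery];

-- 3. Verify the principal: expect type_desc = EXTERNAL_USER and
--    authentication_type_desc = EXTERNAL for the new user.
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals
WHERE name = N'veza-discovery';

-- 4. Verify the grant: expect exactly one row, SELECT / GRANT on schema "sys".
SELECT p.permission_name, p.state_desc, s.name AS schema_name
FROM sys.database_permissions AS p
JOIN sys.database_principals AS u ON u.principal_id = p.grantee_principal_id
JOIN sys.schemas AS s ON s.schema_id = p.major_id
WHERE u.name = N'veza-discovery'
  AND p.class_desc = 'SCHEMA';
```

The verification queries are the useful part for a later audit: if the second query returns more than the single schema-level SELECT row, the discovery user has accumulated permissions beyond what Veza needs and the extra grants should be revoked.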
Grant Reader role to the Azure subscription
The app registration must have the Reader role on the Azure subscription that contains the resources to discover. You can check whether this was already configured during provider setup by viewing the subscription's role assignments under Access Control (IAM):
Review and assign the role. You can verify the subscription's role assignments from the main Access control panel.
The next time Veza conducts discovery of your Azure tenant, the new data source will be registered and appear on the Configuration > Apps and Data Sources panel.