
Category: Security

Connecting to Power BI as a Guest User

Koen Verbeeck can only enter a tenant with explicit permission:

Sometimes your Microsoft Entra ID account (formerly known as Azure Active Directory) is added as a guest user in another tenant. This happens quite a lot when you’re a consultant and your client can’t create a new user in their own tenant, so they add the account of your own company as a guest instead. If you’re not a consultant, it can also happen after a merger or acquisition and you’re suddenly stuck with multiple tenants.

Yeah, this is a real annoyance with Microsoft Fabric / Power BI. Koen links to a 5-year-old feature request that I recommend upvoting.


Using Managed Identities in Azure Logic Apps

Koen Verbeeck doesn’t want to change a password yet again:

A stored procedure is executed on an Azure SQL Database. The connection to this database was configured using SQL Server Authentication. The goal of this article is to show you how you can connect using managed identities instead, which was left as an exercise to the reader in the previous article.

I recommend you go through this article first if you don’t have a solid understanding of Logic Apps, or if you want to follow along as an exercise. It’s not necessarily a prerequisite to understand the concepts of this article and if you’re just interested in learning how managed identities work for Logic Apps, then keep on reading.

Click through to learn more about managed identities in Azure and how they can be so useful.


Working with Always Encrypted Data in SSIS

Rod Edwards continues a series on Always Encrypted:

So now, let’s see how it plays with another one of those common toolsets that you may use alongside your Encrypted data. In this post, I’ll be talking about accessing and importing data using SSIS, nothing fancy, just reading data from an Excel sheet, and piping into our Always Encrypted table, encrypting as we go.

I’m not saying to use Excel for housing confidential data either!… as no one does that…oh no, not anywhere, ever….</sarcasm>.

As previously, this focuses on using Azure Key Vault for securing Encryption keys required.

Considering that all corporate data is in Excel someplace (some variant of which may eventually become Feasel’s Second Law), of course that sensitive and confidential data will be in a plain Excel file that people e-mail around.


A Reminder for Server Consistency

Chad Callihan resolves an issue:

I connected to the latest SQL Server, opened SSMS, and tried to restore from there. Sure enough, I was presented with the error:

Cannot access the specified path or file on the server. Verify that you have the necessary security privileges and that the path or file exists.

If you know that the service account can access a specific file, type in the full path for the file in the File Name control in the Locate dialog box.

Read on for the solution, which was easy enough, but serves as a reminder that having (and occasionally running!) idempotent configuration scripts can be quite useful.


Reading Always Encrypted Data in Power BI

Rod Edwards wants to make use of encrypted data:

This is where things start to get a little more interesting compared to Pt1, as now we have a different application in the mix for reading the data. So how can that application retrieve the key needed to successfully decrypt?

Read on to see how it all works. There are a lot of working parts here, though some of it pertains to using an on-premises gateway versus Always Encrypted as such, so you get even more bang for your buck.


Granting Entra ID Guest Users Access to a Semantic Model via Excel

Gilbert Quevauvilliers notes an implication:

Yes, you read that right: it is possible that, where you have shared a Power BI semantic model with an external user (guest user in Entra ID), they can now connect to the semantic model using Excel.

This has been around for quite a while; I just did not know about it. Here is the Microsoft documentation: Semantic model connectivity and management with the XMLA endpoint in Power BI – Power BI | Microsoft Learn

The first thing to note is that this currently only works in the Excel Desktop App.

I did try using Excel on the Web and unfortunately that did not work.

I then created my Excel file, uploaded to SharePoint Online and tried to interact with the Excel Pivot table and that too did not work.

OK, enough of the limitations; let me show you how to get it working.

Click through to see how. Gilbert also has an important note about row-level security, so read the whole thing.


SPNs, Linked Server Security, and the Double-Hop Problem

Greg Dodd enables another hop:

The main issue with the security is when you map a login on the source server to a destination server. When you do this, you provide anyone who can access the source server access to the linked server. Sure, you can lock it down with different logins in the top section there, but whenever I’ve seen this, people take the lazy option and choose “Be made using this security context:” and fill in an account that has quite privileged access on the linked server. Hopefully you can see the security issue here…

Read on for Greg’s recommendations around this. I mean, it’s just so much easier to give everybody the sa account (and make the password something they can remember like “sa”). That solves all of these silly security issues no problem.

Hang on, someone just dropped an important table on accident again. Be right back.


Authentication Monitoring in Postgres

Rafia Sabih announces a new extension:

How about a situation when you want to log all the login attempts made to your PostgreSQL server? Yes, one way would be to read your log files and find out all the information related to login attempts and then transfer them to some other file, etc. to further use this information. Now, this is one way of doing it but it might pose some challenges like time and memory consumption in reading from those long files; additionally, this is going to incur a lot of I/O which might be a serious issue when you are on cloud. During my time working for Zalando, we came across this problem and decided to write a Postgres extension to handle this efficiently.

Click through to learn more about the pg_auth_mon extension and how it works, including a link to the GitHub repository.


Always Encrypted and Key Vault

Rod Edwards starts a series on Always Encrypted:

For the purposes of this post, I’m going to show how to set up Always Encrypted for column data held in an OnPrem SQL Server (which could be MI, or Azure SQL DB) using keys stored in Azure Key Vault. And showing you some of the many potential issues that you need to be aware of along the way.

I’m not going to talk about the Secure Enclaves flavour here, just the ‘common or garden’ Always Encrypted.

Read on to learn more.
