Please note that when employing Entra ID authentication while adding a new server to SQL Diagnostic Manager, you must select or configure an Azure Profile.

Components of Azure Profile are responsible for building a valid connection.

What are the service account requirements?

First of all, review the following information regarding your account requirements and ensure you meet them.

Account Permissions

The minimum permission required for Azure SQL Database is Microsoft Entra admin configured in Entra ID service principal so that full access is available for monitoring.

However, you must grant the Azure SQL Database permissions to read the Microsoft Entra ID. For more information regarding this matter, please refer to the Azure portal section of the Authorize server and database access using logins and user accounts article.

Multi-Factor Authentication

Connecting SQL Diagnostic Manager to your environment does not support service accounts requiring Multi-Factor Authentication (MFA), as continuous connection is required for service collection accounts. 
It is recommended to use generalized service accounts for configuring connection credentials rather than accounts directly linked to users. 

For environments that require MFA for Entra ID users, a service account can be excluded from the MFA requirement by using an exclusion for conditional access. For guidance on how to set up exclusions for MFA, review the Use access reviews to manage users excluded from Conditional Access Policies article on Microsoft Docs.

Firewall

Keep in mind that the Microsoft Azure SQL Database is protected by a firewall, safeguarding access to your data when you create a new Azure Database. For more information on Azure SQL Firewall and how to configure it, please refer to this Microsoft documentation.
That is why it is important to allowlist the IP address of the server hosting the SQL Diagnostic Manager monitoring service via the Azure Portal.

How to select an Azure Profile?

Select your Azure Profile by following the next steps:

  1. Click the Azure Discovery Settings button.
  2. In case you have already created an Azure profile, select it from the Select an Azure Profile dropdown. Otherwise, create a new one.
  3. Click OK to save your configuration.
  4. Select a server to monitor.
  5. Select the instances to monitor.

How to create a new Azure Profile?

Create a new Azure profile by clicking Manage Azure Profile from the Azure Application Configuration wizard.

When the Azure Profiles Configuration Wizard opens, you have two sections:

To add a new Azure profile, please follow the steps below:

  1. Click the New button in the Application Profiles section.
  2. Choose a Profile Name and Description for your Azure profile from the Azure Application Profile wizard.
  3. Select an Azure Subscription from the subscription dropdown, otherwise, click New and complete the following fields with the application information:
    1. Subscription ID*
    2. Description

      (*) This information is mandatory. To get it from your application, follow the steps outlined in the How to get Azure Profile components? section.

  4. Click OK to save your Subscription information.
  5. Select an Azure Application from the application dropdown, otherwise, click New and complete the following fields with the application information:
    1. Application name
    2. Tenant ID*
    3. Client ID* 
    4. Secret value*
    5. Description of the Azure application

      (*) This information is mandatory. To get it from your application, follow the steps outlined in the How to get Azure Profile components? section.

  6. Click OK to save your Subscription information. Review all your information. When you finish, the wizard should look like this image.
  7. Click OK to save your Azure Application Profile.
  8. Click Close to close the Azure Profiles Configuration wizard.
  9. In the Azure Application configuration, select the Azure Profile you just created from the Select Azure Profile dropdown.
  10. Select the instances to monitor.

How to get Azure Profile components?

If you do not know how to obtain your application information, such as your subscription ID, tenant ID, client ID, and secret value, we have outlined the following steps to get them.

Get your Subscription ID

  1. Log in to the Azure Portal.
  2. Get the Subscription ID by searching Subscriptions in the search bar.
  3. Copy and save the Subscription ID in a notepad or secure file.

Get your Tenant ID

  1. Log in to the Azure Portal.
  2. Select the Microsoft Entra ID service.
  3. Copy and save the Tenant ID from the Overview tab.

Get your Client ID and Secret Value

  1. Log in to the Azure Portal.
  2. Select the Microsoft Entra ID service.

  3. Navigate to the Manage node from the left side menu and select App Registration.

  4. After the creation of the app, we need to apply the Reader role to the app under Subscription > IAM > Role Assignment.

  5. If you have already created your Owned App, select it, and the Overview page will display the Client ID.

  6. Copy and save it.

  7. Click the secret hyperlink to obtain your Secret value if you have already created it. In case you need a secret value, you can create a new one.

  8. Copy and save your Secret Value.

  9. Otherwise, you can create a new one.

Create a Client Secret

In case you do not have the Secret ID or you have lost it, follow the steps below: 

  1. Navigate through the Manage node to the Certificates & secrets option from the Overview tab of your Owned App.
  2. Click the New client secret option.
  3. Choose a description, select an expiration time from the dropdown menu, and click Add.
  4. Copy and save the Secret ID.

You must save the Secret value once you create the Client Secret; otherwise, the next time you log in to the Azure Portal to check this value, it will be masked.

If you lost or did not save the Secret value and you need it, create a new Client Secret and use the new Secret value instead.