Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
794 questions
Level 2 AD Group & SQL server Microsoft Entra admin group & usage of IS_MEMBER for Row Level Security
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 45%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
Sandeep Kumar
0
Reputation points
Currently we are running into an issue developing Row Level Security since the IS_MEMBER does not work for the Microsoft Entra Admin group setup for that SQL server. (https://learn.microsoft.com/en-us/sql/t-sql/functions/is-member-transact-sql?view=sql-server-ver16)
When the SQL Server is provisioned the Product Parent AD Group APP-XXX-PP-XXXX-DEV gets set as the Microsoft Entra Admin for that server.
So now we can't have users of our system (apps/frontend) also belong to the APP-XXX-PP-XXXX-DEV group otherwise the RLS will fail.
Any experiences with this?
{count} votes
-
James Hamil 24,481 Reputation points Microsoft Employee2024-09-13T21:12:54.3466667+00:00 Hi @Sandeep Kumar , try separating the Admin and User roles. Make sure that users who need to access the system (apps/frontend) do not belong to the APP-XXX-PP-XXXX-DEV group.
You could also try using custom roles. Instead of relying on the
IS_MEMBERfunction, you can create custom roles and use them to manage access control. This should help you avoid conflicts with the Microsoft Entra Admin group.Please let me know if this helps.
Best,
James
Sign in to comment
Sign in to answer