Azure SQL Managed Instance Series: Understanding Extension-Based Hybrid Workers in Azure Automation

Watch the step-by-step implementation as a YouTube video.

Config Table script

USE [JB_Config_DB]
GO

CREATE TABLE [dbo].[Tbl_Instance_List](
[Tbl_Instance_List_ID] [int] IDENTITY(1,1) NOT NULL,
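[SQLServerInstance] [nvarchar](256) NULL, -- length is missing on the page (bare nvarchar means nvarchar(1)); 256 is an assumed value
[SQLServerInstance_Type] [nvarchar](50) NULL, -- length is missing on the page; 50 is an assumed value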
PRIMARY KEY CLUSTERED
(
[Tbl_Instance_List_ID] ASC
)WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON, OPTIMIZE_FOR_SEQUENTIAL_KEY = OFF) ON [PRIMARY]
) ON [PRIMARY]
GO

PowerShell modules to be installed on the Hybrid Worker virtual machine

Install-Module -Name Az -Scope AllUsers -Force

Install-Module -Name SqlServer -Scope AllUsers -Force

PowerShell script to be used within the runbook

Write-Output "SQL Hardening Script - Started"

# Connect to Azure using Managed Identity
Connect-AzAccount -Identity

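# Get Access Token for Azure SQL Managed Instance
# Newer Az.Accounts releases return Token as a SecureString, older ones as plain text; handle both
$tokenValue = (Get-AzAccessToken -ResourceUrl https://database.windows.net).Token
if ($tokenValue -is [System.Security.SecureString]) {
    $token = [System.Net.NetworkCredential]::new('', $tokenValue).Password
} else {
    $token = $tokenValue
}

# Initialize SQL Connection (encrypted, server certificate validated)
$sqlConnection = New-Object System.Data.SqlClient.SqlConnection
$sqlConnection.ConnectionString = "Data Source=jbmi.688acec0d83c.database.windows.net;Initial Catalog=JB_Config_DB;Connect Timeout=60;Encrypt=True;TrustServerCertificate=False"
$sqlConnection.AccessToken = $token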

# Open SQL Connection
$sqlConnection.Open()

# Fetch List of Managed Instances from Database
$sqlCommand = New-Object System.Data.SqlClient.SqlCommand
$sqlCommand.CommandTimeout = 0
$sqlCommand.Connection = $sqlConnection
$sqlCommand.CommandText = "SELECT [SQLServerInstance] FROM [dbo].[Tbl_Instance_List] WHERE [SQLServerInstance_Type] = 'Azure'"

# Read Results
$sqlReader = $sqlCommand.ExecuteReader()
$result = @()

while ($sqlReader.Read()) {
    $result += [PSCustomObject]@{
        SQLServerInstance = $sqlReader["SQLServerInstance"]
    }
}

$sqlReader.Close()
$sqlConnection.Close()

# SQL Query to Execute on Each Instance
$sqlQuery = @"
USE master;
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
"@

# Loop Through Each Managed Instance
foreach ($miName in $result) {
    $serverName = $miName.SQLServerInstance
    $miConnection = $null
    try {
        Write-Output "Executing query on: $serverName"

        # Create Connection for Each Managed Instance (encrypted, server certificate validated)
        $miConnection = New-Object System.Data.SqlClient.SqlConnection
        $miConnection.ConnectionString = "Data Source=$serverName;Initial Catalog=master;Connect Timeout=60;Encrypt=True;TrustServerCertificate=False"
        $miConnection.AccessToken = $token
        $miConnection.Open()

        $miCommand = New-Object System.Data.SqlClient.SqlCommand
        $miCommand.CommandTimeout = 0
        $miCommand.Connection = $miConnection
        $miCommand.CommandText = $sqlQuery

        # Execute the Query (discard the rows-affected count so it does not land in the job output)
        $null = $miCommand.ExecuteNonQuery()
        Write-Output "Query executed successfully on $serverName"
    } catch {
        Write-Warning "Failed to execute query on $serverName. Error: $_"
    } finally {
        # Close Connection even when the query fails
        if ($miConnection) { $miConnection.Dispose() }
    }
}

Write-Output "SQL Hardening Script - Completed"
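
The runbook sends the managed identity's access token to every host name it reads from Tbl_Instance_List, so the contents of that table decide where the token goes. The following is an added example, not part of the original script, that validates each name and builds the connection string with SqlConnectionStringBuilder. The function names and the host-name pattern (private endpoint form, instance.zone.database.windows.net) are assumptions, and the sample rows are constructed.

```powershell
# Added example, not from the original post. Function names are hypothetical.
# Assumed host-name form: <instance>.<dns-zone>.database.windows.net (private endpoint).
# \A and \z anchor the whole string, so a trailing newline or extra text cannot slip through.
$MiHostPattern = '\A[a-z0-9][a-z0-9-]{0,62}\.[a-z0-9]+\.database\.windows\.net\z'

function Test-ManagedInstanceName {
    param([string]$Name)
    return $Name -match $MiHostPattern
}

function New-MiConnectionString {
    param([string]$ServerName, [string]$Database = 'master')
    if (-not (Test-ManagedInstanceName $ServerName)) {
        throw "Rejected instance name from config table: '$ServerName'"
    }
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    # Indexer syntax: the builder is a dictionary keyed by connection-string keyword,
    # and it quotes values itself, so a stray ';' cannot add keywords.
    $b['Data Source']            = $ServerName
    $b['Initial Catalog']        = $Database
    $b['Connect Timeout']        = 60
    $b['Encrypt']                = $true
    $b['TrustServerCertificate'] = $false
    return $b.ConnectionString
}

# Constructed sample rows, as they might come back from Tbl_Instance_List
$rows = @(
    'jbmi.688acec0d83c.database.windows.net',                # host name used in the post
    'jbmi.688acec0d83c.database.windows.net;Encrypt=False',  # row carrying an extra keyword
    'sql.example.net'                                        # not a Managed Instance host
)

foreach ($row in $rows) {
    try {
        $cs = New-MiConnectionString -ServerName $row
        Write-Output "Accepted: $cs"
    } catch {
        # The token is never sent to a host that fails validation
        Write-Warning $_.Exception.Message
    }
}
```

In the runbook loop, the string returned by New-MiConnectionString would replace the interpolated "Data Source=$serverName;..." value.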

Thank You,
Vivek Janakiraman

Disclaimer:
The views expressed on this blog are mine alone and do not reflect the views of my company or anyone else. All postings on this blog are provided “AS IS” with no warranties, and confers no rights.

Creating JobSchedule Failed on Azure SQL Managed Instance

Introduction

Azure SQL Managed Instance (MI) is a powerful cloud-based database service that provides near-complete compatibility with SQL Server, along with the benefits of a managed platform. However, while working with SQL Managed Instances, you may occasionally encounter errors due to differences between on-premises SQL Server and Azure SQL environments.

In this blog post, we’ll explore a specific error encountered when attempting to create a JobSchedule in SQL Server Management Studio (SSMS) on an Azure SQL Managed Instance. We’ll break down the error, identify the root cause, and guide you through the steps to resolve it. Additionally, we’ll discuss important lessons learned to prevent similar issues in the future.

Issue

When trying to create a new JobSchedule named ‘DBA – Database Copy Only backup’ in SSMS on an Azure SQL Managed Instance, the following error message was encountered:

TITLE: Microsoft SQL Server Management Studio

Create failed for JobSchedule ‘DBA – Database Copy Only backup’. (Microsoft.SqlServer.Smo)

For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&ProdVer=14.0.17289.0+((SSMS_Rel_17_4).181117-0805)&EvtSrc=Microsoft.SqlServer.Management.Smo.ExceptionTemplates.FailedOperationExceptionText&EvtID=Create+JobSchedule&LinkId=20476


ADDITIONAL INFORMATION:

An exception occurred while executing a Transact-SQL statement or batch. (Microsoft.SqlServer.ConnectionInfo)


SQL Server Agent feature Schedule job ONIDLE is not supported in SQL Database Managed Instance. Review the documentation for supported options. (Microsoft SQL Server, Error: 41914)

For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft%20SQL%20Server&ProdVer=12.00.2000&EvtSrc=MSSQLServer&EvtID=41914&LinkId=20476


BUTTONS:
OK

Understanding the Error:

The error message indicates that the JobSchedule creation failed because the ONIDLE scheduling feature is not supported in Azure SQL Managed Instances.

Key points from the error message:

  • The failure occurred during the execution of a Transact-SQL statement.
  • The ONIDLE feature, which may be supported in on-premises SQL Server instances, is not available in Azure SQL Managed Instances.
  • The version of SSMS used might not be fully compatible with Azure SQL Managed Instance features.

Possible Causes:

  1. Outdated SSMS Version: Using an older version of SSMS that lacks the necessary updates for working with Azure SQL Managed Instances.
  2. Unsupported Feature Usage: Attempting to use a scheduling feature (ONIDLE) that isn’t supported in the Azure SQL environment.
  3. Compatibility Issues: Mismatch between the SSMS client version and the Azure SQL Managed Instance, leading to unsupported operations.

Resolution

To resolve this issue, the primary solution is to update SSMS to the latest version. This ensures compatibility with Azure SQL Managed Instance and the supported feature set.

Step-by-Step Guide to Resolve the Issue:

Step 1: Verify Current SSMS Version

Before updating, check the current version of SSMS installed.

How to Check:

  1. Open SSMS.
  2. Click on “Help” in the top menu.
  3. Select “About”.
  4. Note the version number displayed.

Step 2: Download the Latest SSMS Version

Download the latest version of SSMS from the official Microsoft link.

Download Link: Download SQL Server Management Studio (SSMS)

Instructions:

  1. Click on the above link or paste it into your web browser.
  2. The download should start automatically. If not, click on the provided download button on the page.
  3. Save the installer (SSMS-Setup-ENU.exe) to a convenient location on your computer.

Step 3: Install the Latest SSMS Version

Proceed with installing the downloaded SSMS setup file.

Installation Steps:

  1. Close any running instances of SSMS.
  2. Locate the downloaded installer and double-click to run it.
  3. Follow the on-screen prompts:
    • Accept the license agreement.
    • Choose the installation directory (default is recommended).
    • Click “Install” to begin the installation process.
  4. Wait for the installation to complete. This may take several minutes.
  5. Once installed, click “Close” to exit the installer.

Note: The latest SSMS version as of now supports all recent features and ensures better compatibility with Azure SQL Managed Instances.

Step 4: Reattempt Creating the JobSchedule

After updating SSMS, retry creating the JobSchedule.

Steps:

  1. Open the newly installed SSMS.
  2. Connect to your Azure SQL Managed Instance.
  3. Navigate to SQL Server Agent > Jobs.
  4. Right-click on Jobs and select “New Job…”.
  5. Configure the job properties as required.
  6. Navigate to the Schedules page and create a new schedule without using unsupported features like ONIDLE.
  7. Click “OK” to save and create the JobSchedule.

Expected Outcome: The JobSchedule should now be created successfully without encountering the previous error.

Step 5: Validate the JobSchedule

Ensure that the JobSchedule is functioning as intended.

Validation Steps:

  1. Verify that the job appears under the Jobs section in SSMS.
  2. Check the job’s history after execution to confirm it runs without errors.
  3. Monitor the job over a period to ensure consistent performance.

Additional Considerations:

  • If the error persists, review the job’s configuration to ensure no unsupported features are being used.
  • Consult the official Microsoft documentation for any environment-specific limitations or additional updates required.

Points Learned

  1. Importance of Keeping Software Updated:
    • Regularly updating tools like SSMS ensures compatibility with the latest features and prevents unexpected errors.
    • Updates often include bug fixes, performance improvements, and support for new functionalities.
  2. Understanding Environment Compatibility:
    • Azure SQL Managed Instance differs from on-premises SQL Server in terms of supported features. Always verify feature support based on the specific environment to prevent configuration issues.
  3. Effective Error Analysis:
    • Carefully reading and understanding error messages can quickly point to the root cause and appropriate solutions.
    • Utilizing provided help links and official documentation aids in resolving issues efficiently.
  4. Proactive Maintenance Practices:
    • Regularly auditing and updating database management tools is a best practice to maintain smooth operations.
    • Implementing monitoring and validation steps post-configuration changes ensures system reliability.
  5. Utilizing Official Resources:
    • Relying on official download links and documentation ensures the authenticity and security of the tools being used.
    • Community forums and support channels can provide additional assistance when facing uncommon issues.

Conclusion

Encountering errors in Azure SQL Managed Instances can be challenging, but with a systematic approach to diagnosing and resolving issues, such obstacles can be efficiently overcome. In this case, updating SSMS to the latest version resolved the compatibility issue causing the JobSchedule creation error. This experience underscores the critical importance of maintaining up-to-date software and understanding the specific features supported by different SQL Server environments, especially when working with cloud-based services like Azure SQL Managed Instance.

By adhering to best practices in software maintenance and error resolution, database administrators and developers can ensure robust and uninterrupted database operations, thereby supporting the critical applications and services that rely on them.

Thank You,
Vivek Janakiraman


Azure Series: Resolving RBAC Errors When Creating Keys in Azure Key Vault

Resolving the RBAC Error When Creating a Key in Azure Key Vault

Azure Key Vault is a powerful service for securely managing keys, secrets, and certificates. However, you might occasionally encounter errors while performing operations, such as creating a key. One common issue is the error message: “The operation is not allowed by RBAC. If role assignments were recently changed, please wait several minutes for role assignments to become effective.”

Error information

CODE
Forbidden

MESSAGE
The operation is not allowed by RBAC. If role assignments were recently changed, please wait several minutes for role assignments to become effective.

RAW ERROR
Caller is not authorized to perform action on resource. If role assignments, deny assignments or role definitions were changed recently, please observe propagation time. Caller: appid=3686488a-04fc-4d8a-b967-61f98ec41efe;oid=59347bed-6be5-4c44-be30-7cf210e473f7;iss=https://sts.windows.net/16b3c013-d300-468d-ac64-7eda0820b6d3/ Action: ‘Microsoft.KeyVault/vaults/keys/create/action’ Resource: ‘/subscriptions/ea72f050-0699-4b00-a43c-aba6cd2743df/resourcegroups/jbmysql/providers/microsoft.keyvault/vaults/jbmysqlkeyvault/keys/jbmysqlkey’ Assignment: (not found) DenyAssignmentId: null DecisionReason: null Vault: jbmysqlkeyvault;location=eastus

This blog will walk you through understanding this error and provide a step-by-step guide to resolve it.

Understanding the Error

The error message indicates that the operation you’re trying to perform (in this case, creating a key) is not permitted due to Role-Based Access Control (RBAC) settings. This issue typically arises because of one or more of the following reasons:

  • Insufficient Permissions: The user or service principal doesn’t have the required permissions to perform the operation.
  • Recent Role Assignments: Recent changes to role assignments might not have been propagated yet.
  • Incorrect Role or Scope: The assigned role might not have the necessary permissions, or it might be scoped incorrectly.

Scenario Demonstration

To illustrate the issue, let’s attempt to create a key in Azure Key Vault and reproduce the error:

Open Azure CLI or PowerShell.

Run the following command to create a key in your Key Vault:

    az keyvault key create --vault-name <YourKeyVaultName> --name <YourKeyName> --protection software

Observe the Error Message:

    The operation is not allowed by RBAC. If role assignments were recently changed, please wait several minutes for role assignments to become effective.

Steps to Resolve the Error

1. Verify Role Assignments

Objective: Ensure that the correct roles are assigned to the user or service principal.

Azure Portal:

  1. Navigate to the Azure Portal.
  2. Go to your Key Vault.
  3. Select Access control (IAM).
  4. Review the role assignments to ensure that the user or service principal has the Key Vault Contributor or Key Vault Administrator role.

Azure CLI:

    az role assignment list --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<key-vault-name> --output table

Azure PowerShell:

    Get-AzRoleAssignment -Scope /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<key-vault-name>
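
The Action in the raw error, Microsoft.KeyVault/vaults/keys/create/action, is a data-plane operation, so for the "Incorrect Role" cause what matters is whether an assigned role lists it under DataActions. The following is an added example, not part of the original post, that pulls the caller, action and resource out of the error text and evaluates role definitions against the action. The function names are hypothetical, and the three role entries are constructed, abbreviated copies of built-in definitions.

```powershell
# Added example, not from the original post. Function names are hypothetical.
function ConvertFrom-KeyVaultRbacError {
    param([string]$RawError)
    $q = "['\u2018\u2019]"   # straight or typographic quote, as portals render either
    $fields = [ordered]@{ ObjectId = $null; Action = $null; Resource = $null }
    if ($RawError -match 'oid=([0-9a-fA-F-]{36})')              { $fields.ObjectId = $Matches[1] }
    if ($RawError -match "Action:\s*${q}([^'\u2019]+)${q}")     { $fields.Action   = $Matches[1] }
    if ($RawError -match "Resource:\s*${q}([^'\u2019]+)${q}")   { $fields.Resource = $Matches[1] }
    return [PSCustomObject]$fields
}

function Test-RoleGrantsDataAction {
    param($Role, [string]$Action)
    # A role grants the action when a DataActions pattern matches and no NotDataActions pattern does
    $allowed  = @($Role.DataActions    | Where-Object { $Action -like $_ }).Count -gt 0
    $excluded = @($Role.NotDataActions | Where-Object { $Action -like $_ }).Count -gt 0
    return ($allowed -and -not $excluded)
}

# Constructed input: the RAW ERROR from the post, shortened to the fields parsed here
$raw = "Caller: appid=3686488a-04fc-4d8a-b967-61f98ec41efe;oid=59347bed-6be5-4c44-be30-7cf210e473f7 " +
       "Action: 'Microsoft.KeyVault/vaults/keys/create/action' " +
       "Resource: '/subscriptions/<subscription-id>/resourcegroups/jbmysql/providers/" +
       "microsoft.keyvault/vaults/jbmysqlkeyvault/keys/jbmysqlkey' Assignment: (not found)"

# Constructed, abbreviated role definitions with the same property names Get-AzRoleDefinition returns
$roles = @(
    [PSCustomObject]@{ Name = 'Key Vault Contributor'
                       DataActions = @(); NotDataActions = @() }
    [PSCustomObject]@{ Name = 'Key Vault Crypto Officer'
                       DataActions = @('Microsoft.KeyVault/vaults/keys/*'); NotDataActions = @() }
    [PSCustomObject]@{ Name = 'Key Vault Administrator'
                       DataActions = @('Microsoft.KeyVault/vaults/*'); NotDataActions = @() }
)

$err = ConvertFrom-KeyVaultRbacError $raw
Write-Output "Caller object id: $($err.ObjectId)"
Write-Output "Scope to check:   $($err.Resource)"
foreach ($role in $roles) {
    $grants = Test-RoleGrantsDataAction -Role $role -Action $err.Action
    Write-Output ("{0,-26} grants {1}: {2}" -f $role.Name, $err.Action, $grants)
}
```

With a signed-in Az session, pass the objects returned by Get-AzRoleDefinition -Name for each role found in step 1 instead of the constructed list.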

2. Update Role Assignments

Objective: Add or update the necessary role assignments.

Azure Portal:

  1. Go to your Key Vault in the Azure Portal.
  2. Navigate to Access control (IAM).
  3. Click Add role assignment.
  4. Assign the Key Vault Contributor role to the user or service principal.

Azure CLI:

    az role assignment create --role "Key Vault Contributor" --assignee <UserOrServicePrincipal> --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<key-vault-name>

Azure PowerShell:

    New-AzRoleAssignment -RoleDefinitionName "Key Vault Contributor" -ServicePrincipalName <UserOrServicePrincipal> -Scope /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<key-vault-name>

3. Wait for Propagation

Objective: Allow time for role assignment changes to propagate.

  • Wait Time: Changes in role assignments can take a few minutes to become effective. Be patient and wait for a few minutes before retrying the key creation operation.

4. Retry Key Creation

Objective: Attempt to create the key again after ensuring correct role assignments.

Azure CLI:

    az keyvault key create --vault-name <YourKeyVaultName> --name <YourKeyName> --protection software

Additional Troubleshooting Tips

  • Check Subscription or Resource Group Issues: Ensure there are no broader issues with your subscription or resource group that might affect permissions.
  • Consult Azure Documentation: Refer to Azure’s official documentation for more detailed information on RBAC and Key Vault operations.
  • Contact Azure Support: If the issue persists, consider reaching out to Azure Support for further assistance.

Business Use Case

Consider a scenario where your company needs to manage sensitive keys for encryption and decryption operations. You recently migrated your key management to Azure Key Vault and assigned roles to various team members. After a role assignment change, you encounter the RBAC error while trying to create new keys.

By following the steps outlined above, you ensure that all team members have the necessary permissions and can manage keys without interruptions. Properly handling RBAC settings ensures secure and efficient key management, crucial for maintaining the integrity of your company’s encryption practices.

Conclusion

Encountering RBAC errors when creating keys in Azure Key Vault can be frustrating, but understanding the root cause and following the resolution steps can help you overcome these issues. By verifying and updating role assignments, waiting for propagation, and retrying the operation, you can ensure smooth key management in Azure Key Vault.

If you have any questions or need further assistance, feel free to leave a comment below or check out additional resources on Azure Key Vault and RBAC.

For more tutorials and tips on SQL Server, including performance tuning and database management, be sure to check out our JBSWiki YouTube channel.

Thank You,
Vivek Janakiraman
