The monitoring service requires the server admin account for Azure SQL Database and Azure Synapse SQL Pool targets.
The credentials provided for an Azure SQL Database target must be the server account configured in the Azure Portal for the Azure SQL Server so that full access is available for monitoring.
The following authentication methods are supported when adding Azure SQL Database target types:
- SQL Server
- Azure Active Directory - Password
- Azure Active Directory - Integrated
Using service accounts that require Multi-Factor Authentication (MFA) is not currently supported for connecting the SQL Sentry monitoring service to Azure SQL Database targets. It is recommended that generalized service accounts are used for configuring connection credentials rather than accounts that are directly linked to users. For environments that require MFA for Azure Active Directory users, a service account can be excluded from the MFA requirement by using an exclusion for conditional access.
The Microsoft Azure SQL Database and Azure Synapse SQL Pools services are protected by a firewall because both services are exposed on the internet. The Azure SQL Firewall is in place to help protect access to your data. When creating a new Azure SQL Database or Azure Synapse SQL Pools target, the connectivity verification ensures that an Azure SQL Firewall rule is correctly configured and indicates a warning if it's not.
It is important to allowlist the IP address of the server hosting the SQL Sentry monitoring service via the Azure Portal. Depending on the software version, this may be called the SentryOne monitoring service.
The Azure SQL Firewall settings are configured using the Azure Portal, through the command line utilities on PowerShell, or through the Cross Platform CLI tool. For more information about the Azure SQL Firewall and configuring it, see the How to configure an Azure SQL database firewall documentation from Microsoft.
While the firewall is blocking the monitoring service, no data is retrieved from the target.