Azure SQL Database - User Guide

This article walks you step by step through integrating Azure SQL Database with Scytale.

The Azure SQL Database integration allows Scytale to monitor your SQL databases and validate that they are encrypted. Encryption is a key aspect of ensuring that access to these databases is protected.

In addition, the integration will indicate the following:

  • Whether the database is replicated across multiple regions or instances, and
  • Whether the storage holding sensitive information is encrypted and backed up.

These two points are important evidence that must be collected to verify that the controls supporting the security and availability of the product are in place.

Step 1: Register an application

  • Log in to the Azure portal and then navigate to Azure Active Directory.
  • On the left menu, click on App registrations.
  • On the screen that loads, click on New registration and fill in the following details:
    • Name - you can choose a name (save this name for step 4).
    • Supported account types - the first option must be selected - "Accounts in this organizational directory only (Default Directory only - Single tenant)".
    • Redirect URI - select Web from the drop-down menu, and in the text box paste the following:
    • Click on Register.


  • In the Overview tab of the application, under "Essentials", copy the following:
    • (A) - Application (client) ID; and
    • (B) - Directory (tenant) ID. (You'll need both when connecting the integration in the Scytale web app.)

Step 2: Create a new client secret for the app

  • Go to App registrations.

  • Go to "Certificates & secrets"

  • Click on New client secret

    • Description - scytale-key

    • Expires - we recommend selecting 24 months. (We cannot collect data after the key expires.)

    • Click on Add

  • Click on the copy icon in the (C) - "Value" column. (You'll need this when connecting the integration in the Scytale web app; the value is shown only once, so copy it now.)


Step 3: Create a custom role in the subscriptions

  • Go to Subscriptions.
  • Copy the relevant subscription ID (you'll need to paste it into the Scytale integration connection screen).

  • Click on the relevant subscription. 
  • Navigate in the subscription menu to 'Access control (IAM)'.
  • Select +Add and select the 'Add custom role' option. 

  • Under the Basics tab, enter a name in the 'Custom role name' field.
  • Click on 'Next'.

  • Go to the JSON tab and click on 'Edit'.
  • Add the following permissions list to the custom role JSON under the "actions" section (see the attached screenshot below):
    • "Microsoft.Resources/subscriptions/resourceGroups/read",
    • "Microsoft.Sql/servers/read",
    • "Microsoft.Sql/servers/databases/read",
    • "Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies/read",
    • "Microsoft.Sql/managedInstances/databases/transparentDataEncryption/read",
    • "Microsoft.Sql/managedInstances/encryptionProtector/read",
    • "Microsoft.Sql/servers/databases/replicationLinks/read"
  • Click on 'Save', then 'Review + create', and then 'Create'.

Step 4: Create a role assignment

  • Return to 'Access control (IAM)' in the subscription menu.
  • Select +Add and select the 'Add role assignment' option. 

  • In the role tab, search for the custom role you created in step 3.
  • Click on the role and then select 'Next'. 

  • In the Members tab, under the Members section, click on '+ Select members'.
  • Search for the application name you created in step 1 and click on it.
  • Click on 'Select'. 
  • Click on 'Review + assign'.


Step 5: Log in to the Scytale web app

  • Click on the "Integrations" menu screen to the left.
  • Click on the Connect button under the Azure SQL Database icon.
  • Now, paste the following details into the connection screen:
    • Application ID - (from step 1 above)
    • Secret Value - (from step 2 above)
    • Directory ID - (from step 1 above)
    • Subscription ID - (from step 3 above)
  • Connection Name - used to differentiate between your connections, for instance if you manage multiple accounts or connect to the integration more than once. It is automatically titled (Connection 1, 2, 3, etc.), but you can change it to a custom name to make it easier to identify, for example: scytale-production-env.
  • Click Connect to complete the integration process within the tool.

  • To approve the application's permissions, you will be redirected to a Microsoft page. 


All the permissions required for the Azure SQL Database integration are read-only; they do not allow Scytale to make any changes within your Azure account.

  • "Microsoft.Resources/subscriptions/resourceGroups/read"
  • "Microsoft.Sql/servers/read"
  • "Microsoft.Sql/servers/databases/read"
  • "Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies/read"
  • "Microsoft.Sql/managedInstances/databases/transparentDataEncryption/read"
  • "Microsoft.Sql/managedInstances/encryptionProtector/read"
  • "Microsoft.Sql/servers/databases/replicationLinks/read"
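As an added example (not part of this guide or of Scytale's own tooling), the following Python builds the custom-role JSON for step 3 in the shape the portal's JSON tab expects and checks that every action it grants is a plain control-plane read, which is what the read-only statement above relies on. The role name and the subscription ID are placeholders that you replace with your own values.

```python
# Added example: build the step 3 custom role and verify it is read-only.
import json

# The exact actions listed in step 3 of the guide.
SCYTALE_SQL_ACTIONS = [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Sql/servers/read",
    "Microsoft.Sql/servers/databases/read",
    "Microsoft.Sql/managedInstances/databases/backupShortTermRetentionPolicies/read",
    "Microsoft.Sql/managedInstances/databases/transparentDataEncryption/read",
    "Microsoft.Sql/managedInstances/encryptionProtector/read",
    "Microsoft.Sql/servers/databases/replicationLinks/read",
]


def build_custom_role(role_name, subscription_id, actions=SCYTALE_SQL_ACTIONS):
    """Return a role definition in the layout the portal's JSON tab shows."""
    return {
        "properties": {
            "roleName": role_name,
            "description": "Read-only access for the Scytale Azure SQL Database integration",
            "assignableScopes": [f"/subscriptions/{subscription_id}"],
            "permissions": [
                {"actions": list(actions), "notActions": [],
                 "dataActions": [], "notDataActions": []}
            ],
        }
    }


def non_read_only_actions(role):
    """Return every entry that is not a plain '/read' control-plane action.
    Wildcards and dataActions are flagged too, because they widen access."""
    findings = []
    for perm in role["properties"]["permissions"]:
        for action in perm.get("actions", []):
            if "*" in action or not action.endswith("/read"):
                findings.append(action)
        findings.extend(perm.get("dataActions", []))
    return findings


def is_read_only(role):
    return not non_read_only_actions(role)


if __name__ == "__main__":
    # Placeholder subscription ID: replace it with the one copied in step 3.
    role = build_custom_role("scytale-sql-reader", "00000000-0000-0000-0000-000000000000")
    assert is_read_only(role)
    print(json.dumps(role, indent=2))  # paste this into the portal's JSON tab
```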