This topic shows you how to add accounts so you can use Microsoft SQL Server
with Managed Service for Microsoft Active Directory. You can use the following procedure for a
Compute Engine instance running SQL Server or a self-managed instance.
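Create local administrator account
To set up the SQL Server integration, create a local administrator account and
temporarily grant it the sysadmin role. Learn how to configure Windows Service
Accounts and Permissions.
By default, SQL Server grants the sysadmin role to all members of Users. Initially, the Authenticated Users group is the only member of Users. However, when a computer joins the domain, the Domain Users group is
automatically added to the Users group on the computer.
To improve security, you should consider restricting the sysadmin role
to a smaller set of users. Learn about Roles in SQL Server.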
Joining the SQL Server instance to the domain
Next, join the instance that is running SQL Server to the
Managed Microsoft AD domain. If the instance is already joined, you can skip
to adding logins.
To join the instance to the domain, complete the following steps:
1. Use the local administrator account to connect to the instance with Remote
   Desktop Protocol (RDP).
2. Join the instance to the domain.
3. Restart the instance.
Note that after you complete joining the instance to the domain, the local
administrator account will no longer work for Windows Authentication to SQL
unless you explicitly allow it.
Adding logins
1. Use the local administrator account to connect to the SQL
   Server instance using RDP.
2. Open Microsoft SQL Server Management Studio (SSMS).
3. For Authentication, select Windows Authentication to log in with the
   built-in local administrator account.
4. Select Connect.
5. In Object Explorer, select Security.
6. Right-click Logins, and then select New Login from the menu.
7. For Login name, select Windows authentication, and then enter domain-name\username. username can
   be an Active Directory username, group name or built-in security principal.
8. On the Server Roles page, select the server roles to grant to the Active
   Directory user.
9. Select the General page, and then click OK.
These new logins now work when you use Windows Authentication with SSMS.
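A T-SQL equivalent of the SSMS steps above that also applies the earlier advice to restrict sysadmin to a smaller set of users. This is an added example, not part of the original page. EXAMPLE\sql-admins and EXAMPLE\sql-users are placeholder Active Directory groups, and BUILTIN\Users is the name under which the local Users group appears as a SQL Server login.

```sql
-- Added example. Run as a sysadmin (for instance the local administrator
-- account used in the steps above). Group names are placeholders.

-- 1. Create Windows logins for the domain groups (steps 6 and 7).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'EXAMPLE\sql-admins')
    CREATE LOGIN [EXAMPLE\sql-admins] FROM WINDOWS;

IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'EXAMPLE\sql-users')
    CREATE LOGIN [EXAMPLE\sql-users] FROM WINDOWS;  -- public role only

-- 2. Grant sysadmin to the small admin group only (step 8).
IF IS_SRVROLEMEMBER(N'sysadmin', N'EXAMPLE\sql-admins') = 0
    ALTER SERVER ROLE [sysadmin] ADD MEMBER [EXAMPLE\sql-admins];

-- 3. Snapshot the direct members of sysadmin.
DECLARE @sysadmins TABLE (name sysname, type_desc nvarchar(60));
INSERT INTO @sysadmins (name, type_desc)
SELECT m.name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- 4. Drop the broad local group from sysadmin, but only when the narrow
--    admin group is confirmed as a member, so nobody gets locked out.
IF EXISTS (SELECT 1 FROM @sysadmins WHERE name = N'EXAMPLE\sql-admins')
   AND EXISTS (SELECT 1 FROM @sysadmins WHERE name = N'BUILTIN\Users')
    ALTER SERVER ROLE [sysadmin] DROP MEMBER [BUILTIN\Users];

-- 5. Audit what is left. Any WINDOWS_GROUP row grants sysadmin to every
--    account in that group, including members added to it later.
SELECT m.name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.type_desc, m.name;

-- 6. Expand a Windows group from the audit into its current members.
EXEC xp_logininfo @acctname = N'EXAMPLE\sql-admins', @option = 'members';
```

Re-run the audit query after the domain join and after any change to group membership in Active Directory, since group-based logins pick up new members without any change on the SQL Server side.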
Adding RDP permissions
Add the new logins to the local Remote Desktop Users group to grant them
permission to RDP into the SQL Server instance. Learn how to allow log on through Remote Desktop Services.
Last updated 2025-09-04 UTC.