Stay organized with collections
Save and categorize content based on your preferences.
This topic shows you how to add accounts so you can use Microsoft SQL Server
with Managed Service for Microsoft Active Directory. You can use the following procedure for a
Compute Engine instance running SQL Server or a self-managed instance.
By default, SQL Server grants the sysadmin role to all members of
Users. Initially, the Authenticated Users group is the only member of
Users. However, when a computer joins the domain, the Domain Users group is
automatically added to the Users group on the computer.
To improve security, you should consider restricting the sysadmin role
to a smaller set of users. Learn about
Roles in SQL Server.
Joining the SQL Server instance to the domain
Next, join the instance that is running SQL Server to the
Managed Microsoft AD domain. If the instance is already joined, you can skip
to adding logins.
To join the instance to the domain, complete the following steps:
Use the local administrator account to connect to the instance with Remote
Desktop Protocol (RDP).
Note that after you complete joining the instance to the domain, the local
administrator account will no longer work for Windows Authentication to SQL
unless you explicitly allow it.
Adding logins
Use the local administrator account to connect to the SQL
Server instance using RDP.
Open Microsoft SQL Server Management Studio (SSMS).
For Authentication, select Windows Authentication to log in with the
built-in local administrator account.
Select Connect.
In Object Explorer, select Security.
Right-click Logins, and then select New Login from the menu.
For Login name, select Windows authentication, and then enter
domain-name\username. username can
be an Active Directory username, group name or built-in security principal.
On the Server Roles page, select the server roles to grant to the Active
Directory user.
Select the General page, and then click Ok.
These new logins now work when you use Windows Authentication with SSMS.
Adding RDP permissions
Add the new logins to the local Remote Desktop Users group to grant them
permission to RDP into the SQL Server instance. Learn how to
allow log on through Remote Desktop Services.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Connect Microsoft SQL Server\n\nThis topic shows you how to add accounts so you can use Microsoft SQL Server\nwith Managed Service for Microsoft Active Directory. You can use the following procedure for a\nCompute Engine instance running SQL Server or a self-managed instance.\n\nCreate local administrator account\n----------------------------------\n\nTo set up the SQL Server integration, create a local administrator account and\ntemporarily grant it the `sysadmin` role. Learn\n[how to configure Windows Service Accounts and Permissions](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/configure-windows-service-accounts-and-permissions?view=sql-server-ver15).\n\nBy default, SQL Server grants the `sysadmin` role to all members of\n`Users`. Initially, the `Authenticated Users` group is the only member of\n`Users`. However, when a computer joins the domain, the `Domain Users` group is\nautomatically added to the `Users` group on the computer.\n\nTo improve security, you should consider restricting the `sysadmin` role\nto a smaller set of users. Learn about\n[Roles in SQL Server](https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/sql/server-and-database-roles-in-sql-server).\n\nJoining the SQL Server instance to the domain\n---------------------------------------------\n\nNext, join the instance that is running SQL Server to the\nManaged Microsoft AD domain. If the instance is already joined, you can skip\nto [adding logins](#adding-logins).\n\nTo join the instance to the domain, complete the following steps:\n\n1. Use the local administrator account to connect to the instance with Remote Desktop Protocol (RDP).\n2. [Join the instance to the domain](/managed-microsoft-ad/docs/quickstart-domain-join-windows).\n3. Restart the instance.\n\nNote that after you complete joining the instance to the domain, the local\nadministrator account will no longer work for Windows Authentication to SQL\nunless you explicitly allow it.\n\nAdding logins\n-------------\n\n1. Use the [local administrator](#local-admin) account to connect to the SQL Server instance using RDP.\n2. Open **Microsoft SQL Server Management Studio (SSMS)**.\n3. For **Authentication** , select **Windows Authentication** to log in with the built-in local administrator account.\n4. Select **Connect**.\n5. In **Object Explorer** , select **Security**.\n6. Right-click **Logins** , and then select **New Login** from the menu.\n7. For **Login name** , select **Windows authentication** , and then enter \u003cvar translate=\"no\"\u003edomain-name\u003c/var\u003e\\\\\u003cvar translate=\"no\"\u003eusername\u003c/var\u003e. \u003cvar translate=\"no\"\u003eusername\u003c/var\u003e can be an Active Directory username, group name or built-in security principal.\n8. On the **Server Roles** page, select the server roles to grant to the Active Directory user.\n9. Select the **General** page, and then click **Ok**.\n\nThese new logins now work when you use Windows Authentication with SSMS.\n\nAdding RDP permissions\n----------------------\n\nAdd the new logins to the local `Remote Desktop Users` group to grant them\npermission to RDP into the SQL Server instance. Learn how to\n[allow log on through Remote Desktop Services](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services)."]]
