Single User Enterprise cloud connections

[suiciety]

I have a single user academic enterprise license and wanted to use the Cloud Explorer functions. However whenever I try to log in using my azure credentials I get a license exceeded error and can't proceed.

Is there a way to link the only account to my Azure identity to make this work or is that just a limitation of the Academic single license version?

[LonwoLonwo]

Hello @suiciety

Could you please provide the error text? You can find it in the log viewer.

[suiciety]

When trying to use the Federated login I get the following:

io.cloudbeaver.DBWebException: Failed to perform federated authentication: You exceed the limit of the active users number for your license (1)
at io.cloudbeaver.service.auth.impl.WebServiceAuthImpl.authUpdateStatus(WebServiceAuthImpl.java:126)

So I have to log in locally, but when I do and use the Cloud explorer it can authenticate there but gives the following error:

Azure authentication is available in Azure AD session only
org.jkiss.dbeaver.DBException: Azure authentication is available in Azure AD session only
at com.dbeaver.net.auth.azure.AuthModelAzureCredentials.getAccessCredentials(AuthModelAzureCredentials.java:184)
at com.dbeaver.net.auth.azure.AuthModelAzureCredentials.authenticateWithToken(AuthModelAzureCredentials.java:125)
at com.dbeaver.cloud.azure.sql.AzureCloudSQLServerInstance.list(AzureCloudSQLServerInstance.java:51)
at com.dbeaver.cloud.azure.AzureCloudExplorer.getDatabaseInstances(AzureCloudExplorer.java:57)
at com.dbeaver.cloud.model.navigator.DBNCloudServiceNode.readServiceInstances(DBNCloudServiceNode.java:92)
at com.dbeaver.cloud.model.navigator.DBNCloudServiceNode.getChildren(DBNCloudServiceNode.java:79)
at org.jkiss.dbeaver.model.navigator.DBNUtils.getNodeChildrenFiltered(DBNUtils.java:91)
at io.cloudbeaver.service.navigator.impl.WebServiceNavigator.getNavigatorNodeChildren(WebServiceNavigator.java:103)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:568)

[EvgeniaBzzz]

Hi @suiciety
If I got it ritght, you already have one user (local auth) and trying to login with the second user (microsoft entra).

Please try to specify the Azure username (e.g., email) as admin during the initial server configuration.
So you can use Azure username with password for local auth. And then configure Azure identitiy provider and login with federated provider. It will be the same user for CloudBeaver.

[EvgeniaBzzz]

Hi @suiciety
Did you manage to log in?

[suiciety]

Hi,
I've reset the configuration a few times and tried with both my upn and email address as the primary account but with no luck. It still errors out with the same exceeded limit message.

[EvgeniaBzzz]

@suiciety
Please, try this:

• login to the CloudBeaver with your local user;
• check, that Azure provider is configured and enabled in admin panel;
• on the main page of the application press Connection - Cloud connection and select Azure
• try to expand Azure in Cloud explorer
  • here you should see Additional auth window
• login with your Azure user
  So there will be additional authentication that allows you to use cloud connections even if you logged in to the application as local user.

[EvgeniaBzzz]

Hi @suiciety
Any news here?

[EvgeniaBzzz]

I suppose you have a summer break now :)
Additional authentication should work for your case.
I'm closing this issue, but feel free to reopen it if you encounter any futher difficulties.

[suiciety]

Hi,

Sorry for the late reply, I can authenticate to Azure and see this list but whenever I try to expand the selection I get the same error.

org.jkiss.dbeaver.DBException: Azure authentication is available in Azure AD session only
	at com.dbeaver.net.auth.azure.AuthModelAzureCredentials.getAccessCredentials(AuthModelAzureCredentials.java:184)
	at com.dbeaver.net.auth.azure.AuthModelAzureCredentials.authenticateWithToken(AuthModelAzureCredentials.java:125)
	at com.dbeaver.cloud.azure.sql.AzureCloudSQLServerInstance.list(AzureCloudSQLServerInstance.java:51)
	at com.dbeaver.cloud.azure.AzureCloudExplorer.getDatabaseInstances(AzureCloudExplorer.java:57)
	at com.dbeaver.cloud.model.navigator.DBNCloudServiceNode.readServiceInstances(DBNCloudServiceNode.java:92)
	at com.dbeaver.cloud.model.navigator.DBNCloudServiceNode.getChildren(DBNCloudServiceNode.java:79)
	at org.jkiss.dbeaver.model.navigator.DBNUtils.getNodeChildrenFiltered(DBNUtils.java:91)
	at io.cloudbeaver.service.navigator.impl.WebServiceNavigator.getNavigatorNodeChildren(WebServiceNavigator.java:103)
	at jdk.internal.reflect.GeneratedMethodAccessor133.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)

[EvgeniaBzzz]

@suiciety
It may be related to the Azure authentication feature. Some functions require multifactor authentication.
Probably you can find such an error in server log:

ERROR i.c.a.p.m.e.o.WebMicrosoftEntraIDUtils - Error getting oauth token from response: invalid_grant;AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access

Please, try to enable this option in Identity provider

The steps should look like this:

• login as local user
• press Connection - Cloud explorer
  -> cloud explorer window appears
• expand Azure folder
  -> additional authentication window appears with Azure provider in the list
• press on Azure in the list
  -> you will be redirected to microsoft service where you'll have to pass 2FA (e.g. code to email and code to authenticator app on the phone)
• if additional authentication is successful, a list of drivers will appear. Expand and create needed driver.

[EvgeniaBzzz]

I would be grateful for the feedback 🦫

[suiciety]

I am also the Azure admin of the domain in question, are you saying that I need to enforce MFA using conditional access for Cloudbeaver specifically or for Azure?

[EvgeniaBzzz]

For some actions Microsoft Entra ID require MFA. It became mandatory in July 2024.

So first you should enable and set MFA in Azure.
And then enable 'Provide access to databases from Azure Cloud' in your configured Microsoft Entra provider on CloudBeaver.

[EvgeniaBzzz]

Hi @suiciety
How's it going?

[EvgeniaBzzz]

Will close it for now. Please feel free to ask to reopen the ticket if it is still actual for you.