Link the Microsoft Azure and Oracle Accounts

A Microsoft Azure administrator must first onboard, or link, an Azure environment with Oracle Database Service for Microsoft Azure (OracleDB for Azure). Once that process completes, the administrator and database administrators or developers use the OracleDB for Azure Portal to provision Oracle Cloud Infrastructure (OCI) database products for use in the onboarded Azure environment.

During account linking, OracleDB for Azure creates the configuration that connects an Azure tenancy to an OCI tenancy. You must complete this step before accessing the OracleDB for Azure Portal. Account linking accomplishes the following:

  • Creates OracleDB for Azure groups in the Azure Active Directory.
  • Creates an Oracle Database Service Enterprise Application and custom roles in the Azure tenant’s Azure Active Directory.

The following options are available to link Azure with OCI.
  • Automated Configuration: You consent to a complete set of permissions and the workflow is fully automated to configure the Oracle Database Service for Microsoft Azure (OracleDB for Azure) Portal, including Identity Federation. The Azure user onboarding to OracleDB for Azure must be an Administrator in Azure and is assigned as an Owner for each Azure subscription linked to OracleDB for Azure.
  • Guided Configuration: You can choose to automate Roles and Subscription setup and Identity Federation independently.

Use Automated Configuration to Link the Accounts

If you have an OCI tenancy, then a Microsoft Azure administrator can sign up for Oracle Database Service for Microsoft Azure (OracleDB for Azure) and use the automated configuration to onboard and link an Azure environment with OracleDB for Azure.

  1. As an Azure Administrator, go to the sign up website at https://signup.multicloud.oracle.com/azure
  2. Sign into your Azure account using your Azure credentials.
  3. Grant OracleDB for Azure the permissions it needs to initiate the account link with Azure.
  4. On the Welcome to Oracle Database Service for Microsoft Azure page, read the information provided, then click Start fully automated configuration.
  5. Read the Permissions requested and click Accept to grant the permissions.
    These permissions are needed for the account linking and service configuration tasks that are done on your behalf during the fully-automated sign up.
  6. Select one or more Azure subscriptions to link to OCI through OracleDB for Azure, then click Continue.
  7. Enter your Oracle Cloud account name on the Sign in to your Oracle Cloud account page.
  8. Read and agree to the terms of the Linking Azure and Oracle Cloud accounts document. Click the link for the document to read it, then select the check box beside the link to agree to the terms. Click Continue.
  9. Enter your OCI User Name and Password on the Oracle Cloud Account Sign In page, then click Sign in.
  10. Click Continue.
    The automated account linking process begins and usually takes 3-5 minutes to complete.

When the automated service configuration completes successfully, you're directed to the OracleDB for Azure Portal.

Enable Identity Federation

Enable identity federation between Azure and OCI to allow OracleDB for Azure users to use a single set of credentials to log into both cloud environments to perform tasks.

When using identity federation with Oracle Cloud Infrastructure Identity and Access Management, Azure users must have last names and email addresses in the Azure Active Directory.

Automated Configuration creates identity federation for you. Identity federation is optional with Guided Account Linking.

Add Oracle Users in Microsoft Azure

Oracle Database Service for Microsoft Azure creates user groups in Azure Active Directory (AAD) during the initial account linking stage of your OracleDB for Azure sign up.

Upon completion of the cloud linking, two new tiles appear at the top of the OracleDB for Azure Portal, to assign roles and link your subscriptions.

To complete the sign up process for OracleDB for Azure, you will need an Azure user account with administration privileges and ownership of the Azure subscriptions you want to link to OCI.

The following Azure roles have sufficient privileges to sign up and can be removed once sign up is complete:
  • Global Administrator
  • Application Administrator
  • Cloud Application Administrator
  • Privileged Role Administrator

Perform the following tasks sequentially:

  1. Assign OracleDB for Azure Enterprise Application Azure Resource Manager (ARM) roles to users in Azure Active Directory.

    You can assign Azure users to the appropriate OracleDB for Azure user groups in Azure Active Directory to enable access to database and infrastructure resources at a granular level. By doing so, users are assigned to the OracleDB for Azure Enterprise Application and to the related ARM role for the Oracle Database Service enterprise application.

    1. In the Azure Portal, search for the Enterprise Application Oracle Database Service, then select it from the list.
      This takes you to the Enterprise Application Oracle Database Service Overview page.
    2. In the list of enterprise applications, click Oracle Database Service to view the application's Overview page.
    3. Click Assign users and groups, then click + Add user/group.
      The Add Assignment page is displayed.
    4. In the Users panel, find and select the users you want to assign, then click Select. Under Select a role, click None Selected, then select the ARM role you are assigning to the user.
  2. Assign OracleDB for Azure ARM roles to users within an Azure subscription.
    OracleDB for Azure users require the Contributor ARM role for each subscription in which they will be managing OracleDB for Azure resources, as well as the ARM roles for OracleDB for Azure for networking, events and monitoring metrics found in the documentation. Assign the user the Contributor role on each subscription in which the user will access OracleDB for Azure. As a contributor, the user has full access to manage OracleDB for Azure resources including databases, database system infrastructure, and networking, but cannot assign roles in Azure role-based access control (RBAC) to other Azure users.
    1. Sign in to the Azure portal.
    2. Under Azure services, click Subscriptions.
      If you don't see Subscriptions here, use the search box to find it and navigate to the Subscriptions page.
    3. In the list of subscriptions, click the name of the subscription you want to manage to see details about the subscription.
    4. Click Access control (IAM) in the left panel.
    5. Click + Add, then click Add role assignment.
    6. Find the Contributor role and click View to see the role details.
    7. Click Members.
    8. In the Select members panel, select the Oracle Database Service enterprise application.
    9. In the Assign access to field, select User, group, or service principal.
    10. Click Review + assign and review the assignment details.
    11. Click the Review + assign button to confirm the assignment.
    12. Repeat these steps for the Network Contributor, Monitoring Metrics Publisher, and EventGrid Data Sender roles.
  3. Assign users to the appropriate OracleDB for Azure user groups.

    The user groups in this task are pre-configured during the OracleDB for Azure deployment. You are not responsible for creating the OracleDB for Azure user groups.

  4. In Azure Active Directory, add users to the OracleDB for Azure Groups.
    See the Microsoft Azure documentation for how to add users to groups.
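
To confirm the result of task 2, the following added example (not part of the Oracle documentation) checks that one principal holds all four subscription-level roles on every linked subscription. It assumes role assignments exported with `az role assignment list --all --output json`, of which it reads the `principalId`, `roleDefinitionName` and `scope` fields; the GUIDs, the `rg-db` resource group and the function names are constructed for illustration.

```python
# Roles the page says to assign on each linked subscription (task 2).
REQUIRED_ROLES = frozenset({
    "Contributor", "Network Contributor",
    "Monitoring Metrics Publisher", "EventGrid Data Sender",
})

def missing_roles(assignments, principal_id, subscription_ids):
    """Return {subscription_id: sorted missing role names} for one principal.

    Only assignments scoped exactly to /subscriptions/<id> count; a
    resource-group scope is narrower than what the procedure sets up.
    GUIDs and scopes are compared case-insensitively.
    """
    wanted = {s.lower(): s for s in subscription_ids}
    held = {s: set() for s in wanted}
    for a in assignments:
        if a.get("principalId", "").lower() != principal_id.lower():
            continue
        parts = a.get("scope", "").lower().strip("/").split("/")
        if len(parts) == 2 and parts[0] == "subscriptions" and parts[1] in held:
            held[parts[1]].add(a.get("roleDefinitionName"))
    return {wanted[s]: sorted(REQUIRED_ROLES - r) for s, r in held.items()}

# Constructed sample data; every GUID below is a placeholder.
APP = "11111111-1111-1111-1111-111111111111"    # object ID of the principal to check
OTHER = "22222222-2222-2222-2222-222222222222"  # unrelated principal
SUB_A = "aaaaaaaa-0000-0000-0000-000000000001"
SUB_B = "bbbbbbbb-0000-0000-0000-000000000002"

def _ra(pid, role, scope):
    return {"principalId": pid, "roleDefinitionName": role, "scope": scope}

SAMPLE = [
    _ra(APP, "Contributor", f"/subscriptions/{SUB_A}"),
    _ra(APP, "Network Contributor", f"/subscriptions/{SUB_A.upper()}"),
    _ra(APP, "Monitoring Metrics Publisher", f"/subscriptions/{SUB_A}"),
    _ra(APP, "EventGrid Data Sender", f"/subscriptions/{SUB_A}"),
    _ra(APP, "Contributor", f"/subscriptions/{SUB_B}"),
    # Resource-group scope: does not satisfy the subscription-level step.
    _ra(APP, "Network Contributor", f"/subscriptions/{SUB_B}/resourceGroups/rg-db"),
    # Held by a different principal: must not be credited to APP.
    _ra(OTHER, "Monitoring Metrics Publisher", f"/subscriptions/{SUB_B}"),
]

if __name__ == "__main__":
    for sub, gaps in missing_roles(SAMPLE, APP, [SUB_A, SUB_B]).items():
        print(sub, "OK" if not gaps else "missing: " + ", ".join(gaps))
```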