Within Azure, an Entra App was created and configured as described
Within Teleskope, you have a Teleskope Account with the Admin role
Permissions
1. Grant the Teleskope App the following roles:
SQL Server Contributor
SQL Managed Instance Contributor
2. Create a Teleskope user on each database
Teleskope Database User
For each SQL instance you would like to scan using Teleskope, you will need to create/provide credentials for a database user, and grant that user permissions.
Create Teleskope User
Create Database User (Without IAM Authentication)
CREATE LOGIN teleskope WITH PASSWORD = '****PASSWORD****';
CREATE USER teleskope FOR LOGIN teleskope;
Grant Read Access to Teleskope user
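-- Server-level permission: run in master and grant it to the login created above
GRANT VIEW ANY DATABASE TO teleskope;
DECLARE @sql NVARCHAR(MAX);
SET @sql = N'';
-- Generate the dynamic SQL for each database: create the user if it is missing, then grant SELECT.
-- QUOTENAME escapes database names that contain ']' or other special characters.
-- USE switches databases on SQL Server and SQL Managed Instance; Azure SQL Database does not
-- support it, so there connect to each database and run the CREATE USER / GRANT statements directly.
SELECT @sql += N'USE ' + QUOTENAME(name) + N'; '
    + N'IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N''teleskope'') '
    + N'CREATE USER teleskope FOR LOGIN teleskope; '
    + N'GRANT SELECT TO teleskope;' + CHAR(13)
FROM sys.databases
WHERE state = 0 AND name NOT IN ('master', 'tempdb', 'model', 'msdb'); -- Online databases only (state = 0); exclude system databases
-- Execute the generated SQL
EXEC sp_executesql @sql;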
Grant Write Access to Teleskope user (optional)
DECLARE @sql NVARCHAR(MAX);
SET @sql = N'';
-- Generate the dynamic SQL for each database
-- QUOTENAME escapes database names that contain ']' or other special characters
SELECT @sql +=
N'USE ' + QUOTENAME(name) + N';
GRANT UPDATE TO teleskope;
GRANT DELETE TO teleskope;' + CHAR(13)
FROM sys.databases
WHERE state = 0 AND name NOT IN ('master', 'tempdb', 'model', 'msdb'); -- Online databases only (state = 0); exclude system databases
-- Execute the generated SQL
EXEC sp_executesql @sql;
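Verify Granted Permissions (added example)
The query below is an added example, not part of the Teleskope documentation: it lists every explicit database-level permission held by the scanning user in each user database, so you can confirm that only the read grants (and, if chosen, the optional write grants) are present. It assumes the user name teleskope from the CREATE USER statement above and an instance where three-part names work (SQL Server, SQL Managed Instance); the temp table #grants and the assessment labels are names chosen for this example.

```sql
-- Added example: audit the explicit permissions of the scanning user per database.
-- Assumption: the user is named 'teleskope', as in the CREATE USER statement above.
DECLARE @principal SYSNAME = N'teleskope';
DECLARE @sql NVARCHAR(MAX) = N'';

-- Collects one row per (database, permission) for the principal.
CREATE TABLE #grants (
    database_name   SYSNAME,
    permission_name NVARCHAR(128),
    state_desc      NVARCHAR(60),
    class_desc      NVARCHAR(60)
);

-- Build one INSERT per online user database (same filter as the grant scripts).
-- QUOTENAME(name, '''') yields a safely quoted string literal, QUOTENAME(name) a bracketed identifier.
SELECT @sql += N'
INSERT INTO #grants
SELECT ' + QUOTENAME(name, '''') + N', p.permission_name, p.state_desc, p.class_desc
FROM ' + QUOTENAME(name) + N'.sys.database_permissions AS p
JOIN ' + QUOTENAME(name) + N'.sys.database_principals AS u
  ON u.principal_id = p.grantee_principal_id
WHERE u.name = @principal;'
FROM sys.databases
WHERE state = 0 AND name NOT IN ('master', 'tempdb', 'model', 'msdb');

-- The principal name is passed as a parameter, not concatenated into the SQL text.
EXEC sp_executesql @sql, N'@principal SYSNAME', @principal = @principal;

-- CONNECT is granted automatically by CREATE USER; SELECT comes from the read step;
-- UPDATE and DELETE appear only if the optional write step was run.
-- Anything else was granted outside this procedure and should be reviewed.
-- Role memberships (for example db_datareader) are not listed in sys.database_permissions.
SELECT database_name,
       permission_name,
       state_desc,
       class_desc,
       CASE
           WHEN permission_name IN ('CONNECT', 'SELECT') THEN 'read scope'
           WHEN permission_name IN ('UPDATE', 'DELETE')  THEN 'optional write scope'
           ELSE 'UNEXPECTED'
       END AS assessment
FROM #grants
ORDER BY database_name, permission_name;

DROP TABLE #grants;
```

A user database that returns no rows has no teleskope user and will not be scannable with these credentials.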