Azure · jsntcy · Dec 23, 2020 · Apr 27, 2020 · Apr 28, 2020 · Apr 30, 2020
@@ -3,8 +3,8 @@
 # Licensed under the MIT License. See License.txt in the project root for license information.
 # --------------------------------------------------------------------------------------------
 
-def cf_synapse(cli_ctx, *_):
 
+def cf_synapse(cli_ctx, *_):
     from azure.cli.core.commands.client_factory import get_mgmt_service_client
     from azure.mgmt.synapse import SynapseManagementClient
     return get_mgmt_service_client(cli_ctx, SynapseManagementClient)
@@ -14,6 +14,10 @@ def cf_synapse_client_workspace_factory(cli_ctx, *_):
     return cf_synapse(cli_ctx).workspaces
 
 
+def cf_synapse_client_workspace_aad_admins_factory(cli_ctx, *_):
+    return cf_synapse(cli_ctx).workspace_aad_admins
+
+
 def cf_synapse_client_bigdatapool_factory(cli_ctx, *_):
     return cf_synapse(cli_ctx).big_data_pools
 
@@ -42,6 +46,10 @@ def cf_synapse_client_sqlpool_blob_auditing_policies_factory(cli_ctx, *_):
     return cf_synapse(cli_ctx).sql_pool_blob_auditing_policies
 
 
+def cf_synapse_client_sqlserver_blob_auditing_policies_factory(cli_ctx, *_):
+    return cf_synapse(cli_ctx).workspace_managed_sql_server_blob_auditing_policies
+
+
 def cf_synapse_client_ipfirewallrules_factory(cli_ctx, *_):
     return cf_synapse(cli_ctx).ip_firewall_rules
 

@@ -159,6 +159,96 @@
 short-summary: Manage SQL pools.
 """
 
+helps['synapse sql ad-admin'] = """
+type: group
+short-summary: Manage SQL Active Directory administrator.
+"""
+
+helps['synapse sql ad-admin show'] = """
+type: command
+short-summary: Get the SQL Azure Active Directory administrator.
+examples:
+  - name: Get the SQL Azure Active admin.
+    text: |-
+        az synapse sql ad-admin show --workspace-name testsynapseworkspace --resource-group rg
+"""
+
+helps['synapse sql ad-admin create'] = """
+type: command
+short-summary: Create the SQL Azure Active Directory administrator.
+examples:
+  - name: Create the SQL Azure Active admin.
+    text: |-
+        az synapse sql ad-admin create --workspace-name testsynapseworkspace --resource-group rg \\
+        --display-name youraccount@yourdomain --object-id 00000000-0000-0000-0000-000000000000
+"""
+
+helps['synapse sql ad-admin update'] = """
+type: command
+short-summary: Update the SQL Azure Active Directory administrator.
+examples:
+  - name: Update the SQL Azure Active admin.
+    text: |-
+        az synapse sql ad-admin update --workspace-name testsynapseworkspace --resource-group rg \\
+        --display-name youraccount@yourdomain --object-id 00000000-0000-0000-0000-000000000000
+"""
+
+helps['synapse sql ad-admin delete'] = """
+type: command
+short-summary: Delete the SQL Azure Active Directory administrator.
+examples:
+  - name: Delete the SQL Azure Active admin.
+    text: |-
+        az synapse sql ad-admin delete --workspace-name testsynapseworkspace --resource-group rg
+"""
+
+helps['synapse sql ad-admin wait'] = """
+type: command
+short-summary: Place the CLI in a waiting state until a condition is met.
+"""
+
+helps['synapse sql audit-policy'] = """
+type: group
+short-summary: Manage SQL auditing policy.
+"""
+
+helps['synapse sql audit-policy show'] = """
+type: command
+short-summary: Get a SQL's auditing policy.
+examples:
+  - name: Get a SQL's auditing policy.
+    text: |-
+        az synapse sql audit-policy show --workspace-name testsynapseworkspace --resource-group rg
+"""
+
+helps['synapse sql audit-policy update'] = """
+type: command
+short-summary: Update a SQL's auditing policy.
+long-summary: If the policy is being enabled, `--storage-account` or both `--storage-endpoint` and `--storage-key` must be specified.
+examples:
+  - name: Enable by storage account name.
+    text: |-
+        az synapse sql audit-policy update --workspace-name testsynapseworkspace --resource-group rg \\
+        --state Enabled --storage-account mystorageaccount
+  - name: Enable by storage endpoint and key.
+    text: |-
+        az synapse sql audit-policy update --workspace-name testsynapseworkspace --resource-group rg \\
+        --state Enabled --storage-endpoint https://mystorage.blob.core.windows.net --storage-key MYKEY==
+  - name: Set the list of audit actions.
+    text: |
+        az synapse sql audit-policy update --workspace-name testsynapseworkspace --resource-group rg \\
+        --actions FAILED_DATABASE_AUTHENTICATION_GROUP 'UPDATE on database::mydb by public'
+  - name: Disable an auditing policy.
+    text: |-
+        az synapse sql audit-policy update --workspace-name testsynapseworkspace --resource-group rg \\
+        --state Disabled
+"""
+
+helps['synapse sql audit-policy wait'] = """
+type: command
+short-summary: Place the CLI in a waiting state until a condition is met.
+"""
+
 helps['synapse sql pool'] = """
 type: group
 short-summary: Manage SQL pools.
@@ -469,6 +559,16 @@
         --resource-group rg --start-ip-address 0.0.0.0 --end-ip-address 255.255.255.255
 """
 
+helps['synapse workspace firewall-rule update'] = """
+type: command
+short-summary: Update a firewall rule.
+examples:
+  - name: Update a firewall rule.
+    text: |-
+        az synapse workspace firewall-rule update --name allowAll --workspace-name testsynapseworkspace \\
+        --resource-group rg --start-ip-address 172.0.0.0
+"""
+
 helps['synapse workspace firewall-rule show'] = """
 type: command
 short-summary: Get a firewall rule.

@@ -2,12 +2,13 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License. See License.txt in the project root for license information.
 # --------------------------------------------------------------------------------------------
-# pylint: disable=too-many-statements, line-too-long
+# pylint: disable=too-many-statements, line-too-long, too-many-branches
 from knack.arguments import CLIArgumentType
 from argcomplete import FilesCompleter
 from azure.mgmt.synapse.models import TransparentDataEncryptionStatus, SecurityAlertPolicyState, BlobAuditingPolicyState
 from azure.cli.core.commands.parameters import name_type, tags_type, get_three_state_flag, get_enum_type, \
-    get_resource_name_completion_list
+    get_resource_name_completion_list, get_location_type
+from azure.cli.core.commands.validators import get_default_location_from_resource_group
 from azure.cli.core.util import get_json_object, shell_safe_json_parse
 from ._validators import validate_storage_account, validate_statement_language
 from ._completers import get_role_definition_name_completion_list
@@ -58,6 +59,7 @@ def load_arguments(self, _):
             c.argument('tags', arg_type=tags_type)
 
     with self.argument_context('synapse workspace create') as c:
+        c.argument('location', get_location_type(self.cli_ctx), validator=get_default_location_from_resource_group)
         c.argument("storage_account", validator=validate_storage_account,
                    help='The data lake storage account name or resource id.')
         c.argument('file_system', help='The file system of the data lake storage account.')
@@ -232,6 +234,7 @@ def load_arguments(self, _):
                    help='Threat detection policy state',
                    arg_type=get_enum_type(SecurityAlertPolicyState))
         c.argument('retention_days',
+                   type=int,
                    arg_group=policy_arg_group,
                    help='The number of days to retain threat detection logs.')
         c.argument('disabled_alerts',
@@ -251,29 +254,45 @@ def load_arguments(self, _):
     with self.argument_context('synapse sql pool audit-policy') as c:
         c.argument('sql_pool_name', arg_type=name_type, id_part='child_name_1', help='The SQL pool name.')
 
-    with self.argument_context('synapse sql pool audit-policy update') as c:
-        _configure_security_or_audit_policy_storage_params(c)
-        c.argument('storage_account_subscription_id', arg_group=storage_arg_group,
-                   options_list=['--storage-subscription'],
-                   help='The subscription id of storage account')
-        c.argument('is_storage_secondary_key_in_use', arg_group=storage_arg_group,
-                   arg_type=get_three_state_flag(), options_list=['--use-secondary-key'],
-                   help='Indicates whether using the secondary storeage key or not')
-        c.argument('is_azure_monitor_target_enabled', options_list=['--enable-azure-monitor'],
-                   help='Whether enabling azure monitor target or not.',
-                   arg_type=get_three_state_flag())
-        c.argument('state',
-                   arg_group=policy_arg_group,
-                   help='Auditing policy state',
-                   arg_type=get_enum_type(BlobAuditingPolicyState))
-        c.argument('audit_actions_and_groups',
-                   options_list=['--actions'],
-                   arg_group=policy_arg_group,
-                   help='List of actions and action groups to audit.',
-                   nargs='+')
-        c.argument('retention_days',
-                   arg_group=policy_arg_group,
-                   help='The number of days to retain audit logs.')
+    for scope in ['synapse sql pool audit-policy', 'synapse sql audit-policy']:
+        with self.argument_context(scope + ' update') as c:
+            _configure_security_or_audit_policy_storage_params(c)
+            c.argument('storage_account_subscription_id', arg_group=storage_arg_group,
+                       options_list=['--storage-subscription'],
+                       help='The subscription id of storage account')
+            c.argument('is_storage_secondary_key_in_use', arg_group=storage_arg_group,
+                       arg_type=get_three_state_flag(), options_list=['--use-secondary-key'],
+                       help='Indicates whether using the secondary storeage key or not')
+            c.argument('is_azure_monitor_target_enabled', options_list=['--enable-azure-monitor'],
+                       help='Whether enabling azure monitor target or not.',
+                       arg_type=get_three_state_flag())
+            c.argument('state',
+                       arg_group=policy_arg_group,
+                       help='Auditing policy state',
+                       arg_type=get_enum_type(BlobAuditingPolicyState))
+            c.argument('audit_actions_and_groups',
+                       options_list=['--actions'],
+                       arg_group=policy_arg_group,
+                       help='List of actions and action groups to audit.',
+                       nargs='+')
+            c.argument('retention_days',
+                       type=int,
+                       arg_group=policy_arg_group,
+                       help='The number of days to retain audit logs.')
+
+    with self.argument_context('synapse sql audit-policy update') as c:
+        c.argument('queue_delay_milliseconds', type=int,
+                   options_list=['--queue-delay-time', '--queue-delay-milliseconds'],
+                   help='The amount of time in milliseconds that can elapse before audit actions are forced to be processed')
+
+    with self.argument_context('synapse sql ad-admin') as c:
+        c.argument('workspace_name', help='The workspace name.')
+    for scope in ['create', 'update']:
+        with self.argument_context('synapse sql ad-admin ' + scope) as c:
+            c.argument('login_name', options_list=['--display-name', '-u'],
+                       help='Display name of the Azure AD administrator user or group.')
+            c.argument('object_id', options_list=['--object-id', '-i'],
+                       help='The unique ID of the Azure AD administrator.')
 
     # synapse workspace firewall-rule
     with self.argument_context('synapse workspace firewall-rule') as c:
@@ -282,14 +301,15 @@ def load_arguments(self, _):
     with self.argument_context('synapse workspace firewall-rule list') as c:
         c.argument('workspace_name', id_part=None, help='The workspace name.')
 
-    for scope in ['show', 'create', 'delete']:
+    for scope in ['show', 'create', 'update', 'delete']:
         with self.argument_context('synapse workspace firewall-rule ' + scope) as c:
             c.argument('rule_name', arg_type=name_type, id_part='child_name_1', help='The IP firewall rule name')
 
-    with self.argument_context('synapse workspace firewall-rule create') as c:
-        c.argument('start_ip_address', help='The start IP address of the firewall rule. Must be IPv4 format.')
-        c.argument('end_ip_address', help='The end IP address of the firewall rule. Must be IPv4 format. '
-                                          'Must be greater than or equal to startIpAddress.')
+    for scope in ['create', 'update']:
+        with self.argument_context('synapse workspace firewall-rule ' + scope) as c:
+            c.argument('start_ip_address', help='The start IP address of the firewall rule. Must be IPv4 format.')
+            c.argument('end_ip_address', help='The end IP address of the firewall rule. Must be IPv4 format. '
+                                              'Must be greater than or equal to startIpAddress.')
 
     # synapse spark job
     for scope in ['job', 'session', 'statement']:

@@ -4,6 +4,7 @@
 # --------------------------------------------------------------------------------------------
 
 # pylint: disable=line-too-long
+from knack.util import CLIError
 from msrestazure.tools import is_valid_resource_id
 
 
@@ -42,3 +43,11 @@ def validate_statement_language(namespace):
         'sql': 'sql'
     }
     namespace.language = statement_language.get(namespace.language.lower())
+
+
+def validate_audit_policy_arguments(namespace):
+    blob_storage_arguments_provided = any(
+        [namespace.storage_account, namespace.storage_endpoint, namespace.storage_account_access_key,
+         namespace.retention_days])
+    if not namespace.state and not blob_storage_arguments_provided:
+        raise CLIError('Either state or blob storage arguments are missing')
@@ -3,6 +3,7 @@
 # Licensed under the MIT License. See License.txt in the project root for license information.
 # --------------------------------------------------------------------------------------------
 from azure.cli.core.commands import CliCommandType
+from ._validators import validate_audit_policy_arguments
 
 
 # pylint: disable=line-too-long, too-many-statements, too-many-locals
@@ -17,6 +18,8 @@ def load_command_table(self, _):
     from ._client_factory import cf_synapse_client_sqlpool_transparent_data_encryptions_factory
     from ._client_factory import cf_synapse_client_sqlpool_security_alert_policies_factory
     from ._client_factory import cf_synapse_client_sqlpool_blob_auditing_policies_factory
+    from ._client_factory import cf_synapse_client_workspace_aad_admins_factory
+    from ._client_factory import cf_synapse_client_sqlserver_blob_auditing_policies_factory
 
     def get_custom_sdk(custom_module, client_factory):
         return CliCommandType(
@@ -36,6 +39,10 @@ def get_custom_sdk(custom_module, client_factory):
         operations_tmpl='azure.mgmt.synapse.operations#BigDataPoolsOperations.{}',
         client_factory=cf_synapse_client_bigdatapool_factory)
 
+    synapse_workspace_aad_admin_sdk = CliCommandType(
+        operations_tmpl='azure.mgmt.synapse.operations#WorkspaceAadAdminsOperations.{}'
+    )
+
     synapse_sqlpool_sdk = CliCommandType(
         operations_tmpl='azure.mgmt.synapse.operations#SqlPoolsOperations.{}',
         client_factory=cf_synapse_client_sqlpool_factory)
@@ -55,7 +62,7 @@ def get_custom_sdk(custom_module, client_factory):
         operations_tmpl='azure.mgmt.synapse.operations#SqlPoolTransparentDataEncryptionsOperations.{}',
         client_factory=cf_synapse_client_sqlpool_transparent_data_encryptions_factory)
 
-    # Threat Policy operation
+    # Threat policy operation
     synapse_sqlpool_security_alert_policies_sdk = CliCommandType(
         operations_tmpl='azure.mgmt.synapse.operations#SqlPoolSecurityAlertPoliciesOperations.{}',
         client_factory=cf_synapse_client_sqlpool_security_alert_policies_factory)
@@ -65,6 +72,11 @@ def get_custom_sdk(custom_module, client_factory):
         operations_tmpl='azure.mgmt.synapse.operations#SqlPoolBlobAuditingPoliciesOperations.{}',
         client_factory=cf_synapse_client_sqlpool_blob_auditing_policies_factory)
 
+    # Workspace managed sql server audit policy operation
+    synapse_workspace_managed_sqlserver_blob_auditing_policies_sdk = CliCommandType(
+        operations_tmpl='azure.mgmt.synapse.operations#WorkspaceManagedSqlServerBlobAuditingPoliciesOperations.{}',
+        client_factory=cf_synapse_client_sqlserver_blob_auditing_policies_factory)
+
     synapse_firewallrules_sdk = CliCommandType(
         operations_tmpl='azure.mgmt.synapse.operations#IpFirewallRulesOperations.{}',
         client_factory=cf_synapse_client_ipfirewallrules_factory)
@@ -198,7 +210,31 @@ def get_custom_sdk(custom_module, client_factory):
                                                                cf_synapse_client_sqlpool_blob_auditing_policies_factory),
                             client_factory=cf_synapse_client_sqlpool_blob_auditing_policies_factory) as g:
         g.show_command('show', 'get')
-        g.generic_update_command('update', custom_func_name='sqlpool_blob_auditing_policy_update')
+        g.generic_update_command('update', custom_func_name='sqlpool_blob_auditing_policy_update',
+                                 validator=validate_audit_policy_arguments)
+
+    # Management Plane Commands --Sql Ad-Admin
+    with self.command_group('synapse sql ad-admin', command_type=synapse_workspace_aad_admin_sdk,
+                            custom_command_type=get_custom_sdk('workspacesqlaadadmin',
+                                                               cf_synapse_client_workspace_aad_admins_factory),
+                            client_factory=cf_synapse_client_workspace_aad_admins_factory) as g:
+        g.show_command('show', 'get')
+        g.custom_command('create', 'create_workspace_sql_aad_admin', supports_no_wait=True)
+        g.generic_update_command('update', custom_func_name='update_workspace_sql_aad_admin',
+                                 setter_arg_name='aad_admin_info', supports_no_wait=True)
+        g.command('delete', 'delete', confirmation=True, supports_no_wait=True)
+        g.wait_command('wait')
+
+    # Management Plane Commands --Sql audit-policy
+    with self.command_group('synapse sql audit-policy',
+                            command_type=synapse_workspace_managed_sqlserver_blob_auditing_policies_sdk,
+                            custom_command_type=get_custom_sdk('sqlpoolblobauditingpolicy',
+                                                               cf_synapse_client_sqlserver_blob_auditing_policies_factory),
+                            client_factory=cf_synapse_client_sqlserver_blob_auditing_policies_factory) as g:
+        g.show_command('show', 'get')
+        g.generic_update_command('update', custom_func_name='sqlserver_blob_auditing_policy_update',
+                                 supports_no_wait=True, validator=validate_audit_policy_arguments)
+        g.wait_command('wait')
 
     # Management Plane Commands --FirewallRule
     with self.command_group('synapse workspace firewall-rule', command_type=synapse_firewallrules_sdk,
@@ -207,6 +243,7 @@ def get_custom_sdk(custom_module, client_factory):
         g.command('list', 'list_by_workspace')
         g.show_command('show', 'get')
         g.custom_command('create', 'create_firewall_rule', supports_no_wait=True)
+        g.custom_command('update', 'update_firewall_rule', supports_no_wait=True)
         g.command('delete', 'delete', confirmation=True, supports_no_wait=True)
         g.wait_command('wait')
 

@@ -11,6 +11,7 @@
 SPARK_DOTNET_ASSEMBLY_SEARCH_PATHS_KEY = 'spark.yarn.appMasterEnv.DOTNET_ASSEMBLY_SEARCH_PATHS'
 SPARK_DOTNET_UDFS_FOLDER_NAME = 'udfs'
 SPARK_SERVICE_ENDPOINT_API_VERSION = '2019-11-01-priview'
+AdministratorType = "activeDirectory"
 
 
 class SynapseSqlCreateMode(str, Enum):