# Managed identity
Security · SQL Managed Instance · Rule · 2023_03 · Important
Ensure managed identity is used to allow support for Azure AD authentication.
## Description
A managed identity is required for allowing support for Azure AD authentication in SQL Managed Instance.
You must enable the instance identity (SMI or UMI) to allow support for Azure AD authentication in SQL Managed Instance.
Additionally, a managed identity is required for transparent data encryption with customer-managed key.
## Recommendation
Consider configuring a managed identity to allow support for Azure AD authentication.
## Examples
### Configure with Bicep
To deploy SQL Managed Instances that pass this rule:
- Set `identity.type` to `SystemAssigned`, `UserAssigned`, or `SystemAssigned,UserAssigned`.
- If `identity.type` is `UserAssigned` or `SystemAssigned,UserAssigned`, reference the identity with `identity.userAssignedIdentities`.
For example:
```bicep
resource managedInstance 'Microsoft.Sql/managedInstances@2023-08-01' = {
  name: name
  location: location
  // A system-assigned identity satisfies this rule; a user-assigned identity
  // would additionally need identity.userAssignedIdentities.
  identity: {
    type: 'SystemAssigned'
  }
  sku: {
    name: 'GP_Gen5'
  }
  properties: {
    administrators: {
      administratorType: 'ActiveDirectory'
      azureADOnlyAuthentication: true
      login: login
      sid: sid
      principalType: 'Group'
      tenantId: tenant().tenantId
    }
    maintenanceConfigurationId: maintenanceWindow.id
  }
}
```
### Configure with Azure template
To deploy SQL Managed Instances that pass this rule:
- Set `identity.type` to `SystemAssigned`, `UserAssigned`, or `SystemAssigned,UserAssigned`.
- If `identity.type` is `UserAssigned` or `SystemAssigned,UserAssigned`, reference the identity with `identity.userAssignedIdentities`.
For example:
```json
{
  "type": "Microsoft.Sql/managedInstances",
  "apiVersion": "2023-08-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned"
  },
  "sku": {
    "name": "GP_Gen5"
  },
  "properties": {
    "administrators": {
      "administratorType": "ActiveDirectory",
      "azureADOnlyAuthentication": true,
      "login": "[parameters('login')]",
      "sid": "[parameters('sid')]",
      "principalType": "Group",
      "tenantId": "[tenant().tenantId]"
    },
    "maintenanceConfigurationId": "[subscriptionResourceId('Microsoft.Maintenance/publicMaintenanceConfigurations', 'SQL_WestEurope_MI_1')]"
  }
}
```
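The two conditions above (an accepted `identity.type`, and `identity.userAssignedIdentities` populated whenever `UserAssigned` is part of the type) can be checked offline against an ARM template before deployment. The following is an added example written for this page, not PSRule for Azure's own rule implementation; the template it evaluates is constructed inline and the resource names in it are invented.

```python
import json
from typing import Any, Dict, List

# Identity type parts this rule accepts; order inside a comma-separated value does not matter.
ALLOWED_PARTS = {"SystemAssigned", "UserAssigned"}


def check_managed_identity(resource: Dict[str, Any]) -> List[str]:
    """Return findings for one ARM resource object; an empty list means it passes."""
    if str(resource.get("type", "")).lower() != "microsoft.sql/managedinstances":
        return ["not a Microsoft.Sql/managedInstances resource"]
    identity = resource.get("identity") or {}
    raw_type = str(identity.get("type", "None"))
    # Normalise values such as 'SystemAssigned, UserAssigned' into a set of parts.
    parts = {p.strip() for p in raw_type.split(",") if p.strip()}
    if not parts or parts == {"None"} or not parts <= ALLOWED_PARTS:
        return [f"identity.type is '{raw_type}'; expected SystemAssigned, "
                "UserAssigned or SystemAssigned,UserAssigned"]
    if "UserAssigned" in parts and not identity.get("userAssignedIdentities"):
        return ["identity.type includes UserAssigned but "
                "identity.userAssignedIdentities is empty"]
    return []


def check_template(template_json: str) -> Dict[str, List[str]]:
    """Evaluate every managed instance in an ARM template, keyed by resource name."""
    template = json.loads(template_json)
    return {r.get("name", "?"): check_managed_identity(r)
            for r in template.get("resources", [])
            if str(r.get("type", "")).lower() == "microsoft.sql/managedinstances"}


# Constructed sample template: one passing instance and two that fail the rule.
SAMPLE_TEMPLATE = json.dumps({"resources": [
    {"type": "Microsoft.Sql/managedInstances", "name": "mi-pass",
     "identity": {"type": "SystemAssigned"}},
    {"type": "Microsoft.Sql/managedInstances", "name": "mi-no-identity"},
    {"type": "Microsoft.Sql/managedInstances", "name": "mi-umi-unreferenced",
     "identity": {"type": "SystemAssigned, UserAssigned"}},
]})

if __name__ == "__main__":
    for name, findings in check_template(SAMPLE_TEMPLATE).items():
        print(name, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```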
## Notes
To grant permissions to access Microsoft Graph through an SMI or a UMI, you need to use PowerShell. You can't grant these permissions by using the Azure portal.
## Links
- Use identity-based authentication
- Managed identities in Azure AD for Azure SQL Managed Instance
- Azure deployment reference