Managed identity
Security · SQL Managed Instance · Rule · 2023_03 · Important
Ensure a managed identity is configured so that the instance can support Azure AD authentication.
Description
A managed identity is required for SQL Managed Instance to support Azure AD authentication.
You must enable an instance identity, either a system-assigned managed identity (SMI) or a user-assigned managed identity (UMI), before Azure AD authentication can be used with SQL Managed Instance.
Additionally, a managed identity is required for transparent data encryption (TDE) with a customer-managed key.
Recommendation
Consider configuring a managed identity to allow support for Azure AD authentication.
Examples
Configure with Azure template
To deploy SQL Managed Instances that pass this rule:

- Set `identity.type` to `SystemAssigned`, `UserAssigned`, or `SystemAssigned,UserAssigned`.
- If `identity.type` is `UserAssigned` or `SystemAssigned,UserAssigned`, reference the identity with `identity.userAssignedIdentities`.

For example:
{
  "type": "Microsoft.Sql/managedInstances",
  "apiVersion": "2022-05-01-preview",
  "name": "[parameters('managedInstanceName')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned",
    "userAssignedIdentities": {}
  },
  "properties": {}
}
Configure with Bicep
To deploy SQL Managed Instances that pass this rule:

- Set `identity.type` to `SystemAssigned`, `UserAssigned`, or `SystemAssigned,UserAssigned`.
- If `identity.type` is `UserAssigned` or `SystemAssigned,UserAssigned`, reference the identity with `identity.userAssignedIdentities`.

For example:
resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' = {
  name: managedInstanceName
  location: location
  identity: {
    type: 'SystemAssigned'
    userAssignedIdentities: {}
  }
  properties: {}
}
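As an added example (not part of this page and not PSRule's own rule implementation), the following Python evaluates the two conditions listed in both sections above against the `Microsoft.Sql/managedInstances` resources in an ARM template: `identity.type` must be one of the three accepted values, and when it includes `UserAssigned`, `identity.userAssignedIdentities` must reference at least one identity. The template, resource names and identity resource ID are constructed sample input; the function names are this example's own.

```python
"""Check Microsoft.Sql/managedInstances resources in an ARM template for a managed identity.

Added example: mirrors the rule conditions stated on the page, not PSRule's own code.
"""
import json

# The three identity.type values the rule accepts.
VALID_TYPES = {"SystemAssigned", "UserAssigned", "SystemAssigned,UserAssigned"}

# Constructed sample template covering pass and fail cases.
SAMPLE_TEMPLATE = {
    "resources": [
        {   # passes: system-assigned identity
            "type": "Microsoft.Sql/managedInstances",
            "name": "mi-system",
            "identity": {"type": "SystemAssigned"},
            "properties": {},
        },
        {   # fails: no identity block at all
            "type": "Microsoft.Sql/managedInstances",
            "name": "mi-none",
            "properties": {},
        },
        {   # fails: UserAssigned declared but no identity referenced
            "type": "Microsoft.Sql/managedInstances",
            "name": "mi-user-empty",
            "identity": {"type": "UserAssigned", "userAssignedIdentities": {}},
            "properties": {},
        },
        {   # passes: both identity kinds, with a (constructed) UMI resource ID referenced
            "type": "Microsoft.Sql/managedInstances",
            "name": "mi-both",
            "identity": {
                "type": "systemassigned, userassigned",
                "userAssignedIdentities": {
                    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
                    "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/umi-example": {}
                },
            },
            "properties": {},
        },
        {   # ignored: not a managed instance
            "type": "Microsoft.Sql/servers",
            "name": "sql-logical",
            "properties": {},
        },
    ]
}


def normalize_type(identity_type):
    """Canonicalise identity.type: ARM accepts any casing and optional spaces
    around the comma, so 'systemassigned, userassigned' must compare equal to
    'SystemAssigned,UserAssigned'. Returns None for unrecognised values."""
    parts = [p.strip() for p in str(identity_type).split(",") if p.strip()]
    canon = {"systemassigned": "SystemAssigned", "userassigned": "UserAssigned"}
    ordered = [canon[p.lower()] for p in parts if p.lower() in canon]
    if len(ordered) != len(parts):
        return None
    # Combined value is spelled with SystemAssigned first.
    return ",".join(sorted(set(ordered), key=lambda s: s != "SystemAssigned"))


def check_managed_instance(resource):
    """Return a list of rule failures for one resource (empty list means pass)."""
    failures = []
    identity = resource.get("identity") or {}
    itype = normalize_type(identity.get("type", "None"))
    if itype not in VALID_TYPES:
        failures.append(
            "identity.type must be SystemAssigned, UserAssigned or SystemAssigned,UserAssigned"
        )
        return failures
    if "UserAssigned" in itype and not (identity.get("userAssignedIdentities") or {}):
        failures.append(
            "identity.userAssignedIdentities must reference at least one identity "
            "when identity.type includes UserAssigned"
        )
    return failures


def check_template(template):
    """Evaluate every managedInstances resource; returns {resource name: failures}."""
    results = {}
    for res in template.get("resources", []):
        if str(res.get("type", "")).lower() != "microsoft.sql/managedinstances":
            continue
        results[res.get("name", "<unnamed>")] = check_managed_instance(res)
    return results


if __name__ == "__main__":
    print(json.dumps(check_template(SAMPLE_TEMPLATE), indent=2))
```

Running the module prints one entry per managed instance; an empty list is a pass. The normalisation step matters in practice because templates frequently write `SystemAssigned, UserAssigned` with a space, which Azure accepts but a naive string comparison would reject.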
Notes
To grant permissions to access Microsoft Graph through an SMI or a UMI, you need to use PowerShell. You can't grant these permissions by using the Azure portal.
Links
- Use identity-based authentication
- Managed identities in Azure AD for Azure SQL Managed Instance
- Azure deployment reference