
Managed identity

Security · SQL Managed Instance · Rule · 2023_03

Ensure managed identity is used to allow support for Azure AD authentication.

Description

A managed identity is required for allowing support for Azure AD authentication in SQL Managed Instance.

You must enable the instance identity (SMI or UMI) to allow support for Azure AD authentication in SQL Managed Instance.

Additionally, a managed identity is required for transparent data encryption with customer-managed key.

Recommendation

Consider configuring a managed identity to allow support for Azure AD authentication.

Examples

Configure with Azure template

To deploy SQL Managed Instances that pass this rule:

  • Set identity.type to SystemAssigned or UserAssigned or SystemAssigned,UserAssigned.
  • If identity.type is UserAssigned or SystemAssigned,UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

Azure Template snippet
{
  "type": "Microsoft.Sql/managedInstances",
  "apiVersion": "2022-05-01-preview",
  "name": "[parameters('managedInstanceName')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned",
    "userAssignedIdentities": {}
  },
  "properties": {}
}

Configure with Bicep

To deploy SQL Managed Instances that pass this rule:

  • Set identity.type to SystemAssigned or UserAssigned or SystemAssigned,UserAssigned.
  • If identity.type is UserAssigned or SystemAssigned,UserAssigned, reference the identity with identity.userAssignedIdentities.

For example:

Azure Bicep snippet
resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' = {
  name: managedInstanceName
  location: location
  identity: {
    type: 'SystemAssigned'
    userAssignedIdentities: {}
  }
  properties: {}
}
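The two snippets above show resources that pass the rule; the check itself is easy to state and useful to run over a template before deployment. The following is an added example, not PSRule for Azure's own implementation: it evaluates every Microsoft.Sql/managedInstances resource in an ARM template against the two conditions listed above (identity.type must include SystemAssigned or UserAssigned, and a UserAssigned type must reference at least one identity in identity.userAssignedIdentities). The template embedded below is constructed for the example; the resource and identity names in it are placeholders.

```python
import json

# Constructed sample ARM template (not from the page). Four managed instances
# exercise the pass and fail cases; the storage account shows that other
# resource types are ignored by the check.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {   # passes: system-assigned identity
            "type": "Microsoft.Sql/managedInstances",
            "apiVersion": "2022-05-01-preview",
            "name": "mi-smi",
            "location": "eastus",
            "identity": {"type": "SystemAssigned", "userAssignedIdentities": {}},
            "properties": {},
        },
        {   # passes: user-assigned identity with a referenced identity (placeholder name)
            "type": "Microsoft.Sql/managedInstances",
            "apiVersion": "2022-05-01-preview",
            "name": "mi-umi",
            "location": "eastus",
            "identity": {
                "type": "UserAssigned",
                "userAssignedIdentities": {
                    "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'example-umi')]": {}
                },
            },
            "properties": {},
        },
        {   # fails: UserAssigned declared but no identity referenced
            "type": "Microsoft.Sql/managedInstances",
            "apiVersion": "2022-05-01-preview",
            "name": "mi-umi-empty",
            "location": "eastus",
            "identity": {"type": "UserAssigned", "userAssignedIdentities": {}},
            "properties": {},
        },
        {   # fails: no identity block at all
            "type": "Microsoft.Sql/managedInstances",
            "apiVersion": "2022-05-01-preview",
            "name": "mi-none",
            "location": "eastus",
            "properties": {},
        },
        {   # not a managed instance; skipped
            "type": "Microsoft.Storage/storageAccounts",
            "apiVersion": "2022-09-01",
            "name": "storage",
            "location": "eastus",
        },
    ],
})


def identity_passes(resource):
    """Return (passes, reason) for one Microsoft.Sql/managedInstances resource."""
    identity = resource.get("identity") or {}
    raw_type = identity.get("type", "None")
    # ARM accepts "SystemAssigned,UserAssigned" with or without a space and in any
    # case, so split on the comma and compare case-insensitively.
    kinds = {part.strip().lower() for part in raw_type.split(",") if part.strip()}
    has_smi = "systemassigned" in kinds
    has_umi = "userassigned" in kinds
    if not (has_smi or has_umi):
        return False, (f"identity.type is '{raw_type}'; expected SystemAssigned, "
                       "UserAssigned or SystemAssigned,UserAssigned")
    # A UserAssigned type is only meaningful if at least one identity is referenced.
    if has_umi and not identity.get("userAssignedIdentities"):
        return False, ("identity.type includes UserAssigned but "
                       "identity.userAssignedIdentities references no identity")
    return True, "ok"


def check_template(template_json):
    """Evaluate every managed instance in an ARM template.

    Returns a dict of resource name -> (passes, reason); other resource types
    are not included.
    """
    template = json.loads(template_json)
    results = {}
    for resource in template.get("resources", []):
        if resource.get("type", "").lower() != "microsoft.sql/managedinstances":
            continue
        results[resource["name"]] = identity_passes(resource)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in check_template(SAMPLE_TEMPLATE).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {reason}")
```

Running the file prints one PASS/FAIL line per managed instance; on the constructed template, mi-smi and mi-umi pass while mi-umi-empty and mi-none fail with the reason shown. The type comparison is deliberately case-insensitive and whitespace-tolerant because ARM accepts those variants, so a check that compared the raw string to the three literal values would report false failures on otherwise valid templates.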

Notes

To grant permissions to access Microsoft Graph through an SMI or a UMI, you need to use PowerShell. You can't grant these permissions by using the Azure portal.
