Azure Database Support Blog

How to recover Azure SQL Managed Instance access when the admin SQL login is disabled

Abdullah_Qtaishat
Apr 23, 2026

Overview

Some of you have probably run into the issue of losing administrative access to Azure SQL Managed Instance because the SQL login(s) are disabled, or because the login is no longer a member of the sysadmin fixed server role. Since we have received some cases on the matter, I'll explain one possible way to recover access in this scenario by using a Microsoft Entra administrator. Azure SQL Managed Instance supports both SQL logins and Microsoft Entra authentication, and the Microsoft Entra administrator for the managed instance can be set from the Azure portal, PowerShell, Azure CLI, or REST API.

 

Symptom

Customers might see an error similar to the following when trying to connect with the SQL login:

 

Login failed for user 'sqlmiadmin'. Reason: The account is disabled. (Microsoft SQL Server, Error: 18470)

Connection ID: 'XYZ'

Scenario Details

In the scenario discussed here, the SQL login(s) on the managed instance were either disabled, or their membership in the sysadmin fixed server role was removed. As a result, there was no remaining SQL principal available with sufficient permissions to reverse the change directly. One possible recovery method is to configure, or reconfigure, a Microsoft Entra administrator for the managed instance and use that path to regain administrative access. Setting the Microsoft Entra administrator enables Microsoft Entra authentication for Azure SQL Managed Instance.

 

Root Cause

The issue occurs because the required T-SQL statements can only be executed by principals that already have sufficient server-level permissions:

 

  • ALTER LOGIN ... ENABLE requires ALTER ANY LOGIN. If the target login is a member of sysadmin, enabling or disabling that login also requires CONTROL SERVER.
  • ALTER SERVER ROLE [sysadmin] ADD MEMBER ... can only be executed by a principal that is already a member of sysadmin or of that same fixed server role. CONTROL SERVER and ALTER ANY SERVER ROLE are not sufficient for adding members to a fixed server role.

 

Because of this, when no existing SQL principal can perform these actions, or when all logins are disabled, an alternate administrative path is needed.

 

Resolution

One possible way to resolve the issue is to configure a Microsoft Entra administrator for the managed instance by following the steps in Configure Microsoft Entra Authentication - Azure SQL Database & SQL Managed Instance & Azure Synapse Analytics | Microsoft Learn. In the Azure portal, go to the SQL managed instance resource, open Microsoft Entra ID under Settings, choose Set admin, select the required user or group, and then select Save. The same article also documents that you can remove the current Microsoft Entra admin and set it again if needed.

After the Microsoft Entra administrator is configured, connect to the managed instance by using a supported Microsoft Entra authentication method, such as Microsoft Entra Password or Microsoft Entra MFA.

 

If the issue is that the SQL login is disabled, run the following T-SQL after connecting with a principal that has the required permissions:

 

ALTER LOGIN [sqlmiadmin] ENABLE;
GO

 

If the issue is that the login is no longer a member of sysadmin, run the following T-SQL:

 

ALTER SERVER ROLE [sysadmin] ADD MEMBER [sqlmiadmin];
GO
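
The following T-SQL is an added example, not part of the original article. It inventories login state and sysadmin membership, applies the two statements above only where they are needed, and confirms the result. It assumes you are connected as the Microsoft Entra administrator and that the affected login is named sqlmiadmin, as in this article.

```sql
-- Added example. Run while connected as the Microsoft Entra administrator.
-- Assumption: the affected login is [sqlmiadmin], the name used in this article.

-- 1. Inventory SQL and Microsoft Entra logins: disabled state, last change,
--    and sysadmin membership.
SELECT sp.name,
       sp.type_desc,
       sp.is_disabled,
       sp.modify_date,   -- when the login definition was last modified
       CASE WHEN EXISTS (SELECT 1
                         FROM sys.server_role_members AS rm
                         JOIN sys.server_principals AS r
                           ON r.principal_id = rm.role_principal_id
                         WHERE r.name = N'sysadmin'
                           AND rm.member_principal_id = sp.principal_id)
            THEN 1 ELSE 0 END AS is_sysadmin
FROM sys.server_principals AS sp
WHERE sp.type IN ('S', 'E', 'X')   -- SQL login, external login, external group
ORDER BY sp.name;
GO

-- 2. Re-enable the login only if it is currently disabled.
IF EXISTS (SELECT 1
           FROM sys.server_principals
           WHERE name = N'sqlmiadmin' AND is_disabled = 1)
    ALTER LOGIN [sqlmiadmin] ENABLE;
GO

-- 3. Restore sysadmin membership only if it is missing.
IF IS_SRVROLEMEMBER('sysadmin', 'sqlmiadmin') = 0
    ALTER SERVER ROLE [sysadmin] ADD MEMBER [sqlmiadmin];
GO

-- 4. Confirm: expect is_disabled = 0 and is_sysadmin = 1.
SELECT name,
       is_disabled,
       modify_date,
       IS_SRVROLEMEMBER('sysadmin', name) AS is_sysadmin
FROM sys.server_principals
WHERE name = N'sqlmiadmin';
GO
```

The inventory in step 1 also shows whether any other principal still holds sysadmin, and the modify_date column indicates when each login was last changed.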

 

Note

If the Microsoft Entra administrator was already configured and the Microsoft Entra login was also disabled, you can remove the Microsoft Entra administrator from the Azure portal and set it again. This refreshes the Microsoft Entra administrator configuration for the managed instance and restores the Microsoft Entra authentication path.

Additional Resources

Configure Microsoft Entra Authentication - Azure SQL Database & SQL Managed Instance & Azure Synapse Analytics | Microsoft Learn

Connect with Microsoft Entra Authentication - Azure SQL Database & SQL Managed Instance & Azure Synapse Analytics | Microsoft Learn

ALTER LOGIN (Transact-SQL) - SQL Server | Microsoft Learn

ALTER SERVER ROLE (Transact-SQL) - SQL Server | Microsoft Learn

 

Disclaimer

Please note that products, features, and configuration options discussed in this article are subject to change. This article reflects the state of Azure SQL Managed Instance as of April 2026.

 

I hope you found this article helpful. Please feel free to share your feedback in the comments section.

Updated Apr 23, 2026
Version 2.0