This preview makes the SQL migration path simpler and more secure by letting Import/Export run with managed identity with no embedded secrets.
Today we’re announcing a public preview that lets Azure SQL Database Import & Export services authenticate with user-assigned managed identity. Now Azure SQL Databases can perform import and export operations with no passwords, storage keys or SAS tokens.
With this preview, customers can choose to use either a single user-assigned managed identity (UAMI) for both SQL and Storage permissions or assign separate UAMIs, one for the Azure SQL logical server and another for the Storage account, for full separation of duties.
At a glance:
- Run Import/Export using a user-assigned managed identity (UAMI).
- Use one identity for both SQL and Storage, or split them if you prefer tighter scoping.
- Works in the portal, REST, Azure CLI, and PowerShell.
Why this matters:
Managed identity support makes SQL migrations simpler and safer: no passwords, storage keys, or SAS tokens. When you integrate Import/Export into a pipeline with managed identity, permissions are granted directly to the identity, which streamlines access management, reduces manual credential handling, and lowers the risk of exposing sensitive information. Operations stay efficient and secure, with no secrets embedded in scripts.
You’ve got two straightforward options:
- One UAMI for everything (simplest setup).
- Two UAMIs, one for SQL and one for Storage, recommended if you wish to maintain more strictly defined permissions.
Getting started:
- Create a user-assigned managed identity (UAMI)
Decide up front whether you want one identity end-to-end, or two identities (SQL vs Storage) for separation of duties.
- Attach the UAMI to the Azure SQL logical server
On the server Identity blade, add the UAMI so the Import/Export job can run as that identity.
- Set the server’s Microsoft Entra ID admin to the UAMI
In Microsoft Entra ID > Set admin, select the UAMI. This is what lets the workflow authenticate to SQL without a password.
- Grant Storage access
Use Storage Blob Data Reader for import and Storage Blob Data Contributor for export, assigned in Access control (IAM). If you can, scope the assignment to the container that holds the .bacpac.
- Pass resource IDs (not names) in your calls
In REST/CLI/PowerShell, you pass the UAMI resource ID as the value of administratorLogin (SQL identity) and storageKey (Storage identity), and set authenticationType / storageKeyType to ManagedIdentity.
  - administratorLogin → UAMI resource ID used for SQL auth
  - storageKey → UAMI resource ID used for Storage
  - authenticationType / storageKeyType → ManagedIdentity
- Run the import/export job
Kick it off from the portal, REST, Azure CLI, or PowerShell. From there, the service uses the identity you selected to reach both SQL and Storage.
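A pre-flight check for the "Grant Storage access" and "Pass resource IDs" steps above, as an added example that is not Microsoft's code: the hypothetical helper New-ImportExportPlan rejects identity names and SAS-bearing URIs, then derives the container-scoped role assignment and the identity fields of the request body. It runs offline, and every sample value in it is a constructed placeholder.

```powershell
# Added example: offline pre-flight check. All sample values are constructed placeholders.
$UamiIdPattern = '^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+/providers/' +
    'Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$'

function New-ImportExportPlan {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][ValidateSet('Import', 'Export')][string]$Operation,
        [Parameter(Mandatory)][string]$SqlUamiId,
        [Parameter(Mandatory)][string]$StorageUamiId,
        [Parameter(Mandatory)][uri]$StorageUri,
        [Parameter(Mandatory)][string]$StorageAccountId
    )
    # Full UAMI resource IDs only: a bare identity name fails here, before the API call.
    foreach ($id in @($SqlUamiId, $StorageUamiId)) {
        if ($id -notmatch $UamiIdPattern) { throw "Not a UAMI resource ID: '$id'" }
    }
    # A query string on the blob URI usually means a SAS token was left in.
    if ($StorageUri.Scheme -ne 'https' -or $StorageUri.Query) {
        throw 'storageUri must be https and carry no query string.'
    }
    $segments = $StorageUri.AbsolutePath.Trim('/').Split('/')
    if ($segments.Count -lt 2 -or $segments[-1] -notlike '*.bacpac') {
        throw 'storageUri must be <container>/<file>.bacpac under the account.'
    }
    if ($StorageUri.Host.Split('.')[0] -ne $StorageAccountId.Split('/')[-1]) {
        throw 'storageUri host does not match the storage account resource ID.'
    }
    [pscustomobject]@{
        # Reader is enough to import; export has to write the .bacpac.
        Role  = if ($Operation -eq 'Import') { 'Storage Blob Data Reader' } else { 'Storage Blob Data Contributor' }
        # Container-level scope for the role assignment, not the whole account.
        Scope = "$StorageAccountId/blobServices/default/containers/$($segments[0])"
        SeparateIdentities = $SqlUamiId -ne $StorageUamiId
        Body  = [ordered]@{
            storageKeyType     = 'ManagedIdentity'
            storageKey         = $StorageUamiId
            storageUri         = $StorageUri.AbsoluteUri
            administratorLogin = $SqlUamiId
            authenticationType = 'ManagedIdentity'
        } | ConvertTo-Json
    }
}

$sub = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers'
$plan = New-ImportExportPlan -Operation Export `
    -SqlUamiId "$sub/Microsoft.ManagedIdentity/userAssignedIdentities/uami-sql" `
    -StorageUamiId "$sub/Microsoft.ManagedIdentity/userAssignedIdentities/uami-storage" `
    -StorageUri 'https://stdemo.blob.core.windows.net/bacpacs/demo.bacpac' `
    -StorageAccountId "$sub/Microsoft.Storage/storageAccounts/stdemo"
$plan | Format-List Role, Scope, SeparateIdentities, Body
```

Role and Scope are the values to use for the Storage identity's assignment in Access control (IAM); an import request additionally needs the operationMode and databaseName fields shown in Sample 2.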
Portal experience
In the Azure portal, you can choose Authentication type = Managed identity and select the user-assigned managed identity to use for the operation.
Figure 1: Azure portal Import/Export experience with Managed identity authentication selected.
Notes
- This preview supports user-assigned managed identities (UAMIs).
- For least privilege, scope Storage roles to the specific container used for the .bacpac file and use two user-assigned managed identities (UAMIs), one for SQL and one for the storage.
Sample 1: REST API — Export using one UAMI:
$exportBody = "{
`n `"storageKeyType`": `"ManagedIdentity`",
`n `"storageKey`": `"${managedIdentityServerResourceId}`",
`n `"storageUri`": `"${storageUri}`",
`n `"administratorLogin`": `"${managedIdentityServerResourceId}`",
`n `"authenticationType`": `"ManagedIdentity`"
`n}"
$export = Invoke-AzRestMethod -Method POST -Path "/subscriptions/${subscriptionId}/resourceGroups/${resourceGroupName}/providers/Microsoft.Sql/servers/${serverName}/databases/${databaseName}/export?api-version=2024-05-01-preview" -Payload $exportBody
# Poll operation status
Invoke-AzRestMethod -Method GET $export.Headers.Location.AbsoluteUri
Sample 2: REST API — Import to a new server using one UAMI:
$serverName = "sql-mi-demo-target"
$databaseName = "sqldb-mi-demo-target"
# Same UAMI for SQL auth + Storage access
$importBody = "{
`n `"operationMode`": `"Import`",
`n `"administratorLogin`": `"${managedIdentityServerResourceId}`",
`n `"authenticationType`": `"ManagedIdentity`",
`n `"storageKeyType`": `"ManagedIdentity`",
`n `"storageKey`": `"${managedIdentityServerResourceId}`",
`n `"storageUri`": `"${storageUri}`",
`n `"databaseName`": `"${databaseName}`"
`n}"
$import = Invoke-AzRestMethod -Method POST -Path "/subscriptions/${subscriptionId}/resourceGroups/${resourceGroupName}/providers/Microsoft.Sql/servers/${serverName}/databases/${databaseName}/import?api-version=2024-05-01-preview" -Payload $importBody
# Poll operation status
Invoke-AzRestMethod -Method GET $import.Headers.Location.AbsoluteUri
Sample 3: PowerShell — Export using two UAMIs:
# Server UAMI for SQL auth, Storage UAMI for storage access
New-AzSqlDatabaseExport -ResourceGroupName $resourceGroupName -DatabaseName $databaseName -ServerName $serverName -StorageKeyType ManagedIdentity -StorageKey $managedIdentityStorageResourceId -StorageUri $storageUri -AuthenticationType ManagedIdentity -AdministratorLogin $managedIdentityServerResourceId
Sample 4: PowerShell — Import to a new server using two UAMIs:
New-AzSqlDatabaseImport -ResourceGroupName $resourceGroupName -DatabaseName $databaseName -ServerName $serverName -DatabaseMaxSizeBytes $databaseSizeInBytes -StorageKeyType "ManagedIdentity" -StorageKey $managedIdentityStorageResourceId -StorageUri $storageUri -Edition $edition -ServiceObjectiveName $serviceObjectiveName -AdministratorLogin $managedIdentityServerResourceId -AuthenticationType ManagedIdentity
Sample 5: Azure CLI — Export using two UAMIs:
az sql db export -s $serverName -n $databaseName -g $resourceGroupName --auth-type ManagedIdentity -u $managedIdentityServerResourceId --storage-key $managedIdentityStorageResourceId --storage-key-type ManagedIdentity --storage-uri $storageUri
Sample 6: Azure CLI — Import to a new server using two UAMIs:
az sql db import -s $serverName -n $databaseName -g $resourceGroupName --auth-type ManagedIdentity -u $managedIdentityServerResourceId --storage-key $managedIdentityStorageResourceId --storage-key-type ManagedIdentity --storage-uri $storageUri
For more information and samples, please check Tutorial: Use managed identity with Azure SQL import and export (preview)