Failover Clustering

Using Failover Clustering Cloud Witness with Managed Identity in Windows Server 2025

Rob-Hindman (Microsoft)
Mar 21, 2026

This blog article describes how to use Managed Identity with the Cloud Witness quorum resource in Windows Server 2025.

Failover Clustering has a strong quorum model that prevents a partition in space (also called split brain, network partition or cluster partition) from letting two halves of a cluster run the same workload independently. Every failover cluster should have a cluster quorum resource (a cluster witness) configured. The witness does more than add protection: it is what lets a small two-node cluster provide high availability for workloads such as Hyper-V VMs, SQL Server Availability Groups, SQL Server Failover Cluster Instances and Scale-out File Server (SoFS), because with a witness vote the surviving node still holds a majority when the other node, or the link between them, is lost.

The Cloud Witness quorum resource was introduced in the Failover Clustering feature of Windows Server 2016 as a low-cost variation of the File Share Witness, making inexpensive two-node failover clusters practical wherever connectivity to Azure is reliable. Both the Cloud Witness and the File Share Witness store only a Paxos tag together with its date-time stamp, in a blob (or file) named with the cluster's unique ID (a GUID); no other information is needed. Unlike the Disk Witness, which holds a full copy of the cluster database, these two witnesses hold just the Paxos tag, which serves as the tiebreaker during a partition in space so that one side of the cluster can keep running.

The Cloud Witness quorum resource is created in an Azure storage account and was originally authenticated with the storage account's access key (the StorageAccountAccessKey parameter below). Note that this is the account's shared key, which grants full read/write access to the entire storage account, not a scoped, time-limited SAS token:

Set-ClusterQuorum -CloudWitness -AccountName <StorageAccountName> -AccessKey <StorageAccountAccessKey>

Previously, the access key for the Azure storage account was stored in the cluster database so that the cluster could reach the storage account. That meant a long-lived, full-access credential lived inside the cluster, and regenerating the key in Azure also required re-running Set-ClusterQuorum with the new key. For details, see https://learn.microsoft.com/en-us/windows-server/failover-clustering/deploy-quorum-witness.

As a best practice, we now recommend accessing the Azure storage account with a Managed Identity instead of an access key. No storage credential is stored in the cluster database at all: the cluster only records that managed identity is in use (the IsManagedIdentity parameter shown later), and each node obtains a short-lived access token for the storage account at runtime from its own managed identity. Access is granted by an Azure RBAC role assignment on the storage account and revoked by removing that assignment, with no key to protect or rotate.

Steps to create a Cloud Witness quorum resource using managed identity while creating a new cluster:

  1. Before creating the cluster, create a storage account resource; in this example the storage account is called cloudwitnessdemo.
  2. Using the Azure Portal, create VMs in Azure IaaS running Windows Server 2025 and add the Failover Clustering feature. For physical on-premises servers running Windows Server 2025, add the Failover Clustering feature.
  3. Install the latest updates for Windows Server 2025 from Windows Update on each server (cluster node).
  4. Connect each server (cluster node) to Azure Arc; this creates a system-assigned Managed Identity for each server.
  5. Using the Azure Portal Access Control (IAM) pages, assign the Storage Blob Data Contributor role to each node's managed identity. Scope the assignment to the storage account itself rather than the resource group or subscription, so the node identities can reach only the witness storage.
  6. Create the cluster using the New-Cluster cmdlet, for example:

New-Cluster -Name ExampleCluster -Node TOAD03H09-VM24,TOAD03H09-VM25,TOAD03H09-VM26,TOAD03H09-VM27 -NoStorage

  7. Create the cloud witness using the cluster nodes' managed identities:

Set-ClusterQuorum -CloudWitness -AccountName cloudwitnessdemo -UseManagedIdentity -Cluster ExampleCluster

Cluster              QuorumResource
-------              --------------
ExampleCluster       Cloud Witness
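The new-cluster procedure above, carried out from an administration workstation as one script (Arc onboarding in step 4 is done per node with the Arc agent and is not scripted here). This is an added example, not code from the original post. It assumes the Az modules (Az.Accounts, Az.Resources, Az.Storage, Az.ConnectedMachine) and the FailoverClusters RSAT module are installed, that the nodes are already Arc-connected, that the Arc machine resources live in the hypothetical resource group $arcRg, and that the resource group and location names are placeholders; the storage account, cluster and node names are those used in the post. It goes slightly beyond the post by scoping the role assignment to the storage account, retrying witness creation while the role assignment propagates, and verifying the result.

```powershell
#Requires -Modules Az.Accounts, Az.Resources, Az.Storage, Az.ConnectedMachine, FailoverClusters
# Added example, not from the original post. $saRg, $arcRg and $location are placeholders.
$ErrorActionPreference = 'Stop'
$saRg     = 'rg-cloudwitness-demo'   # hypothetical resource group for the storage account
$arcRg    = 'rg-arc-servers'         # hypothetical resource group holding the Arc machines
$location = 'eastus'
$saName   = 'cloudwitnessdemo'
$cluster  = 'ExampleCluster'
$nodes    = 'TOAD03H09-VM24','TOAD03H09-VM25','TOAD03H09-VM26','TOAD03H09-VM27'
$role     = 'Storage Blob Data Contributor'

Connect-AzAccount | Out-Null

# Step 1: a dedicated general-purpose v2 storage account, HTTPS-only with TLS 1.2 as the floor.
if (-not (Get-AzResourceGroup -Name $saRg -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $saRg -Location $location | Out-Null
}
$sa = Get-AzStorageAccount -ResourceGroupName $saRg -Name $saName -ErrorAction SilentlyContinue
if (-not $sa) {
    $sa = New-AzStorageAccount -ResourceGroupName $saRg -Name $saName -Location $location `
            -SkuName Standard_LRS -Kind StorageV2 -MinimumTlsVersion TLS1_2 -EnableHttpsTrafficOnly $true
}

# Step 5: least privilege. Each Arc machine's system-assigned identity gets the blob data role
# on this one storage account only. Az.ConnectedMachine exposes the identity's object ID as
# the flattened IdentityPrincipalId property.
foreach ($node in $nodes) {
    $principalId = (Get-AzConnectedMachine -ResourceGroupName $arcRg -Name $node).IdentityPrincipalId
    if (-not $principalId) { throw "$node has no system-assigned identity; is it connected to Azure Arc?" }
    $have = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $role -Scope $sa.Id -ErrorAction SilentlyContinue
    if (-not $have) {
        New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $role -Scope $sa.Id | Out-Null
        Write-Host "Granted '$role' on $saName to $node"
    }
}

# Steps 6 and 7: create the cluster, then the witness. No -AccessKey is passed, so no storage
# secret enters the cluster database. Role assignments can take minutes to propagate, so the
# witness creation is retried instead of assuming the first attempt succeeds.
New-Cluster -Name $cluster -Node $nodes -NoStorage | Out-Null
$attempt = 0
do {
    try {
        Set-ClusterQuorum -Cluster $cluster -CloudWitness -AccountName $saName -UseManagedIdentity | Out-Null
        $ok = $true
    } catch {
        $ok = $false
        if (++$attempt -ge 5) { throw }
        Write-Host "Witness creation failed ($($_.Exception.Message)); retrying in 60 s"
        Start-Sleep -Seconds 60
    }
} until ($ok)

# Verify: the resource is online and the cluster recorded managed-identity mode.
$witness = Get-ClusterResource -Cluster $cluster -Name 'Cloud Witness'
$mi = ($witness | Get-ClusterParameter -Name IsManagedIdentity).Value
if ($witness.State -ne 'Online' -or $mi -ne 1) {
    throw "Cloud Witness state=$($witness.State) IsManagedIdentity=$mi"
}
Write-Host "Cloud Witness online on $saName via managed identity"

# Optional hardening, an assumption to validate in your own environment before relying on it:
# with the witness authenticating through Entra ID, shared-key access to the account can be
# turned off entirely, which neutralises the account keys even if they are ever exposed.
# Re-check the witness state after changing it.
# Set-AzStorageAccount -ResourceGroupName $saRg -Name $saName -AllowSharedKeyAccess $false
```

The role assignment is the security boundary here: the identities receive data-plane blob access on one account and nothing else, and removing a node from the cluster should be paired with removing its role assignment.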

Steps to add a Cloud Witness quorum resource using managed identity to an existing cluster:

  1. Using the Azure Portal, create a storage account resource; in this example the storage account is called cloudwitnessdemo.
  2. Install the latest updates for Windows Server 2025 from Windows Update on each server (cluster node).
  3. Connect each server (cluster node) to Azure Arc; this creates a system-assigned Managed Identity for each server.
  4. Assign the Storage Blob Data Contributor role to each node's managed identity, scoped to the storage account.
  5. Create the cloud witness using the cluster nodes' managed identities. This deletes the existing cloud witness and creates a new one configured for managed identity:

Set-ClusterQuorum -CloudWitness -AccountName cloudwitnessdemo -UseManagedIdentity -Cluster ExampleCluster

Cluster              QuorumResource
-------              --------------
ExampleCluster       Cloud Witness

  6. (Optional) Check the witness assignment and the use of Azure Managed Identity:

Get-ClusterResource -Cluster ExampleCluster -Name "Cloud Witness" | Get-ClusterParameter

Object        Name              Value              Type
------        ----              -----              ----
Cloud Witness AccountName       cloudwitnessdemo   String
Cloud Witness EndpointInfo      core.windows.net   String
Cloud Witness ContainerName     msft-cloud-witness String
Cloud Witness IsManagedIdentity 1                  UInt32
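A node-side check that goes one step past the Get-ClusterParameter output above. It is an added example, not from the original post, and assumes it runs elevated on an Arc-connected cluster node: the Arc agent publishes its local identity endpoint in the IDENTITY_ENDPOINT environment variable (normally http://localhost:40342/metadata/identity/oauth2/token), and only local administrators can read the challenge key file that endpoint names. The storage account, container and endpoint are read from the cluster parameters shown above. The script confirms the witness is online in managed-identity mode, obtains a storage token through the same identity endpoint the node itself uses, and lists the witness container with that bearer token alone, so an HTTP 403 pinpoints a missing or mis-scoped role assignment without any account key being involved.

```powershell
# Added example, not from the original post. Run elevated on one cluster node.
$ErrorActionPreference = 'Stop'
$expectedAccount = 'cloudwitnessdemo'   # storage account name from the post

# 1. Cluster-side: witness online, managed identity in use, pointing at the expected account.
$witness = Get-ClusterResource -Name 'Cloud Witness'
$p = @{}
foreach ($param in ($witness | Get-ClusterParameter)) { $p[$param.Name] = $param.Value }
if ($witness.State -ne 'Online')             { throw "Cloud Witness state is $($witness.State)" }
if ([int]$p['IsManagedIdentity'] -ne 1)      { throw 'IsManagedIdentity is 0: the witness is still key-based' }
if ($p['AccountName'] -ne $expectedAccount)  { throw "Witness uses account $($p['AccountName']), expected $expectedAccount" }
$blobEndpoint = "https://$($p['AccountName']).blob.$($p['EndpointInfo'])"
$container    = $p['ContainerName']

# 2. Token acquisition the way the Arc agent requires it: the first request is refused with a
#    401 whose WWW-Authenticate header names a key file readable only by administrators;
#    presenting that file's content as Basic credentials returns the access token.
$identityEndpoint = if ($env:IDENTITY_ENDPOINT) { $env:IDENTITY_ENDPOINT } else { 'http://localhost:40342/metadata/identity/oauth2/token' }
$tokenUri = "${identityEndpoint}?api-version=2020-06-01&resource=https://storage.azure.com/"
$keyFile = $null
try {
    Invoke-WebRequest -Uri $tokenUri -Headers @{ Metadata = 'true' } -UseBasicParsing | Out-Null
} catch {
    # GetValues works on both WebHeaderCollection (PS 5.1) and HttpResponseHeaders (PS 7).
    $challenge = [string]($_.Exception.Response.Headers.GetValues('WWW-Authenticate') | Select-Object -First 1)
    if ($challenge -match '^Basic realm=(.+)$') { $keyFile = $Matches[1] }
    else { throw "Unexpected reply from identity endpoint: $challenge" }
}
if (-not $keyFile) { throw 'Identity endpoint did not challenge; is the Arc agent (himds) running?' }
$secret = Get-Content -Path $keyFile -Raw
$token  = (Invoke-RestMethod -Uri $tokenUri -Headers @{ Metadata = 'true'; Authorization = "Basic $secret" }).access_token

# 3. Data-plane check with the bearer token only: list the witness container.
#    403 = role assignment missing or scoped to the wrong resource; 404 = container not
#    created yet (the cluster creates it on first use).
$listUri = "$blobEndpoint/$container" + '?restype=container&comp=list'
$resp = Invoke-WebRequest -UseBasicParsing -Uri $listUri `
          -Headers @{ Authorization = "Bearer $token"; 'x-ms-version' = '2020-04-08' }
[xml]$xml = $resp.Content.TrimStart([char]0xFEFF)   # strip the UTF-8 BOM the service may emit
$names = @($xml.EnumerationResults.Blobs.Blob | ForEach-Object { $_.Name })
Write-Host "Token from this node's managed identity can list ${container}: $($names -join ', ')"
Write-Host 'Expect a single blob named after the cluster''s unique ID, holding the Paxos tag.'
```

Run it on each node in turn rather than once: every node has its own identity and its own role assignment, and a node whose identity cannot reach the witness cannot claim the witness vote during a partition even though the cluster as a whole reports the resource online.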

Updated Mar 21, 2026
Version 2.0