In the contemporary IT landscape, robust and efficient data management is vital. Hybrid environments are prevalent, and Microsoft solutions such as Azure Arc for SQL Server integrate the familiarity of on-premises SQL Server with the agility and security of Azure.
This blog post discusses the newly added “Primary managed identity” for Arc-enabled SQL Server 2025, backed by Microsoft Entra, which enables credential-free authentication for both inbound and outbound communication.
The Primary Managed Identity pertains to the identity of the Arc machine, which is registered by the Arc machine agent with Microsoft Entra. SQL Server can utilize this identity to authenticate with other Azure services.
Associate a “Primary managed identity” with SQL Server: Arc-enabled Windows machines have a managed identity created for them. SQL Server 2025 can now use that identity to establish a trust relationship with Microsoft Entra. You attach this identity to SQL Server by selecting it in the Azure portal.
To activate the primary managed identity from Azure, you need the latest Azure extension for SQL Server release as a prerequisite.
Note: We keep improving the Azure portal user experience and you might see slight differences depending on when you are reading this blog post.
A primary managed identity is necessary for both outbound and inbound communication.
Alternatively, you can just Arc-enable the host machine and use the manual setup for the managed identity feature. This eliminates the need for the Azure extension for SQL Server, which you must uninstall. With this approach you will not be able to use the Azure portal for Microsoft Entra features.
Outbound Communication: You can now use this primary managed identity to connect SQL Server 2025 to Azure resources such as Azure Storage and Azure Key Vault. Follow this to set up backup to an Azure Storage URL, and EKM with Azure Key Vault.
Inbound Communication: You can also use the primary managed identity to create Entra-based users and logins to connect to SQL Server 2025. For this you will need to grant the identity these Microsoft Graph API permissions:
- User.Read.All,
- GroupMember.Read.All, and
- Application.Read.All
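As an added example that is not part of the blog post, the following PowerShell (Microsoft.Graph module) grants the primary managed identity exactly the three application permissions listed above and then lists what it holds against Graph, so the grant can be reviewed for least privilege. The managed identity object ID is a placeholder you supply; the Graph appId used is the well-known one for the Microsoft Graph service principal.

```powershell
# Added example (not from the blog post): grant the Arc machine's primary managed
# identity only the three Microsoft Graph application permissions the post lists.
# Assumes the Microsoft.Graph PowerShell module and an admin who can consent to app roles.
# Placeholder: object ID of the Arc machine's system-assigned managed identity.
$msiObjectId = '<managed-identity-object-id>'

Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All', 'Application.Read.All'

# Microsoft Graph's service principal in this tenant (well-known appId).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

$needed = 'User.Read.All', 'GroupMember.Read.All', 'Application.Read.All'

foreach ($permission in $needed) {
    # Application roles only: a managed identity has no signed-in user for delegated scopes.
    $role = $graphSp.AppRoles |
        Where-Object { $_.Value -eq $permission -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "App role '$permission' not found on Microsoft Graph" }

    # Skip roles already assigned so re-running the script is harmless.
    $existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msiObjectId |
        Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graphSp.Id }
    if ($existing) { Write-Host "Already granted: $permission"; continue }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msiObjectId `
        -PrincipalId $msiObjectId -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Granted: $permission"
}

# Review step: list every Graph app role the identity now holds, to confirm
# nothing beyond the three required permissions has been assigned.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msiObjectId |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $roleId = $_.AppRoleId
        ($graphSp.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
    }
```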
Read more here for the details and limitations on this managed identity setup.
For Arc-enabled SQL Server 2025, we recommend using managed identity, as it is more secure than the credential-based setup from SQL Server 2022. Although you can still register your SQL Server 2025 with Microsoft Entra for inbound communication only, the Azure portal for SQL Server 2025 will no longer support the app registration method.
Next steps: To proceed, please obtain your SQL Server 2025 from here to explore all the SQL Server 2025 features available in the public preview version.
If you are using antivirus software, please refer to these instructions.
Updated Jun 10, 2025
Version 3.0
PDasgupta, Microsoft
SQL Server Blog