Create and Assign Managed Identity using Powershell to SQL MI

Published Jan 28 2022 08:26 AM 1,215 Views
Microsoft

Problem Statement:

Provide functionality during creation of Managed Identity to assign the UAMI to SQL Managed Instance. We are executing all tasks using separate steps.

 

Resolution:

 

The following request has been made to fulfill this requirement. Below is the single piece of powershell code would help you perform the below tasks.

 

1) Connect to Azure Subscription.

2) Create UAMI.

3) Assign role to UAMI.

4) Assign a delete lock to UAMI to prevent accidental deletion.

5) Final Step, Assign UAMI to SQL Managed Instance.

 

$role1 = "Provide the Role Name here"
$userAssignedManagedIdentity = "Provide the UAMI Name here"
$resourceGroup = "Resource group name for UAMI"
$MIresourceGroup = "Resource group name for SQL MI"
$ManagedInstance = "SQL Managed instance Name"
$SubscriptionID="SubscriptionID"


# Connect to Azure Subscription

Connect-AzAccount -Subscription $SubscriptionID


# Create UAMI

New-AzUserAssignedIdentity -ResourceGroupName $resourceGroup -Name $userAssignedManagedIdentity

# Assign Role to UAMI

$UAMI = (Get-AzUserAssignedIdentity -ResourceGroupName $resourceGroup -Name $userAssignedManagedIdentity).PrincipalId
New-AzRoleAssignment -ObjectId $UAMI -ResourceGroupName $resourceGroup -RoleDefinitionName $role1

# Assign Lock to UAMI

New-AzResourceLock -LockName LockUAMI -LockLevel CanNotDelete -ResourceGroupName $resourceGroup -ResourceName $userAssignedManagedIdentity -ResourceType "Microsoft.ManagedIdentity/userAssignedIdentities"

# Assign UAMI to Managed Instance.

# Note: Ensure to pass -AssignIdentity parameter and the service principal should have AAD reader permission before executing the below command.

Set-AzSqlInstance -ResourceGroupName $MIresourceGroup -Name $ManagedInstance -AssignIdentity -IdentityType "UserAssigned" -UserAssignedIdentityId "/subscriptions/$SubscriptionID/resourceGroups/$resourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$userAssignedManagedIdentity" -PrimaryUserAssignedIdentityId "/subscriptions/$SubscriptionID/resourceGroups/$resourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$userAssignedManagedIdentity" -Force

 

Reference Article

User-assigned managed identity in Azure AD for Azure SQL - Azure SQL Database & Azure SQL Managed In...

Cannot find the Azure Active Directory object '' when perform management operations on SQL Managed I...

%3CLINGO-SUB%20id%3D%22lingo-sub-3071119%22%20slang%3D%22en-US%22%3ECreate%20and%20Assign%20Managed%20Identity%20using%20Powershell%20to%20SQL%20MI%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3071119%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EProblem%20Statement%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EProvide%20functionality%20during%20creation%20of%20Managed%20Identity%20to%20assign%20the%20UAMI%20to%20SQL%20Managed%20Instance.%20We%20are%20executing%20all%20tasks%20using%20separate%20steps.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EResolution%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20following%20request%20has%20been%20made%20to%20fulfill%20this%20requirement.%20Below%20is%20the%20single%20piece%20of%20powershell%20code%20would%20help%20you%20perform%20the%20below%20tasks.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E1)%20Connect%20to%20Azure%20Subscription.%3C%2FP%3E%0A%3CP%3E2)%20Create%20UAMI.%3C%2FP%3E%0A%3CP%3E3)%20Assign%20role%20to%20UAMI.%3C%2FP%3E%0A%3CP%3E4)%20Assign%20a%20delete%20lock%20to%20UAMI%20to%20prevent%20accidental%20deletion.%3C%2FP%3E%0A%3CP%3E5)%20Final%20Step%2C%20Assign%20UAMI%20to%20SQL%20Managed%20Instance.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%24role1%20%3D%20%22Provide%20the%20Role%20Name%20here%22%3CBR%20%2F%3E%24userAssignedManagedIdentity%20%3D%20%22Provide%20the%20UAMI%20Name%20here%22%3CBR%20%2F%3E%24resourceGroup%20%3D%20%22Resource%20group%20name%20for%20UAMI%22%3CBR%20%2F%3E%24MIresourceGroup%20%3D%20%22Resource%20group%20name%20for%20SQL%20MI%22%3CBR%20%2F%3E%24ManagedInstance%20%3D%20%22SQL%20Managed%20instance%20Name%22%3CBR%20%2F%3E%24SubscriptionID%3D%22SubscriptionID%22%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%23%20Connect%20to%20Azure%20Subscription%3C%2FP%3E%0A%3CP%3EConnect-AzAccount%20-Subscription%20%24SubscriptionID%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3E%23%20Create%20UAMI%3C%2FP%3E%0A%3CP%3ENew-AzUserAssignedIdentity%20-ResourceGroupName%20%24resourceGroup%20-Name%20%24userAssignedManagedIdentity%3C%2FP%3E%0A%3CP%3E%23%20Assign%20Role%20to%20UAMI%3C%2FP%3E%0A%3CP%3E%24UAMI%20%3D%20(Get-AzUserAssignedIdentity%20-ResourceGroupName%20%24resourceGroup%20-Name%20%24userAssignedManagedIdentity).PrincipalId%3CBR%20%2F%3ENew-AzRoleAssignment%20-ObjectId%20%24UAMI%20-ResourceGroupName%20%24resourceGroup%20-RoleDefinitionName%20%24role1%3C%2FP%3E%0A%3CP%3E%23%20Assign%20Lock%20to%20UAMI%3C%2FP%3E%0A%3CP%3ENew-AzResourceLock%20-LockName%20LockUAMI%20-LockLevel%20CanNotDelete%20-ResourceGroupName%20%24resourceGroup%20-ResourceName%20%24userAssignedManagedIdentity%20-ResourceType%20%22Microsoft.ManagedIdentity%2FuserAssignedIdentities%22%3C%2FP%3E%0A%3CP%3E%23%20Assign%20UAMI%20to%20Managed%20Instance.%3C%2FP%3E%0A%3CP%3E%23%20Note%3A%20Ensure%20to%20pass%20-AssignIdentity%20parameter%20and%20the%20service%20principal%20should%20have%20%3CSPAN%3EAAD%20reader%20permission%20before%20executing%20the%20below%20command.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3ESet-AzSqlInstance%20-ResourceGroupName%20%24MIresourceGroup%20-Name%20%24ManagedInstance%20-AssignIdentity%20-IdentityType%20%22UserAssigned%22%20-UserAssignedIdentityId%20%22%2Fsubscriptions%2F%24SubscriptionID%2FresourceGroups%2F%24resourceGroup%2Fproviders%2FMicrosoft.ManagedIdentity%2FuserAssignedIdentities%2F%24userAssignedManagedIdentity%22%20-PrimaryUserAssignedIdentityId%20%22%2Fsubscriptions%2F%24SubscriptionID%2FresourceGroups%2F%24resourceGroup%2Fproviders%2FMicrosoft.ManagedIdentity%2FuserAssignedIdentities%2F%24userAssignedManagedIdentity%22%20-Force%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EReference%20Article%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200in%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-sql%2Fdatabase%2Fauthentication-azure-ad-user-assigned-managed-identity%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20style%3D%22font-size%3A%2011.0pt%3B%20font-family%3A%20'Calibri'%2Csans-serif%3B%22%3EUser-assigned%20managed%20identity%20in%20Azure%20AD%20for%20Azure%20SQL%20-%20Azure%20SQL%20Database%20%26amp%3B%20Azure%20SQL%20Managed%20Instance%20%7C%20Microsoft%20Docs%3C%2FSPAN%3E%3C%2FA%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200in%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-database-support-blog%2Fset-azsqlinstance-cannot-find-the-azure-active-directory-object%2Fba-p%2F3011635%22%20target%3D%22_blank%22%3E%3CSPAN%20style%3D%22font-size%3A%2011.0pt%3B%20font-family%3A%20'Calibri'%2Csans-serif%3B%22%3ECannot%20find%20the%20Azure%20Active%20Directory%20object%20''%20when%20perform%20management%20operations%20on%20SQL%20Managed%20Instance%20by%20using%20Azure%20Automation%20account.%20(microsoft.com)%3C%2FSPAN%3E%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Co-Authors
Version history
Last update:
‎Jan 25 2022 03:07 AM
Updated by: