In this article, we will go through the reasons this error occurs and how to resolve them.
On a recent case, a customer received the error "Invalid Managed Identity" when trying to scan a database.
The error suggests that there is an issue with the managed identity or the RBAC permissions required, but the same error occurs when there is a connectivity issue between SQL Managed Instance and the storage account selected.
Checking RBAC permissions
The RBAC permissions can be checked manually in the Azure Portal, or you can run the PowerShell script below, which calls Azure CLI (az), after filling in the resource details.
# SQL Managed Instance details
$serverResourceGroup = ''
$serverName = ''
# Storage account details
$storageAccountResourceGroup = ''
$storageAccount = ''
##############################################################################################################################
# Object (principal) ID of the managed identity assigned to the SQL Managed Instance
$sqlIdentity = (az sql mi show -g $serverResourceGroup -n $serverName | ConvertFrom-Json).identity.principalId
# Resource ID of the storage account; used as the scope the role assignment is matched against
$storageId = (az storage account show -g $storageAccountResourceGroup -n $storageAccount | ConvertFrom-Json).id
# List every role assignment for the identity and keep only Storage Blob Data Contributor on this storage account
$permissions = az role assignment list --all --assignee $sqlIdentity | ConvertFrom-Json |
    Where-Object { $_.scope -eq $storageId -and $_.roleDefinitionName -eq 'Storage Blob Data Contributor' }
if ($null -eq $permissions) { Write-Host "RBAC permissions do not exist" } else { Write-Host "RBAC Permissions exist" }
It returns a simple message confirming whether the permissions exist. Note that the script only matches assignments scoped directly to the storage account; a Storage Blob Data Contributor assignment inherited from the resource group or subscription also satisfies the requirement but is not detected by this check.
Connectivity issues
If the permissions do exist, then it may be due to connectivity issues between SQL Managed Instance and the storage account. Listed below are ways to check this.
Storage account networking configuration
The storage account can be configured to allow the following access:
- Public - All
- Public - Selected networks
- Private
If the access is set to Selected networks, make sure the SQL Managed Instance subnet is in the list. If the access is private only, then the SQL Managed Instance must be able to resolve the storage account's blob endpoint to the private IP of the private endpoint in DNS.
NSG/Firewall rules and routing
Check that there are no rules blocking connections between each resource and that the routing is configured correctly.
DNS settings
If the DNS settings are custom or a private endpoint is being used, the DNS configuration for the SQL Managed Instance virtual network may need to be configured, for example, adding a private DNS zone.
Network Peering
If the connectivity is through a private endpoint in a different virtual network, check that there is communication between them, such as network peering.
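The following PowerShell script is an added example and is not part of the original article; it pulls together the connectivity checks above (storage account public access and selected-network rules, approved private endpoint connections, and DNS resolution of the blob endpoint). It assumes Azure CLI (az) is installed and logged in, that the four placeholder variables are filled in, and that Resolve-DnsName is available (it comes from the Windows DnsClient module, so the DNS part only runs on Windows PowerShell or PowerShell 7 on Windows).

```powershell
# Added example (not the article's own script): review the storage account network
# configuration and DNS from the point of view of the SQL Managed Instance subnet.
# Assumes az is logged in and the placeholders below are replaced with real values.
$serverResourceGroup         = ''   # placeholder: SQL Managed Instance resource group
$serverName                  = ''   # placeholder: SQL Managed Instance name
$storageAccountResourceGroup = ''   # placeholder: storage account resource group
$storageAccount              = ''   # placeholder: storage account name

$mi = az sql mi show -g $serverResourceGroup -n $serverName | ConvertFrom-Json
$sa = az storage account show -g $storageAccountResourceGroup -n $storageAccount | ConvertFrom-Json

# Subnet the managed instance is deployed into; this is what a "Selected networks" rule must allow
$miSubnetId = $mi.subnetId
Write-Host "SQL MI subnet         : $miSubnetId"
Write-Host "Public network access : $($sa.publicNetworkAccess)"
Write-Host "Default network action: $($sa.networkRuleSet.defaultAction)"

if ($sa.publicNetworkAccess -eq 'Disabled') {
    Write-Host "Storage account is private only: the MI must reach it through a private endpoint."
} elseif ($sa.networkRuleSet.defaultAction -eq 'Deny') {
    # "Public - Selected networks": the MI subnet must appear in the virtual network rules
    $subnetAllowed = $sa.networkRuleSet.virtualNetworkRules |
        Where-Object { $_.virtualNetworkResourceId -eq $miSubnetId -and $_.action -eq 'Allow' }
    if ($subnetAllowed) {
        Write-Host "MI subnet is allowed by the storage account firewall."
    } else {
        Write-Host "MI subnet is NOT in the storage account's selected networks."
    }
} else {
    Write-Host "Storage account allows access from all public networks."
}

# Approved private endpoint connections on the storage account (relevant for the
# private-only and cross-virtual-network cases)
$approvedPe = @($sa.privateEndpointConnections |
    Where-Object { $_.privateLinkServiceConnectionState.status -eq 'Approved' })
if ($approvedPe.Count -gt 0) {
    Write-Host "Approved private endpoint connections: $($approvedPe.Count)"
    foreach ($pe in $approvedPe) { Write-Host "  $($pe.privateEndpoint.id)" }
} else {
    Write-Host "No approved private endpoint connections on this storage account."
}

# DNS check: when a private endpoint is used, the blob endpoint should resolve to a
# private address. A public IP here usually means the private DNS zone is missing or
# not linked to the MI virtual network. This resolves from the machine running the
# script, so run it from a VM in the MI virtual network (or with the same custom DNS)
# for an answer that matches what the managed instance sees.
$blobHost = ([Uri]$sa.primaryEndpoints.blob).Host
try {
    $records = Resolve-DnsName -Name $blobHost -Type A -ErrorAction Stop |
        Where-Object { $_.IPAddress }
    foreach ($rec in $records) {
        $isPrivate = $rec.IPAddress -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
        $kind = if ($isPrivate) { 'private' } else { 'public' }
        Write-Host ("{0} resolves to {1} ({2})" -f $blobHost, $rec.IPAddress, $kind)
    }
} catch {
    Write-Host "DNS resolution of $blobHost failed: $($_.Exception.Message)"
}
```

The NSG, route table and peering checks from the sections above are not covered by this script; they depend on which virtual networks and subnets are involved and are best reviewed in the portal or with az network commands for the specific resources.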
Disclaimer
Please note that products and options presented in this article are subject to change. This article reflects the documentation in January 2026.
I hope this article was helpful for you, please feel free to share your feedback in the comments section.