User-assigned managed identity support for auditing in Azure SQL Database:
Published Sep 08 2022 12:58 AM
Microsoft

Auditing for Azure SQL Database now supports user-assigned managed identity (UMI). Auditing can write to a storage account using one of two authentication methods: managed identity or storage access keys. For managed identity, you can use either a system-assigned or a user-assigned identity. To learn more about UMI in Azure, refer here.

To configure writing audit logs to a storage account, select Storage when you reach the Auditing section, then select the Azure storage account where logs will be saved. Two storage authentication types are available: managed identity and storage access keys.

For managed identity, both system-assigned and user-assigned identities are supported.

By default, auditing uses the primary user-assigned identity that is assigned to the server. If the server has no user-assigned identity, a system-assigned identity is created and used for authentication.

Select the retention period by opening Advanced properties, then click Save. Logs older than the retention period are deleted.

Note

Enabling auditing through the Azure portal to a storage account that sits behind a VNet or firewall is not currently supported with the user-assigned managed identity authentication type.

[Screenshot: SravaniSaluru_0-1662623732230.png]

Review the Identity blade for your Azure SQL server; it shows the one primary identity that is configured.

 

[Screenshot: SravaniSaluru_1-1662623732234.png]

To configure auditing using a user-assigned managed identity, follow these steps:

  1. Create a user-assigned managed identity and assign it to the server (User-assigned managed identity in Azure AD for Azure SQL - Azure SQL Database & Azure SQL Managed In...).
  2. Go to the storage account that will receive the audit logs and assign the 'Storage Blob Data Contributor' RBAC role, scoped to that storage account, to the user-assigned identity you assigned to the server in step 1.
     Assign Azure roles using the Azure portal - Azure RBAC | Microsoft Docs
  3. Only after that role assignment is in place, enable auditing with the storage authentication type set to managed identity.

If no user-assigned managed identity has been created, the system-assigned identity is used by default. For the system-assigned case, when you configure auditing to a storage account and select managed identity, the service creates the system-assigned identity and grants it the required permissions on the storage account; no user action is required.
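The three steps above, expressed as infrastructure-as-code so that the ordering (identity, then role assignment, then auditing) is enforced by the deployment rather than by hand. This is an added example and not part of the original post or of any Microsoft sample: a Bicep template that creates the user-assigned identity, makes it the server's primary identity, grants it Storage Blob Data Contributor scoped to the audit storage account only, and enables server-level auditing with isManagedIdentityInUse set so that no storage access key is involved. Resource and parameter names, the 90-day retention, the audit action groups and the API versions are assumptions; the storage account is assumed to already exist in the same resource group.

```bicep
// Added example (not from the original post): UMI-based auditing for an Azure SQL logical server.
// Names, location, retention and action groups below are assumptions for illustration.
param location string = resourceGroup().location
param serverName string = 'sql-audit-demo'
param identityName string = 'umi-sql-audit'
param storageAccountName string            // existing account that will receive the audit logs
param adminLogin string = 'sqladmin'
@secure()
param adminPassword string

// Built-in role definition ID for "Storage Blob Data Contributor"
var storageBlobDataContributor = 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'

// Step 1a: the user-assigned managed identity
resource umi 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

// The audit target is an existing storage account in this resource group
resource auditStorage 'Microsoft.Storage/storageAccounts@2023-01-01' existing = {
  name: storageAccountName
}

// Step 1b: assign the identity to the server and make it the primary identity,
// which is the one auditing picks by default.
resource sqlServer 'Microsoft.Sql/servers@2022-05-01-preview' = {
  name: serverName
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${umi.id}': {}
    }
  }
  properties: {
    administratorLogin: adminLogin
    administratorLoginPassword: adminPassword
    primaryUserAssignedIdentityId: umi.id
    minimalTlsVersion: '1.2'
  }
}

// Step 2: grant the identity blob write access on the audit storage account.
// The scope is the storage account itself, not the resource group or subscription,
// so the identity cannot touch any other storage.
resource auditRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(auditStorage.id, umi.id, storageBlobDataContributor)
  scope: auditStorage
  properties: {
    principalId: umi.properties.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', storageBlobDataContributor)
  }
}

// Step 3: enable auditing only after the role assignment exists (dependsOn),
// authenticating to storage with the managed identity instead of an access key.
resource auditing 'Microsoft.Sql/servers/auditingSettings@2022-05-01-preview' = {
  parent: sqlServer
  name: 'default'
  properties: {
    state: 'Enabled'
    storageEndpoint: auditStorage.properties.primaryEndpoints.blob
    isManagedIdentityInUse: true
    retentionDays: 90
    auditActionsAndGroups: [
      'SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP'
      'FAILED_DATABASE_AUTHENTICATION_GROUP'
      'BATCH_COMPLETED_GROUP'
    ]
  }
  dependsOn: [
    auditRole
  ]
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file audit.bicep --parameters storageAccountName=<account>`. Afterwards, `az role assignment list --scope <storage account resource ID>` should list the identity's principal with Storage Blob Data Contributor and nothing broader, and `az sql server audit-policy show --name <server> --resource-group <rg>` should report the policy as enabled against the blob endpoint; because no `storageAccountAccessKey` is set, a missing or removed role assignment is the first thing to check if audit blobs stop appearing.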

Last update: Jan 02 2023 03:33 AM