The Problem with Credentials in SQL Server
For an On-Premises SQL Server to access Azure services, you traditionally need to store secrets:
Common Scenarios Requiring Credentials
|
Scenario |
Required Credential |
|
Backup to URL (Azure Blob) |
Storage account key or SAS token |
|
Extensible Key Management (Azure Key Vault) |
Service principal + secret |
|
Calling Azure OpenAI from T-SQL |
API key |
|
PolyBase to Azure Data Lake |
Service principal or key |
Associated Risks
Manual Rotation
Secrets expire. You need to plan and execute rotation and not forget to update all references.
Secure Storage
Where to store these secrets? In SQL Server via CREATE CREDENTIAL? In a config file? Each option has its risks.
Attack Surface
A compromised secret gives access to associated Azure resources. The more secrets you have, the larger the attack surface.
Complex Auditing
Who has access to these secrets? When were they used? Tracking is difficult.
The Solution: Azure Arc + Managed Identity
SQL Server 2025 connected to Azure Arc can geta Managed Identity :
This identity:
- Is managed by Microsoft Entra ID
- Has no secret to store or rotate
- Can receive RBAC permissions on Azure resources
- Is centrally audited in Entra ID
How It Works
- SQL Server 2025 On-Prem
- Azure Arc Agent installed on the server
- Managed Identity (automatically created in Entra ID)
- RBAC assignment on Azure resources
- -free access to Blob Storage, Key Vault, etc
- RBAC assignment on Azure resources
- Managed Identity (automatically created in Entra ID)
- Azure Arc Agent installed on the server
Step-by-Step Configuration
Step 1: Enable Azure Arc on the Server and/or Register SQL Server in Azure Arc
Follow the procedure describes in this article to onboard your server in Azure Arc.
Connect Your SQL Server to Azure Arc
Remember that you can also evaluate Azure Arc on a Azure VM (test use only)
How to evaluate Azure Arc-enabled servers with an Azure virtual machine
Step 2: Retrieve the Managed Identity
The Managed Identity can be enabled and retrieved from Azure Arc | SQL Servers > “SQL Server instance” > Settings > Microsoft Entra ID
Note: The Managed Identity is server-wide (not at the instance level)
Step 3: Assign RBAC Roles
Granting access to a Storage Account for backups
$sqlServerId = (az resource show --resource-group "MyRG" --name "ServerName" --resource-type "Microsoft.HybridCompute/machines" --query identity.principalId -o tsv)
az role assignment create --role "Storage Blob Data Contributor" `
--assignee-object-id $sqlServerId `
--scope "/subscriptions/xxx/resourceGroups/MyRG/providers/Microsoft.Storage/storageAccounts/mybackupaccount"
Ex:
Backup to URL Without Credential
- Before (with SAS token)
-- Create a credential with a SAS token (expires, must be rotated)
CREATE CREDENTIAL [https://mybackup.blob.core.windows.net/backups]
WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
SECRET = 'sv=2022-11-02&ss=b&srt=sco&sp=rwdlacup...'
BACKUP DATABASE [MyDB]
TO URL = 'https://mybackup.blob.core.windows.net/backups/MyDB.bak'
WITH COMPRESSION
- After (with Managed Identity
--No secret anymore
CREATE CREDENTIAL [https://mybackup.blob.core.windows.net/backups]
WITH IDENTITY = 'Managed Identity'
BACKUP DATABASE [MyDB]
TO URL = 'https://mybackup.blob.core.windows.net/backups/MyDB.bak'
WITH COMPRESSION
Extensible Key Management with Key Vault
- EKM Configuration with Managed Identity
CREATE CREDENTIAL [MyAKV.vault.azure.net]
WITH IDENTITY = 'Managed Identity'
FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM_Prov;How Copilot Can Help
Infrastructure Configuration
Walk me through setting up Azure Arc for SQL Server 2025 to use Managed Identity for backups to Azure Blob Storage
@mssql Generate the PowerShell commands to register my SQL Server with Azure Arc and configure RBAC for Key Vault access
Identify Existing Credentials to Migrate
List all credentials in my SQL Server that use SHARED ACCESS SIGNATURE or contain secrets, so I can plan migration to Managed Identity
Migration Scripts
I have backup jobs using SAS token credentials. Generate a migration script to convert them to use Managed Identity
Troubleshooting
My backup WITH MANAGED_IDENTITY fails with "Authorization failed". What are the steps to diagnose RBAC permission issues?
@mssql The Azure Arc agent shows "Disconnected" status. How do I troubleshoot connectivity and re-register the server?
Audit and Compliance
Generate a report showing all Azure resources my SQL Server's Managed Identity has access to, with their RBAC role assignments
Prerequisites and Limitations
Prerequisites
Azure Arc agent installed and connected SQL Server 2025, running on Windows
Azure Extension for SQL Server.
Current Limitations
- Failover cluster instances isn't supported.
- Disabling not recommended
- Only system-assigned managed identities are supported
- FIDO2 method not currently supported
- Azure public cloud access required
Documentation
- Overview
- Managed identity overview
- Set Up Managed Identity and Microsoft Entra Authentication for SQL Server Enabled by Azure Arc
- Set up Transparent Data Encryption (TDE) Extensible Key Management with Azure Key Vault
Microsoft