"Invalid Managed Identity" error in vulnerability assessments for SQL Managed Instance
On a recent case, a customer received the error "Invalid Managed Identity" when trying to scan a database. The error suggests that there is an issue with the managed identity or the RBAC permissions required, but the same error occurs when there is a connectivity issue between SQL Managed Instance and the storage account selected. Checking RBAC permissions The RBAC permissions can be manually checked in Azure Portal, or you can use the below script in Azure CLI, providing the resource details. #SQL Managed Instance Details $serverResourceGroup = '' $serverName = '' #Storage Account Details $storageAccountResourceGroup = '' $storageAccount = '' ############################################################################################################################## $sqlIdentity = ((az sql mi show -g $serverResourceGroup -n $serverName | ConvertFrom-Json).Identity).principalId $storageId = (az storage account show -g $storageAccountResourceGroup -n $storageAccount | ConvertFrom-Json).id $permissions = $NULL $permissions = az role assignment list --all --assignee $sqlIdentity | ConvertFrom-Json | Where-Object {$_.scope -eq $storageId -and $_.roleDefinitionName -eq 'Storage Blob Data Contributor'} if ($permissions -eq $NULL) {Write-Host "RBAC permissions do not exist"} else {Write-Host "RBAC Permissions exist"} It will return a simple message to confirm if the permissions exist. Connectivity issues If the permissions do exist, then it may be due to connectivity issues between SQL Managed Instance and the storage account. Listed below are ways to check this. Storage account networking configuration The storage account can be configured to allow the following access: Public - All Public - Selected networks Private If the access is set to Selected Networks, make sure the SQL Managed Instance subnet is in the list. If the access is private only, then the SQL Managed Instance would need to be able to resolve the Private IP in DNS. NSG/Firewall rules and routing Check that there are no rules blocking connections between each resource and that the routing is configured correctly. DNS settings If the DNS settings are custom or a private endpoint is being used, the DNS configuration for the SQL Managed Instance virtual network may need to be configured, for example, adding a private DNS zone. Network Peering If the connectivity is through a private endpoint in a different virtual network, check that there is communication between them, such as network peering. Disclaimer Please note that products and options presented in this article are subject to change. This article reflects the documentation in January 2026. I hope this article was helpful for you, please feel free to share your feedback in the comments section.Data Migration - Azure SQL MI and Azure SQL DB
Data Migration Between Azure SQL Managed Instance and Azure SQL Database: Methods and Considerations As of this writing, Azure Database Migration Service (DMS) doesn't support SQL MI nor SQL DB as the source database (Supported migration scenarios). As an alternative to use DMS, one of the common support requests we receive from Azure SQL customers is about the best ways to migrate data between Azure SQL Managed Instance (SQL MI) and Azure SQL Database (SQL DB), or vice versa. This post outlines the primary methods available, their pros and cons, and key considerations to help you choose the right approach for your scenario. 1. BACPAC Export/Import Overview: This is a straightforward method where you export your database schema and data to a BACPAC file, then import it into the target environment. Key Points: Simplicity: Easy to use for small to medium-sized databases. Limitations: The BACPAC file size is limited to 200GB when exporting to Azure Blob Storage. Considerations: Larger databases may require splitting or alternative methods. Some features and objects (like certain types of indexes or security settings) may not be fully supported in BACPAC exports/imports. 2. Transactional Replication Overview: If your business requires data to be online during the migration, transactional replication may be your choice. Key Points: Online Migration: Enables near real-time data replication, making it suitable for scenarios where minimal downtime is required. Initialization Challenges: Large tables (having size of hundreds of GBs or more) can make the initial snapshot and data transfer challenging. One-way Only: This method only supports migration from SQL MI to SQL DB, not the other way around. SQL DB cannot act as a publisher due to the lack of Replication Agent (SQL Server Agent) support. 3. Azure Data Factory (ADF) Overview: ADF is a flexible, cloud-based ETL service that can orchestrate data movement between SQL MI and SQL DB. Key Points: Flexibility: Supports both offline and (with limitations) online migrations. Learning Curve: Some initial setup and learning may be required if you’re new to ADF. Online Migration Limitations: Online migration using ADF requires configuring Change Data Capture (CDC) on the source, which is not supported for SQL DB as a source. This means online migration is only feasible from SQL MI to SQL DB, not the reverse Here’s a sample decision matrix to help you choose the best migration method between SQL MI and SQL DB Criteria / Scenario BACPAC Export/Import Transactional Replication Azure Data Factory Direction: SQL MI -> SQL DB ✔️ ✔️ ✔️ Direction: SQL DB -> SQL MI ✔️ ❌ ✔️ Database Size < 200GB ✔️ ✔️ ✔️ Database Size > 200GB ❌ ✔️ ✔️ Minimal Downtime Needed ❌ ✔️ Partial* Online Migration ❌ ✔️ Partial* Learning Curve Low Medium Medium *ADF can support near-online migration if Change Data Capture (CDC) is enabled on the source, but CDC is not supported for SQL DB as a source.
