| title | Managed identity overview | |
|---|---|---|
| description | Learn about managed identity with SQL Server 2025 enabled by Azure Arc. | |
| author | PratimDasgupta | |
| ms.author | prdasgu | |
| ms.reviewer | mikeray, randolphwest, mathoma, vanto | |
| ms.date | 11/18/2025 | |
| ms.service | sql | |
| ms.topic | concept-article | |
| ms.custom |
|
|
| monikerRange | >=sql-server-ver17 |
[!INCLUDE sqlserver2025]
[!INCLUDE sssql25-md] includes managed identity support for SQL Server on Windows. Use a managed identity to interact with resources in Azure by using Microsoft Entra authentication.
[!INCLUDE sssql25-md] introduces support for Microsoft Entra managed identities. Use managed identities to authenticate to Azure services without needing to manage credentials. Managed identities are automatically managed by Azure and can be used to authenticate to any service that supports Microsoft Entra authentication. With [!INCLUDE sssql25-md], you can use managed identities both to authenticate inbound connections, and also to authenticate outbound connections to Azure services.
When you connect your SQL Server instance to Azure Arc, a system-assigned managed identity is automatically created for the SQL Server hostname. After the managed identity is created, you must associate the identity with the SQL Server instance and the Microsoft Entra tenant ID by updating the registry.
For step-by-step setup instructions, see Set up managed identity for SQL Server enabled by Azure Arc.
When using managed identity with SQL Server enabled by Azure Arc, consider the following:
- The managed identity is assigned at the Azure Arc server level.
- Only system-assigned managed identities are supported.
- SQL Server uses this Azure Arc server level managed identity as the primary managed identity.
- SQL Server can use this primary managed identity in either
inboundand/oroutboundconnections.Inbound connectionsare logins and users connecting to SQL Server. Inbound connections can also be achieved by using App registration, starting in [!INCLUDE sssql22-md].Outbound connectionsare SQL Server connections to Azure resources, like backup to URL, or connecting to Azure Key Vault.
- App Registration can't enable a SQL Server to make outbound connections. Outbound connections need a primary managed identity assigned to the SQL Server.
- For SQL Server 2025 and later, we recommend that you use managed identity based Microsoft Entra setup, as detailed in this article. Alternatively, you can configure an app registration for SQL Server 2025.
Before you can use a managed identity with SQL Server enabled by Azure Arc, ensure that you meet the following prerequisites:
- Connect your SQL Server to Azure Arc.
- The latest version of the Azure Extension for SQL Server.
For detailed setup instructions, see Set up managed identity for SQL Server enabled by Azure Arc.
Consider the following limitations when using a managed identity with SQL Server 2025:
- The managed identity setup for Microsoft Entra authentication is only supported with Azure Arc-enabled SQL Server 2025, running on Windows Server.
- SQL Server needs access to Azure public cloud to use Microsoft Entra authentication.
- Using Microsoft Entra authentication with failover cluster instances isn't supported.
- Once Microsoft Entra authentication is enabled, disabling isn't advisable. Disabling Microsoft Entra authentication forcefully by deleting registry entries can result in unpredictable behavior with SQL Server 2025.
- Authenticating to SQL Server on Arc machines through Microsoft Entra authentication using the FIDO2 method isn't currently supported.
- OPENROWSET BULK operations can also read the tokens folder
C:\ProgramData\AzureConnectedMachineAgent\Tokens\. TheBULKoption requires eitherADMINISTER BULK OPERATIONSorADMINISTER DATABASE BULK OPERATIONSpermissions. These permissions should be treated as equivalent to sysadmin.