Add script, add error 13822, and permission reference (#35676)

JamesFerebee · web-flow · commit 048e20cc7875 · 2025-10-30T14:57:58.000-06:00
diff --git a/docs/relational-databases/polybase/managed-identity.md b/docs/relational-databases/polybase/managed-identity.md
@@ -1,53 +1,91 @@
 ---
-title: "Configure PolyBase Support for Managed Identity"
-description: "Explains how to configure PolyBase to query resources in Azure with managed identity."
+title: Configure PolyBase Support for Managed Identity
+description: Learn to configure PolyBase to query Azure resources by using managed identity.
 author: MikeRayMSFT
 ms.author: mikeray
-ms.date: 08/08/2025
+ms.reviewer: randolphwest
+ms.date: 10/30/2025
 ms.service: sql
 ms.topic: concept-article
 ---
 
-# Connect to Azure storage with managed identity from PolyBase
+# Connect to Azure Storage with managed identity from PolyBase
 
-Beginning with [!INCLUDE [sssql25-md](../../includes/sssql25-md.md)] you can use managed identities to access:
+[!INCLUDE [sqlserver2025-and-later](../../includes/applies-to-version/sqlserver2025-and-later.md)]
 
-- Microsoft Azure Blob Storage
-- Microsoft Azure Data Lake
+Starting with [!INCLUDE [sssql25-md](../../includes/sssql25-md.md)], you can use [managed identity](../../sql-server/azure-arc/managed-identity.md) to access the following Azure resources:
+
+- Azure Blob Storage
+- Azure Data Lake
 
 ## Prerequisites
 
 - [!INCLUDE [sssql25-md](../../includes/sssql25-md.md)]
 - [SQL Server enabled by Azure Arc](../../sql-server/azure-arc/managed-identity.md)
-- Enable `sp_configure 'allow server scoped db credentials'`
+- Enable the `allow server scoped db credentials` server configuration option
+- Give the managed identity access to the Azure Blob Storage resource.
 
 ## Update the registry
 
 > [!WARNING]  
-> Incorrectly editing the registry can severely damage your system. Before making changes to the registry, we recommend you back up any valued data on the computer.
+> [!INCLUDE [ssnoteregistry-md](../../includes/ssnoteregistry-md.md)]
 
-Update the registry subkey `\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL17.MSSQLSERVER\MSSQLServer\FederatedAuthentication`. Add the following entries for your data storage types.
+Update the registry subkey `\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL17.MSSQLSERVER\MSSQLServer\FederatedAuthentication`. Add the following entries for your data storage types:
 
 | Entry | Value |
 | --- | --- |
 | `AADDataLakeEndPoint` | `datalake.azure.net` |
-| `AADAzureStorageEndPoint` | `storage.azure.com` |
+| `AADAzureStorageEndpoint` | `storage.azure.com` |
+
+### Registry example
+
+The following example script inserts the registry keys for a [!INCLUDE [sssql25-md](../../includes/sssql25-md.md)] named instance called `SQL25Inst`, if it doesn't already exist:
+
+```powershell
+$yourinstance = "MSSQL17.SQL25Inst"
+
+# Define the registry path
+$regPath = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($yourinstance)\MSSQLServer\FederatedAuthentication"
+Write-Host "Path to be updated: $regPath"
+
+# Ensure the path exists
+if (-not (Test-Path $regPath)) {
+    New-Item -Path $regPath -Force | Out-Null
+}
+
+# Define the values to create
+$values = @{
+    "AADDataLakeEndPoint" = "datalake.azure.net"
+    "AADAzureStorageEndpoint" = "storage.azure.com"
+}
+
+foreach ($name in $values.Keys) {
+    $existing = Get-ItemProperty -Path $regPath -Name $name -ErrorAction SilentlyContinue
+    if ($null -eq $existing) {
+        New-ItemProperty -Path $regPath -Name $name -Value $values[$name] -PropertyType String -Force
+        Write-Host "Created registry value '$name' with '$($values[$name])'"
+    }
+    else {
+        Write-Host "Registry value '$name' already exists. Skipping..."
+    }
+}
+```
 
-These keys are in addition to the registry keys required as described in [Managed identity (preview) for SQL Server enabled by Azure Arc](../../sql-server/azure-arc/managed-identity.md?tabs=manual#update-the-registry).
+Add these keys along with the keys described in [Managed identity (preview) for SQL Server enabled by Azure Arc](../../sql-server/azure-arc/managed-identity.md?tabs=manual#update-the-registry).
 
 ## Create database scoped credentials
 
 Add a database scoped credential for managed identity.
 
-1. Allow server scoped database credentials. Run the following command.
+1. Allow server scoped database credentials. Run the following Transact-SQL query:
 
    ```sql
-   EXECUTE sp_configure 'allow server scoped db credentials',1;
+   EXECUTE sp_configure 'allow server scoped db credentials', 1;
    GO
    RECONFIGURE;
    ```
 
-1. Create a database scoped credential. The example uses the name `managed_id`.
+1. Create a database scoped credential. This example uses the name `managed_id`:
 
    ```sql
    CREATE DATABASE SCOPED CREDENTIAL [managed_id]
@@ -56,18 +94,49 @@ Add a database scoped credential for managed identity.
 
 ## Create external data source
 
-Create the external data source.
+Create the external data source with the following settings.
+
+### [Azure Storage account (V2)](#tab/asav2)
+
+- **Connector location prefix**
+  - `abs`
+
+- **Location path**
+  - `abs://<container_name>@<storage_account_name>.blob.core.windows.net/`, or
+  - `abs://<storage_account_name>.blob.core.windows.net/<container_name>`
+
+- **Supported locations by product / service**
+  - [!INCLUDE [sssql25-md](../../includes/sssql25-md.md)] enabled by Azure Arc
+  - [!INCLUDE [sssql22-md](../../includes/sssql22-md.md)]: Hierarchical namespace supported
+
+- **Authentication**
+  - Shared access signature (SAS), or
+  - Managed identity
 
-| External data source | Connector location prefix | Location path | Supported locations by product / service | Authentication |
-| --- | --- | --- | --- | --- |
-| Azure Storage Account (V2) | `abs` | `abs://<container_name>@<storage_account_name>.blob.core.windows.net/`<br />or<br />`abs://<storage_account_name>.blob.core.windows.net/<container_name>` | - [!INCLUDE [sssql22-md](../../includes/sssql22-md.md)]: Hierarchical Namespace supported<br />- [!INCLUDE [sssql25-md](../../includes/sssql25-md.md)] enabled by Azure Arc | Shared access signature (SAS)<br />or<br />Managed Identity |
-| Azure Data Lake Storage | `adls` | `adls://<container_name>@<storage_account_name>.dfs.core.windows.net/`<br />or<br />`adls://<storage_account_name>.dfs.core.windows.net/<container_name>` | - [!INCLUDE [sssql22-md](../../includes/sssql22-md.md)]<br />- [!INCLUDE [sssql25-md](../../includes/sssql25-md.md)] enabled by Azure Arc | Shared access signature (SAS)<br />or<br />Managed Identity |
+### [Azure Data Lake Storage](#tab/adls)
+
+- **Connector location prefix**
+  - `adls`
+
+- **Location path**
+  - `adls://<container_name>@<storage_account_name>.dfs.core.windows.net/`, or
+  - `adls://<storage_account_name>.dfs.core.windows.net/<container_name>`
+
+- **Supported locations by product / service**
+  - [!INCLUDE [sssql25-md](../../includes/sssql25-md.md)] enabled by Azure Arc
+  - [!INCLUDE [sssql22-md](../../includes/sssql22-md.md)]
+
+- **Authentication**
+  - Shared access signature (SAS), or
+  - Managed identity
+
+---
 
-## Query a parquet file in Azure Blob Storage
+## Query a Parquet file in Azure Blob Storage
 
-[!INCLUDE [sssql25-md](../../includes/sssql25-md.md)] supports for Manage Identity through Azure Arc. For instructions, review [Managed identity (preview) for SQL Server enabled by Azure Arc](../../sql-server/azure-arc/managed-identity.md).
+[!INCLUDE [sssql25-md](../../includes/sssql25-md.md)] supports for managed identity through Azure Arc. For instructions, see [Managed identity (preview) for SQL Server enabled by Azure Arc](../../sql-server/azure-arc/managed-identity.md).
 
-The following example queries a parquet file in Azure Blob Storage
+The following example queries a Parquet file in Azure Blob Storage:
 
 ```sql
 EXECUTE sp_configure 'allow server scoped db credentials', 1;
@@ -86,32 +155,38 @@ WITH (
 
 ## Errors and solutions
 
-[!INCLUDE [sssql25-md](../../includes/sssql25-md.md)] enabled by Azure Arc fails to authenticate using Managed Identity.
+### External table isn't accessible (Error 16562)
 
-To use managed identity, [!INCLUDE [sssql25-md](../../includes/sssql25-md.md)] must be enabled by Azure Arc. For instructions on how to enable by Azure Arc, review [Managed identity (preview) for SQL Server enabled by Azure Arc](../../sql-server/azure-arc/managed-identity.md).
-
-Enable `sp_configure 'allow server scoped db credentials'`.
-
-If any of the following are true, the PolyBase query fails:
-
-- The SQL Server instance isn't properly configured for Azure Arc
-- Registry entries are missing
-- `allow server scoped db credentials` is disabled
-
-The query will return one of the following errors when trying to access Azure Blob Storage or Azure Data Lake:
+You might encounter error 16562 when trying to access Azure Blob Storage or Azure Data Lake if you're missing prerequisites:
 
 ```output
 Msg 16562, Level 16, State 1, Line 79
 External table <name> is not accessible because location does not exist or it is used by another process.
 ```
 
-Or
+Check the following items:
+
+- The SQL Server instance is properly configured for Azure Arc. For more information, see [Managed identity (preview) for SQL Server enabled by Azure Arc](../../sql-server/azure-arc/managed-identity.md).
+
+- The required registry entries exist.
+
+- `allow server scoped db credentials` is enabled.
+
+### File can't be opened (Error 16562)
+
+You might encounter error 13822 when you access Azure Blob Storage or Azure Data Lake if the managed identity lacks permissions on the storage account, or network access to storage is blocked.
 
 ```output
-Msg 16562, Level 16, State 1, Line 79
-External table <name> is not accessible because location does not exist or it is used by another process.
+Msg 13822, Level 16, State 1, Line 9
+File <file> cannot be opened because it does not exist or it is used by another process.
 ```
 
+Check the following items:
+
+- Does the managed identity have permissions to the storage container?
+- Can the managed identity access the storage container outside SQL Server?
+- Is the file locked exclusively?
+
 ## Related content
 
 - [Managed identity (preview) for SQL Server enabled by Azure Arc](../../sql-server/azure-arc/managed-identity.md)
