Managed identity (preview) for SQL Server enabled by Azure Arc

2025-06-10

Applies to: SQL Server 2025 (17.x) Preview

This article describes how to configure a managed identity for SQL Server enabled by Azure Arc.

SQL Server 2025 (17.x) Preview includes managed identity support for SQL Server on Windows. Use a managed identity to interact with resources in Azure by using Microsoft Entra authentication.

Note

Using a managed identity with SQL Server 2025 is currently in preview.

Overview

SQL Server 2025 (17.x) Preview introduces support for Microsoft Entra managed identities. Use managed identities to authenticate to Azure services without needing to manage credentials. Managed identities are automatically managed by Azure and can be used to authenticate to any service that supports Microsoft Entra authentication. With SQL Server 2025 (17.x) Preview, you can use managed identities both to authenticate inbound connections, and also to authenticate outbound connections to Azure services.

When you connect your SQL Server instance to Azure Arc, a system-assigned managed identity is automatically created for the SQL Server hostname. After the managed identity is created, you must associate the identity with the SQL Server instance and the Microsoft Entra tenant ID by updating the registry.

When using managed identity with SQL Server enabled by Azure Arc, consider the following:

The managed identity is assigned at the Azure Arc server level.
Only system-assigned managed identities are supported.
SQL Server uses this Azure Arc server level managed identity as the primary managed identity.
SQL Server can use this primary managed identity in either inbound and/or outbound connections.
- Inbound connections are logins and users connecting to SQL Server. Inbound connections can also be achieved by using App Registration available from SQL Server 2022.
- Outbound connections are SQL Server connections to Azure resources, like backup to URL, or connecting to Azure Key Vault.
App Registration can't enable a SQL Server to make outbound connections. Outbound connections need a primary managed identity assigned to the SQL Server.

Prerequisites

Before you can use a managed identity with SQL Server enabled by Azure Arc, ensure that you meet the following prerequisites:

Connect the SQL Server instance to Azure Arc.
The latest version of the Azure Extension for SQL Server.

Enable the primary managed identity

If you've installed the Azure Extension for SQL Server to your server, you can enable the primary managed identity for your SQL Server instance directly from the Azure portal. It's also possible to enable the primary managed identity manually by updating the registry, but should be done with extreme caution.

Azure portal
Manually

To enable the primary managed identity in the Azure portal, follow these steps:

Go to your SQL Server enabled by Azure Arc resource in the Azure portal.
Under Settings, select Microsoft Entra ID and Purview to open the Microsoft Entra ID and Purview page.

Note

If you don't see the Enable Microsoft Entra ID authentication option, ensure that your SQL Server instance is connected to Azure Arc and that you have the latest SQL extension installed.
On the Microsoft Entra ID and Purview page, check the box next to Use a primary managed identity and then use Save to apply your configuration:

It's possible to manually enable the primary managed identity for your SQL Server instance by updating the registry, but should be done with extreme caution.

Grant permission to the Tokens folder

Grant Read & execute operating system permissions on the folder C:\ProgramData\AzureConnectedMachineAgent\Tokens\ to the SQL Server 2025 instance service account. By default, the service account is NT Service\MSSQLSERVER, or for named instances, NT Service\MSSQL$<instancename>.

Screenshot of Tokens folder Security properties tab.

You might need to grant admin permissions for the SQL Server service account on the AzureConnectedMachineAgent folder prior to the Tokens folder:

Screenshot of AzureConnectedMachineAgent folder Security properties tab.

Add SQL Server service account to the Hybrid agent extension applications group

Add the SQL Server service account (default: NT Service\MSSQLSERVER or for named instances, NT Service\MSSQL$instancename) to the Hybrid agent extension applications group.

Open Windows Computer Management.
Go to Local Users and Groups and select Groups.
Add the SQL Server service account to the Hybrid agent extension applications group.

Screenshot of Computer Management showing the hybrid agent extension application group.

Screenshot of the hybrid agent extension application group properties.

Update the registry

Warning

Incorrectly editing the registry can severely damage your system. Before making changes to the registry, we recommend you back up any valued data on the computer.

In the registry, update the \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL17.MSSQLSERVER\MSSQLServer\FederatedAuthentication subkey.

Create the following entries:

Entry	Value
`ArcServerManagedIdentityClientId`	Empty (no value)
`HIMDSApiVersion`	`2020-06-01`
`HIMDSEndpoint`	`http://localhost:40342/metadata/identity/oauth2/token`
`ArcServerSystemAssignedManagedIdentityTenantId`	`Arc-AAD-Tenant-ID`
`ArcServerSystemAssignedManagedIdentityClientId`	`Arc-Machine-Client-Id`
`PrimaryAADTenant`	`Arc-AAD-Tenant-ID`
`AADChannelMaxBufferedMessageSize`	`200000`
`AADGraphEndPoint`	`graph.windows.net`
`AADGroupLookupMaxRetryAttempts`	`10`
`AADGroupLookupMaxRetryDuration`	`30000`
`AADGroupLookupRetryInitialBackoff`	`100`
`AADServerAdminSid`	`00000000-0000-0000-0000-000000000000`
`AuthenticationEndpoint`	`login.microsoftonline.com`
`CacheMaxSize`	`300`
`ClientCertBlackList`	Empty (no value)
`FederationMetadataEndpoint`	`login.windows.net`
`GraphAPIEndpoint`	`graph.windows.net`
`IssuerURL`	`https://sts.windows.net/`
`OnBehalfOfAuthority`	`https://login.windows.net/`
`STSURL`	`https://login.windows.net/`
`MsGraphEndPoint`	`graph.microsoft.com`
`SendX5c`	`false`
`ServicePrincipalName`	`https://database.windows.net/`
`ServicePrincipalNameForArcadia`	`https://sql.azuresynapse.net`
`ServicePrincipalNameForArcadiaDogfood`	`https://sql.azuresynapse-dogfood.net`
`ServicePrincipalNameNoSlash`	`https://database.windows.net`
`AADBecWSConnectionPoolMaxSize`	`500`

Back up and edit the registry

The following sections describe how to back up and edit the registry with Registry Editor.

Open the Registry Editor

Press Windows key + R to open the Run dialog box.
Type regedit and press Enter.
If prompted by User Account Control, select Yes.

Back up the registry key

This step backs up the registry before you make any changes. You can import this file back into the registry later if your changes cause a problem.

Select File from the menu.
Select Export.
In the Export Registry File dialog box, choose a ___location to save the backup.
Enter a name for the backup file in the File name field.
Ensure All is selected in the Export range.
Select Save.

Add entries

In this step, you'll add entries to the registry with Registry Editor.

Navigate this subkey: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL17.MSSQLSERVER\MSSQLServer\FederatedAuthentication.
Right-click on FederatedAuthentication and select String Value.
Repeat for each entry listed at Update the registry

This image demonstrates a correctly configured registry:

Restore the registry key (if needed)

If you need to restore to previous registry settings, follow these steps.

Open the Registry Editor as described above.
Select File from the menu.
Select Import.
Navigate to the ___location of your saved backup file.
Select the backup file and select Open.

For details, review How to add, modify, or delete registry subkeys and values by using a .reg file.

Grant application permissions to the identity

The system-assigned managed identity, which uses the Arc-enabled machine name, must have the following Microsoft Graph application permissions (app roles): User.Read.All, GroupMember.Read.All, and Application.Read.All.

You can use PowerShell to grant required permissions to the managed identity. Alternatively, you can create a role-assignable group. After the group is created, assign the Directory readers role to the group, and add all system-assigned managed identities for your Arc-enabled machines to the group.

The following PowerShell script grants the required permissions to the managed identity:

# Update these variables to match your Azure & Arc machine setup
$tenantID = '<Enter-Your-Azure-Tenant-Id>'
$managedIdentityName = '<Enter-Your-Arc-HostMachine-Name>'

# Install and connect to AzureAD
try {
    Install-Module -Name AzureAD -Force -Scope CurrentUser -ErrorAction Stop
    Import-Module AzureAD
    Connect-AzureAD -TenantId $tenantID
    Write-Output "Connected to AzureAD successfully."
} catch {
    Write-Error "Failed to install or connect to AzureAD: $_"
    return
}

# Get Microsoft Graph API service principal
$graphAppId = '00000003-0000-0000-c000-000000000000'
$graphSP = Get-AzureADServicePrincipal -Filter "appId eq '$graphAppId'"
if (-not $graphSP) {
    Write-Error "Microsoft Graph service principal not found."
    return
}

# Get the managed identity
$managedIdentity = Get-AzureADServicePrincipal -SearchString $managedIdentityName | Where-Object { $_.DisplayName -eq $managedIdentityName }

if (-not $managedIdentity) {
    Write-Error "Managed identity '$managedIdentityName' not found."
    return
}

# Define roles to assign
$requiredRoles = @(
    "User.Read.All",
    "GroupMember.Read.All",
    "Application.Read.All"
)

# Assign roles
foreach ($roleValue in $requiredRoles) {
    $appRole = $graphSP.AppRoles | Where-Object { $_.Value -eq $roleValue -and $_.AllowedMemberTypes -contains "Application" }
    if ($appRole) {
        try {
            New-AzureADServiceAppRoleAssignment `
                -ObjectId $managedIdentity.ObjectId `
                -PrincipalId $managedIdentity.ObjectId `
                -ResourceId $graphSP.ObjectId `
                -Id $appRole.Id
            Write-Output "Successfully assigned role '$roleValue' to '$managedIdentityName'."
        } catch {
            Write-Warning "Failed to assign role '$roleValue': $_"
        }
    } else {
        Write-Warning "Role '$roleValue' not found in Microsoft Graph AppRoles."
    }
}

Create logins and users

Follow the steps in the Microsoft Entra tutorial to create logins and users for the managed identity.

Limitations

Consider the following limitations when using a managed identity with SQL Server 2025:

Microsoft Entra authentication is only supported with Arc enabled SQL Server 2025 running on Windows Server.
Using Microsoft Entra authentication with failover cluster instances isn't supported.
The identity you choose to authenticate to SQL Server has to have either the Directory Readers role in Microsoft Entra ID or the following three Microsoft Graph application permissions (app roles): User.Read.All, GroupMember.Read.All, and Application.Read.All.
Once Microsoft Entra authentication is enabled, disabling isn't advisable. Disabling Microsoft Entra authentication forcefully by deleting registry entries can result in unpredictable behavior with SQL Server 2025.
Authenticating to SQL Server on Arc machines through Microsoft Entra authentication using the FIDO2 method isn't currently supported.

Share via