managed identity faq

Author: Cephas Lin

articles/app-service/tutorial-dotnetcore-sqldb-app.md

@@ -181,6 +181,9 @@ The creation wizard generated connection strings for the SQL database and the Re
     :::column-end:::
 :::row-end:::
 
+> [!TIP]
+> The SQL database connection string uses SQL authentication. For more secure, passwordless authentication, see [How do I change the SQL Database connection to use a managed identity instead?](#how-do-i-change-the-sql-database-connection-to-use-a-managed-identity-instead) 
+
 ## 3. Deploy sample code
 
 In this step, you configure GitHub deployment using GitHub Actions. It's just one of many ways to deploy to App Service, but also a great way to have continuous integration in your deployment process. By default, every `git push` to your GitHub repository kicks off the build and deploy action.
@@ -682,6 +685,29 @@ If a step fails in the autogenerated GitHub workflow file, try modifying the fai
 
 See [Set up GitHub Actions deployment from the Deployment Center](deploy-github-actions.md#set-up-github-actions-deployment-from-the-deployment-center).
 
+### How do I change the SQL Database connection to use a managed identity instead?
+
+The default connection string to the SQL database is managed by Service Connector, with the name *defaultConnector*, and it uses SQL authentication. To replace it with a connection that uses a managed identity, run the following commands in the [cloud shell](https://shell.azure.com):
+
+```azurecli-interactive
+az extension add --name serviceconnector-passwordless --upgrade
+az sql server update --enable-public-network true
+az webapp connection delete sql --connection defaultConnector --resource-group <resource-group> --name <app-name> # replace <app-name>
+az webapp connection create sql --connection defaultConnector --resource-group <resource-group> --name <app-name> --target-resource-group msdocs-core-sql-tutorial --server <sql-database-server-name> --database <database-name> --client-type dotnet --system-identity --config-connstr true # replace <app-name>, <sql-database-server-name>, and <database-name>
+az sql server update --enable-public-network false
+```
+
+By default, they command `az webapp connection create sql --client-type dotnet --system-identity --config-connstr` does the following:
+
+- Sets your user as the Entra ID administrator of the SQL database server.
+- Create a system-assigned managed identity and grants it access to the database.
+- Generates a passwordless connection string called `AZURE_SQL_CONNECTIONGSTRING`, which your app is already using at the end of the tutorial.
+
+Your app should now have connectivity to the SQL database. For more information, see [Tutorial: Connect to Azure databases from App Service without secrets using a managed identity](tutorial-connect-msi-azure-database.md).
+
+> [!TIP]
+> Don't want to enable public network connectivity? You can run it from an [Azure cloud shell that's integrated with your virtual network](../cloud-shell/vnet/deployment.md) if you have the **Owner** role assignment on your subscription.
+
 ### What can I do with GitHub Copilot in my codespace?
 
 You might have noticed that the GitHub Copilot chat view was already there for you when you created the codespace. For your convenience, we include the GitHub Copilot chat extension in the container definition (see *.devcontainer/devcontainer.json*). However, you need a [GitHub Copilot account](https://docs.github.com/copilot/using-github-copilot/using-github-copilot-code-suggestions-in-your-editor) (30-day free trial available).