docs/sql-server/azure-arc/managed-identity.md
Lines changed: 13 additions & 5 deletions
@@ -92,7 +92,7 @@ Add the SQL Server service account (default: `NT Service\MSSQLSERVER` or for nam
92
92
93
93
### Update the registry
94
94
95
-
> [!WARNING]
95
+
> [!WARNING]
96
96
> Incorrectly editing the registry can severely damage your system. Before making changes to the registry, we recommend you back up any valued data on the computer.
97
97
98
98
In the registry, update the **\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL17.MSSQLSERVER\MSSQLServer\FederatedAuthentication** subkey.
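Review bot: the removed and re-added `> [!WARNING]` lines at line 95 read identically, so this hunk is a whitespace-only change to the callout; say so in the commit message so reviewers don't look for a wording difference. While touching this section, the context line gives the subkey as `\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL17.MSSQLSERVER\MSSQLServer\FederatedAuthentication`, which is the default-instance path; since the hunk header already distinguishes the service account for named instances, add a sentence that the `MSSQL17.MSSQLSERVER` segment is the instance ID and is different for a named instance, otherwise readers of a named instance will edit a key that doesn't exist.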
@@ -181,10 +181,17 @@ For details, review [How to add, modify, or delete registry subkeys and values b
181
181
---
182
182
183
183
## Grant application permissions to the identity
184
+
> [!IMPORTANT]
185
+
> Only a [Privileged Role Administrator](/entra/identity/role-based-access-control/permissions-reference#privileged-role-administrator) or higher role can grant these permissions.
184
186
185
-
The system-assigned managed identity, which uses the Arc-enabled machine name, must have the following Microsoft Graph application permissions (app roles): `User.Read.All`, `GroupMember.Read.All`, and `Application.Read.All`.
187
+
The system-assigned managed identity, which uses the Arc-enabled machine name, must have the following Microsoft Graph application permissions (app roles):
188
+
-[User.Read.All](/graph/permissions-reference#user-permissions): Allows access to Microsoft Entra user information.
189
+
-[GroupMember.Read.All](/graph/permissions-reference#group-permissions): Allows access to Microsoft Entra group information.
190
+
-[Application.Read.ALL](/graph/permissions-reference#application-resource-permissions): Allows access to Microsoft Entra service principal (application) information.
186
191
187
-
You can use PowerShell to grant required permissions to the managed identity. Alternatively, you can [create a role-assignable group](/entra/identity/role-based-access-control/groups-create-eligible). After the group is created, assign the **Directory readers** role to the group, and add all system-assigned managed identities for your Arc-enabled machines to the group.
192
+
You can use PowerShell to grant required permissions to the managed identity. Alternatively, you can [create a role-assignable group](/entra/identity/role-based-access-control/groups-create-eligible). After the group is created, assign the **Directory readers** role or `User.Read.All`, `GroupMember.Read.All`, and `Application.Read.All` to the group, and [add all system-assigned managed identities for your Arc-enabled machines to the group](https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-directory-readers-role-tutorial?view=azuresql). We do not recommend using Directory reader in the production.
193
+
194
+
Note
188
195
189
196
The following PowerShell script grants the required permissions to the managed identity. Make sure this script is run on PowerShell 7.5 or a later version, and has the `Microsoft.Graph` module 2.28 or later installed.
190
197
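Review bot: the new sentence "assign the **Directory readers** role or `User.Read.All`, `GroupMember.Read.All`, and `Application.Read.All` to the group" tells the reader to assign Microsoft Graph application permissions to a role-assignable group, but app roles are granted to a service principal (here, each machine's system-assigned managed identity), not to a group; only the **Directory Readers** directory role can be assigned to the group. Either drop the three permissions from the group alternative or state that the app roles must be granted per identity, which is what the PowerShell script below does. Also in this hunk: `Application.Read.ALL` in the new bullet should be `Application.Read.All` to match the other occurrences; the bare `Note` added after that paragraph isn't a callout like the `> [!WARNING]` and `> [!IMPORTANT]` blocks elsewhere in this file and reads as a stray line, so make it `> [!NOTE]` with quoted text or remove it; the absolute `https://learn.microsoft.com/en-us/...?view=azuresql` link should be a relative path like the `/entra/...` links around it; and "We do not recommend using Directory reader in the production" should read "We don't recommend using the Directory Readers role in production" and give the reason, which is that the role grants read access to far more of the directory than the three app roles.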
@@ -259,9 +266,9 @@ Follow the steps in the [Microsoft Entra tutorial](../../sql-server/azure-arc/en
259
266
260
267
Consider the following limitations when using a managed identity with SQL Server 2025:
261
268
262
-
- Microsoft Entra authentication is only supported with Arc enabled SQL Server 2025 running on Windows Server.
269
+
- The managed identity setup for Microsoft Entra authentication is only supported with Arc enabled SQL Server 2025, running on Windows Server.
270
+
- SQL Server needs access to Azure public cloud to use Microsoft Entra authentication.
263
271
- Using Microsoft Entra authentication with failover cluster instances isn't supported.
264
-
- The identity you choose to authenticate to SQL Server has to have either the **Directory Readers** role in Microsoft Entra ID or the following three Microsoft Graph application permissions (app roles): `User.Read.All`, `GroupMember.Read.All`, and `Application.Read.All`.
265
272
- Once Microsoft Entra authentication is enabled, disabling isn't advisable. Disabling Microsoft Entra authentication forcefully by deleting registry entries can result in unpredictable behavior with SQL Server 2025.
266
273
- Authenticating to SQL Server on Arc machines through Microsoft Entra authentication using the [FIDO2 method](/azure/active-directory/authentication/howto-authentication-passwordless-faqs) isn't currently supported.
267
274
-[OPENROWSET BULK](../../t-sql/functions/openrowset-bulk-transact-sql.md) operations can also read the tokens folder `C:\ProgramData\AzureConnectedMachineAgent\Tokens\`. The `BULK` option requires either `ADMINISTER BULK OPERATIONS` or `ADMINISTER DATABASE BULK OPERATIONS` permissions. These permissions should be treated as equivalent to **[sysadmin](../../relational-databases/security/authentication-access/server-level-roles.md)**.
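Review bot: the rewritten bullet "only supported with Arc enabled SQL Server 2025, running on Windows Server" now reads as non-restrictive because of the comma, as if every Arc-enabled SQL Server 2025 runs on Windows Server; drop the comma and hyphenate `Arc-enabled` as the file does elsewhere ("the Arc-enabled machine name"). The new bullet "SQL Server needs access to Azure public cloud to use Microsoft Entra authentication" should say what that means operationally, that is, outbound network connectivity from the SQL Server host to Azure public cloud endpoints, and whether sovereign or national clouds are excluded, because readers planning firewall rules or non-public-cloud deployments will ask both. Removing the Directory Readers / three-app-roles bullet from the limitations is fine now that the requirement is stated in the permissions section.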
@@ -271,3 +278,4 @@ Consider the following limitations when using a managed identity with SQL Server
271
278
-[Microsoft Entra authentication for SQL Server](../../relational-databases/security/authentication-access/azure-ad-authentication-sql-server-overview.md)
272
279
-[What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)
273
280
-[Enable Microsoft Entra authentication for SQL Server on Azure VMs](/azure/azure-sql/virtual-machines/windows/configure-azure-ad-authentication-for-sql-vm)