What are managed identities in SQL Server 2025? A complete guide

Love1
Comments 0

Share to social media

Share on X (Twitter) Share on LinkedIn Share on Mastodon Share on Facebook

Learn how managed identities in SQL Server 2025 enhance security by eliminating passwords and enabling seamless Microsoft Entra authentication for Azure resources.

Those who have worked with SQL Server will understand the need to avoid storing passwords for accessing resources. Windows-based identities are fine for on-premises SQL Server systems, including those on cloud-based virtual machines (VMs), but are of no use when you need to access cloud-based resources like those in Azure.

Some Azure-based resources (including storage accounts) offer other access methods, such as shared access signatures (SAS), but these aren’t much of a step-up from passwords.

What’s really needed is for SQL Server to have its own Microsoft Entra based identity. These can be used directly with Azure-based resources – and that’s exactly where managed identities come in.

What are managed identities?

A managed identity is a Microsoft Entra identity that Azure creates and manages for a resource. This allows the resource to obtain tokens for other Azure services without the need for storing passwords, client secrets, or certificates in code or configuration. Two types of managed identities are available.

First, a system-assigned managed identity, which is specific to a resource. For example, I could add a system-assigned managed identity to an Azure Data Factory (ADF). The ADF could then use the identity when making connections to, or accessing, other resources. When the ADF is deleted, the system-assigned managed identity is also removed.

Then there’s a user-assigned managed identity. This is created independently of any specific resource and can be applied to a resource, in addition to any system-assigned managed identity. User-assigned managed identities are very powerful because a single identity can be assigned to multiple resources.

For example, I might have a single identity for a group of data factories. This simplifies the configuration of access and, importantly, if I need to recreate the data factory, I can use the same identity. Even when all the data factories are deleted, the user-assigned managed identity can survive. Another common use for these is to assign the same identity to a group of web servers.

The official Microsoft documentation for managed identities can be found here.

Why managed identities are not just service principals

Under the covers, managed identities are a special kind of service principal, but there are important differences. The major one is that service principals expire, whereas Azure manages the lifecycle and credential rotation of managed identities for you.

I’m always concerned when I see solutions built using service principals without plans for what would happen when they expire. These are like time-bombs at many sites today, but using managed identities avoids these issues. The credential expires after 90 days and is rolled over after 45 days.

The biggest contrast is operational. With a service principal, someone must create an app registration, issue and protect a secret or certificate, and periodically rotate that credential. That might also require updating dependent systems.

Fast, reliable and consistent SQL Server development…

…with SQL Toolbelt Essentials. 10 ingeniously simple tools for accelerating development, reducing risk, and standardizing workflows.
Learn more & try for free

What’s needed to use a managed identity?

To be able to use managed identities, you need two things:

  • The ability to assign a managed identity to a resource or service
  • The ability to use the managed identity when making a connection from that resource or service.

You might think that anything that can have a managed identity could also use it for connections, but that’s not the case.

For example, you can assign either or both a system-assigned managed identity and a user-assigned managed identity to an Azure Analysis Services (AAS). However, AAS does not currently provide any way to use that identity when connecting to an Azure-based resource or service.

We currently have AAS servers making connections to Azure SQL Database using logins and passwords, but I wish we didn’t have to do this. It wouldn’t be required at all if we could just specify the managed identity in the connection details.

How do managed identities apply to SQL Server 2025?

It’s increasingly common for SQL Server to need to connect to Azure-based resources. This not only happens with SQL Server in Azure VMs, but also with on-premises SQL Server installations. However, SQL Server is not a native Azure resource or service.

From SQL Server 2025 onwards, it’s possible to both configure and use a system-assigned managed identity when SQL Server is enrolled in Azure Arc. To enable this, the SQL Server instance must be connected to Arc and run on Windows Server. It must also use the latest Azure Extension for SQL Server.

Currently, the documentation notes that SQL Server must have access to Azure public cloud for Microsoft Entra authentication, and that failover cluster instances are not supported for this managed-identity setup. We also can’t (yet) use user-assigned managed identities with SQL Server.

So, we only have part of what we need right now – but it’s a great start.

How to configure and use the managed identity in SQL Server 2025

Once the SQL Server instance is Arc-enabled, you can assign the server’s primary managed identity. You do this from the Azure portal while configuring the properties of the Arc-enabled SQL Server resource, under the Microsoft Entra ID and Purview settings. This primary managed identity is what SQL Server 2025 uses when making outbound connections to Azure-based resources.

You also need to grant the identity permission to the target resource in Azure. The role required is a role-based access control (RBAC) configuration, and will usually be different for each service type.

As part of making an outbound connection, you need to use a database-scoped credential like this:

Some credentials will also require you to specify a ‘secret’, for example when making a connection to an Azure OpenAI endpoint. Here, you not only specify IDENTITY = ‘Managed Identity’, but also a JSON secret identifying the token audience.

Note that it’s common to name the credential after the scope of the resource you’re accessing:

This credential can then be used when executing calls like CREATE EXTERNAL MODEL. Once this is done, calls to the external model can use that credential to authenticate without the need to supply an API key.

In summary: managed identities in SQL Server 2025

We still have limitations with how we can configure and use managed identities with SQL Server, but what’s been provided so far is a great start. It lets traditional on-premises (and cloud VM-based) SQL Server instances participate in modern Microsoft Entra-based authentication patterns, and in turn reduce potential issues like credential leakage.

Protect your data. Demonstrate compliance.

With Redgate, stay ahead of threats with real-time monitoring and alerts, protect sensitive data with automated discovery & masking, and demonstrate compliance with traceability across every environment.
Learn more

FAQs: Managed identities in SQL Server 2025

1. What is a managed identity in Azure?

A managed identity is a Microsoft Entra ID identity automatically created and managed by Azure. It allows services to securely access other Azure resources without storing passwords, secrets, or certificates.

2. What are the types of managed identities?

  • System-assigned managed identity – tied to a single resource and deleted with it
  • User-assigned managed identity – reusable across multiple resources and managed independently

3. Why use managed identities instead of service principals?

Managed identities eliminate the need to manage credentials manually. Unlike service principals, Azure automatically rotates and manages credentials, reducing security risks and maintenance overhead.

4. Can SQL Server 2025 use managed identities?

Yes. SQL Server 2025 supports system-assigned managed identities when connected via Azure Arc, enabling secure access to Azure resources.

5. What are the requirements to use managed identities in SQL Server 2025?

  • SQL Server must be Arc-enabled
  • Must run on Windows Server
  • Requires the latest Azure Extension for SQL Server
  • Needs access to Azure public cloud for authentication

6. Does SQL Server 2025 support user-assigned managed identities?

No, currently only system-assigned managed identities are supported.

7. How do managed identities improve security in SQL Server?

They remove the need to store credentials like passwords or API keys, reducing the risk of credential leaks and simplifying secure access to Azure services.

8. How are managed identities used in SQL Server connections?

They are configured via database-scoped credentials using IDENTITY = 'Managed Identity', allowing SQL Server to authenticate securely when accessing external Azure resources.

Article tags

Recommended

About the author

Dr Greg Low is a member of the Microsoft Regional Director program that Microsoft describe as “150 of the world's top technology visionaries chosen specifically for their proven cross-platform expertise, community leadership, and commitment to business results”. He is the founder and principal consultant at SQL Down Under, a boutique data-related consultancy operating from Australia. Greg is a long-term data platform MVP and a well-known data community leader and public speaker at conferences world-wide. He is known for his pragmatic attitude to business transformation and to solving issues for business of all sizes. Greg is the host of several data-related podcasts: SQL Down Under, Cosmos Down Under, PG Down Under, and Fabric Down Under, and produces the SDU Tools toolset.

Greg's contributions

Greg's latest contributions: