{"id":110113,"date":"2026-05-05T12:00:00","date_gmt":"2026-05-05T12:00:00","guid":{"rendered":"https:\/\/www.red-gate.com\/simple-talk\/?p=110113"},"modified":"2026-05-05T07:08:40","modified_gmt":"2026-05-05T07:08:40","slug":"managed-identities-in-sql-server-2025-a-complete-guide","status":"publish","type":"post","link":"https:\/\/www.red-gate.com\/simple-talk\/databases\/sql-server\/managed-identities-in-sql-server-2025-a-complete-guide\/","title":{"rendered":"What are managed identities in SQL Server 2025? A complete guide"},"content":{"rendered":"\n<p><strong>Learn how managed identities in SQL Server 2025 enhance security by eliminating passwords and enabling seamless Microsoft Entra authentication for Azure resources.<\/strong><\/p>\n\n\n\n<p>Those who have worked with <a href=\"https:\/\/www.microsoft.com\/en-gb\/sql-server\" target=\"_blank\" rel=\"noreferrer noopener\">SQL Server<\/a> will understand the need to avoid storing passwords for accessing resources. Windows-based identities are fine for on-premises SQL Server systems, including those on cloud-based <a href=\"https:\/\/www.vmware.com\/topics\/virtual-machine\" target=\"_blank\" rel=\"noreferrer noopener\">virtual machines (VMs)<\/a>, but are of no use when you need to access cloud-based resources like those in <a href=\"https:\/\/azure.microsoft.com\/en-gb\" target=\"_blank\" rel=\"noreferrer noopener\">Azure<\/a>.<\/p>\n\n\n\n<p>Some Azure-based resources (including <a href=\"https:\/\/www.red-gate.com\/simple-talk\/cloud\/azure\/understanding-azure-storage-options\/\" target=\"_blank\" rel=\"noreferrer noopener\">storage<\/a> accounts) offer other access methods, such as <a href=\"https:\/\/learn.microsoft.com\/en-us\/shows\/inside-azure-for-it\/introduction-to-sas-shared-access-signature\" target=\"_blank\" rel=\"noreferrer noopener\">shared access signatures (SAS)<\/a>, but these aren&#8217;t much of a step-up from passwords. 
<\/p>\n\n\n\n<p>What&#8217;s really needed is for SQL Server to have its own <a href=\"https:\/\/www.microsoft.com\/en-gb\/security\/business\/microsoft-entra\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Entra<\/a> based identity. These <em>can<\/em> be used directly with Azure-based resources &#8211; and that&#8217;s exactly where managed identities come in.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-are-managed-identities\">What are managed identities?<\/h2>\n\n\n\n<p>A managed identity is a Microsoft Entra identity that Azure creates and manages for a resource. This allows the resource to obtain tokens for other Azure services without the need for storing passwords, client secrets, or certificates in code or configuration. Two types of managed identities are available.<\/p>\n\n\n\n<p>First, a system-assigned managed identity, which is specific to a resource. For example, I could add a system-assigned managed identity to an <a href=\"https:\/\/www.red-gate.com\/simple-talk\/databases\/sql-server\/bi-sql-server\/azure-data-factory-pipelines-filling-in-the-gaps\/\" target=\"_blank\" rel=\"noreferrer noopener\">Azure Data Factory (ADF)<\/a>. The ADF could then use the identity when making connections to, or accessing, other resources. When the ADF is deleted, the system-assigned managed identity is also removed.<\/p>\n\n\n\n<p>Then there&#8217;s a user-assigned managed identity. This is created independently of any specific resource and can be applied to a resource, in addition to any system-assigned managed identity. User-assigned managed identities are very powerful because a single identity can be assigned to multiple resources.<\/p>\n\n\n\n<p>For example, I might have a single identity for a group of data factories. This simplifies the configuration of access and, importantly, if I need to recreate the data factory, I can use the same identity. Even when all the data factories are deleted, the user-assigned managed identity can survive. 
Another common use for these is to assign the same identity to a group of web servers.<\/p>\n\n\n\n<p><em>The official Microsoft documentation for managed identities can be found <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity\/managed-identities-azure-resources\/overview\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>.<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-why-managed-identities-are-not-just-service-principals\">Why managed identities are not <em>just<\/em> service principals<\/h2>\n\n\n\n<p>Under the covers, managed identities are a special kind of <a href=\"https:\/\/learn.microsoft.com\/en-us\/entra\/identity-platform\/app-objects-and-service-principals?tabs=browser\" target=\"_blank\" rel=\"noreferrer noopener\">service principal<\/a>, but there are important differences. The major one is that the secrets or certificates of a service principal expire, whereas Azure manages the lifecycle and credential rotation of managed identities for you.<\/p>\n\n\n\n<p>I&#8217;m always concerned when I see solutions built using service principals without plans for what would happen when they expire. These are like time-bombs at many sites today, but using managed identities avoids these issues. A managed identity&#8217;s credential expires after 90 days and is rolled over after 45 days, with Azure performing the rollover.<\/p>\n\n\n\n<p>The biggest contrast is operational. With a service principal, someone must create an app registration, issue and protect a secret or certificate, and periodically rotate that credential. 
That might also require updating dependent systems.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-s-needed-to-use-a-managed-identity\">What&#8217;s needed to use a managed identity?<\/h2>\n\n\n\n<p>To be able to use managed identities, you need two things:<\/p>\n\n\n<div class=\"block-core-list\">\n<ul class=\"wp-block-list\">\n<li>The ability to assign a managed identity to a resource or service<br><\/li>\n\n\n\n<li>The ability to use the managed identity when making a connection from that resource or service.<\/li>\n<\/ul>\n<\/div>\n\n\n<p>You might think that anything that can have a managed identity could also use it for connections, but that&#8217;s not the case. 
<\/p>\n\n\n\n<p>For example, you can assign either or both a system-assigned managed identity and a user-assigned managed identity to an <a href=\"https:\/\/learn.microsoft.com\/en-us\/analysis-services\/azure-analysis-services\/analysis-services-overview?view=sql-analysis-services-2025\" target=\"_blank\" rel=\"noreferrer noopener\">Azure Analysis Services (AAS)<\/a>. However, AAS does not currently provide any way to use that identity when connecting to an Azure-based resource or service. <\/p>\n\n\n\n<p>We currently have AAS servers making connections to Azure SQL Database using logins and passwords, but I wish we didn&#8217;t have to do this. It wouldn&#8217;t be required at all if we could just specify the managed identity in the connection details.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-do-managed-identities-apply-to-sql-server-2025\">How do managed identities apply to SQL Server 2025?<\/h2>\n\n\n\n<p>It&#8217;s increasingly common for SQL Server to need to connect to Azure-based resources. This not only happens with SQL Server in Azure VMs, but also with on-premises SQL Server installations. However, SQL Server is <em>not<\/em> a native Azure resource or service.<\/p>\n\n\n\n<p>From SQL Server 2025 onwards, it&#8217;s possible to both configure <em>and<\/em> use a system-assigned managed identity when SQL Server is enrolled in <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/azure-arc\/overview\" target=\"_blank\" rel=\"noreferrer noopener\">Azure Arc<\/a>. To enable this, the SQL Server instance must be connected to Arc and run on Windows Server. 
It must also use the latest <a href=\"https:\/\/marketplace.microsoft.com\/en-us\/product\/microsoft.sqlserverarcextensionwindows?tab=overview\" target=\"_blank\" rel=\"noreferrer noopener\">Azure Extension for SQL Server<\/a>.<\/p>\n\n\n\n<p>Currently, the documentation notes that SQL Server must have access to Azure public cloud for Microsoft Entra authentication, and that <a href=\"https:\/\/www.red-gate.com\/simple-talk\/databases\/sql-server\/learn\/dba-in-training-sql-server-high-availability-options\/#windows-server-failover-clustering-server-level-availability:~:text=how%20it%20works.-,Windows%20Server%20Failover%20Clustering%20%E2%80%93%20Server%2DLevel%20Availability,-Microsoft%20defines%20Windows\" target=\"_blank\" rel=\"noreferrer noopener\">failover cluster<\/a> instances are <em>not<\/em> supported for this managed-identity setup. We also can&#8217;t (yet) use user-assigned managed identities with SQL Server. <\/p>\n\n\n\n<p>So, we only have part of what we need right now &#8211; but it&#8217;s a great start.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-how-to-configure-and-use-the-managed-identity-in-sql-server-2025\">How to configure and use the managed identity in SQL Server 2025<\/h2>\n\n\n\n<p>Once the SQL Server instance is Arc-enabled, you can assign the server\u2019s primary managed identity. You do this from the Azure portal while configuring the properties of the Arc-enabled SQL Server resource, under the Microsoft Entra ID and <a href=\"https:\/\/learn.microsoft.com\/en-us\/purview\/purview\" target=\"_blank\" rel=\"noreferrer noopener\">Purview<\/a> settings. This primary managed identity is what SQL Server 2025 uses when making outbound connections to Azure-based resources.<\/p>\n\n\n\n<p>You also need to grant the identity permission to the target resource in Azure. 
This is done through an Azure <a href=\"https:\/\/www.ibm.com\/think\/topics\/rbac\" target=\"_blank\" rel=\"noreferrer noopener\">role-based access control (RBAC)<\/a> role assignment, and the role required will usually differ for each service type.<\/p>\n\n\n\n<p>As part of making an outbound connection, you need to use a database-scoped credential like this:<\/p>\n\n\n\n<div class=\"wp-block-urvanov-syntax-highlighter-code-block\"><pre class=\"lang:tsql decode:true \">-- Enable the instance-level option, then create a credential that uses\n-- the instance's managed identity rather than a stored secret.\nEXECUTE sp_configure 'allow server scoped db credentials', 1;\nRECONFIGURE;\nGO\nCREATE DATABASE SCOPED CREDENTIAL [storage_credential]\nWITH IDENTITY = 'Managed Identity';\nGO<\/pre><\/div>\n\n\n\n<p>Some credentials will also require you to specify a &#8216;secret&#8217;, for example when making a connection to an <a href=\"https:\/\/www.red-gate.com\/simple-talk\/blogs\/azure-openai-and-rag-security\/\" target=\"_blank\" rel=\"noreferrer noopener\">Azure OpenAI endpoint<\/a>. Here, you not only specify <code>IDENTITY = 'Managed Identity'<\/code>, but also a <a href=\"https:\/\/www.red-gate.com\/simple-talk\/databases\/oracle-databases\/json-for-absolute-beginners-part-1-introduction\/\" target=\"_blank\" rel=\"noreferrer noopener\">JSON<\/a> secret identifying the token audience.<\/p>\n\n\n\n<p>Note that it&#8217;s common to name the credential after the scope of the resource you&#8217;re accessing:<\/p>\n\n\n\n<div class=\"wp-block-urvanov-syntax-highlighter-code-block\"><pre class=\"lang:tsql decode:true \">-- The credential is named after the endpoint URL it will be used for.\n-- The SECRET is a JSON string (note the surrounding single quotes) whose\n-- resourceid is the audience the managed-identity token is requested for.\nCREATE DATABASE SCOPED CREDENTIAL\n[https:\/\/my-azure-openai-endpoint.cognitiveservices.azure.com\/]\nWITH IDENTITY = 'Managed Identity',\n     SECRET = '{\"resourceid\":\"https:\/\/cognitiveservices.azure.com\"}';\nGO<\/pre><\/div>\n\n\n\n<p>This credential can then be used when executing calls like <code>CREATE EXTERNAL MODEL<\/code>. 
Once this is done, calls to the external model can use that credential to authenticate <em>without<\/em> the need to supply an <a href=\"https:\/\/www.red-gate.com\/simple-talk\/sysadmin\/general\/api-monitoring-key-metrics-and-best-practices\/\" target=\"_blank\" rel=\"noreferrer noopener\">API key<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-in-summary-managed-identities-in-sql-server-2025\">In summary: managed identities in SQL Server 2025<\/h2>\n\n\n\n<p>We still have limitations with how we can configure and use managed identities with SQL Server, but what&#8217;s been provided so far is a great start. It lets traditional on-premises (and cloud VM-based) SQL Server instances participate in modern Microsoft Entra-based authentication patterns, and in turn reduce potential issues like <a href=\"https:\/\/www.red-gate.com\/simple-talk\/devops\/securing-the-devops-pipeline-part-1-tools-and-strategies-for-safer-deployments\/#:~:text=unintentionally%20or%20maliciously.-,Credential%20leaks,-%E2%80%93%20Hardcoded%20secrets%20or\" target=\"_blank\" rel=\"noreferrer noopener\">credential leakage<\/a>.<\/p>\n\n\n\n<section id=\"faq\" class=\"faq-block my-5xl\">\n    <h2>FAQs: Managed identities in SQL Server 2025<\/h2>\n\n                        <h3 class=\"mt-4xl\">1. What is a managed identity in Azure?<\/h3>\n            <div class=\"faq-answer\">\n                <p>A managed identity is a Microsoft Entra ID identity automatically created and managed by Azure. It allows services to securely access other Azure resources without storing passwords, secrets, or certificates.<\/p>\n            <\/div>\n                    <h3 class=\"mt-4xl\">2. What are the types of managed identities?<\/h3>\n            <div class=\"faq-answer\">\n                <ul>\n<li>System-assigned managed identity \u2013 tied to a single resource and deleted with it<\/li>\n<li>User-assigned managed identity \u2013 reusable across multiple resources and managed independently<\/li>\n<\/ul>\n            <\/div>\n                    <h3 class=\"mt-4xl\">3. Why use managed identities instead of service principals?<\/h3>\n            <div class=\"faq-answer\">\n                <p>Managed identities eliminate the need to manage credentials manually. Unlike service principals, Azure automatically rotates and manages credentials, reducing security risks and maintenance overhead.<\/p>\n            <\/div>\n                    <h3 class=\"mt-4xl\">4. 
Can SQL Server 2025 use managed identities?<\/h3>\n            <div class=\"faq-answer\">\n                <p>Yes. SQL Server 2025 supports system-assigned managed identities when connected via Azure Arc, enabling secure access to Azure resources.<\/p>\n            <\/div>\n                    <h3 class=\"mt-4xl\">5. What are the requirements to use managed identities in SQL Server 2025?<\/h3>\n            <div class=\"faq-answer\">\n                <ul>\n<li>SQL Server must be Arc-enabled<\/li>\n<li>Must run on Windows Server<\/li>\n<li>Requires the latest Azure Extension for SQL Server<\/li>\n<li>Needs access to Azure public cloud for authentication<\/li>\n<\/ul>\n            <\/div>\n                    <h3 class=\"mt-4xl\">6. Does SQL Server 2025 support user-assigned managed identities?<\/h3>\n            <div class=\"faq-answer\">\n                <p>No, currently only system-assigned managed identities are supported.<\/p>\n            <\/div>\n                    <h3 class=\"mt-4xl\">7. 
How do managed identities improve security in SQL Server?<\/h3>\n            <div class=\"faq-answer\">\n                <p>They remove the need to store credentials like passwords or API keys, reducing the risk of credential leaks and simplifying secure access to Azure services.<\/p>\n            <\/div>\n                    <h3 class=\"mt-4xl\">8. How are managed identities used in SQL Server connections?<\/h3>\n            <div class=\"faq-answer\">\n                <p>They are configured via database-scoped credentials using <code>IDENTITY = 'Managed Identity'<\/code>, allowing SQL Server to authenticate securely when accessing external Azure resources.<\/p>\n            <\/div>\n            <\/section>\n","protected":false},"excerpt":{"rendered":"<p>Learn how managed identities in SQL Server 2025 enhance security by eliminating passwords and enabling seamless Microsoft Entra authentication for Azure 
resources.&hellip;<\/p>\n","protected":false},"author":346483,"featured_media":108032,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[137091,10,143523,53,143524],"tags":[5364,5336,4168,4150,4151,159319],"coauthors":[159368],"class_list":["post-110113","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","category-cloud","category-databases","category-featured","category-sql-server","tag-azure","tag-cloud","tag-database","tag-sql","tag-sql-server","tag-sqlserver2025publicpreview"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/110113","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/users\/346483"}],"replies":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/comments?post=110113"}],"version-history":[{"count":7,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/110113\/revisions"}],"predecessor-version":[{"id":110276,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/110113\/revisions\/110276"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/media\/108032"}],"wp:attachment":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/media?parent=110113"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/categories?post=110113"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/tags?post=110113"},{"taxonomy":"author","embeddable":true,"href
":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/coauthors?post=110113"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}