Can an Azure App Service Managed Identity be used for SQL Login?

  • I'm fairly certain I know the answer to this from digging into it yesterday, but would like a second opinion.

    We're (finally) moving some applications to cloud-native, using Azure App Services and the developer would like to, if possible, use a Managed Identity and Key Vault for the application to connect to the SQL Server 2019 on an Azure VM in the same tenant.

    Based on what I found yesterday, this is not possible, but I'd appreciate it if anyone who has tried this could confirm or deny that.  If it *IS* possible, what needs to be done to get it to work?

    And yes, I know the ideal solution would be to migrate to SQL 2022+ LoL

  • Is this having a managed service run a connection as a client that uses user/pwd? In other words, having the MSI act as you with a SQL auth connection?

    Any context, on how you'd structure this? Is this the MSI running a process like sqlcmd?

  • I see where I made the question more confusing, I brought Key Vault into the mix.  Apologies.

    The developer was aiming to have their app in Azure App Services be given a Managed Identity and wanted to use that to connect to the current SQL Server 2019 instance on an Azure VM, to move away from the current SQL Login / pwd that we use.

    As for the app itself, I believe it's a dotNET app running the queries, currently using login/pwd to connect (hosted on an IIS server for the moment.)

    Going back and re-checking the information I was working from with my initial "no, that's not possible with SQL2019" to the dev, I've come across a page I didn't see the first time ("Tutorial: Use managed identity to connect an Azure web app to an Azure SQL database without secrets") which in the very first note indicates that "Microsoft Entra ID and managed identities aren't supported for on-premises SQL Server"

    So looks like I was correct in telling them it wouldn't be possible (without, based on previous research, upgrading to SQL2022+)

    Hopefully, this clarified things, at least a little bit.  And, arguably, I could've (maybe, should've) put this in the Azure section, but it kind of fits both.

  • That makes sense, and no, don't think this is going to be possible anytime soon. Maybe Entra to a MI or Azure SQL, but not on premises. Arc might help here, but not sure that's worth it.

    User/pwd still works well in most cases 😉

    And don't worry about sections. I really wish we had moved to tags and not sections/cats here. Maybe one day.

  • That's pretty much what I found, so for now, we're sticking with user / pwd.

    The next step in the process is going to be migrating the database off SQL2019 and into Azure SQL, which from what I found WILL support logging in with a Managed Identity.
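For the migration path the previous post lands on (Azure SQL Database, which does accept Microsoft Entra managed identities), here is what the app side and the one-time database side look like. This is an added example, not code from the thread or from Microsoft's tutorial; the server, database and identity names are placeholders, and it assumes a .NET app on App Service with a managed identity enabled and Microsoft.Data.SqlClient (the `System.Data.SqlClient` package does not know the `Active Directory Managed Identity` authentication mode). Note that Key Vault drops out of the picture entirely on this path: there is no password to store, the identity obtains a short-lived token from the platform at connect time.

```csharp
// Added example (not from the thread): connect an App Service's managed identity to
// Azure SQL Database with Microsoft.Data.SqlClient. No password is stored anywhere.
//
// One-time provisioning, run once against the target database by a Microsoft Entra
// admin of the logical server (T-SQL, shown here as a comment). The user name must
// match the App Service's name (system-assigned identity) or the user-assigned
// identity's name; "my-app-service" is an assumed placeholder:
//
//   CREATE USER [my-app-service] FROM EXTERNAL PROVIDER;
//   ALTER ROLE db_datareader ADD MEMBER [my-app-service];
//   ALTER ROLE db_datawriter ADD MEMBER [my-app-service];
//
// Grant only the roles the app actually needs; the identity is the app's
// principal, so db_owner here is the same mistake as "sa" in a connection string.
using System;
using System.Threading.Tasks;
using Microsoft.Data.SqlClient;   // NuGet: Microsoft.Data.SqlClient (not System.Data.SqlClient)

public static class ManagedIdentitySqlDemo
{
    // Assumed placeholders for the logical server and database.
    private const string Server   = "my-sql-server.database.windows.net";
    private const string Database = "my-database";

    // Builds the connection string. With no client id the driver uses the
    // system-assigned identity of the App Service; pass the client id of a
    // user-assigned identity to use that one instead.
    public static string BuildConnectionString(string? userAssignedClientId = null)
    {
        var b = new SqlConnectionStringBuilder
        {
            DataSource = Server,
            InitialCatalog = Database,
            Encrypt = true,
            TrustServerCertificate = false,   // keep certificate validation on
            Authentication = SqlAuthenticationMethod.ActiveDirectoryManagedIdentity,
        };
        if (!string.IsNullOrEmpty(userAssignedClientId))
            b.UserID = userAssignedClientId;  // "User Id" carries the identity's client id
        return b.ConnectionString;
    }

    // Opens a connection and asks SQL who it thinks we are. A successful round-trip
    // proves both that the token was accepted and that the EXTERNAL PROVIDER user
    // exists in this database (a missing user fails at OpenAsync with login error 18456).
    public static async Task<string> WhoAmIAsync(string? userAssignedClientId = null)
    {
        await using var conn = new SqlConnection(BuildConnectionString(userAssignedClientId));
        await conn.OpenAsync();
        await using var cmd = new SqlCommand(
            "SELECT SUSER_SNAME() AS login_name, USER_NAME() AS db_user;", conn);
        await using var reader = await cmd.ExecuteReaderAsync();
        await reader.ReadAsync();
        return $"login={reader.GetString(0)} user={reader.GetString(1)}";
    }

    public static async Task Main()
    {
        // Only works from inside an Azure resource that has a managed identity
        // (App Service, VM, Container App...). On a developer laptop there is no
        // token endpoint to call, so OpenAsync throws.
        try
        {
            Console.WriteLine(await WhoAmIAsync());
        }
        catch (SqlException ex)
        {
            Console.WriteLine($"Login failed: {ex.Number} {ex.Message}");
        }
    }
}
```

The T-SQL in the comment is the part most often missed: enabling the identity on the App Service is not enough, the database must also contain a user mapped to that identity, and only an Entra admin of the server (not a SQL login) can run `CREATE USER ... FROM EXTERNAL PROVIDER`. For local development, swapping `ActiveDirectoryManagedIdentity` for `ActiveDirectoryDefault` lets the same code authenticate with the developer's own Azure CLI or Visual Studio sign-in while keeping the production path secret-free.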

  • Good luck and hope it goes well.

    FWIW, if you want, both of these would make neat articles. Short, focused on making a connection from an app and what works/doesn't from a DBA perspective.
