Authenticate to SQL Server with Azure app service managed identity through group
We have a Azure VM with SQL Server, and we also have an app service web application.
The app service has a managed identity since we toggled this on:
Now I want to authenticate this app service to SQL Server.
I can successfully do this by creating a SQL Server identity mapping to the managed identity itself.
Like this:
CREATE LOGIN [my-app-service]
FROM EXTERNAL PROVIDER;
and then give it database permissions.
The issue is that I don't see this very scalable. We have several applications that will require database access. Hence my plan is to create a group in Entra and add the managed identity to this group.
Working with regular users (developers) I have successfully achieved this.
For example in Entra:
And then in SQL Server:
CREATE LOGIN [Developers - internal]
FROM EXTERNAL PROVIDER;
and adding database permissions and so forth.
When trying to achieve this with managed identity I'm unsuccessful.
I have added the service principal to my group, but this doesn't work.
I have some suspicion that adding the managed identity as a regular member is not the correct thing to do. There is also a section called applications.
I'm able to add other enterprise applications to a group but when I navigate into my managed identity the button to add it to a group is disabled. I've also added all permissions I can think of (Cloud Application Administrator, Application Administrator according to this). Still can't make it to work.
Anyone know how to achieve the root issue? Authenticate to SQL server with managed identity through a group, not the identity itself?
Anyone know if it is possible to enable that "Add user/group"-button?
I've had that work way in the past at least with direct membership. Just having the service principal in group was enough.
You might also need to wait for some time (more than a day in worst case) for changes to apply to tokens.
This seems to have worked in this case. I'm not 100% sure how Azure SQL checks group memberships but I assume there is some kind of cache that requires waiting in order for changes to apply.
- I suspect "aud" invalid error is due to api entry point domain is different from one provided in aud claim
- Production slot not using Production as ASPNETCORE_ENVIRONMENT variable
- I am getting an error that OAuth2 Code has already been redeemed
- Generating token for Fabric Rest api using client secret
- Authenticate to SQL Server with Azure app service managed identity through group
- Why is my Azure AD token request returning HTTP 400 consent error for API permissions that have been granted?
- How to set Azure MSAL SSO for my Nextjs14 app using Approuter and next-auth
- Unable to Connect to Azure PostgreSQL Database via Point-to-Site VPN with Azure Active Directory on macOS
- How do I retrieve the service principal password after creation using the azure cli?
- Cannot create Azure B2C Tenant
- Accessing Graph API from multi tenant App Function via identity
- My Azure AD B2C User Flow is not returning a token on jwt.ms
- AADSTS65001: The user or administrator has not consented to use the application with ID <app-id>
- AccountEnabled user property from Azure AD returning null
- Azure B2C user flow without an email
- How to use Azure Data Factory to take Business Central data and put into Azure SQL DB?
- Triggering a PowerAutomate desktop flow, using apis, fails due to access issues
- Azure - should the creator of a resource have owner rights?
- Scope is not being added to Access Token returned from Azure Ad
- The required field 'nonce' is missing from the credential. Ensure that you have all the necessary parameters for the login request. [Azure Open ID]
- Exchanging azure AD token with Identity server token
- Website authenticating users against AAD: can the OpenId document be provided offline to the consuming website?
- how to limit code verification email Spaming in Azure B2C
- Custom Claims in a Multitenant Microsoft Entra App
- Get error "You do not have elevated access" when try to postpone MFA enforcement
- How to bulk create/import users in Azure AD so that all of them can have single sign on to my SF sandbox?
- How can I "Get Microsoft Teams Users" Using of Microsoft Graph API
- Azure AD Authentication 401 error "the audience is invalid" AddAzureADBearer .Net Core Web Api
- AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption
- How to get users info list from Azure AD app by calling Microsoft Graph API from ASP.NET Core Web API?