| severity | pillar | category | resource | online version |
|---|---|---|---|---|
| Important | Security | Authentication | SQL Managed Instance | |
Ensure managed identity is used to allow support for Azure AD authentication.
A managed identity is required for allowing support for Azure AD authentication in SQL Managed Instance.
You must enable the instance identity (SMI or UMI) to allow support for Azure AD authentication in SQL Managed Instance.
Additionally, a managed identity is required for transparent data encryption with customer-managed key.
Consider configuring a managed identity to allow support for Azure AD authentication.
To deploy SQL Managed Instances that pass this rule:

- Set `identity.type` to `SystemAssigned` or `UserAssigned` or `SystemAssigned,UserAssigned`.
- If `identity.type` is `UserAssigned` or `SystemAssigned,UserAssigned`, reference the identity with `identity.userAssignedIdentities`.

For example:

```json
{
  "type": "Microsoft.Sql/managedInstances",
  "apiVersion": "2022-05-01-preview",
  "name": "[parameters('managedInstanceName')]",
  "location": "[parameters('location')]",
  "identity": {
    "type": "SystemAssigned",
    "userAssignedIdentities": {}
  },
  "properties": {}
}
```
To deploy SQL Managed Instances that pass this rule:

- Set `identity.type` to `SystemAssigned` or `UserAssigned` or `SystemAssigned,UserAssigned`.
- If `identity.type` is `UserAssigned` or `SystemAssigned,UserAssigned`, reference the identity with `identity.userAssignedIdentities`.

For example:

```bicep
resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' = {
  name: managedInstanceName
  location: location
  identity: {
    type: 'SystemAssigned'
    userAssignedIdentities: {}
  }
  properties: {}
}
```
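The examples above only show the system-assigned case. The following Bicep is an added example, not code from the original page, covering the user-assigned path the steps describe: it creates a user-assigned identity, references it under `identity.userAssignedIdentities`, and names it as the instance's primary identity. The parameter names, sku, vCores, storage size, subnet and administrator values are assumptions chosen for illustration; `primaryUserAssignedIdentityId` and the `administrators` block are existing `Microsoft.Sql/managedInstances` properties that the page itself does not mention.

```bicep
// Added example (not from the original page): SQL Managed Instance with a
// user-assigned managed identity. Parameter names and sizing values are assumed.
param managedInstanceName string
param location string = resourceGroup().location
param identityName string = '${managedInstanceName}-identity'
// Subnet delegated to Microsoft.Sql/managedInstances; assumed to exist already.
param subnetId string
// Azure AD administrator (group) for the instance, supplied at deploy time.
param aadAdminLogin string
param aadAdminObjectId string
param tenantId string = subscription().tenantId

// The user-assigned identity the instance will authenticate to Azure AD with.
resource umi 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

resource managedInstance 'Microsoft.Sql/managedInstances@2022-05-01-preview' = {
  name: managedInstanceName
  location: location
  sku: {
    name: 'GP_Gen5' // sample sku
    tier: 'GeneralPurpose'
  }
  identity: {
    type: 'UserAssigned'
    // Keys of userAssignedIdentities are the resource ids of the identities.
    userAssignedIdentities: {
      '${umi.id}': {}
    }
  }
  properties: {
    // With a UMI (or 'SystemAssigned,UserAssigned') the instance must be told
    // which identity to use for Azure AD authentication.
    primaryUserAssignedIdentityId: umi.id
    subnetId: subnetId
    vCores: 4 // sample size
    storageSizeInGB: 32 // sample size
    licenseType: 'LicenseIncluded'
    administrators: {
      administratorType: 'ActiveDirectory'
      principalType: 'Group'
      login: aadAdminLogin
      sid: aadAdminObjectId
      tenantId: tenantId
      azureADOnlyAuthentication: true
    }
  }
}

// Principal id of the identity; this is the object that later needs Microsoft Graph permissions.
output identityPrincipalId string = umi.properties.principalId
```

Deploy with `az deployment group create` (or `New-AzResourceGroupDeployment`) supplying `subnetId`, `aadAdminLogin` and `aadAdminObjectId`. The `identityPrincipalId` output identifies the service principal to use when granting Microsoft Graph permissions with PowerShell, as the note below describes.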
To grant permissions to access Microsoft Graph through an SMI or a UMI, you need to use PowerShell. You can't grant these permissions by using the Azure portal.