Set up managed identity and Microsoft Entra authentication for SQL Server enabled by Azure Arc

Applies to: SQL Server 2025 (17.x)

This article provides step-by-step instructions for setting up and configuring Microsoft Entra ID managed identity for SQL Server enabled by Azure Arc.

For an overview of managed identity with SQL Server, see Managed identity for SQL Server enabled by Azure Arc.

Prerequisites

Before you can use a managed identity with SQL Server enabled by Azure Arc, make sure that you meet the following prerequisites:

Supported for SQL Server 2025 and later, running on Windows.
Connect your SQL Server to Azure Arc.
The latest version of the Azure Extension for SQL Server.

Enable the primary managed identity

If you've installed the Azure Extension for SQL Server to your server, you can enable the primary managed identity for your SQL Server instance directly from the Azure portal. It's also possible to enable the primary managed identity manually by updating the registry, but should be done with extreme caution.

Azure portal
Manually

To enable the primary managed identity in the Azure portal, follow these steps:

Go to your SQL Server enabled by Azure Arc resource in the Azure portal.
Under Settings, select Microsoft Entra ID and Purview to open the Microsoft Entra ID and Purview page.

Note

If you don't see the Enable Microsoft Entra ID authentication option, ensure that your SQL Server instance is connected to Azure Arc and that you have the latest SQL extension installed.
On the Microsoft Entra ID and Purview page, check the box next to Use a primary managed identity and then use Save to apply your configuration:

It's possible to manually enable the primary managed identity for your SQL Server instance by updating the registry, but should be done with extreme caution.

Grant permission to the Tokens folder

Grant Read & execute operating system permissions on the folder C:\ProgramData\AzureConnectedMachineAgent\Tokens\ to the SQL Server 2025 instance service account. By default, the service account is NT Service\MSSQLSERVER, or for named instances, NT Service\MSSQL$<instancename>.

Screenshot of Tokens folder Security properties tab.

You might need to grant admin permissions for the SQL Server service account on the AzureConnectedMachineAgent folder before the Tokens folder:

Screenshot of AzureConnectedMachineAgent folder Security properties tab.

Add SQL Server service account to the Hybrid agent extension applications group

Add the SQL Server service account (default: NT Service\MSSQLSERVER or for named instances, NT Service\MSSQL$instancename) to the Hybrid agent extension applications group.

Open Windows Computer Management.
Go to Local Users and Groups and select Groups.
Add the SQL Server service account to the Hybrid agent extension applications group.

Screenshot of Computer Management showing the hybrid agent extension application group.

Screenshot of the hybrid agent extension application group properties.

Update the registry

Warning

Incorrectly editing the registry can severely damage your system. Before making changes to the registry, we recommend you back up any valued data on the computer.

In the registry, update the \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL17.MSSQLSERVER\MSSQLServer\FederatedAuthentication subkey.

Create the following entries:

Entry	Value
`ArcServerManagedIdentityClientId`	Empty (no value)
`HIMDSApiVersion`	`2020-06-01`
`HIMDSEndpoint`	`http://localhost:40342/metadata/identity/oauth2/token`
`ArcServerSystemAssignedManagedIdentityTenantId`	`Arc-AAD-Tenant-ID`
`ArcServerSystemAssignedManagedIdentityClientId`	`Arc-Machine-Client-Id`
`PrimaryAADTenant`	`Arc-AAD-Tenant-ID`
`AADChannelMaxBufferedMessageSize`	`200000`
`AADGraphEndPoint`	`graph.windows.net`
`AADGroupLookupMaxRetryAttempts`	`10`
`AADGroupLookupMaxRetryDuration`	`30000`
`AADGroupLookupRetryInitialBackoff`	`100`
`AADServerAdminSid`	`00000000-0000-0000-0000-000000000000`
`AuthenticationEndpoint`	`login.microsoftonline.com`
`CacheMaxSize`	`300`
`ClientCertBlackList`	Empty (no value)
`FederationMetadataEndpoint`	`login.windows.net`
`GraphAPIEndpoint`	`graph.windows.net`
`IssuerURL`	`https://sts.windows.net/`
`OnBehalfOfAuthority`	`https://login.windows.net/`
`STSURL`	`https://login.windows.net/`
`MsGraphEndPoint`	`graph.microsoft.com`
`SendX5c`	`false`
`ServicePrincipalName`	`https://database.windows.net/`
`ServicePrincipalNameForArcadia`	`https://sql.azuresynapse.net`
`ServicePrincipalNameForArcadiaDogfood`	`https://sql.azuresynapse-dogfood.net`
`ServicePrincipalNameNoSlash`	`https://database.windows.net`
`AADBecWSConnectionPoolMaxSize`	`500`

Back up and edit the registry

The following sections describe how to back up and edit the registry with Registry Editor.

Open the Registry Editor

Press Windows key + R to open the Run dialog box.
Type regedit and press Enter.
If prompted by User Account Control, select Yes.

Back up the registry key

This step backs up the registry before you make any changes. You can import this file back into the registry later if your changes cause a problem.

Select File from the menu.
Select Export.
In the Export Registry File dialog box, choose a location to save the backup.
Enter a name for the backup file in the File name field.
Ensure All is selected in the Export range.
Select Save.

Add entries

In this step, you add entries to the registry with Registry Editor.

Navigate this subkey: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL17.MSSQLSERVER\MSSQLServer\FederatedAuthentication.
Right-click on FederatedAuthentication and select String Value.
Repeat for each entry listed at Update the registry

This image demonstrates a correctly configured registry:

Restore the registry key (if needed)

If you need to restore to previous registry settings, follow these steps.

Open the Registry Editor as described previously.
Select File from the menu.
Select Import.
Navigate to the location of your saved backup file.
Select the backup file and select Open.

For details, review How to add, modify, or delete registry subkeys and values by using a .reg file.

Grant application permissions to the identity

Important

Only a Privileged Role Administrator or higher role can grant these permissions.

To enable Microsoft Entra authentication for SQL Server instances, each system-assigned managed identity requires User.Read.All, GroupMember.Read.All, and Application.Read.All permissions to query Microsoft Graph. For more information about these permissions, see:

User.Read.All: Allows access to Microsoft Entra user information.
GroupMember.Read.All: Allows access to Microsoft Entra group information.
Application.Read.All: Allows access to Microsoft Entra service principal (application) information.

These permissions are application-level permissions (app roles) and must be assigned directly to each managed identity. They can't be manually assigned to a Microsoft Entra security group and granted to members through group membership. For environments with many machines, an alternative is to assign the Directory Readers role to a role-assignable Microsoft Entra security group and add the managed identities as members. Unlike app role permissions, this Microsoft Entra role can be granted at the group level, simplifying management at scale. However, Directory Readers grants broad read access across all directory objects, significantly exceeding the three targeted Graph API permissions. The Directory Readers role isn't recommended for production environments where least-privilege access is required.

The following PowerShell script grants the required permissions to the managed identity. Make sure this script is run on PowerShell 7.5 or a later version, and has the Microsoft.Graph module 2.28 or later installed.

# Set your Azure tenant and managed identity name
$tenantID = '<Enter-Your-Azure-Tenant-Id>'
$managedIdentityName = '<Enter-Your-Arc-HostMachine-Name>'

# Connect to Microsoft Graph
try {
    Connect-MgGraph -TenantId $tenantID -ErrorAction Stop
    Write-Output "Connected to Microsoft Graph successfully."
}
catch {
    Write-Error "Failed to connect to Microsoft Graph: $_"
    return
}

# Get Microsoft Graph service principal
$graphAppId = '00000003-0000-0000-c000-000000000000'
$graphSP = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
if (-not $graphSP) {
    Write-Error "Microsoft Graph service principal not found."
    return
}

# Get the managed identity service principal
$managedIdentity = Get-MgServicePrincipal -Filter "displayName eq '$managedIdentityName'"
if (-not $managedIdentity) {
    Write-Error "Managed identity '$managedIdentityName' not found."
    return
}

# Define roles to assign
$requiredRoles = @(
    "User.Read.All",
    "GroupMember.Read.All",
    "Application.Read.All"
)

# Assign roles using scoped syntax
foreach ($roleValue in $requiredRoles) {
    $appRole = $graphSP.AppRoles | Where-Object {
        $_.Value -eq $roleValue -and $_.AllowedMemberTypes -contains "Application"
    }

    if ($appRole) {
        try {
            New-MgServicePrincipalAppRoleAssignment   -ServicePrincipalId $managedIdentity.Id `
                -PrincipalId $managedIdentity.Id `
                -ResourceId $graphSP.Id `
                -AppRoleId $appRole.Id `
                -ErrorAction Stop

            Write-Output "Successfully assigned role '$roleValue' to '$managedIdentityName'."
        }
        catch {
            Write-Warning "Failed to assign role '$roleValue': $_"
        }
    }
    else {
        Write-Warning "Role '$roleValue' not found in Microsoft Graph AppRoles."
    }
}

Create logins and users

Follow the steps in the Microsoft Entra tutorial to create logins and users for the managed identity.

Feedback

Was this page helpful?

Last updated on 2026-04-17