Most people already know that you can back up SQL Server databases to URL (from Azure VMs). If you recall, you would use the storage account key (ideally not) or a SAS token, and from there you would create a SQL credential bound to that SAS token, stored as the credential's secret. That is a lot of moving parts, especially at rotation time, when the token expires and every credential holding it has to be recreated. So if you are on a newer build of SQL Server (SQL Server 2022 Cumulative Update 17 or later), start thinking about backups via managed identities instead.
Assuming you have completed the prerequisites (enabling a managed identity on the VM and granting it the required role assignment on the target storage container, as described at https://learn.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/backup-restore-to-url-using-managed-identities?view=azuresql#prerequisites), you are good to go. The end goal is that you will issue:
-- The credential name must be the container URL itself; that is how SQL Server finds it at backup time.
CREATE CREDENTIAL [https://<storage-account-name>.blob.core.windows.net/<container-name>]
WITH IDENTITY = 'Managed Identity';
GO
-- No SECRET clause: the token is obtained from the VM's managed identity when the backup runs.
BACKUP DATABASE [AdventureWorks]
TO URL = 'https://<storage-account-name>.blob.core.windows.net/<container-name>/AdventureWorks.bak';
GO
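The statements above are the minimum. The following T-SQL is an added example, not code from the original post, showing the full cycle a practitioner would want to walk through once: creating the credential idempotently, confirming that no secret is stored, backing up with checksums, verifying and inspecting the file over URL through the same identity, doing a test restore, and finally retiring the old SAS-bound credential. The storage account name (mystorageacct), container (sqlbackups), file name, data path and logical file names are assumptions; replace them with your own, and run RESTORE FILELISTONLY first to get the real logical names for the MOVE clauses.

```sql
-- Added example, not from the original post.
-- Assumptions: storage account mystorageacct, container sqlbackups, database
-- AdventureWorks, restore target path D:\Data, and the VM's managed identity
-- already holds the Storage Blob Data Contributor role on the container.

-- 1. Create the credential only if it is missing. The name must be the
--    container URL exactly (no trailing slash), or the backup will not find it.
IF NOT EXISTS (SELECT 1 FROM sys.credentials
               WHERE name = N'https://mystorageacct.blob.core.windows.net/sqlbackups')
BEGIN
    CREATE CREDENTIAL [https://mystorageacct.blob.core.windows.net/sqlbackups]
    WITH IDENTITY = 'Managed Identity';
END;
GO

-- 2. Check what SQL Server actually holds: the identity column reads
--    'Managed Identity' and there is no secret to leak or rotate.
SELECT name, credential_identity, create_date, modify_date
FROM sys.credentials
WHERE name LIKE N'https://%';
GO

-- 3. Back up with CHECKSUM so the file can be validated later, and FORMAT/INIT
--    so a rerun overwrites rather than appends to the blob.
BACKUP DATABASE [AdventureWorks]
TO URL = 'https://mystorageacct.blob.core.windows.net/sqlbackups/AdventureWorks_full.bak'
WITH COMPRESSION, CHECKSUM, FORMAT, INIT, STATS = 10;
GO

-- 4. Verify the file is readable and internally consistent through the same
--    identity; this is the first thing that fails if the role assignment is wrong.
RESTORE VERIFYONLY
FROM URL = 'https://mystorageacct.blob.core.windows.net/sqlbackups/AdventureWorks_full.bak'
WITH CHECKSUM;
GO

-- 5. Inspect the header and the logical file names without restoring anything.
RESTORE HEADERONLY
FROM URL = 'https://mystorageacct.blob.core.windows.net/sqlbackups/AdventureWorks_full.bak';
RESTORE FILELISTONLY
FROM URL = 'https://mystorageacct.blob.core.windows.net/sqlbackups/AdventureWorks_full.bak';
GO

-- 6. Test restore under a new name. The logical names below are assumptions;
--    take the real ones from the FILELISTONLY output above.
RESTORE DATABASE [AdventureWorks_Restored]
FROM URL = 'https://mystorageacct.blob.core.windows.net/sqlbackups/AdventureWorks_full.bak'
WITH MOVE 'AdventureWorks_Data' TO 'D:\Data\AdventureWorks_Restored.mdf',
     MOVE 'AdventureWorks_Log'  TO 'D:\Data\AdventureWorks_Restored.ldf',
     CHECKSUM, STATS = 10;
GO

-- 7. Once the managed-identity path is proven, drop the old SAS-bound
--    credential (name assumed) so no job keeps using the token.
IF EXISTS (SELECT 1 FROM sys.credentials
           WHERE name = N'https://mystorageacct.blob.core.windows.net/sas-backups')
BEGIN
    DROP CREDENTIAL [https://mystorageacct.blob.core.windows.net/sas-backups];
END;
GO
```

Step 4 is the useful smoke test after any RBAC change: a missing or wrongly scoped role assignment surfaces there as an authorization error on the blob read, before you depend on the backup for a real restore.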
Why should you consider this approach?
Improved Security: Managed identities remove the need to handle and store a SAS token or storage key, which can be mismanaged or leaked; SQL Server keeps no secret for the credential at all. The caveat is that the identity belongs to the VM, so any process on that VM that can reach the instance metadata endpoint can request a token for it; scope the role assignment to the backup container rather than the whole storage account, and keep the VM itself locked down.
Simplified Management: With managed identities there is no SAS token to generate, distribute, renew or revoke, and no credential secret to update in every instance when it changes. That reduces administrative overhead considerably.
Automatic Credential Rotation: The platform rotates the managed identity's credentials for you, so there is no token expiry date to track and no failed backup job caused by a stale SAS token. Removing access is a matter of deleting the role assignment, not of hunting down every copy of a token.
Granular Access Control: Managed identities are Microsoft Entra ID (formerly Azure Active Directory) principals, so you grant access with Azure role-based access control (RBAC), for example the Storage Blob Data Contributor role scoped to a single container. Only the identities and users holding that role can reach the backups, and the permission is visible and reviewable in the portal rather than embedded in a token string.
Easier Auditing and Monitoring: Because the identity is part of Microsoft Entra ID, you can use Azure's built-in sign-in logs and storage diagnostic logs to see which identity accessed which container and when, which is far more than you can learn from a SAS token that appears in the logs as an anonymous bearer of a signature.