User Managed Identity support for Auditing SQL Azure database:


Guest Sravani Saluru
Posted

Auditing for Azure SQL Database now supports user-assigned managed identity (UMI). Auditing can be configured to write to a storage account using one of two authentication methods: managed identity or storage access keys. With managed identity the server authenticates to storage with an Azure AD token instead of a long-lived storage account key, so there is no key to store in the server configuration, rotate, or leak. For managed identity you can use either a system-assigned or a user-assigned managed identity. To learn more about user-assigned managed identities in Azure, refer to the Azure managed identities documentation.

To configure writing audit logs to a storage account, select Storage in the Auditing section and choose the Azure storage account where logs will be saved. Two storage authentication types are available: managed identity and storage access keys.

For managed identity, both system-assigned and user-assigned managed identities are supported.

By default, auditing uses the primary user-assigned identity that is assigned to the server. If the server has no user-assigned identity, a system-assigned identity is created and used for authentication.

Select the retention period under Advanced properties, then click Save. Logs older than the retention period are deleted.

Note

Enabling auditing with the user-assigned managed identity authentication type to a storage account behind a VNet or firewall is not currently supported.

Review the Identity blade for your Azure SQL server (the identity is assigned at the server level, not to an individual database); you can see there is one primary identity configured.

To configure auditing using a user-assigned managed identity, follow the steps below:

  1. Create a user-assigned managed identity and assign it to the server (see User-assigned managed identity in Azure AD for Azure SQL - Azure SQL Database & Azure SQL Managed Instance | Microsoft Docs).
  2. Go to the storage account where auditing should send logs and assign the 'Storage Blob Data Contributor' RBAC role to the user-assigned managed identity you assigned to the server in step 1 (see Assign Azure roles using the Azure portal - Azure RBAC | Microsoft Docs). Scope the assignment to that storage account rather than to the resource group or subscription, so the identity can write only where audit logs belong.
  3. Only after the above role assignment is in place, enable auditing with the Storage Authentication Type set to managed identity.

If no user-assigned managed identity exists, auditing falls back to the system-assigned identity. When you configure auditing to a storage account and select managed identity, a system-assigned identity is created and granted the required permissions on the storage account automatically; no user action is required.
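A preflight check for the procedure above, written here as an added example (it is not code from the original post or from Microsoft). It takes the shapes returned by `az sql server show`, `az role assignment list` and `az storage account show`, works out which identity auditing will authenticate with using the rule stated in the post (primary user-assigned identity, otherwise system-assigned), confirms the 'Storage Blob Data Contributor' assignment from step 2 covers the storage account (directly or inherited from a parent scope), and flags the VNet/firewall restriction from the note. The subscription, resource names, GUIDs and JSON below are constructed samples, and the field names are assumptions to verify against your own CLI output.

```python
"""Preflight check before enabling Azure SQL auditing with managed-identity storage auth.

Added example, not part of the original post. The dictionaries below are constructed
samples that mirror (a subset of) the JSON returned by `az sql server show`,
`az role assignment list` and `az storage account show`; all names and GUIDs are
hypothetical.
"""
import json

BLOB_ROLE = "Storage Blob Data Contributor"   # the role step 2 of the post requires

# --- constructed sample inputs (hypothetical subscription, names and GUIDs) ---
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-audit"
UMI_ID = RG + "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/umi-sql-audit"
UMI_PRINCIPAL = "22222222-2222-2222-2222-222222222222"
STORAGE_ID = RG + "/providers/Microsoft.Storage/storageAccounts/stsqlauditdemo"

SERVER = {  # shape of `az sql server show`, trimmed (assumed field names)
    "identity": {
        "type": "UserAssigned",
        "principalId": None,
        "userAssignedIdentities": {UMI_ID: {"principalId": UMI_PRINCIPAL}},
    },
    "primaryUserAssignedIdentityId": UMI_ID,
}

ROLE_ASSIGNMENTS = [  # shape of `az role assignment list`, trimmed (assumed field names)
    {"principalId": UMI_PRINCIPAL, "principalType": "ServicePrincipal",
     "roleDefinitionName": BLOB_ROLE, "scope": STORAGE_ID},
    {"principalId": "33333333-3333-3333-3333-333333333333", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
]

STORAGE = {"id": STORAGE_ID, "networkRuleSet": {"defaultAction": "Allow"}}


def auditing_identity(server):
    """Which identity auditing will authenticate with, following the post's rule:
    the server's primary user-assigned identity if one is set, else the
    system-assigned identity, else none (auditing then creates a system-assigned one)."""
    ident = server.get("identity") or {}
    umis = ident.get("userAssignedIdentities") or {}
    primary = server.get("primaryUserAssignedIdentityId")
    if primary:
        for resource_id, props in umis.items():
            if resource_id.lower() == primary.lower():   # ARM IDs compare case-insensitively
                return "user", props["principalId"]
    if ident.get("principalId"):
        return "system", ident["principalId"]
    return "none", None


def scope_covers(scope, resource_id):
    """True if an RBAC assignment at `scope` is inherited by `resource_id`
    (the same resource, or a parent such as its resource group or subscription)."""
    s = scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == s or r.startswith(s + "/")


def has_blob_contributor(assignments, principal_id, storage_id):
    """True if `principal_id` holds Storage Blob Data Contributor on a scope covering the account."""
    return any(
        a["principalId"].lower() == principal_id.lower()
        and a["roleDefinitionName"] == BLOB_ROLE
        and scope_covers(a["scope"], storage_id)
        for a in assignments
    )


def preflight(server, assignments, storage):
    """Return the identity auditing will use plus any problems that block step 3."""
    kind, principal_id = auditing_identity(server)
    problems = []
    if kind == "user":
        if not has_blob_contributor(assignments, principal_id, storage["id"]):
            problems.append(
                f"primary user-assigned identity has no '{BLOB_ROLE}' assignment covering {storage['id']}")
        default_action = (storage.get("networkRuleSet") or {}).get("defaultAction", "Allow")
        if default_action.lower() == "deny":
            problems.append(
                "storage account is behind a VNet/firewall; not supported with user-assigned managed identity auth")
    # system-assigned (or none): per the post, auditing creates the identity and grants the role itself
    return {"identity": kind, "principalId": principal_id, "problems": problems, "ready": not problems}


if __name__ == "__main__":
    print(json.dumps(preflight(SERVER, ROLE_ASSIGNMENTS, STORAGE), indent=2))
```

Run it against real output by loading the three `az ... -o json` results with `json.load` in place of the sample dictionaries; an empty `problems` list means step 3 can proceed, and a non-empty one names the prerequisite still missing.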
