Scheduled Task using Entra ID Account on Entra-joined VM

Question

Scheduled Task using Entra ID Account on Entra-joined VM

Lipke, Harald 1

we have a Windows2022 server on Azure - Entra ID joined only (not hybrid joined!)
we want ro run a batch job that authenticates to SQL Managed Instance

How can we assign an Entra-Only User account to the scheduled task? We only manage to use local accounts here - who cannot authenticate to the database.

So basically its about: How can I use an entra id account in a scheduled task on entra joined VM?

1 answer

Your answer

Answer 1

Prrudram-MSFT 28,366 Microsoft Employee Moderator

Hi @Lipke, Harald

Thank you for reaching out to the Microsoft Q&A platform.

I can suggest you some steps on high level here along with relevant document links to support you.

To use an Entra-only user account in a scheduled task on an Entra-joined VM, you can create a user-assigned managed identity for your Azure Automation account and use it to access other resources, such as your SQL Managed Instance.

https://learn.microsoft.com/en-us/azure/automation/add-user-assigned-identity

Create a PowerShell runbook in your Azure Automation account that authenticates to your SQL Managed Instance using the user-assigned managed identity. https://learn.microsoft.com/en-us/azure/automation/learn/powershell-runbook-managed-identity

Create a scheduled job in your Azure Automation account that runs the PowerShell runbook at the desired frequency

https://learn.microsoft.com/en-us/azure/automation/quickstarts/create-azure-automation-account-portal

If I have answered your query, please click "Accept as answer" as a token of appreciation

Lipke, Harald 1 Reputation point

2024-05-29T14:27:02.33+00:00
Thank you for your answer!
Unfortunately we have to use an existing program that runs as a service and executes scheduled jobs that require acces to:

sql maaged instance db

and local file system

Due to the program's doc the account that runs the service must be an account with access rights to the db and access to local file system (target directory)
This could be solved, if it were possible use an entra id account to run the service in that VM.
Prrudram-MSFT 28,366 Reputation points Microsoft Employee Moderator

2024-05-29T19:18:12.0566667+00:00

Lipke, Harald

Is it possible to share more details about your existing configuration. What is it set up like?
Lipke, Harald 1 Reputation point

2024-05-30T15:31:31.1933333+00:00

Yes - sure

we have a SQL Managed instance on Azure hosting several DBs

customer uses a windows - software called esoffice, which currently has been moved from onprem to an Azure Windows 2022 VM. The software installs a service and this service should be configured with an account that has RW - access to a file share (we chose just local space on the VM's hard drive) and to the SQL managed instance DBs.

We do no longer have an active directory and want to only use Entra ID. Interactive access to the DB using Entra Account is fine, but it is not possible to use an Entra ID Account that can run as a service on the Windows 2022 VM - or we do not know how to achieve this.

We can logon interacitively to the VM via membership to "Virtual Machine Administrator/User Logon" - Role but an Entra ID Account cannot be selected for the service account.

Do you know if there is a solution for this?
Prrudram-MSFT 28,366 Reputation points Microsoft Employee Moderator

2024-08-07T15:38:54.52+00:00

Please see my private message for details.

Share via

Scheduled Task using Entra ID Account on Entra-joined VM

1 answer

Your answer