Difference between Active Directory Managed Identity and MSI in Azure SQL Database

ethanlchristensen 20 Reputation points
2024-12-13T21:59:31.9466667+00:00

Following this article: Azure Active Directory Authentication for SQL Server, what is the difference between:

  • Authentication=Active Directory Managed Identity
  • Authentication=Active Directory MSI

While attempting to connect to an Azure SQL Database using Managed Identity, an error occurs: Invalid value for key 'authentication'. However, connections using MSI seem to work without issue.

The article indicates that both Managed Identity and MSI can be used, suggesting they might function similarly. What does the Invalid value for key 'authentication' mean when using Managed Identity as opposed to MSI, and why does one work and not the other?

Azure SQL Database
Microsoft Security Microsoft Entra Microsoft Entra ID

Accepted answer
  1. Marcin Policht 49,640 Reputation points MVP Volunteer Moderator
    2024-12-13T22:31:34.6166667+00:00

    The key difference between Authentication=Active Directory Managed Identity and Authentication=Active Directory MSI lies in the terminology and support provided by different client libraries and drivers used to connect to Azure SQL Database. Here's an explanation:

    Active Directory Managed Identity is the newer and more explicit term for using Azure Managed Identity authentication, aligning with Azure's consistent naming conventions for its identity features. Active Directory MSI is an older or alternate name for the same concept, referring to the Managed Service Identity (MSI) feature that was renamed to "Managed Identity."

    The error suggests that the specific connection string value (Authentication=Active Directory Managed Identity) is not recognized by the client library or driver being used. Many Azure SQL Database client libraries, such as those in ADO.NET, ODBC, or JDBC, may not have been updated to support the Active Directory Managed Identity keyword. Instead, they still expect the older Active Directory MSI.

    Since Active Directory MSI is the legacy term and is still supported in many existing client libraries, it is recognized and processed correctly. Use Authentication=Active Directory MSI if it works and meets your needs. Keep in mind that it is functionally equivalent to Active Directory Managed Identity.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    1 person found this answer helpful.
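The keyword check described in the answer can be run against whichever driver an application actually loads. The following is an added example, not code from the thread or from Microsoft: it assumes the `Microsoft.Data.SqlClient` package, and the server and database names are constructed placeholders. It only parses connection strings and never opens a connection.

```csharp
using System;
using Microsoft.Data.SqlClient; // assumption: the app uses this ADO.NET driver package

static class ManagedIdentityKeywordProbe
{
    // The two spellings discussed in the thread, newer name first.
    static readonly string[] Candidates =
    {
        "Active Directory Managed Identity",
        "Active Directory MSI",
    };

    // Returns the first spelling the loaded driver parses, or null if it accepts neither.
    public static string? FirstAcceptedKeyword(string server, string database)
    {
        foreach (var keyword in Candidates)
        {
            // No user name or password: a managed identity keeps secrets out of configuration.
            var cs = $"Server={server};Database={database};Authentication={keyword};Encrypt=True";
            try
            {
                // Parsing only. An unknown Authentication value is rejected here,
                // before any network traffic, with an ArgumentException.
                var builder = new SqlConnectionStringBuilder(cs);
                Console.WriteLine($"Accepted '{keyword}' -> {builder.Authentication}");
                return keyword;
            }
            catch (ArgumentException ex)
            {
                // Same class of failure the question reports for key 'authentication'.
                Console.Error.WriteLine($"Rejected '{keyword}': {ex.Message}");
            }
        }
        return null;
    }

    static void Main()
    {
        // Constructed placeholder names, not values from the thread.
        var keyword = FirstAcceptedKeyword("example-server.database.windows.net", "ExampleDb");
        if (keyword is null)
        {
            Console.Error.WriteLine("This driver build accepts neither managed identity keyword.");
            Environment.Exit(1);
        }
    }
}
```

Running this at startup or in a build check shows a driver downgrade as a clear parse failure rather than a runtime connection error.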
