How to create Microsoft.Sql/servers/securityAlertPolicies using Managed Identity instead of Storage Account access key?

Question

How to create Microsoft.Sql/servers/securityAlertPolicies using Managed Identity instead of Storage Account access key?

Marcin Słowikowski 35

Hello,

I am working on IaC (Terraform). I don't fully understand this resource azurerm_mssql_server_security_alert_policy - resource type in Azure "Microsoft.Sql/servers/securityAlertPolicies". I couldn't find it in the Azure Portal. I found some issues on Github about this resource in the azurerm Terraform provider https://github.com/search?q=repo%3Ahashicorp%2Fterraform-provider-azurerm+azurerm_mssql_server_security_alert_policy&type=issues

I wanted to deploy this resource using a Storage Account with Managed Identity instead of a Storage Account access key because MS recommends disabling the access key to use Entra ID for authentication. Could you please give me some information about this resource (to fully understand it and how it works) and whether it is possible to deploy it without an access key? Does it make sense to create this resource without SA properties at all?

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Marcin Słowikowski 35 Reputation points

2025-05-16T11:16:27.1966667+00:00

@Adithya Prasad K is this quick response generated by AI? azurerm_mssql_server_security_alert_policy in the latest version of azurerm provider does not contain use_identity
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Marcin Słowikowski 35 Reputation points

2025-05-16T12:13:20.2533333+00:00

@Adithya Prasad K

Understanding the Resource While this resource is part of Terraform's Azure provider, you won’t find it as a distinct object in the Azure Portal—security alert policies are typically configured within the SQL Server settings. The Terraform implementation allows you to automate this setup through infrastructure as code. Deploying Without a Storage Account Access Key You’re absolutely right—Microsoft recommends using Managed Identity over access keys for security reasons. However, the Terraform resource currently requires a storage_account_access_key if you specify a storage account. At the moment, there isn't direct Terraform support for using Managed Identity instead of an access key for this resource.

If this is not Terraform provider feature then how to do it via Bicep, ARM template or API?

Does It Make Sense to Create Without Storage Account Properties? If your security policies rely on auditing and logging, specifying storage account properties is essential. However, if your goal is only to enable security alerts without audit logging, then storage configuration might not be necessary. An alternative approach is using Azure Monitor or Log Analytics to capture security-related events without relying on a storage account. If you want to avoid access keys entirely, consider using Log Analytics or Azure Monitor instead of Storage Account logging. Keep an eye on Terraform's Azure provider updates—support for Managed Identity authentication might be added in the future. For further information, I kindly recommend reviewing the links provided below.

azurerm_mssql_server_security_alert_policydoes not support Log Analytics workspace

If you generate these answers using AI then please don't do it because I want an answer from someone who has experience with this. I have already checked how AI can help me but unfortunately all the answers are wrong so I am looking for support here
SSingh-MSFT 16,371 Reputation points Moderator

2025-05-26T03:15:37.3466667+00:00

Hi Marcin Słowikowski,

We are checking with the internal team on the ask and will get back to you.

Thanks for your patience.

1 answer

Your answer

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Marcin Słowikowski 35 Reputation points

2025-05-16T11:16:27.1966667+00:00

@Adithya Prasad K is this quick response generated by AI? azurerm_mssql_server_security_alert_policy in the latest version of azurerm provider does not contain use_identity
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
SSingh-MSFT 16,371 Reputation points Moderator

2025-05-26T03:15:37.3466667+00:00

Hi Marcin Słowikowski,

We are checking with the internal team on the ask and will get back to you.

Thanks for your patience.

Answer 1

Oury Ba-MSFT 20,911 Microsoft Employee Moderator

@Marcin Słowikowski

Regarding your question about the securityAlertPolicies API, this is the old API for enabling Microsoft Defender for SQL on the SQL server. The storage account-related fields mentioned are not relevant anymore. We recommend using the new API: Microsoft.Sql/servers/advancedThreatProtectionSettings. Detailed information can be found here.

To clarify, SQL Advanced Threat Protection (ATP) does not require a storage account, which means there's no need for managed identity support for this particular purpose. I highly suggest using our new API: Microsoft.Sql/servers/advancedThreatProtectionSettings, and you can enable this simply by setting the state to "Enabled."

I hope this clears up any confusion. Please let me know if there's anything else you need.

Regards,

Oury

Oury Ba-MSFT 20,911 Reputation points Microsoft Employee Moderator

2025-06-02T16:55:04.3866667+00:00

@Marcin Słowikowski

Please don't forget to mark as accept answer if the reply was helpful.

Regards,

Oury

Share via

How to create Microsoft.Sql/servers/securityAlertPolicies using Managed Identity instead of Storage Account access key?

1 answer

Your answer