User-assigned managed identity and sql failover

AzureSDE 116 Reputation points
2021-06-13T23:16:39.33+00:00

Our Azure SQL database is configured with active/passive geo-replication between the primary and secondary regional datacenter. The primary SQL database belongs to a resource group that is in the West US and the secondary SQL database belongs to another resource group which is in the East US.

Creating a user-assigned managed identity requires a resource group and we were wondering how a user-assigned managed identity would work in a failover scenario. Would a user-assigned managed identity created under a resource group in the West US still work with the secondary SQL in the East US when there is a failover from the primary to the secondary?

Azure SQL Database
Microsoft Entra ID

Accepted answer
Saurabh Sharma 23,806 Reputation points Microsoft Employee
2021-06-16T23:32:29.64+00:00

Hi @AzureSDE ,

I have tested this with a user-assigned managed identity for a published web application and it works only when you add this user-assigned managed identity to the secondary server (using CREATE USER [appserviceuser] FROM EXTERNAL PROVIDER) during the failover time.
So, basically you need to provide access to your failover server to make this work.

This even works if the user-managed identity resides in a different resource group than the secondary SQL instance.
Please let me know if you have any questions.

Thanks
Saurabh

----------

Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
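The step the accepted answer describes, written out as an added T-SQL example that is not part of the original answer. It assumes the managed identity is named appserviceuser (the name the answer uses) and that the application needs only read/write access to table data; it adds a least-privilege role grant and a verification query on top of the CREATE USER statement.

```sql
-- Added example (not from the original post). Assumes the user-assigned
-- managed identity is named [appserviceuser] and that the application only
-- needs to read and write table data.
-- Run this in the user database on the server that will serve the application
-- after failover; run the same script on the primary so that failback also works.

-- 1. Create a contained database user mapped to the Microsoft Entra ID identity.
--    The name must match the managed identity's display name exactly.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'appserviceuser')
BEGIN
    CREATE USER [appserviceuser] FROM EXTERNAL PROVIDER;
END;

-- 2. Grant only the roles the application needs (least privilege) rather than db_owner.
ALTER ROLE db_datareader ADD MEMBER [appserviceuser];
ALTER ROLE db_datawriter ADD MEMBER [appserviceuser];

-- 3. Verify the principal exists as an external (Entra ID) user and list its roles.
--    Expect type_desc = 'EXTERNAL_USER' and authentication_type_desc = 'EXTERNAL'.
SELECT dp.name,
       dp.type_desc,
       dp.authentication_type_desc,
       r.name AS role_name
FROM sys.database_principals AS dp
LEFT JOIN sys.database_role_members AS rm
       ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = rm.role_principal_id
WHERE dp.name = N'appserviceuser';
```

If the verification query returns no row on the server that is primary after failover, the application's token-based login will fail there even though it still works against the original region.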

