Share via

User-assigned managed identity and sql failover

AzureSDE 116 Reputation points
2021-06-13T23:16:39.33+00:00

Our Azure SQL database is configured with active/passive geo-replication between the primary and secondary regional datacenter. The primary SQL database belongs to a resource group that is in the West US and the secondary SQL database belongs to another resource group which is in the East US.

Creating a user-assigned managed identity requires a resource group and we were wondering how a user-assigned managed identity would work in a failover scenario. Would a user-assigned managed identity created under a resource group in the West US still work with the secondary SQL in the East US when there is a failover from the primary to the secondary?

Azure SQL Database
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Answer accepted by question author
  1. Saurabh Sharma 23,866 Reputation points Microsoft Employee Moderator
    2021-06-16T23:32:29.64+00:00

    Hi @AzureSDE ,

    I have tested this with user-assigned managed identity for a published web application and it works only when you provide add this user assigned managed identity to secondary server (using CREATE USER [appserviceuser] FROM EXTERNAL PROVIDER) during the failover time.
    So, basically you need to provide access to your failover server to make this work.

    This even works if the user managed identity resides in a different resource group than the secondary SQL instance.
    Please let me know if you have any questions.

    Thanks
    Saurabh

    ----------

    Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.