This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 20%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECH%3C/text%3E%3C/svg%3E)
Was trying to perform encryption in Always Encrypted for Azure SQL DB in SSMS but it failed during the generation of new column master key:
Which Principal should I grant the key vault access to?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 49%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAG%3C/text%3E%3C/svg%3E)
Hi @Chun Hanssen ,
Grant Key Vault access to your Azure SQL Server’s managed identity (not your user account).
Go to Azure SQL Server → Identity → System-assigned, copy the Object ID → then in Key Vault → Access policies → Add access policy, add that principal and give get, wrapKey, unwrapKey, sign permissions.
Thanks,
Akhil.
Hi @Akhil Gajavelly Thanks for the insights
Under SQL server, i have enabled the system assigned managed identity:
And obtained the ObjectID (principalID)
az sql server show --name <server-name> --resource-group <resource-group> --query identity
I have added the db under the access policy, and provided the permissions
However, it failed:
This is resolved. Noticed that the user was not granted get, wrapKey, unwrapKey, sign permissions under Cryptographic Operations in Azure Key Vault