Application requests to Azure SQL Database must be authenticated. Although there are multiple options for authenticating to Azure SQL Database, you should prioritize passwordless connections in your applications when possible. Traditional authentication methods that use passwords or secret keys create security risks and complications. Visit the passwordless connections for Azure services hub to learn more about the advantages of moving to passwordless connections.
The following tutorial explains how to migrate an existing Node.js application to connect to Azure SQL Database to use passwordless connections instead of a username and password solution.
Configure the Azure SQL Database
Passwordless connections use Microsoft Entra authentication to connect to Azure services, including Azure SQL Database. Microsoft Entra authentication, you can manage identities in a central location to simplify permission management. Learn more about configuring Microsoft Entra authentication for your Azure SQL Database:
For this migration guide, ensure you have a Microsoft Entra admin assigned to your Azure SQL Database.
Navigate to the Microsoft Entra page of your logical server.
Select Set admin to open the Microsoft Entra ID flyout menu.
In the Microsoft Entra ID flyout menu, search for the user you want to assign as admin.
Select the user and choose Select.
Configure your local development environment
Passwordless connections can be configured to work for both local and Azure-hosted environments. In this section, you apply configurations to allow individual users to authenticate to Azure SQL Database for local development.
Sign-in to Azure
For local development, make sure you're signed-in with the same Azure AD account you want to use to access Azure SQL Database. You can authenticate via popular development tools, such as the Azure CLI or Azure PowerShell. The development tools with which you can authenticate vary across languages.
Sign-in to Azure through the Azure CLI using the following command:
az login
Select the Sign in button in the top right of Visual Studio.
Sign-in using the Azure AD account you assigned a role to previously.
You will need to install the Azure CLI to work with DefaultAzureCredential through Visual Studio Code.
On the main menu of Visual Studio Code, navigate to Terminal > New Terminal.
Sign-in to Azure through the Azure CLI using the following command:
az login
Sign-in to Azure using PowerShell via the following command:
Connect-AzAccount
Create a database user and assign roles
Create a user in Azure SQL Database. The user should correspond to the Azure account you used to sign-in locally in the Sign-in to Azure section.
In the Azure portal, browse to your SQL database and select Query editor (preview).
Select Continue as <your-username> on the right side of the screen to sign into the database using your account.
On the query editor view, run the following T-SQL commands:
CREATE USER [user@domain] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [user@domain];
ALTER ROLE db_datawriter ADD MEMBER [user@domain];
ALTER ROLE db_ddladmin ADD MEMBER [user@domain];
GO
Running these commands assigns the SQL DB Contributor role to the account specified. This role allows the identity to read, write, and modify the data and schema of your database. For more information about the roles assigned, see Fixed-database roles.
Existing application code that connects to Azure SQL Database using the Node.js SQL Driver - tedious continues to work with passwordless connections with minor changes. To use a user-assigned managed identity, pass the authentication.type and options.clientId properties.
The AZURE_CLIENT_ID environment variable is created later in this tutorial.
Test the app
Run your app locally and verify that the connections to Azure SQL Database are working as expected. Keep in mind that it may take several minutes for changes to Azure users and roles to propagate through your Azure environment. Your application is now configured to run locally without developers having to manage secrets in the application itself.
Configure the Azure hosting environment
Once your app is configured to use passwordless connections locally, the same code can authenticate to Azure SQL Database after it's deployed to Azure. The sections that follow explain how to configure a deployed application to connect to Azure SQL Database using a managed identity. Managed identities provide an automatically managed identity in Microsoft Entra ID (formerly Azure Active Directory) for applications to use when connecting to resources that support Microsoft Entra authentication. Learn more about managed identities:
Complete the following steps in the Azure portal to associate the user-assigned managed identity with your app. These same steps apply to the following Azure services:
Azure Spring Apps
Azure Container Apps
Azure virtual machines
Azure Kubernetes Service
Navigate to the overview page of your web app.
Select Identity from the left navigation.
On the Identity page, switch to the User assigned tab.
Select + Add to open the Add user assigned managed identity flyout.
Select the subscription you used previously to create the identity.
Search for the MigrationIdentity by name and select it from the search results.
Select Add to associate the identity with your app.
Use the following Azure CLI commands to associate an identity with your app:
Retrieve the fully qualified resource ID of the managed identity you created using the az identity show command. Copy the output value to use in the next step.
az identity show --name MigrationIdentity -g <your-identity-resource-group-name> --query id
You can assign a managed identity to an Azure App Service instance with the az webapp identity assign command. The --identities parameter requires the fully qualified resource ID of the managed identity you retrieved in the previous step. A fully qualified resource ID starts with '/subscriptions/{subscriptionId}' or '/providers/{resourceProviderNamespace}/'.
If you are working with Git Bash, be careful of path conversions when using fully qualified resource IDs. To disable path conversion, add MSYS_NO_PATHCONV=1 to the beginning of your command. For more information, see Auto translation of resource IDs.
You can assign a managed identity to a virtual machine with the az vm identity assign command.
az vm identity assign \
--resource-group <resource-group-name> \
--name <virtual-machine-name> \
--identities <managed-identity-id>
You can assign a managed identity to an Azure Kubernetes Service (AKS) instance with the az aks update command.
az aks update \
--resource-group <resource-group-name> \
--name <cluster-name> \
--enable-managed-identity \
--assign-identity <managed-identity-id> \
--assign-kubelet-identity <managed-identity-id>
Create a database user for the identity and assign roles
Create a SQL database user that maps back to the user-assigned managed identity. Assign the necessary SQL roles to the user to allow your app to read, write, and modify the data and schema of your database.
In the Azure portal, browse to your SQL database and select Query editor (preview).
Select Continue as <username> on the right side of the screen to sign into the database using your account.
On the query editor view, run the following T-SQL commands:
CREATE USER [user-assigned-identity-name] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [user-assigned-identity-name];
ALTER ROLE db_datawriter ADD MEMBER [user-assigned-identity-name];
ALTER ROLE db_ddladmin ADD MEMBER [user-assigned-identity-name];
GO
Running these commands assigns the SQL DB Contributor role to the user-assigned managed identity. This role allows the identity to read, write, and modify the data and schema of your database.
Important
Use caution when assigning database user roles in enterprise production environments. In those scenarios, the app shouldn't perform all operations using a single, elevated identity. Try to implement the principle of least privilege by configuring multiple identities with specific permissions for specific tasks.
You can read more about configuring database roles and security on the following resources:
Create an app setting for the managed identity client ID
To use the user-assigned managed identity, create an AZURE_CLIENT_ID environment variable and set it equal to the client ID of the managed identity. You can set this variable in the Configuration section of your app in the Azure portal. You can find the client ID in the Overview section of the managed identity resource in the Azure portal.
Save your changes and restart the application if it doesn't do so automatically.
If you need to use a system-assigned managed identity, omit the options.clientId property. You still need to pass the authentication.type property.
Administer an SQL Server database infrastructure for cloud, on-premises and hybrid relational databases using the Microsoft PaaS relational database offerings.