Create server configured with user-assigned managed identity and customer-managed TDE

Applies to: Azure SQL Database

This how-to guide outlines the steps to create an Azure SQL logical server configured with transparent data encryption (TDE) with customer-managed keys (CMK) using a user-assigned managed identity to access Azure Key Vault.


Create server configured with TDE with customer-managed key (CMK)

The following steps create a new Azure SQL Database logical server and a new database with a user-assigned managed identity assigned to the server. The user-assigned managed identity is required for configuring a customer-managed key for TDE at server creation time, because the server uses that identity to access the key in Azure Key Vault.

  1. Browse to the Select SQL deployment option page in the Azure portal.

  2. If you aren't already signed in to Azure portal, sign in when prompted.

  3. Under SQL databases, leave Resource type set to Single database, and select Create.

  4. On the Basics tab of the Create SQL Database form, under Project details, select the desired Azure Subscription.

  5. For Resource group, select Create new, enter a name for your resource group, and select OK.

  6. For Database name enter ContosoHR.

  7. For Server, select Create new, and fill out the New server form with the following values:

    • Server name: Enter a unique server name. Server names must be globally unique for all servers in Azure, not just unique within a subscription. Enter something like mysqlserver135, and the Azure portal will let you know if it's available or not.
    • Server admin login: Enter an admin login name, for example: azureuser.
    • Password: Enter a password that meets the password requirements, and enter it again in the Confirm password field.
    • Location: Select a location from the dropdown list.

  8. Select Next: Networking at the bottom of the page.

  9. On the Networking tab, for Connectivity method, select Public endpoint.

  10. For Firewall rules, set Add current client IP address to Yes. Leave Allow Azure services and resources to access this server set to No.

    [Screenshot: networking settings when creating a SQL server in the Azure portal]

  11. Select Next: Security at the bottom of the page.

  12. On the Security tab, under Identity, select Configure Identities.

    [Screenshot: security settings and configuring identities in the Azure portal]

  13. On the Identity blade, select User assigned managed identity and then select Add. Select the desired Subscription and then under User assigned managed identities select the desired user-assigned managed identity from the selected subscription. Then select the Select button.

    [Screenshot: adding a user-assigned managed identity when configuring the server identity]

    [Screenshot: the user-assigned managed identity shown when configuring the server identity]

  14. Under Primary identity, select the same user-assigned managed identity selected in the previous step.

    [Screenshot: selecting the primary identity for the server]

  15. Select Apply.

  16. On the Security tab, under Transparent data encryption, select Configure Transparent data encryption. Then select Select a key and select Change key. Select the desired Subscription, Key vault, Key, and Version for the customer-managed key to be used for TDE. Select the Select button.

    [Screenshot: configuring TDE for the server]

    [Screenshot: selecting the key to use with TDE]

  17. Select Apply.

  18. Select Review + create at the bottom of the page.

  19. On the Review + create page, after reviewing, select Create.
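The same configuration can be scripted instead of clicked through. The following Az PowerShell script is an added example, not part of this guide or of the Azure documentation, that provisions the identity, the vault and key, and then the server with the user-assigned managed identity as its primary identity and the customer-managed key as the TDE protector at creation time, matching steps 13 to 16 above. It assumes the Az.Accounts, Az.Resources, Az.ManagedServiceIdentity, Az.KeyVault and Az.Sql modules are installed and that Connect-AzAccount has already been run; every resource name at the top is a placeholder. Two prerequisites that the portal enforces when you pick the key are made explicit here: the key vault must have soft delete and purge protection enabled, and the identity needs only the get, wrapKey and unwrapKey key permissions, so nothing broader is granted.

```powershell
# Added example (not from the page): provision a logical server with a user-assigned
# managed identity and customer-managed TDE using Az PowerShell.
# Assumes Connect-AzAccount has been run. All names below are placeholders.

$rg         = 'contoso-hr-rg'          # resource group, created here
$location   = 'eastus'
$serverName = 'mysqlserver135'         # globally unique: lowercase letters, digits, hyphens
$dbName     = 'ContosoHR'
$umiName    = 'sql-tde-umi'
$vaultName  = 'contoso-tde-kv'         # Key Vault names are globally unique as well
$keyName    = 'tde-protector'

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# 1. The user-assigned managed identity the server will use to reach Key Vault (steps 13-14).
$umi = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name $umiName -Location $location

# 2. A vault with soft delete (default for new vaults) and purge protection, both required
#    for TDE with CMK. Purge protection cannot be switched off once enabled.
$vault = New-AzKeyVault -ResourceGroupName $rg -VaultName $vaultName -Location $location `
    -EnablePurgeProtection

# 3. Least-privilege grant: only the key operations TDE needs. This vault uses access
#    policies; on an RBAC-enabled vault assign the 'Key Vault Crypto Service Encryption User'
#    role to $umi.PrincipalId instead.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $umi.PrincipalId `
    -PermissionsToKeys get, wrapKey, unwrapKey

# 4. The TDE protector key. Build the versioned key URI explicitly so the protector is pinned
#    to this key version (the portal's Subscription / Key vault / Key / Version picker, step 16).
$key   = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination Software
$keyId = "$($vault.VaultUri.TrimEnd('/'))/keys/$keyName/$($key.Version)"

# 5. The server, created with the UMI as its only identity and as primary identity,
#    and the CMK as TDE protector at creation time.
$cred = Get-Credential -UserName 'azureuser' -Message 'SQL admin password'
$server = New-AzSqlServer -ResourceGroupName $rg -ServerName $serverName -Location $location `
    -SqlAdministratorCredentials $cred `
    -AssignIdentity -IdentityType UserAssigned `
    -UserAssignedIdentityId $umi.Id `
    -PrimaryUserAssignedIdentityId $umi.Id `
    -KeyId $keyId

# 6. Firewall as in step 10: only the current client IP, no "Allow Azure services" rule.
#    The IP lookup service is a placeholder; substitute your own address if preferred.
$clientIp = Invoke-RestMethod -Uri 'https://api.ipify.org'
New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $serverName `
    -FirewallRuleName 'ClientIP' -StartIpAddress $clientIp -EndIpAddress $clientIp | Out-Null

New-AzSqlDatabase -ResourceGroupName $rg -ServerName $serverName -DatabaseName $dbName | Out-Null

# 7. Verify the protector is customer-managed rather than the default service-managed key.
$protector = Get-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg `
    -ServerName $serverName
if ($protector.Type -ne 'AzureKeyVault') {
    throw "TDE protector is '$($protector.Type)', expected AzureKeyVault"
}
"TDE protector: $($protector.Type) $($protector.KeyId)"
```

The final check is the one worth keeping in any pipeline: a server whose protector type reports ServiceManaged was created without the customer-managed key taking effect, which is exactly the state this guide exists to avoid. If the key permissions in step 3 are missing or the vault lacks purge protection, New-AzSqlServer fails rather than silently falling back to a service-managed key.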

Next steps