Azure Database with managed identity error

If I add a new Azure SQL database with system managed identity using the website on the Monitor server then it works fine.
If I try and add it from the browser on my desktop then it fails. It's almost like it's trying to use the MI of my PC (which is an Azure virtual machine) rather than the MI of the Monitor server.
 

Answers

  • Hi David,

    Sorry to hear about the trouble you're having with SQL Monitor. I’ve just sent a file request to your email. Please upload the file there, and we'll review it.

  • postledm Posts: 10 New member
    You can find the log files from when I was setting up Monitor on ticket 317960.
  • Hey David, 

    Apologies for the delay. The problem occurs because, when accessing SQL Monitor from your desktop (an Azure virtual machine), the system is attempting to use the Managed Identity (MI) of that desktop VM rather than the MI of the Monitor server. Managed Identity authentication typically uses the identity of the environment initiating the request, leading to this issue.

    Let me know if this helps or if you have any other questions.

    Best, 

    Hassan 
    Product Support Engineer
  • postledm Posts: 10 New member
    If this is by design then you should update your documentation and probably put a help message on the screen in Monitor.

    I have also seen that MI only works on the Monitor server if I use the localhost web address.
    If I use the FQDN alias for our Monitor then adding a DB using MI fails.
  • when we talk about It looks like you're encountering an issue when adding a new Azure SQL Database with a system-managed identity (MI).

    Works on Monitor Server: When I add the Azure SQL Database via the Azure portal from the Monitor server, it works perfectly.

    Fails from Desktop: However, when I try to add the database from my desktop browser (which is running on an Azure virtual machine)

    ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
    Status: 400 (Bad Request)
    Content: {"error":"invalid_request","error_description":"Identity not found"}
    (See attached screenshot for full details).

    It seems like my desktop VM is trying to use its own managed identity rather than the managed identity assigned to the Monitor server.

    Error Details (from screenshot):
    Status Code: 400 (Bad Request)
    Error: "Identity not found"
    It indicates that the managed identity is either not being recognized or not assigned to the resource (Azure SQL Database).

    What I’ve Tried So Far:

    Permission Verification: Both the Monitor server and the desktop VM have the necessary permissions (e.g., Contributor role on the SQL Database and the Resource Group).

    Cross-Check Managed Identity Settings: I double-checked the managed identity settings on both the Monitor server and desktop VM, ensuring the right identity is assigned.

    Possible Causes:

    Identity Confusion Across Different Machines: It seems like the request from my desktop VM is using its own managed identity rather than the Monitor server’s identity.

    Azure Active Directory Token Assignment: The desktop VM might not have the proper Azure AD token assignment for the SQL Database.

    Should I be explicitly setting the MI when making the request from the desktop, or is there a configuration in Azure Managed Services that could resolve this conflict?
  • austinjoy Posts: 5 New member
    edited September 23, 2024 12:54PM

    I’m encountering an issue when adding a new Azure SQL Database with a system-managed identity (MI). Here’s the situation:

    • Works on Monitor Server: When I add the Azure SQL Database via the Azure portal from the Monitor server, it works perfectly.

    • Fails from Desktop: However, when I try to add the database from my desktop browser (which is running on an Azure virtual machine), I get the following error:

    ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
    Status: 400 (Bad Request)
    Content: {"error":"invalid_request","error_description":"Identity not found"}
    (See attached screenshot for full details).

    It seems like my desktop VM is trying to use its own managed identity rather than the managed identity assigned to the Monitor server.

    Error Details (from screenshot):
    Status Code: 400 (Bad Request)
    Error: "Identity not found"
    It indicates that the managed identity is either not being recognized or not assigned to the resource (Azure SQL Database).

    What I’ve Tried So Far:

    • Permission Verification: Both the Monitor server and the desktop VM have the necessary permissions (e.g., Contributor role on the SQL Database and the Resource Group).
    • Cross-Check Managed Identity Settings: I double-checked the managed identity settings on both the Monitor server and desktop VM, ensuring the right identity is assigned.

    Possible Causes:

    1. Identity Confusion Across Different Machines: It seems like the request from my desktop VM is using its own managed identity rather than the Monitor server’s identity.
    2. Azure Active Directory Token Assignment: The desktop VM might not have the proper Azure AD token assignment for the SQL Database.
    Should I be explicitly setting the MI when making the request from the desktop, or is there a configuration in Azure Managed Services that could resolve this conflict?
  • Hi David,

    You mentioned, 'If I try to add it from the browser on my desktop, it fails.' Are you attempting to use the system-managed identity in this scenario?

  • postledm Posts: 10 New member
    System MI
  • Hi Postledm and Austinjoy,  

    The error message "ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource." indicates that the managed identity being used (likely your desktop VM’s identity) has not been assigned to the Azure SQL Database. This is why the authentication fails when trying to connect from your desktop.

    In your case, explicitly setting the managed identity (MI) is a good approach when making requests from your desktop, especially if you're facing a conflict where the desktop VM's identity is being used instead of the Monitor server's identity.

    The cause is likely due to the following:

    • The desktop VM’s managed identity: When connecting to the Azure SQL Database from your desktop, it may be using the desktop VM’s managed identity, which doesn’t have the necessary permissions on the database. The identity is either not assigned or not properly configured on the Azure SQL Database. You

    • Permissions issue: The error indicates that the identity being used doesn’t have access to the database. You need to ensure that the correct identity is assigned and that it has the required permissions, such as admin account or a user with reduced permissions as mentioned here

    Please let me know if you have further issues 

    Best, 

    Hassan 
    Product Support Engineer
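
Added example, not part of the thread or of SQL Monitor: a small diagnostic that asks the Azure Instance Metadata Service (IMDS) on the machine where it runs for an Azure SQL token and reports which identity, if any, that machine presents. Running it on both the Monitor server and the desktop VM shows which one returns the "Identity not found" body quoted above. The sample claims and token are constructed, and the use of the `oid` and `xms_mirid` claims to name the identity is an assumption about what the reader wants to see.

```python
import base64, json, urllib.error, urllib.parse, urllib.request

# Azure Instance Metadata Service (IMDS) token endpoint, reachable only from inside an Azure VM.
IMDS = "http://169.254.169.254/metadata/identity/oauth2/token"
SQL_RESOURCE = "https://database.windows.net/"
# Error body quoted in the thread; the claims and token below are constructed and unsigned.
SAMPLE_ERROR = '{"error":"invalid_request","error_description":"Identity not found"}'
SAMPLE_CLAIMS = {"oid": "00000000-0000-0000-0000-000000000001",
                 "xms_mirid": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg/providers/Microsoft.Compute/virtualMachines/monitor-vm"}
SAMPLE_TOKEN = "e30." + base64.urlsafe_b64encode(json.dumps(SAMPLE_CLAIMS).encode()).decode().rstrip("=") + ".sig"
SAMPLE_OK = json.dumps({"access_token": SAMPLE_TOKEN})

def jwt_claims(token):
    """Decode (without verifying) the JWT payload to see whose token it is."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def describe(status, body):
    """Turn an IMDS status code and JSON body into a one-line diagnosis."""
    data = json.loads(body)
    if status == 200:
        c = jwt_claims(data["access_token"])
        return "token issued: oid=%s vm=%s" % (c.get("oid"), c.get("xms_mirid"))
    if status == 400 and data.get("error_description") == "Identity not found":
        return "the requested managed identity is not assigned to this machine"
    return "unexpected IMDS answer %s: %s" % (status, data.get("error"))

def query_imds(client_id=None, timeout=3):
    """Ask the local IMDS for an Azure SQL token; returns (status, body)."""
    params = {"api-version": "2018-02-01", "resource": SQL_RESOURCE}
    if client_id:  # only needed to select a user-assigned identity
        params["client_id"] = client_id
    req = urllib.request.Request(IMDS + "?" + urllib.parse.urlencode(params),
                                 headers={"Metadata": "true"})
    # IMDS is link-local and must not be reached through a proxy.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=timeout) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()
    except OSError as e:  # not on an Azure VM, or IMDS unreachable
        return 0, json.dumps({"error": str(e)})

if __name__ == "__main__":
    print("constructed sample:", describe(200, SAMPLE_OK))
    print("constructed sample:", describe(400, SAMPLE_ERROR))
    print("this machine:", describe(*query_imds()))
```
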