Applies to: SQL Server 2025 (17.x) Preview
This article describes how to use a managed identity to back up and restore databases with Azure Blob storage using SQL Server enabled by Azure Arc.
For SQL Server on Azure VMs, review Backup and restore to URL using managed identities with SQL Server on Azure VMs.
Prerequisites
To back up and restore databases with Azure Blob storage using managed identities, you need the following:
- SQL Server 2025 Preview enabled by Azure Arc that's been assigned a primary managed identity.
- An Azure Blob storage account.
- Network access to the Azure Blob storage account, Windows Firewall permissions on the host that allow the outbound connection, and valid storage account service endpoints.
- The primary managed identity for the SQL Server instance needs to have the Storage Blob Data Contributor role assigned to the storage account.
Check storage account permissions
The primary managed identity for the SQL Server instance needs to have the Storage Blob Data Contributor role assigned to the storage account. This role allows the managed identity to write to and read from the storage account.
Use the Azure portal to check the permissions assigned to the managed identity by following these steps:
1. Go to your Storage account in the Azure portal.
2. Select Access Control (IAM) to open the Access Control (IAM) pane.
3. On the Access Control (IAM) pane, select Role assignments to view the list of users and groups that have been assigned roles for the storage account.
4. Filter by the Storage Blob Data Contributor role and verify that you see the managed identity for your SQL Server instance listed.
Create a server credential using managed identities
In order to use the T-SQL commands BACKUP DATABASE <database name> TO URL and RESTORE <database name> FROM URL with managed identities, you need to create a server credential that uses the managed identity. The credential name represents the Azure storage URL and indicates where the database backup is stored.
The following example shows how to create a credential for a managed identity:
CREATE CREDENTIAL [https://<storage-account-name>.blob.core.windows.net/<container-name>]
WITH IDENTITY = 'Managed Identity'
The WITH IDENTITY = 'Managed Identity' clause requires a primary managed identity assigned to the SQL Server instance.
BACKUP to URL with a managed identity
After you create the credential, you can use it to back up databases to Azure Blob storage.
The following example shows how to back up a database to Azure Blob storage using the managed identity credential:
BACKUP DATABASE [AdventureWorks]
TO URL = 'https://<storage-account-name>.blob.core.windows.net/<container-name>/AdventureWorks.bak'
RESTORE from URL with a managed identity
The following example shows how to restore a database from Azure Blob storage using the managed identity credential:
RESTORE DATABASE [AdventureWorks]
FROM URL = 'https://<storage-account-name>.blob.core.windows.net/<container-name>/AdventureWorks.bak'
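The following T-SQL is an added example, not part of the original article. It checks that the server credential for the container exists and uses the Managed Identity identity before backing up, then verifies that the backup can be read back through the same identity. The CHECKSUM option, the RESTORE VERIFYONLY step, and the variable names are additions here; the placeholders are the ones used above.

```sql
-- Added example: replace the placeholders with your storage account and container.
DECLARE @container  nvarchar(400) =
    N'https://<storage-account-name>.blob.core.windows.net/<container-name>';
DECLARE @backup_url nvarchar(500) = @container + N'/AdventureWorks.bak';

-- 1. The credential name must be the container URL, and its identity must be
--    'Managed Identity'. A credential with the same name but another identity
--    (for example a leftover SAS credential) fails this check.
IF NOT EXISTS (
    SELECT 1
    FROM sys.credentials
    WHERE name = @container
      AND credential_identity = N'Managed Identity'
)
BEGIN
    RAISERROR(N'No Managed Identity credential found for %s.', 16, 1, @container);
    RETURN;
END;

-- 2. Back up with page checksums so corruption is detected at backup time.
BACKUP DATABASE [AdventureWorks]
TO URL = @backup_url
WITH CHECKSUM;

-- 3. Read the backup back from Blob storage without restoring it.
--    This exercises the read permission of the role assignment and
--    validates the checksums written in step 2.
RESTORE VERIFYONLY
FROM URL = @backup_url
WITH CHECKSUM;

-- 4. Review which credentials exist and when they were last changed.
SELECT name, credential_identity, create_date, modify_date
FROM sys.credentials
ORDER BY modify_date DESC;
```

If step 2 or 3 fails with an authorization error, recheck the Storage Blob Data Contributor role assignment described under "Check storage account permissions".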
Error messages
The error messages listed in the SQL Server on Azure VMs article also apply to SQL Server enabled by Azure Arc.