From 142caa6ef55f9d187a1d7a6dda30b9640dacce16 Mon Sep 17 00:00:00 2001 From: Matt Hetherington Date: Mon, 2 Jun 2025 12:39:08 +0100 Subject: [PATCH 1/3] Document using managed identity with New-AzSqlDatabaseExport --- src/Sql/Sql/ChangeLog.md | 1 + src/Sql/Sql/help/New-AzSqlDatabaseExport.md | 54 ++++++++++++++++++++- 2 files changed, 54 insertions(+), 1 deletion(-) diff --git a/src/Sql/Sql/ChangeLog.md b/src/Sql/Sql/ChangeLog.md index d5a5e1a4ab69..de1d3c9beac4 100644 --- a/src/Sql/Sql/ChangeLog.md +++ b/src/Sql/Sql/ChangeLog.md @@ -21,6 +21,7 @@ ## Version 6.0.4 * Added server level action groups in enum of action groups to be able to be configured via auditing. +* Documented using managed identity with `New-AzSqlDatabaseExport` ## Version 6.0.3 * Added Information message to `Set-AzSqlInstance` for migrating Azure Sql database with GeoDr links to Azure Sql Hyperscale Edition diff --git a/src/Sql/Sql/help/New-AzSqlDatabaseExport.md b/src/Sql/Sql/help/New-AzSqlDatabaseExport.md index 4f6800ffde99..bb5f997b437d 100644 --- a/src/Sql/Sql/help/New-AzSqlDatabaseExport.md +++ b/src/Sql/Sql/help/New-AzSqlDatabaseExport.md @@ -28,7 +28,7 @@ The get export database status request may be sent to retrieve status informatio This cmdlet is also supported by the SQL Server Stretch Database service on Azure. > [!IMPORTANT] -> In order to make use of this cmdlet the firewall on the Azure SQL Server will need to be configured to "Allow Azure services and resources to access this server". If this is not configured then GatewayTimeout errors will be experienced. +> In order to make use of this cmdlet the firewall on the Azure SQL Server will need to be configured to "Allow Azure services and resources to access this server". If this is not configured then GatewayTimeout errors will be experienced. This is not required if a Private Link connection is established via the UseNetworkIsolation parameter. ## EXAMPLES 
@@ -55,11 +55,39 @@ ErrorMessage : This command creates an export request for the specified database. +### Example 2: Create an export request for a database using managed identity for authentication over private link + +```powershell +$sqlServerName = "Server01" +$storageAccountName = "storageaccount1" +$subscriptionId = "00000000-0000-0000-0000-000000000000" +$resourceGroup = "RG01" +$managedIdentityResourceId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-managed-identity" +$pw = ConvertTo-SecureString "AdministratorPassword" -AsPlainText -Force +New-AzSqlDatabaseExport ` + -ResourceGroupName $resourceGroup ` + -ServerName $sqlServerName ` + -DatabaseName "Database01" ` + -StorageKeyType ManagedIdentity ` + -StorageKey $managedIdentityResourceId ` + -StorageUri "https://storageaccount1.blob.core.windows.net/container1/my-file-name.bacpac" ` + -AuthenticationType ManagedIdentity ` + -AdministratorLogin $managedIdentityResourceId ` + -AdministratorLoginPassword $pw ` + -UseNetworkIsolation $true ` + -SqlServerResourceIdForPrivateLink "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Sql/servers/$sqlServerName" ` + -StorageAccountResourceIdForPrivateLink "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Storage/storageAccounts/$storageAccountName" +``` + +This command creates an export request for the specified database using managed identity for authentication with connectivity over Private Link. + ## PARAMETERS ### -AdministratorLogin Specifies the name of the SQL administrator. +If `-AuthenticationType ManagedIdentity` is provided, this should be the full resource ID of a user-assigned managed identity that is a [Microsoft Entra administrator](https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?view=azuresql&tabs=azure-portal#set-microsoft-entra-admin) of the server. 
+ ```yaml Type: System.String Parameter Sets: (All) @@ -75,6 +103,17 @@ Accept wildcard characters: False ### -AdministratorLoginPassword Specifies the password of the SQL administrator. +This is mandatory. When using `-AuthenticationType ManagedIdentity` a dummy value must be provided, for example: + +``` +$administratorPassword = ConvertTo-SecureString "AdministratorPassword" -AsPlainText -Force + +New-AzSqlDatabaseExport ` + #... + -AdministratorLoginPassword $administratorPassword ` + #... +``` + ```yaml Type: System.Security.SecureString Parameter Sets: (All) @@ -98,6 +137,9 @@ Set the *AdministratorLogin* and *AdministratorLoginPassword* to the SQL adminis Microsoft Entra authentication. Set *AdministratorLogin* and *AdministratorLoginPassword* to the Microsoft Entra administrator username and password. This parameter is only available on SQL Database V12 servers. +- ManagedIdentity. +Managed identity authentication. +Use a user-assigned managed identity to authenticate with the SQL server. The managed identity must be a [Microsoft Entra administrator](https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?view=azuresql&tabs=azure-portal#set-microsoft-entra-admin) for the server. ```yaml Type: Microsoft.Azure.Commands.Sql.ImportExport.Model.AuthenticationType @@ -205,6 +247,8 @@ Accept wildcard characters: False ### -StorageKey Specifies the access key for the storage account. +When `-StorageKeyType ManagedIdentity` is provided, this should be the full resource ID of a user-assigned managed identity which has write access on the storage account for the StorageUri provided (for example via a [Storage Blob Data Contributor](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/storage#storage-blob-data-contributor) role assignment). + ```yaml Type: System.String Parameter Sets: (All) 
@@ -224,6 +268,8 @@ The acceptable values for this parameter are: This value uses a storage account key. - SharedAccessKey. This value uses a Shared Access Signature (SAS) key. +- ManagedIdentity. +Use a user-assigned managed identity for authentication with the storage account. ```yaml Type: Microsoft.Azure.Commands.Sql.ImportExport.Model.StorageKeyType @@ -241,6 +287,12 @@ Accept wildcard characters: False ### -StorageUri Specifies the blob link, as a URL, to the .bacpac file. +For example: + +``` +-StorageUri "https://your-storage-account.blob.core.windows.net/your-container/your-file-name.bacpac" ` +``` + ```yaml Type: System.Uri Parameter Sets: (All) From d6c4c87f871400fb22839e3f72e7883e4c95c11c Mon Sep 17 00:00:00 2001 From: Yeming Liu <11371776+isra-fel@users.noreply.github.com> Date: Wed, 1 Oct 2025 16:46:44 +1000 Subject: [PATCH 2/3] Apply suggestions from code review --- src/Sql/Sql/ChangeLog.md | 1 - src/Sql/Sql/help/New-AzSqlDatabaseExport.md | 23 +++------------------ 2 files changed, 3 insertions(+), 21 deletions(-) diff --git a/src/Sql/Sql/ChangeLog.md b/src/Sql/Sql/ChangeLog.md index de1d3c9beac4..d5a5e1a4ab69 100644 --- a/src/Sql/Sql/ChangeLog.md +++ b/src/Sql/Sql/ChangeLog.md @@ -21,7 +21,6 @@ ## Version 6.0.4 * Added server level action groups in enum of action groups to be able to be configured via auditing. -* Documented using managed identity with `New-AzSqlDatabaseExport` ## Version 6.0.3 * Added Information message to `Set-AzSqlInstance` for migrating Azure Sql database with GeoDr links to Azure Sql Hyperscale Edition diff --git a/src/Sql/Sql/help/New-AzSqlDatabaseExport.md b/src/Sql/Sql/help/New-AzSqlDatabaseExport.md index bb5f997b437d..41121f0b86c8 100644 --- a/src/Sql/Sql/help/New-AzSqlDatabaseExport.md +++ b/src/Sql/Sql/help/New-AzSqlDatabaseExport.md 
@@ -63,7 +63,7 @@ $storageAccountName = "storageaccount1" $subscriptionId = "00000000-0000-0000-0000-000000000000" $resourceGroup = "RG01" $managedIdentityResourceId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-managed-identity" -$pw = ConvertTo-SecureString "AdministratorPassword" -AsPlainText -Force +$pw = ConvertTo-SecureString "******" -AsPlainText -Force New-AzSqlDatabaseExport ` -ResourceGroupName $resourceGroup ` -ServerName $sqlServerName ` @@ -103,17 +103,7 @@ Accept wildcard characters: False ### -AdministratorLoginPassword Specifies the password of the SQL administrator. -This is mandatory. When using `-AuthenticationType ManagedIdentity` a dummy value must be provided, for example: - -``` -$administratorPassword = ConvertTo-SecureString "AdministratorPassword" -AsPlainText -Force - -New-AzSqlDatabaseExport ` - #... - -AdministratorLoginPassword $administratorPassword ` - #... -``` - +This is mandatory. When using `-AuthenticationType ManagedIdentity` a dummy value must be provided. ```yaml Type: System.Security.SecureString Parameter Sets: (All) @@ -285,14 +275,7 @@ Accept wildcard characters: False ``` ### -StorageUri -Specifies the blob link, as a URL, to the .bacpac file. - -For example: - -``` --StorageUri "https://your-storage-account.blob.core.windows.net/your-container/your-file-name.bacpac" ` -``` - +Specifies the blob link, as a URL, to the .bacpac file. For example: `-StorageUri "https://your-storage-account.blob.core.windows.net/your-container/your-file-name.bacpac"` ```yaml Type: System.Uri Parameter Sets: (All) From ac7a42785ab523010a62dab0a01869625710bf0f Mon Sep 17 00:00:00 2001 
From: Yeming Liu <11371776+isra-fel@users.noreply.github.com> Date: Thu, 2 Oct 2025 11:27:29 +1000 Subject: [PATCH 3/3] Update src/Sql/Sql/help/New-AzSqlDatabaseExport.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- src/Sql/Sql/help/New-AzSqlDatabaseExport.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Sql/Sql/help/New-AzSqlDatabaseExport.md b/src/Sql/Sql/help/New-AzSqlDatabaseExport.md index 41121f0b86c8..6b7844801d26 100644 --- a/src/Sql/Sql/help/New-AzSqlDatabaseExport.md +++ b/src/Sql/Sql/help/New-AzSqlDatabaseExport.md @@ -103,7 +103,7 @@ Accept wildcard characters: False ### -AdministratorLoginPassword Specifies the password of the SQL administrator. -This is mandatory. When using `-AuthenticationType ManagedIdentity` a dummy value must be provided. +This is mandatory. When using `-AuthenticationType ManagedIdentity`, a placeholder value (for example, any non-empty SecureString value) must be provided. ```yaml Type: System.Security.SecureString Parameter Sets: (All)
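Review bot: The sentence added to the [!IMPORTANT] note in [PATCH 1/3] (hunk @@ -28,7 +28,7 @@ of New-AzSqlDatabaseExport.md) names the parameter as bare "UseNetworkIsolation" and leaves out the two resource ID parameters that Example 2 passes alongside it. Suggest writing it as `-UseNetworkIsolation $true` and naming `-SqlServerResourceIdForPrivateLink` and `-StorageAccountResourceIdForPrivateLink`, so a reader who leaves "Allow Azure services and resources to access this server" turned off can see which parameters the Private Link path uses.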
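Review bot: In Example 2 of [PATCH 1/3] (hunk @@ -55,11 +55,39 @@), `-StorageUri` hard-codes `storageaccount1` while `-StorageAccountResourceIdForPrivateLink` is built from `$storageAccountName`. A reader who edits only the variable ends up with a blob URL for one account and a Private Link resource ID for another. Suggest building the URL from the variable as well: `-StorageUri "https://$storageAccountName.blob.core.windows.net/container1/my-file-name.bacpac"`.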
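Review bot: The `-StorageKey` text in [PATCH 1/3] (hunk @@ -205,6 +247,8 @@) asks for "write access on the storage account", which reads as an account-wide role assignment for the managed identity. If the export works with Storage Blob Data Contributor assigned on the target container only, say so here. Otherwise state that account scope is required, so readers do not grant more than the export needs.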
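Review bot: The ChangeLog.md hunk in [PATCH 2/3] (@@ -21,7 +21,6 @@) deletes the "Documented using managed identity with `New-AzSqlDatabaseExport`" line that [PATCH 1/3] added, so the series ends with no changelog entry. The commit message "Apply suggestions from code review" does not say why. If help-only changes are not logged, squash the add and the remove so ChangeLog.md is untouched by the series. Otherwise keep the entry.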
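Review bot: In the `-StorageUri` hunk of [PATCH 2/3] (@@ -285,14 +275,7 @@) the rewritten description line is followed directly by the opening yaml fence, because the blank line before it was removed. The same happens under `-AdministratorLoginPassword` in @@ -103,17 +103,7 @@. The text added in [PATCH 1/3] under `-AdministratorLogin` and `-StorageKey` keeps a blank line before the fence, so suggest restoring it in both places for consistency.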
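Review bot: The replacement sentence in [PATCH 3/3] (@@ -103,7 +103,7 @@) says a placeholder value must be provided but not whether the value is used. After [PATCH 2/3], Example 2 also shows `ConvertTo-SecureString "******" -AsPlainText -Force`, which reads like a masked real password rather than a placeholder. If the value is ignored under `-AuthenticationType ManagedIdentity`, say so here and tell readers not to pass a real administrator password. Also change the literal in the example to something obviously fake, such as "placeholder".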