azure-sql-passwordless-migration.md

title	description	author	ms.author	ms.date	ms.service	ms.subservice	monikerRange	ms.topic	ms.custom	ms.devlang
Migrate a .NET application to use passwordless connections with Azure SQL Database	Learn how to migrate a .NET application to use passwordless connections with Azure SQL Database.	alexwolfmsft	alexwolf	02/10/2023	sql-database	security	= azuresql || = azuresql-db	how-to	devx-track-csharp, passwordless-dotnet, devx-track-azurecli	csharp

Migrate a .NET application to use passwordless connections with Azure SQL Database

Application requests to Azure SQL Database must be authenticated. Although there are multiple options for authenticating to Azure SQL Database, you should prioritize passwordless connections in your applications when possible. Traditional authentication methods that use passwords or secret keys create security risks and complications. Visit the passwordless connections for Azure services hub to learn more about the advantages of moving to passwordless connections. The following tutorial explains how to migrate an existing application to connect to Azure SQL Database to use passwordless connections instead of a username and password solution.

Configure the Azure SQL Database

[!INCLUDE configure-the-azure-sql-database]

Configure your local development environment

Passwordless connections can be configured to work for both local and Azure hosted environments. In this section, you'll apply configurations to allow individual users to authenticate to Azure SQL Database for local development.

Sign-in to Azure

[!INCLUDE default-azure-credential-sign-in]

Create a database user and assign roles

Create a user in Azure SQL Database. The user should correspond to the Azure account you used to sign-in locally via development tools like Visual Studio or IntelliJ.

[!INCLUDE local-create-user-roles]

Update the local connection configuration

Existing application code that connects to Azure SQL Database using the Microsoft.Data.SqlClient library or Entity Framework Core will continue to work with passwordless connections. However, you must update your database connection string to use the passwordless format. For example, the following code works with both SQL authentication and passwordless connections:

string connectionString = app.Configuration.GetConnectionString("AZURE_SQL_CONNECTIONSTRING")!;

using var conn = new SqlConnection(connectionString);
conn.Open();

var command = new SqlCommand("SELECT * FROM Persons", conn);
using SqlDataReader reader = command.ExecuteReader();

To update the referenced connection string (AZURE_SQL_CONNECTIONSTRING) to use the passwordless connection string format:

1. Locate your connection string. For local development with .NET applications, this is usually stored in one of the following locations:

   • The appsettings.json configuration file for your project.
   • The launchsettings.json configuration file for Visual Studio projects.
   • Local system or container environment variables.

2. Replace the connection string value with the following passwordless format. Update the <database-server-name> and <database-name> placeholders with your own values:

   Server=tcp:<database-server-name>.database.windows.net,1433;Initial Catalog=<database-name>;
   Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;Authentication="Active Directory Default";

Test the app

Run your app locally and verify that the connections to Azure SQL Database are working as expected. Keep in mind that it may take several minutes for changes to Azure users and roles to propagate through your Azure environment. Your application is now configured to run locally without developers having to manage secrets in the application itself.

Configure the Azure hosting environment

Once your app is configured to use passwordless connections locally, the same code can authenticate to Azure SQL Database after it's deployed to Azure. The sections that follow explain how to configure a deployed application to connect to Azure SQL Database using a managed identity. Managed identities provide an automatically managed identity in Microsoft Entra ID (formerly Azure Active Directory) for applications to use when connecting to resources that support Microsoft Entra authentication. Learn more about managed identities:

• Passwordless overview
• Managed identity best practices

Create the managed identity

[!INCLUDE create-the-managed-identity]

Associate the managed identity with your web app

Configure your web app to use the user-assigned managed identity you created.

Azure portal

Complete the following steps in the Azure portal to associate the user-assigned managed identity with your app. These same steps apply to the following Azure services:

• Azure Spring Apps
• Azure Container Apps
• Azure virtual machines
• Azure Kubernetes Service
• Navigate to the overview page of your web app.

1. Select Identity from the left navigation.

2. On the Identity page, switch to the User assigned tab.

3. Select + Add to open the Add user assigned managed identity flyout.

4. Select the subscription you used previously to create the identity.

5. Search for the MigrationIdentity by name and select it from the search results.

6. Select Add to associate the identity with your app.

   :::image type="content" source="media/passwordless-connections/assign-managed-identity-small.png" lightbox="media/passwordless-connections/assign-managed-identity.png" alt-text="A screenshot showing how to assign a managed identity.":::

Azure CLI

[!INCLUDE associate-managed-identity-cli]

Service Connector

[!INCLUDE service-connector-commands]

---

Create a database user for the identity and assign roles

[!INCLUDE create-database-user-for-identity]

Update the connection string

Update your Azure app configuration to use the passwordless connection string format. Connection strings are generally stored as environment variables in your app hosting environment. The following instructions focus on App Service, but other Azure hosting services provide similar configurations.

1. Navigate to the configuration page of your App Service instance and locate the Azure SQL Database connection string.

2. Select the edit icon and update the connection string value to match following format. Change the <database-server-name> and <database-name> placeholders with the values of your own service.

   Server=tcp:<database-server-name>.database.windows.net,1433;Initial Catalog=<database-name>;
   Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;Authentication="Active Directory Default";

3. Save your changes and restart the application if it does not do so automatically.

Test the application

Test your app to make sure everything is still working. It may take a few minutes for all of the changes to propagate through your Azure environment.

Next steps

In this tutorial, you learned how to migrate an application to passwordless connections.

You can read the following resources to explore the concepts discussed in this article in more depth:

• Passwordless overview
• Managed identity best practices
• Tutorial: Secure a database in Azure SQL Database
• Authorize database access to SQL Database