View on GitHub

SQL Commander

Lightweight Microsoft SQL Explorer.

Managed Identity authentication

SQL Commander supports Azure SQL authentication with system-assigned managed identity when SQL Commander is hosted in Azure.

This is the recommended production-style passwordless option for Azure-hosted SQL Commander.

What this mode does

When you select Azure Managed Identity, SQL Commander builds a connection string using:

Authentication=Active Directory Managed Identity

Microsoft.Data.SqlClient obtains a token from the Azure hosting environment’s managed identity endpoint.

Supported host environments

Managed identity requires SQL Commander to run in Azure, for example:

A local developer machine cannot normally validate managed identity because it does not expose the Azure managed identity endpoint. Use Azure Default Credential for local passwordless testing.

Azure setup

1. Enable system-assigned managed identity

For Azure App Service:

az webapp identity assign --resource-group <resource-group> --name <web-app-name>

Capture the principal ID if you need it for troubleshooting:

az webapp identity show --resource-group <resource-group> --name <web-app-name>

2. Configure Azure SQL Entra admin

Your Azure SQL logical server needs a Microsoft Entra admin. This admin is used to create contained database users for Entra identities.

3. Create a database user for the managed identity

Connect to the target Azure SQL database as the Entra admin and run:

CREATE USER [<web-app-name>] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [<web-app-name>];
ALTER ROLE db_datawriter ADD MEMBER [<web-app-name>];
ALTER ROLE db_ddladmin ADD MEMBER [<web-app-name>];

For a short validation environment, db_owner is simpler:

ALTER ROLE db_owner ADD MEMBER [<web-app-name>];

Use least privilege in real deployments.

SQL Commander settings

Open the Azure-hosted SQL Commander site and go to SettingsConnection Properties:

Setting Value
Server Name tcp:<server-name>.database.windows.net,1433
Database Name Your Azure SQL database name
Authentication Azure Managed Identity
User Name Leave blank for system-assigned identity
Password Leave blank
Encrypt Mandatory
Trust Server Certificate Usually off for Azure SQL

Or paste this connection string in SettingsConnection String:

Data Source=tcp:<server-name>.database.windows.net,1433;Initial Catalog=<database-name>;Authentication=Active Directory Managed Identity;Encrypt=True;TrustServerCertificate=False;Application Name=SQL Commander;Connect Timeout=30;Command Timeout=300;

Then click Test Connection or save the settings and let SQL Commander load metadata.

What success looks like

User-assigned managed identity note

SQL Commander currently validates the system-assigned managed identity path. User-assigned managed identity needs an additional setting for the managed identity client ID and a small code path to preserve/pass that value to SqlClient.

Troubleshooting

Login failed for token-identified principal

The managed identity probably does not have a contained user in the database, or it lacks role membership. Create the user and grant database roles.

CREATE USER cannot find the identity

Make sure you are connected as the Azure SQL Entra admin. In some tenants, service principal lookup may require directory permissions. For App Service system-assigned identity, using the web app resource name as the user name usually works:

CREATE USER [<web-app-name>] FROM EXTERNAL PROVIDER;

Firewall error from App Service

For quick validation, allow Azure services through the Azure SQL firewall. For production, prefer private endpoints or controlled outbound networking.

Works locally but not in Azure

Local passwordless testing uses Azure Default Credential. Managed Identity only works after the app is hosted in Azure and the managed identity has database access.