Can't enable Microsoft Entra authentication for SQL Server 2022 enabled by Azure Arc

Question

Can't enable Microsoft Entra authentication for SQL Server 2022 enabled by Azure Arc

Sergey Avramenko 20

I'm going through the documentation's article: https://learn.microsoft.com/en-us/sql/sql-server/azure-arc/entra-authentication-setup-tutorial?view=sql-server-ver16

I successfully done with all steps until the described below.

At the step "Configure Microsoft Entra authentication for SQL Server through Azure portal" getting the error:
Exception occurred while downloading AAD certificate. https://some-vault.vault.azure.net/secrets/EXAMPLE-SQL-VM-Cert?api-version=7.1: Response status code does not indicate success: 403 (Forbidden).Exception occurred while downloading AAD certificate. https://some-vault.vault.azure.net/secrets/EXAMPLE-SQL-VM-Cert?api-version=7.1

Actually I don't have secrets at this key vault at all, but I have a certificate which I'm using for enable Microsoft Entra authentication at this step. But why it's trying to get secret instead of certificate? I understand that it is trying to get secret instead of certificate, because I see the secrets word in the link: https://some-vault.vault.azure.net/**secrets**/EXAMPLE-SQL-VM-Cert?api-version=7.1

Ashok Gandhi Kotnana 6,355 Reputation points Microsoft External Staff

2025-04-08T13:17:22.96+00:00
Hi @Sergey Avramenko,

The user setting up Microsoft Entra admin should have the Contributor role for your Azure Key Vault. To add a role to a user in Azure Key Vault

Check Access Policies: Ensure that the Azure Arc Machine has the necessary permissions to access the Key Vault. You may need to grant the following roles:

Key Vault Certificate User

Key Vault Secrets User

Verify Certificate Existence: Make sure that the certificate you are trying to use is indeed stored in the Key Vault and that it is accessible.

Access Configuration: Navigate to the Azure Key Vault instance and check the access configuration settings. Ensure that the Azure Arc resource has been granted access to the Key Vault.

Role Assignments: If you are using Azure role-based access control, verify that the role assignments are correctly configured for the Azure Arc resource.

https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/azure-ad-authentication-sql-server-automation-setup-tutorial?view=sql-server-ver16&tabs=azure-portal#configure-permissions-for-azure-key-vault

Please do not forget to "Accept the answer” and upvote it wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.
Ashok Gandhi Kotnana 6,355 Reputation points Microsoft External Staff

2025-04-09T11:39:13.31+00:00

Hi @Sergey Avramenko,

Just want to check if the above answer worked for you or else please let us know if any help, we are always here to help whenever you need us.

If the comment is helpful, please click "Upvote it".
Sergey Avramenko 20 Reputation points

2025-04-09T12:35:47.9233333+00:00
@Ashok Gandhi Kotnana , hi!

I'm setting up Microsoft Entra admin and I'm Contributor

Key Vault Certificate User role was granted for Azure Arc SQL VM and for Azure Application a. Verify Certificate Existence: it's done certificate exists and I'm choosing it in the step "Configure Microsoft Entra authentication for SQL Server through Azure portal"

Access Configuration: I granted all necessary access for Azure Arc SQL VM

Role Assignments: we're using Vault access policy Permission model for the key vault After granting Key Vault Certificate User role was for Azure Arc SQL VM and for Azure Application, I tried to set Admin User for Azure Arc SQL Server again and unfortunately no success. I'm getting the same error message
Sergey Avramenko 20 Reputation points

2025-04-09T12:58:05.1+00:00

I just tried to choose Service-managed certificate instead of Customer-managed certificate. It created a new certificate in the Key Vault and showed the message "Saved successfully, but admin consent may need to be granted to app 'AZURE-APP'". After it I tried to login using Microsoft SQL Server Management Studio and no success.

I opened again the "Microsoft Entra ID and Purview" settings and it shows that Admin Login isn't set up
Sergey Avramenko 20 Reputation points

2025-04-09T13:42:33.0566667+00:00

In the end, after an endless number of attempts, I managed to create an admin account on Azure Arc SQL Server. I chose the certificate made by Azure when I tried to use the option "Service-managed certificate" and it showed the message "Saved successfully"

Now, I can log in to Azure Arc SQL Server using the Microsoft Entra MFA Authentication method. All different ways are failing
Ashok Gandhi Kotnana 6,355 Reputation points Microsoft External Staff

2025-04-09T15:00:36.96+00:00

Hi @Sergey Avramenko,

Great the issue is resolved?

Thankyou
Sergey Avramenko 20 Reputation points

2025-04-09T15:30:55.9333333+00:00

@Ashok Gandhi Kotnana could you explain why authentication methods Microsoft Entra can be failed?
Ashok Gandhi Kotnana 6,355 Reputation points Microsoft External Staff

2025-04-09T15:42:05.9433333+00:00

Hi @Sergey Avramenko,

below are the possible causes

Authentication issues may occur if admin consent isn't fully granted, admin login isn't properly set up, certificate settings are misconfigured, or configuration changes overlap before completion.

Thankyou
Sergey Avramenko 20 Reputation points

2025-04-09T15:49:14.2433333+00:00

@Ashok Gandhi Kotnana Ok, thanks. I think authentication issues it's another topic. This one can be closed.
Ashok Gandhi Kotnana 6,355 Reputation points Microsoft External Staff

2025-04-09T15:51:38.4466667+00:00

Hi @Sergey Avramenko,

Thank you for letting us know. I have converted the comment into an answer. If you could kindly accept answer and upvote it for the benefit of the community, it would be greatly appreciated and helpful to others.

Accepted answer

0 additional answers

Your answer

Ashok Gandhi Kotnana 6,355 Reputation points Microsoft External Staff

2025-04-08T13:17:22.96+00:00

Hi @Sergey Avramenko,

The user setting up Microsoft Entra admin should have the Contributor role for your Azure Key Vault. To add a role to a user in Azure Key Vault

Check Access Policies: Ensure that the Azure Arc Machine has the necessary permissions to access the Key Vault. You may need to grant the following roles:

Key Vault Certificate User

Key Vault Secrets User

Verify Certificate Existence: Make sure that the certificate you are trying to use is indeed stored in the Key Vault and that it is accessible.

Access Configuration: Navigate to the Azure Key Vault instance and check the access configuration settings. Ensure that the Azure Arc resource has been granted access to the Key Vault.

Role Assignments: If you are using Azure role-based access control, verify that the role assignments are correctly configured for the Azure Arc resource.

https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/azure-ad-authentication-sql-server-automation-setup-tutorial?view=sql-server-ver16&tabs=azure-portal#configure-permissions-for-azure-key-vault

Please do not forget to "Accept the answer” and upvote it wherever the information provided helps you, this can be beneficial to other community members.it would be greatly appreciated and helpful to others.
Ashok Gandhi Kotnana 6,355 Reputation points Microsoft External Staff

2025-04-09T11:39:13.31+00:00

Hi @Sergey Avramenko,

Just want to check if the above answer worked for you or else please let us know if any help, we are always here to help whenever you need us.

If the comment is helpful, please click "Upvote it".
Sergey Avramenko 20 Reputation points

2025-04-09T12:35:47.9233333+00:00

@Ashok Gandhi Kotnana , hi!

I'm setting up Microsoft Entra admin and I'm Contributor

Key Vault Certificate User role was granted for Azure Arc SQL VM and for Azure Application a. Verify Certificate Existence: it's done certificate exists and I'm choosing it in the step "Configure Microsoft Entra authentication for SQL Server through Azure portal"

Access Configuration: I granted all necessary access for Azure Arc SQL VM

Role Assignments: we're using Vault access policy Permission model for the key vault After granting Key Vault Certificate User role was for Azure Arc SQL VM and for Azure Application, I tried to set Admin User for Azure Arc SQL Server again and unfortunately no success. I'm getting the same error message
Sergey Avramenko 20 Reputation points

2025-04-09T12:58:05.1+00:00

I just tried to choose Service-managed certificate instead of Customer-managed certificate. It created a new certificate in the Key Vault and showed the message "Saved successfully, but admin consent may need to be granted to app 'AZURE-APP'". After it I tried to login using Microsoft SQL Server Management Studio and no success.

I opened again the "Microsoft Entra ID and Purview" settings and it shows that Admin Login isn't set up
Sergey Avramenko 20 Reputation points

2025-04-09T13:42:33.0566667+00:00

In the end, after an endless number of attempts, I managed to create an admin account on Azure Arc SQL Server. I chose the certificate made by Azure when I tried to use the option "Service-managed certificate" and it showed the message "Saved successfully"

Now, I can log in to Azure Arc SQL Server using the Microsoft Entra MFA Authentication method. All different ways are failing
Ashok Gandhi Kotnana 6,355 Reputation points Microsoft External Staff

2025-04-09T15:00:36.96+00:00

Hi @Sergey Avramenko,

Great the issue is resolved?

Thankyou
Sergey Avramenko 20 Reputation points

2025-04-09T15:30:55.9333333+00:00

@Ashok Gandhi Kotnana could you explain why authentication methods Microsoft Entra can be failed?
Ashok Gandhi Kotnana 6,355 Reputation points Microsoft External Staff

2025-04-09T15:42:05.9433333+00:00

Hi @Sergey Avramenko,

below are the possible causes

Authentication issues may occur if admin consent isn't fully granted, admin login isn't properly set up, certificate settings are misconfigured, or configuration changes overlap before completion.

Thankyou
Sergey Avramenko 20 Reputation points

2025-04-09T15:49:14.2433333+00:00

@Ashok Gandhi Kotnana Ok, thanks. I think authentication issues it's another topic. This one can be closed.
Ashok Gandhi Kotnana 6,355 Reputation points Microsoft External Staff

2025-04-09T15:51:38.4466667+00:00

Hi @Sergey Avramenko,

Thank you for letting us know. I have converted the comment into an answer. If you could kindly accept answer and upvote it for the benefit of the community, it would be greatly appreciated and helpful to others.

Answer 1

Hi Sergey Avramenko,
I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.

Issue:
Can't enable Microsoft Entra authentication for SQL Server 2022 enabled by Azure Arc

Solution:
Issue resolved by @Sergey Avramenko
Service-managed certificate, which created one in Key Vault but showed a message about needing admin consent for the app 'AZURE-APP'. After setup, login via SSMS failed, and the Admin Login in Entra ID wasn’t configured. Once I set it up again using the Azure-generated certificate, the settings saved successfully, and I was able to log in using Entra MFA.

If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Share via

Can't enable Microsoft Entra authentication for SQL Server 2022 enabled by Azure Arc

0 additional answers

Your answer