| title | Tutorial: Create a passwordless connection with Service Connector |
|---|---|
| description | Create a passwordless connection with Service Connector |
| titleSuffix | Service Connector |
| author | maud-lv |
| ms.author | malev |
| ms.service | service-connector |
| ms.topic | tutorial |
| ms.date | 09/29/2025 |
| ms.devlang | azurecli |
| ms.custom | passwordless-dotnet, passwordless-java, devx-track-azurecli |
| zone_pivot_group_filename | service-connector/zone-pivot-groups.json |
| zone_pivot_groups | passwordless |
Passwordless connections use managed identities to access Azure services. With this approach, you don't have to manually track and manage secrets for managed identities. These tasks are securely handled internally by Azure.
Service Connector enables managed identities in app hosting services like Azure Spring Apps, Azure App Service, and Azure Container Apps. Service Connector also configures database services, such as Azure Database for PostgreSQL, Azure Database for MySQL, Azure SQL Database, and SQL database in Microsoft Fabric, to accept managed identities.
In this tutorial, you use the Azure CLI to complete the following tasks:
[!div class="checklist"]
- Check your initial environment with the Azure CLI.
- Create a passwordless connection with Service Connector.
- Use the environment variables or configurations generated by Service Connector to access a database service.
- An Azure account with an active subscription. Create an Azure account for free.
- An app deployed to Azure App Service in a region supported by Service Connector.
- Azure CLI version 2.61.0 or higher.
To begin using the Azure CLI:
[!INCLUDE azure-cli-prepare-your-environment-no-header.md]
[!INCLUDE passwordless snippet]
-
Deploy your application to an Azure hosting service. Optionally refer to the guides below for more information about deploying these resources.
- Azure App Service: Quickstart: Deploy an ASP.NET web app.
- Azure Container Apps: Quickstart: Deploy your first container app.
- Azure Spring Apps: Build and deploy the app. [!INCLUDE deprecation-note]
-
Check the log or call the application to see if it can connect to the Azure database successfully.
If you encounter any permission-related errors, confirm the Azure CLI signed-in user with the command az account show. Make sure you sign in with the correct account. Next, confirm that you have the following permissions that might be required to create a passwordless connection with Service Connector.
::: zone pivot="postgresql"
| Permission | Operation |
|---|---|
Microsoft.DBforPostgreSQL/flexibleServers/read |
Required to get information of database server |
Microsoft.DBforPostgreSQL/flexibleServers/write |
Required to enable Microsoft Entra authentication for database server |
Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/write |
Required to create firewall rule in case the local IP address is blocked |
Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/delete |
Required to revert the firewall rule created by Service Connector to avoid security issue |
Microsoft.DBforPostgreSQL/flexibleServers/administrators/read |
Required to check if Azure CLI login user is a database server Microsoft Entra administrator |
Microsoft.DBforPostgreSQL/flexibleServers/administrators/write |
Required to add Azure CLI login user as database server Microsoft Entra administrator |
::: zone-end
::: zone pivot="mysql"
| Permission | Operation |
|---|---|
Microsoft.DBforMySQL/flexibleServers/read |
Required to get information of database server |
Microsoft.DBforMySQL/flexibleServers/write |
Required to add the provided User assigned managed identity to database server |
Microsoft.DBforMySQL/flexibleServers/firewallRules/write |
Required to create firewall rule in case the local IP address is blocked |
Microsoft.DBforMySQL/flexibleServers/firewallRules/delete |
Required to revert the firewall rule created by Service Connector to avoid security issue |
Microsoft.DBforMySQL/flexibleServers/administrators/read |
Required to check if Azure CLI login user is a database server Microsoft Entra administrator |
Microsoft.DBforMySQL/flexibleServers/administrators/write |
Required to add Azure CLI login user as database server Microsoft Entra administrator |
::: zone-end
::: zone pivot="sql"
| Permission | Operation |
|---|---|
Microsoft.Sql/servers/read |
Required to get information of database server |
Microsoft.Sql/servers/firewallRules/write |
Required to create firewall rule in case the local IP address is blocked |
Microsoft.Sql/servers/firewallRules/delete |
Required to revert the firewall rule created by Service Connector to avoid security issue |
Microsoft.Sql/servers/administrators/read |
Required to check if Azure CLI login user is a database server Microsoft Entra administrator |
Microsoft.Sql/servers/administrators/write |
Required to add Azure CLI login user as database server Microsoft Entra administrator |
::: zone-end
In some cases, the permissions aren't required. For example, if the Azure CLI-authenticated user is already an Active Directory Administrator on SQL server, you don't need to have the Microsoft.Sql/servers/administrators/write permission.
If you get an error ERROR: AADSTS530003: Your device is required to be managed to access this resource., ask your IT department for help with joining this device to Microsoft Entra ID. For more information, see Microsoft Entra joined devices.
Service Connector needs to access Microsoft Entra ID to get information of your account and managed identity of hosting service. You can use the following command to check if your device can access Microsoft Entra ID:
az ad signed-in-user show
If you don't log in interactively, you might also get the error and Interactive authentication is needed. To resolve the error, log in with the az login command.
::: zone pivot="postgresql"
If your database server is in Virtual Network, ensure your environment that runs the Azure CLI command can access the server in the Virtual Network.
::: zone-end
::: zone pivot="mysql"
If your database server is in Virtual Network, ensure your environment that runs the Azure CLI command can access the server in the Virtual Network.
::: zone-end
::: zone pivot="sql"
If your database server disallows public access, ensure your environment that runs the Azure CLI command can access the server through the private endpoint.
::: zone-end
For more information about Service Connector and passwordless connections, refer to the following resources:
[!div class="nextstepaction"] Service Connector documentation
[!div class="nextstepaction"] Passwordless connections for Azure services