Cannot Add Managed Identity to Synapse Pool
I am running an Azure Synapse workflow through the Synapse studio and running into this error:
{
"errorCode": "2200",
"message": "ErrorCode=FailedDbOperation,'Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,Message=Please make sure SQL DW has access to ADLS Gen2 account,Source=Microsoft.DataTransfer.ClientLibrary,''Type=System.Data.SqlClient.SqlException,Message=Managed Service Identity has not been enabled on this server. Please enable Managed Service Identity and try again.,Source=.Net SqlClient Data Provider,SqlErrorNumber=105096,Class=16,ErrorCode=-2146232060,State=1,Errors=[{Class=16,Number=105096,State=1,Message=Managed Service Identity has not been enabled on this server. Please enable Managed Service Identity and try again.,},],'",
"failureType": "UserError",
"target": "Copy data1",
"details": []
}
If I go into Azure Powershell and inspect the pool, I see that this is substantiated by the null entry in Identity:
ResourceGroupName : workspacemanagedrg-c6475066-bbe3-4c02-866c-7556d5e92e0b
ServerName : <mydw>
Location : eastus2
SqlAdministratorLogin : <myadmin>
SqlAdministratorPassword : <mypw>
ServerVersion : 12.0
Tags : {}
Identity :
FullyQualifiedDomainName : <mydw>.database.windows.net
There are two things that are peculiar about this:
- My Synapse workspace has a managed identity associated with it already:
- I'm getting a permission denied when trying to run the Powershell command as documented in this question which says
Set-AzSqlServer: The client '[email protected]' with object id 'guid' has permission to perform action 'Microsoft.Sql/servers/write' on scope '/subscriptions/mysubscription/resourceGroups/myrg/providers/Microsoft.Sql/servers/mydw'; however, the access is denied because of the deny assignment with name 'c6475066-bbe2-4c03-866c-7556d5e92e9b' and Id 'c6475066bbe24c03866c7556d5e92e9b' at scope '/subscriptions/mysubscription/resourceGroups/myrg'.
I have verified that this Managed Identity does have access to my data source (ADLS Gen2) and when I test the connections in the studio, they all work.
How do I assign the managed identity from my Synapse workspace to my sql pool that I've created?
Update 12/30/2020: This appears to be resolved now that Synapse is GA. Polybase and COPY INTO now work in a Synapse workspace SQL pool with a securely firewalled ADLS Gen 2 storage account. The updated instructions are published here.
There is one note at the bottom of the COPY INTO documentation with may be required on older Synapse workspaces for Polybase or COPY to work with a Managed Service Identity in a SQL Pool in a Synapse workspace.
If you have a Synapse workspace that was created prior to 12/07/2020, you may run into a similar error message when authenticating using Managed Identity: com.microsoft.sqlserver.jdbc.SQLServerException: Managed Service Identity has not been enabled on this server. Please enable Managed Service Identity and try again. Follow these steps to work around this issue by re-registering the workspace's managed identity:
- Go to your Synapse workspace in the Azure portal
- Go to the Managed identities blade
- If the “Allow Pipelines” option is already checked, you must uncheck this setting and save
- Check the "Allow Pipelines" option and save
As a side note I believe this same approach works for Serverless if you use a MSI. But if you want to use a pass through AAD auth then see this.
Old information as of August 2020 that’s now outdated: I had the same question and opened support case 120073024005140. The answer I got was that this Polybase or COPY INTO with MSI scenario isn’t yet working in Synapse workspaces but it is coming. For now you have to use other types of authentication like storage account key authentication and you have to leave the storage account firewall open. Or alternately your could use an older “Azure Synapse Analytics (formerly SQL DW)” SQL pool (no Synapse workspace and no Synapse studio) where this feature is working.
- Azure SQL trigger for Functions configuration problem
- Does azure blob storage support http2?
- Azure Pronunciation Assessment Could not deserialize speech context error
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- How do I Parse FormData containing a audio file in AZ function app in 2025
- Not able to delete Public IP address in azure
- Azure Devops Apple App Store Release.Missing value for the attribute 'whatsNew'
- Azure Storage accounts container public access level has dissabled
- Issue with adding delegated Graph API permission to Enterprise app with Terraform
- Getting an error when using the Flexible File Destination Task in Visual Studio 2022 SSIS
- Problem with Azure Email Communication Service Custom Domain
- How to refresh client assertion in ConfidentialClientApplication?
- Using Microsoft Graph Explorer (we have code too) we can GET All Subscriptions, but GET one by ID gives access error
- Invalid operands found for operator -eq
- nginx - php-fpm - azure container app returns truncated pages
- Adding custom headers to Azure Functions response
- Azure Queue Trigger is hit but not executing the logic inside of it
- az cli not showing redisenterprise keys
- Enforce MFA for specific API called from SPFx via AADTokenProvider (Even with SPO MFA)
- Azure Devops Server Pipelines: Any way to have a Stage result as "Succeeded" even if a constituent Job reported "SucceededWithIssues"?
- YAML strings including special characters % and & were not printed correctly for Windows environment
- Azure function returns error: No job functions found. Try making your job classes and methods public
- How to view Oldest Query results in Azure Monitor Metrics for an Azure PostgreSQL Flex Server instance
- Authenticate to Azure with certificate from Linux
- What are the minimum Azure permissions required to publish a Power BI report using "App Owns the Data"?
- How to report an Azure Text-to-Speech bug?
- Refresh an Azure search index
- Best way to clean up resources in StatefulService
- Azure Function App - No continuous deployment setting for "Flex Consumption" hosting plan?
- Query Azure SQL Database using Rest-API