Uses System Assigned Managed Identity (SAMI) for DAB → Azure SQL. The web app is anonymous. The API authenticates to SQL using its Azure identity.
This eliminates stored database credentials and is the recommended baseline for production deployments.
- Configure DAB with SAMI for passwordless Azure SQL access
- Set Entra admin on Azure SQL
- Create a database user from an external provider

| Hop | Local | Azure |
|---|---|---|
| User → Web | Anonymous | Anonymous |
| Web → API | Anonymous | Anonymous |
| API → SQL | SQL Auth | SAMI |

```mermaid
flowchart LR
    U[User]
    subgraph Azure Container Apps
        W[Web App]
        A[Data API builder]
    end
    subgraph Azure SQL
        S[(Database)]
    end
    U -->|anon| W
    W -->|anon| A
    A -->|SAMI| S
```

Considerations on SAMI: The API must run in an Azure environment that supports managed identities. Azure SQL must be configured to trust that identity. Once configured, no secrets are required in configuration.

```
Server=tcp:myserver.database.windows.net,1433;
Initial Catalog=mydb;
Authentication=Active Directory Managed Identity;
TrustServerCertificate=True;
```

- .NET 8 or later
- Aspire workload: `dotnet workload install aspire`
- Docker Desktop

Run `dotnet tool restore` to install DAB from the included tool manifest.

```bash
dotnet tool restore
dotnet run --project aspire-apphost
```

Locally, DAB uses SQL Auth to talk to the containerized SQL Server.

```bash
pwsh ./azure-infra/azure-up.ps1
```

The post-provision script automatically:

- Sets you as Entra admin on Azure SQL
- Creates a database user for DAB's managed identity (`CREATE USER [name] FROM EXTERNAL PROVIDER`)
- Grants `db_datareader` and `db_datawriter` roles

No passwords stored for DAB → Azure SQL.
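
The database-side steps above (create the external user, grant the two roles) come down to a few T-SQL statements, followed by a query that confirms the result. This is an added example, not the repository's `post-provision.ps1`; the identity name `my-dab-api` is a placeholder, and it assumes you are connected to the target database as the Entra admin.

```sql
-- Added example, not the repository's post-provision.ps1.
-- Assumptions: connected to the target database (not master) as the Entra
-- admin; 'my-dab-api' is a placeholder for the Container App name, which a
-- system-assigned identity uses as its display name.
DECLARE @identity sysname = N'my-dab-api';
DECLARE @sql nvarchar(max);

-- Create the contained user only when it is missing, so a re-run does not fail.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @identity)
BEGIN
    SET @sql = N'CREATE USER ' + QUOTENAME(@identity) + N' FROM EXTERNAL PROVIDER;';
    EXEC sys.sp_executesql @sql;
END;

-- Grant only the two roles the page lists: read and write on user tables.
SET @sql = N'ALTER ROLE db_datareader ADD MEMBER ' + QUOTENAME(@identity) + N'; '
         + N'ALTER ROLE db_datawriter ADD MEMBER ' + QUOTENAME(@identity) + N';';
EXEC sys.sp_executesql @sql;

-- Verify: how the principal authenticates and which roles it holds.
SELECT u.name,
       u.type_desc,
       u.authentication_type_desc,
       r.name AS role_name
FROM sys.database_principals AS u
LEFT JOIN sys.database_role_members AS m
       ON m.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = m.role_principal_id
WHERE u.name = @identity
ORDER BY r.name;
```

Each row of the final query is one role held by the identity, so any membership beyond `db_datareader` and `db_datawriter` appears as an extra row.
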
To tear down resources:

```bash
pwsh ./azure-infra/azure-down.ps1
```

| File | Purpose |
|---|---|
| `azure/resources.bicep` | Configures the DAB container with `identity: { type: 'SystemAssigned' }` and MI connection string |
| `azure/main.bicep` | Outputs `AZURE_CONTAINER_APP_API_PRINCIPAL_ID` |
| `azure/post-provision.ps1` | Sets Entra admin and creates the SAMI database user |