How can I update Synapse Workspace's Azure SQL Auditing connection to Storage Account to use Managed Identity
Hello, I am attempting to update the Azure SQL Auditing connection to use Managed Identity instead of Storage Access Key. Following the documentation online, when I'm in the Azure SQL Auditing settings I should see both an option for Managed Identity and for Storage Access Keys; however, I only see the latter as an available option. What do I need to do to update the Azure Synapse Portal configuration to allow for Managed Identity auth to the Storage Account for Auditing?
-
SAI JAGADEESH KUDIPUDI 3,470 Reputation points • Microsoft External Staff • Moderator
Hi @v-bemat ,
Thank you for reaching out regarding the issue with updating Azure SQL auditing for the Synapse workspace. I understand the confusion here, and I’d like to clarify how auditing works in this scenario and how you can successfully update it.
From a technical perspective, auditing in Azure Synapse Analytics is not managed directly at the “workspace UI level” in the way it might appear. Instead, auditing is configured at the SQL server or SQL pool (database) level, and the workspace reflects those underlying settings.
Because of this design, updates may not apply if they are attempted from the wrong scope or when certain conditions are not met.
To update or configure auditing successfully, please follow these steps:
- In the Azure portal, navigate to your Synapse SQL pool (or SQL database) rather than only the workspace.
- Go to Security → Auditing.
- Enable or update auditing by selecting a valid destination:
  - Azure Storage account
  - Log Analytics workspace
  - Event Hub
- Save the configuration.
If a server-level auditing policy is already enabled, you can use the “View server settings” option to modify it. This policy will automatically apply to all databases under that server.
Important checks
Before applying changes, please verify the following:
- The dedicated SQL pool is in a running state (auditing cannot be enabled or modified when the pool is paused).
- Required permissions are available (such as SQL Security Manager role).
- The selected target (Storage / Log Analytics) is correctly configured.
Also note that when auditing is configured to Log Analytics or Event Hub, Azure automatically creates a diagnostic setting behind the scenes to capture audit events.
Alternative (if portal update fails)
If you continue to face issues through the portal, you can update the auditing configuration using Azure CLI:
az synapse sql audit-policy update --resource-group <ResourceGroupName> --workspace-name <WorkspaceName> --state Enabled --storage-account <StorageAccountName>
This approach directly updates the underlying audit policy and can help in scenarios where the UI changes do not persist.
Microsoft Reference documentation
- Set up auditing for Azure SQL Database and Azure Synapse Analytics
- Auditing overview for Azure SQL and Synapse
- Azure CLI – Synapse SQL audit policy commands
Hope this helps. If you have any follow-up questions, please let me know. I would be happy to help.
-
SAI JAGADEESH KUDIPUDI 3,470 Reputation points • Microsoft External Staff • Moderator
Hi @v-bemat ,
I hope you had a chance to review the information shared earlier, and I hope this information has been helpful! If you still have questions, please let us know what is needed in the comments so the question can be answered.
1 answer
-
hossein jalilian 13,360 Reputation points • Volunteer Moderator
Hello v-bemat,
Thanks for posting your question in the Microsoft Q&A forum.
In Azure Synapse, it’s normal not to see a Managed Identity option like Azure SQL Database. Synapse auditing mainly uses the workspace’s system-assigned managed identity, but the portal often defaults to Storage Access Keys, especially if the storage account is not behind a firewall or VNet.
If you want to use Managed Identity, make sure the Synapse workspace identity has the Storage Blob Data Contributor role on the storage account. If the portal still only shows keys, you may need to configure auditing through PowerShell or REST API, which is common for Synapse.
Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.
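The role prerequisite named in the answer above can be checked and granted from the Azure CLI. This is an added example, not part of the original thread or Microsoft's own code; the function names are hypothetical, it assumes a logged-in `az` session with rights to create role assignments, and it only prepares the storage permission (it does not change the audit policy itself).

```shell
#!/bin/sh
# Added example: make sure the Synapse workspace's managed identity holds the
# role the answer names on the audit storage account, scoped to that account only.
ROLE="Storage Blob Data Contributor"

# Print the object ID of the workspace's system-assigned managed identity.
workspace_principal_id() {  # args: resource-group workspace-name
  az synapse workspace show --resource-group "$1" --name "$2" \
    --query identity.principalId --output tsv
}

# Print the ARM resource ID of the storage account (used as the role scope).
storage_scope() {  # args: resource-group storage-account
  az storage account show --resource-group "$1" --name "$2" \
    --query id --output tsv
}

# Succeed if the principal already holds the role at this scope.
has_audit_role() {  # args: principal-id scope
  local count
  count=$(az role assignment list --assignee "$1" --scope "$2" \
    --role "$ROLE" --query "length(@)" --output tsv)
  [ "${count:-0}" -gt 0 ]
}

# Idempotent: prints already-assigned, assigned, or no-identity.
ensure_audit_role() {  # args: resource-group workspace-name storage-account
  local pid scope
  pid=$(workspace_principal_id "$1" "$2") || return 1
  if [ -z "$pid" ]; then echo "no-identity"; return 1; fi
  scope=$(storage_scope "$1" "$3") || return 1
  if has_audit_role "$pid" "$scope"; then echo "already-assigned"; return 0; fi
  az role assignment create --assignee-object-id "$pid" \
    --assignee-principal-type ServicePrincipal \
    --role "$ROLE" --scope "$scope" --output none || return 1
  echo "assigned"
}

# Run only when called with: <resource-group> <workspace-name> <storage-account>
if [ "$#" -eq 3 ]; then ensure_audit_role "$@"; fi
```

Scoping the assignment to the single storage account rather than the resource group or subscription keeps the workspace identity's write access limited to the audit destination.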
