Use same managed identity
- Last Updated: Nov 13, 2025
- PI System
- PI Server 2024 R2
- PI Server
Perform the following steps before installing PI AF server if you plan to use the same managed identity to set up the PI AF database and run the AF application service.
1. Choose one of the following methods to create the AF database in Azure SQL Database or Azure SQL Managed Instance:
   - Create the PI AF database on the Azure portal. See Quickstart: Create a single database - Azure SQL Database or Quickstart: Create Azure SQL Managed Instance.
   - Use the sqlcmd utility to create the PI AF database:
     a. Open PowerShell.
     b. Run the following command:
        sqlcmd -S <AzureSQLBURL> --authentication-method <AuthMethod> -U <UserWithPermissions> -Q "CREATE DATABASE <DatabaseName>"
2. Create a database user for the managed identity and then assign it a role. See Create a user-assigned managed identity.
   a. Open a query session in the Azure portal, SQL Server Management Studio, or the sqlcmd utility, using the same authentication settings as in step 1b.
   b. Create the user by running the following statement, for example through sqlcmd in PowerShell:
        CREATE USER <ManagedIdentityName> FROM EXTERNAL PROVIDER
      Note: The name of a system-assigned service principal is always the same as the name of the Azure resource it is created for. See Managed Identity Types. The Microsoft Entra identity used to run the CREATE USER command needs access to read user, group, and application information from Microsoft Entra ID. When a managed identity is used, Azure requires that the assigned managed identity has the proper permissions.
   c. Assign the db_owner role to the managed identity:
        ALTER ROLE db_owner ADD MEMBER <ManagedIdentityName>
3. Next, install PI AF server. See Install PI AF server components together.
4. After installing PI AF server, run the following command to lower the permissions of the account used to run the AF application service:
        ALTER ROLE db_owner DROP MEMBER <ManagedIdentityName>
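
To confirm that the permission reduction in the last step took effect, the following query lists the database roles the managed identity still holds and raises an error if db_owner membership remains. It is an added example, not part of the PI Server documentation, and it assumes it is run in the PI AF database with `<ManagedIdentityName>` replaced by the name used in CREATE USER.

```sql
-- Added example: audit the managed identity's role membership after the
-- db_owner role has been dropped. Run in the PI AF database.
-- Assumption: <ManagedIdentityName> is replaced with the name used in CREATE USER.
DECLARE @mi sysname = N'<ManagedIdentityName>';

-- 1. Show the database user that was created FROM EXTERNAL PROVIDER.
--    Type E = EXTERNAL_USER, X = EXTERNAL_GROUP (Microsoft Entra principals).
SELECT name, type_desc, authentication_type_desc, create_date
FROM sys.database_principals
WHERE name = @mi
  AND type IN ('E', 'X');

-- 2. List every database role the identity is still a member of.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r
  ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m
  ON m.principal_id = rm.member_principal_id
WHERE m.name = @mi
ORDER BY r.name;

-- 3. Raise an error if the db_owner membership was not removed.
IF EXISTS (
    SELECT 1
    FROM sys.database_role_members AS rm
    JOIN sys.database_principals AS r
      ON r.principal_id = rm.role_principal_id
    JOIN sys.database_principals AS m
      ON m.principal_id = rm.member_principal_id
    WHERE m.name = @mi
      AND r.name = N'db_owner'
)
BEGIN
    RAISERROR(N'%s is still a member of db_owner.', 16, 1, @mi);
END
ELSE
BEGIN
    PRINT N'db_owner membership has been removed.';
END;
```

Running the same query between steps 2 and 3 shows the temporary db_owner membership, which makes it a useful before-and-after record for change review.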