
AVEVA™ PI Server Installation and Configuration (PI Server 2024 R2)

Use different managed identities

  • Last Updated: Nov 13, 2025

This topic explains how to switch from a higher-privileged account to a system-assigned managed identity with lesser privileges. If you use a user-assigned managed identity to install PI AF server from the PI Server 2024 R2 install kit, you will need to switch from this higher-privileged account to an account with lesser privileges (either a user-assigned managed identity or a system-assigned managed identity). Switching accounts is required to ensure a secure setup for the AF application service.

Important: If the managed identity is assigned to the Azure SQL database with Application.Read.All permissions for Microsoft Entra ID, this step is handled by the AF SQL scripts when the PI AF database is created and configured. See Permissions.

For PI AF database setup from the PI Server install kit, use a user-assigned managed identity with administrative rights on Azure SQL Database or Azure SQL Managed Instance. Once installation is finished, higher-level privileges are no longer required. Either reduce the permissions of the user-assigned managed identity, or switch to a system-assigned managed identity with lesser privileges, before running the AF application service.

Switch to a system-assigned managed identity with lesser privileges

  1. Remove the ‘User ID=<App ID>;’ entry from the connection string in the AFService.exe.config file.

  2. Add permissions to the PI AF database for the system-assigned managed identity.

  3. Run the following queries against the PI AF database using the Azure portal, SQL Server Management Studio (SSMS), or sqlcmd:

    CREATE USER <ManagedIdentityName> FROM EXTERNAL PROVIDER;

    ALTER ROLE db_AFServer ADD MEMBER <ManagedIdentityName>;

    Note: The name of the system-assigned service principal is always the same name as the Azure resource it's created for. See Managed Identity Types.
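The following script is an added example, not part of the AVEVA documentation or the PI Server install kit. It performs step 1 of the procedure above in a checkable way: it parses the semicolon-separated connection string in a .config file, removes the `User ID` entry (and its SqlClient alias `UID`) that binds the service to the user-assigned identity's client ID, and then verifies that no user-ID entry remains before the file is written back. The sample configuration, the `AFDatabase` connection-string name and the `<connectionStrings>/<add>` layout are constructed assumptions about the file's structure; inspect the real AFService.exe.config before pointing the script at it.

```python
"""Remove the user-assigned identity's client ID from a .config connection string.

Added example (not AVEVA's code). Assumes the standard .NET layout
<configuration><connectionStrings><add name=".." connectionString=".."/>;
the real AFService.exe.config may differ, so check it first.
"""
import xml.etree.ElementTree as ET

# SqlClient treats "UID" as an alias of "User ID"; both select the identity.
USER_ID_KEYS = {"user id", "uid"}

# Constructed sample; the client ID is a placeholder, not a real identity.
SAMPLE_CONFIG = """<configuration>
  <connectionStrings>
    <add name="AFDatabase"
         connectionString="Server=tcp:EXAMPLE.database.windows.net,1433;Database=AFDatabase;Authentication=Active Directory Managed Identity;User ID=00000000-0000-0000-0000-000000000000;Encrypt=True;" />
  </connectionStrings>
</configuration>
"""


def parse_connection_string(conn_str):
    """Split 'key=value;key=value;' into ordered (key, value) pairs."""
    pairs = []
    for segment in conn_str.split(";"):
        if not segment.strip():
            continue  # tolerate trailing or doubled semicolons
        key, sep, value = segment.partition("=")
        if not sep:
            raise ValueError(f"malformed connection-string segment: {segment!r}")
        pairs.append((key.strip(), value.strip()))
    return pairs


def has_user_id(conn_str):
    """True if the string still names a specific identity via User ID / UID."""
    return any(k.lower() in USER_ID_KEYS for k, _ in parse_connection_string(conn_str))


def strip_user_id(conn_str):
    """Return the connection string without any User ID / UID entry.

    Without a User ID, 'Active Directory Managed Identity' authentication
    falls back to the VM's system-assigned identity.
    """
    kept = [(k, v) for k, v in parse_connection_string(conn_str)
            if k.lower() not in USER_ID_KEYS]
    return ";".join(f"{k}={v}" for k, v in kept) + ";"


def rewrite_config(xml_text):
    """Strip User ID from every <connectionStrings>/<add> entry.

    Returns (new_xml_text, names_of_entries_changed). Raises if any entry
    still carries a user ID afterwards, so a partial edit is never written.
    """
    root = ET.fromstring(xml_text)
    changed = []
    for add in root.iter("add"):
        conn = add.get("connectionString")
        if conn is None or not has_user_id(conn):
            continue
        add.set("connectionString", strip_user_id(conn))
        changed.append(add.get("name", "<unnamed>"))
    # Post-condition check: no entry may still bind a specific identity.
    for add in root.iter("add"):
        conn = add.get("connectionString")
        if conn is not None and has_user_id(conn):
            raise RuntimeError(f"User ID still present in {add.get('name')}")
    return ET.tostring(root, encoding="unicode"), changed


def rewrite_config_file(path):
    """Apply rewrite_config to a file on disk and write it back in place."""
    with open(path, encoding="utf-8") as fh:
        new_text, changed = rewrite_config(fh.read())
    if changed:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return changed


if __name__ == "__main__":
    new_xml, touched = rewrite_config(SAMPLE_CONFIG)
    print("entries changed:", touched)
    print(new_xml)
```

Run `rewrite_config_file(r"<path to AFService.exe.config>")` after backing the file up; the function returns the names of the entries it changed, and its post-condition check refuses to write anything if a user ID survives, which is the state you want to confirm before restarting the AF application service.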
