Access Azure SQL databases with Azure Identity instead of user/password

Because of compliance and security reasons, we can't use user/password or a connection string to connect to our Azure SQL databases.

Is it possible to use an Azure Identity to access the database?
And if yes, how?

Our Retool instance is self-hosted, we have a VM and use docker-compose. We already have a System Assigned Identity for this virtual machine which could be used.

Hi @paulwellnerbou,

If your org is on an enterprise plan this can definitely be done!

Correct me if I am wrong but it seems that Azure Identity has been relabeled to "Microsoft Entra ID". Here is a link to our docs on how to set this up with Retool.

There are also docs in that same section for SAML setup as well. Hope this helps!

Thank you, @Jack_T ,

As far as I understand the docs, these settings are only for login (SSO), not to query any data sources.
Am I wrong?

Thank you!

Hey @paulwellnerbou,

It looks like I was missing some added context, to explain how you can use the credentials from SSO in your resource queries :sweat_smile:

Once you have OIDC SSO set up, you can follow this next part of the docs to use authentication JWTs in resources, so that the SSO auth token can be passed in the header of the query's request.

You would use the keywords in the example as placeholders, and under the hood Retool will replace those variables that are in all upper case with the token received when SSOing into the app.

I am not sure if we have any docs on how to set things up on the Azure side to match that token with the System Assigned Identity for this virtual machine as you had mentioned earlier.

But once you confirm the JWT is being sent in the query, you should be able to use that to grant access as needed and respond to the query's request :crossed_fingers:

Thanks, @Jack_T,

That's not what we need and want. The users of our Retool dashboard do not necessarily have rights to access the Azure resources (databases). We want to configure our Retool to use a certain identity (for example the one we created for the VM where the docker containers are running) to access the data sources.

I am not sure if we have any docs on how to set things up on the Azure side to match that token with the System Assigned Identity for this virtual machine as you had mentioned earlier.

That's exactly what we are searching for.

Our workaround plan for now is to create a cronjob on the VM (or in the docker environment) that uses the System Assigned Identity of the VM to fetch data and replicate it into the local DB that Retool has access to. That should work, but it is an additional piece of software to maintain and the data won't be real-time anymore.
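The following is an added example, not code from the thread, from Retool, or from the poster: it shows both what the original question asks for (connecting to Azure SQL from a process on the VM with the VM's system-assigned managed identity, so no user/password or connection-string secret exists anywhere) and the cronjob workaround described above (pulling rows into a local Postgres that Retool queries). It assumes things the thread does not state: that an Entra ID admin has created a contained user for the VM identity in the Azure SQL database (`CREATE USER [my-vm] FROM EXTERNAL PROVIDER`), that `pyodbc` with "ODBC Driver 18 for SQL Server" and `psycopg2` are installed, that the process can reach the Instance Metadata Service at 169.254.169.254 (in docker-compose this usually means host networking or a route to that address), and that the server, database, table and column names are placeholders.

```python
"""
Added example (not from the Retool thread): a cronjob-style replication script that
reads from Azure SQL using the VM's system-assigned managed identity (no user/password,
no connection-string secret) and upserts the rows into a local Postgres database that
Retool can query.

Assumptions, none of which the thread states:
  * The identity was granted a contained user in the Azure SQL database by an
    Entra ID admin, e.g.  CREATE USER [my-vm] FROM EXTERNAL PROVIDER;
                          ALTER ROLE db_datareader ADD MEMBER [my-vm];
  * pyodbc + "ODBC Driver 18 for SQL Server" and psycopg2 are installed, and the
    process (host or container) can reach the IMDS address 169.254.169.254.
  * Server, database, table and column names below are placeholders.
"""
import json
import re
import struct
import urllib.request

# Instance Metadata Service: only reachable from inside the VM, no credentials needed.
IMDS_TOKEN_URL = (
    "http://169.254.169.254/metadata/identity/oauth2/token"
    "?api-version=2018-02-01&resource=https%3A%2F%2Fdatabase.windows.net%2F"
)
SQL_COPT_SS_ACCESS_TOKEN = 1256                   # ODBC attribute for a pre-acquired token
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")    # identifiers allowed in generated SQL


def fetch_imds_token(opener=urllib.request.urlopen) -> str:
    """Get an access token for the system-assigned identity from IMDS.
    The 'Metadata: true' header is mandatory; IMDS rejects requests without it, so a
    header-less SSRF through some other service on the VM cannot mint tokens.
    'opener' is injectable so the function can be exercised offline with a fake."""
    req = urllib.request.Request(IMDS_TOKEN_URL, headers={"Metadata": "true"})
    with opener(req, timeout=5) as resp:
        return json.loads(resp.read().decode("utf-8"))["access_token"]


def token_to_odbc_struct(token: str) -> bytes:
    """Pack the JWT the way the Microsoft ODBC driver expects:
    4-byte little-endian byte length, then the token encoded as UTF-16-LE."""
    expanded = token.encode("utf-16-le")
    return struct.pack("<i", len(expanded)) + expanded


def connect_azure_sql(server: str, database: str, token: str):
    """Open the source connection with the token; there is no UID/PWD in the DSN."""
    import pyodbc  # local import keeps the pure helpers importable without the driver
    dsn = ("Driver={ODBC Driver 18 for SQL Server};"
           f"Server=tcp:{server},1433;Database={database};"
           "Encrypt=yes;TrustServerCertificate=no;")
    return pyodbc.connect(dsn, attrs_before={SQL_COPT_SS_ACCESS_TOKEN: token_to_odbc_struct(token)})


def build_upsert_sql(table: str, columns: list, key: str) -> str:
    """Postgres upsert for the local copy. Identifiers come from our own config, but
    they are still validated so a typo or a careless future change cannot inject SQL."""
    for ident in (table, key, *columns):
        if not _IDENT.fullmatch(ident):
            raise ValueError(f"unsafe identifier: {ident!r}")
    q = lambda s: f'"{s}"'
    cols = ", ".join(q(c) for c in columns)
    params = ", ".join("%s" for _ in columns)
    updates = ", ".join(f"{q(c)} = EXCLUDED.{q(c)}" for c in columns if c != key)
    action = f"DO UPDATE SET {updates}" if updates else "DO NOTHING"
    return f"INSERT INTO {q(table)} ({cols}) VALUES ({params}) ON CONFLICT ({q(key)}) {action}"


def replicate_table(src_cur, dst_cur, table: str, columns: list, key: str, batch: int = 500) -> int:
    """Stream rows from Azure SQL into the local table in batches; returns rows copied.
    Both arguments are DB-API cursors (pyodbc source, psycopg2 destination)."""
    upsert = build_upsert_sql(table, columns, key)   # validates identifiers before any query runs
    src_cur.execute(f"SELECT {', '.join(f'[{c}]' for c in columns)} FROM [{table}]")
    copied = 0
    while True:
        rows = src_cur.fetchmany(batch)
        if not rows:
            return copied
        dst_cur.executemany(upsert, [tuple(r) for r in rows])
        copied += len(rows)


if __name__ == "__main__":
    import psycopg2  # destination: the local Postgres Retool already reads (assumption)
    token = fetch_imds_token()
    src = connect_azure_sql("myserver.database.windows.net", "sales", token)
    dst = psycopg2.connect("dbname=retool_data user=retool host=postgres")
    with src, dst:   # both connections commit on a clean exit of the block
        n = replicate_table(src.cursor(), dst.cursor(), "orders", ["id", "status", "updated_at"], "id")
    print(f"replicated {n} rows")
```

The token from IMDS is short-lived and is fetched fresh on every cron run, so nothing long-lived is written to disk or to the compose file; access is controlled entirely by which roles the VM's identity holds in the database. If Retool itself ever gains native support for passing an access token to a SQL resource, the same `token_to_odbc_struct` packing is what a driver-level integration would need.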

Ah ok thank you for the added details, apologies for my confusion.

It sounds like we are running into an architectural limitation of what Retool supports out of the box.

But I am happy you found a workaround :+1: