How to Backup Azure SQL Managed Instance to Blob Storage via SSMS

Backing up your Azure SQL Managed Instance (MI) is crucial for disaster recovery and migration scenarios. While Azure automatically provides continuous backups, sometimes you’ll need a manual full backup (.bak file) — for example, when migrating to another environment or keeping an offline archive.

How Azure SQL Managed Instance Handles Backups

Azure SQL Managed Instance supports native BACKUP/RESTORE operations only to Azure Blob Storage (URL). You can’t back up to local disks or file shares — instead, the .bak file is written directly to a Blob Storage container in your Azure Storage Account.

You have two options to authenticate and connect the Managed Instance to the container:

• Using a Shared Access Signature (SAS token), or
• Using a Managed Identity (recommended for enterprise environments)

Prerequisites

Before starting, make sure you have:

• An Azure SQL Managed Instance accessible via SSMS.
• An Azure Storage Account with a container created (for backups).
• SSMS version 18.12 or later.
• Proper permissions on both SQL and Azure sides (e.g., SQL admin, Storage Blob Contributor).

Step 1: Create a Blob Storage Container

1. Go to your Azure Portal.
2. Navigate to your Storage Account → Containers.
3. Click + Container, name it (e.g., sqlbackups), and set Public access = Private.
4. Inside this container, click Shared access tokens and create a SAS token with these permissions:
   • Read, Write, Add, Create, List (and Read for restores later)
   • Copy the generated SAS token — you’ll need it soon.

Step 2: Create a SQL Credential in SSMS

Open SSMS and connect to your Azure SQL Managed Instance.

Run the following T-SQL script in the master database:

USE master;
GO

-- Step 1: Create a master key if you don’t already have one
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Strong_P@ssword123!';
GO

-- Step 2: Create a credential linked to your Blob container
CREATE CREDENTIAL [https://<storageaccount>.blob.core.windows.net/<container>]
WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
SECRET = '<your_SAS_token_without_?>';
GO

Important:

• The credential name must exactly match your container URL.
• The SECRET is the SAS token without the leading “?”.

Step 3: Back Up the Database to Azure Blob

You can now run your backup command:

BACKUP DATABASE [YourDatabaseName]
TO URL = 'https://<storageaccount>.blob.core.windows.net/<container>/YourDatabaseName_full_2025_10_23.bak'
WITH COPY_ONLY, COMPRESSION, CHECKSUM, STATS = 5;

• COPY_ONLY ensures this backup doesn’t interfere with automatic backups.
• COMPRESSION reduces file size.
• The .bak file will appear in your Blob container.

Step 4: (Optional) Use Managed Identity Instead of SAS

If your Managed Instance has a system-assigned managed identity, you can eliminate the need for SAS tokens.

1. Go to your Storage Account → Access Control (IAM).
2. Assign the role Storage Blob Data Contributor to your Managed Instance’s managed identity.
3. Create the credential in SSMS:

CREATE CREDENTIAL [https://<storageaccount>.blob.core.windows.net/<container>]
WITH IDENTITY = 'Managed Identity';

Now your Managed Instance can securely back up to the container using its identity.

Step 5: Verify or Restore the Backup

You can check the backup file with:

RESTORE FILELISTONLY 
FROM URL = 'https://<storageaccount>.blob.core.windows.net/<container>/YourDatabaseName_full_2025_10_23.bak';

To restore it into the same or another MI:

RESTORE DATABASE [YourDatabaseName_Restore]
FROM URL = 'https://<storageaccount>.blob.core.windows.net/<container>/YourDatabaseName_full_2025_10_23.bak'
WITH MOVE 'YourDatabaseName' TO 'D:\data\YourDatabaseName_Restore.mdf',
     MOVE 'YourDatabaseName_log' TO 'D:\data\YourDatabaseName_Restore.ldf',
     STATS = 5, REPLACE;

Common Errors & Fixes

Error	Cause	Fix
Cannot open backup device… Operating system error 50	Credential name mismatch or invalid SAS	Ensure the credential name = container URL, and SAS token is valid (without “?”).
SSMS backup dialog doesn’t list storage	Subscription authentication issue	Use T-SQL instead of GUI.
Network error or timeout	Storage firewall blocking Managed Instance	Enable “Allow trusted services” or set up a private endpoint.

Bonus: Back Up via SSMS GUI

If you prefer the SSMS interface:

1. In Object Explorer → right-click your database → Tasks → Back Up…
2. Select Destination: URL, click Add, and choose your storage account and container.
3. SSMS will create the credential automatically if authorized.
4. Click OK to back up.

For secure automation, combine this method with Azure Automation Runbooks or Azure Logic Apps to schedule backups periodically.

Read More:

• How to Use Azure NetApp Files for OT Data Transfer to Cloud
• Fix: az vm run-command Not Working in Azure CLI
• Azure VM Series Retirement 2028 Explained: F, Fs, Lsv2, G, Av2, and B-Series Migration Guide
• Azure Site Recovery Debian 12 Compatibility Guide (Fix for Kernel 6.1.0-40-cloud-amd64)