I can't backup database via SSMS on Azure sql managed instance

Question

I can't backup database via SSMS on Azure sql managed instance

Shlomi Rachamim 40

need help to backup to azure storage account via SSMS

Marcin Policht 63,730 Reputation points MVP Volunteer Moderator

2025-10-06T17:24:13.5266667+00:00

Follow https://free.blessedness.top/en-us/sql/relational-databases/backup-restore/sql-server-backup-to-url

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Erland Sommarskog 127.4K Reputation points MVP Volunteer Moderator

2025-10-06T21:08:16.1433333+00:00

If Marcin's answer does not help you, please give more details about your problem, for instance any error message you get.
Abhisek Mishra 845 Reputation points Microsoft External Staff Moderator

2025-10-07T01:38:54.9966667+00:00

Hi Shlomi Rachamim,

Please review the information shared earlier, and I hope this information has been helpful! If you still have questions, please let us know what is needed in the comments so the question can be answered.
Shlomi Rachamim 40 Reputation points

2025-10-07T18:19:45.27+00:00

I sent you in pm
Swapnesh Panchal 740 Reputation points Microsoft External Staff Moderator

2025-10-07T19:52:38.97+00:00

Hi @Shlomi Rachamim
Kindly share the requested details via private message so we can investigate this further.
Shlomi Rachamim 40 Reputation points

2025-10-15T13:17:36.8566667+00:00

any update??

I sent you multiple emails !!
Shlomi Rachamim 40 Reputation points

2025-10-18T18:51:29.0466667+00:00

please help and send me pm for next communication
Abhisek Mishra 845 Reputation points Microsoft External Staff Moderator

2025-10-21T06:58:29.2633333+00:00
Hi Shlomi Rachamim,

I went through the error message and here are the possible causes and fixes.

Cause:

On Azure SQL Managed Instance, databases are encrypted by default using service-managed Transparent Data Encryption (TDE).

Native BACKUP DATABASE to .bak files (like on-prem SQL Server) is not supported when TDE is service-managed.

You have two supported options for backup.
Use Azure-native backup/restore

Managed Instance automatically takes full, differential, and log backups.

You can restore to a point in time using Azure Portal, PowerShell, or Azure CLI.

Docs: https://free.blessedness.top/azure/azure-sql/managed-instance/automated-backups-overview

Export to BACPAC

If you need a copy outside the instance, export the database to a BACPAC file (schema + data)

If you need .bak backups

Only possible if you disable TDE (not recommended for production).

Or use customer-managed TDE keys (BYOK) and then use Managed Instance native backup/restore to Azure Blob Storage.

I hope this information is helpful! If you still have questions, please let us know what is needed in the comments so the question can be answered.

Thanks,

Abhisek
Shlomi Rachamim 40 Reputation points

2025-10-21T21:50:36.8366667+00:00
How to disable TDE?

Why it's not recommended for production ?
Abhisek Mishra 845 Reputation points Microsoft External Staff Moderator

2025-10-22T11:01:18.8566667+00:00
Hi Shlomi Rachamim,

Please find below, the answers for the questions you asked.

How to Disable TDE in Azure SQL

Transparent Data Encryption (TDE) is enabled by default for all new Azure SQL Databases and Managed Instances. To disable it:

Run T-SQL Command ALTER DATABASE [YourDatabase] SET ENCRYPTION OFF; This starts the decryption process. You can monitor progress using: SELECT`` db.name, dm.encryption_state, dm.percent_complete FROM`` sys.databases db LEFT`` JOIN sys.dm_database_encryption_keys dm ON`` db.database_id = dm.database_id WHERE`` db.name = 'YourDatabase'; When percent_complete reaches 100 and encryption_state changes to 1, the database is decrypted.

Drop the Database Encryption Key DROP DATABASE ENCRYPTION KEY; This fully removes TDE from the database.

Why Disabling TDE Is Not Recommended for Production

Security Risk: TDE protects data at rest (database files, backups, transaction logs). Disabling it means these files are stored in plain text, increasing exposure if storage media or backups are compromised.
https://free.blessedness.top/en-us/azure/azure-sql/database/transparent-data-encryption-tde-overview?view=azuresql&tabs=azure-portal

Compliance Impact: Many regulatory frameworks (e.g., PCI DSS, HIPAA) require encryption at rest. Turning off TDE can lead to non-compliance.

Minimal Performance Overhead: TDE uses AES-NI hardware acceleration, so the CPU impact is very small. Disabling it for performance reasons is rarely justified.

Best Practice: Keep TDE enabled and, if needed, use customer-managed keys for more control instead of disabling encryption.

Thanks,

Abhisek
Shlomi Rachamim 40 Reputation points

2025-10-22T18:46:51.7866667+00:00

I have another tenant that SSMS worked fine without disable TDE and without KeyVault

Your answer

Marcin Policht 63,730 Reputation points MVP Volunteer Moderator

2025-10-06T17:24:13.5266667+00:00

Follow https://free.blessedness.top/en-us/sql/relational-databases/backup-restore/sql-server-backup-to-url

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Erland Sommarskog 127.4K Reputation points MVP Volunteer Moderator

2025-10-06T21:08:16.1433333+00:00

If Marcin's answer does not help you, please give more details about your problem, for instance any error message you get.
Abhisek Mishra 845 Reputation points Microsoft External Staff Moderator

2025-10-07T01:38:54.9966667+00:00

Hi Shlomi Rachamim,

Please review the information shared earlier, and I hope this information has been helpful! If you still have questions, please let us know what is needed in the comments so the question can be answered.
Shlomi Rachamim 40 Reputation points

2025-10-07T18:19:45.27+00:00

I sent you in pm
Swapnesh Panchal 740 Reputation points Microsoft External Staff Moderator

2025-10-07T19:52:38.97+00:00

Hi @Shlomi Rachamim
Kindly share the requested details via private message so we can investigate this further.
Shlomi Rachamim 40 Reputation points

2025-10-15T13:17:36.8566667+00:00

any update??

I sent you multiple emails !!
Shlomi Rachamim 40 Reputation points

2025-10-18T18:51:29.0466667+00:00

please help and send me pm for next communication
Abhisek Mishra 845 Reputation points Microsoft External Staff Moderator

2025-10-21T06:58:29.2633333+00:00

Hi Shlomi Rachamim,

I went through the error message and here are the possible causes and fixes.

Cause:

On Azure SQL Managed Instance, databases are encrypted by default using service-managed Transparent Data Encryption (TDE).

Native BACKUP DATABASE to .bak files (like on-prem SQL Server) is not supported when TDE is service-managed.

You have two supported options for backup.
Use Azure-native backup/restore

Managed Instance automatically takes full, differential, and log backups.

You can restore to a point in time using Azure Portal, PowerShell, or Azure CLI.

Docs: https://free.blessedness.top/azure/azure-sql/managed-instance/automated-backups-overview

Export to BACPAC

If you need a copy outside the instance, export the database to a BACPAC file (schema + data)

If you need .bak backups

Only possible if you disable TDE (not recommended for production).

Or use customer-managed TDE keys (BYOK) and then use Managed Instance native backup/restore to Azure Blob Storage.

I hope this information is helpful! If you still have questions, please let us know what is needed in the comments so the question can be answered.

Thanks,

Abhisek
Shlomi Rachamim 40 Reputation points

2025-10-21T21:50:36.8366667+00:00

How to disable TDE?

Why it's not recommended for production ?
Abhisek Mishra 845 Reputation points Microsoft External Staff Moderator

2025-10-22T11:01:18.8566667+00:00

Hi Shlomi Rachamim,

Please find below, the answers for the questions you asked.

How to Disable TDE in Azure SQL

Transparent Data Encryption (TDE) is enabled by default for all new Azure SQL Databases and Managed Instances. To disable it:

Run T-SQL Command ALTER DATABASE [YourDatabase] SET ENCRYPTION OFF; This starts the decryption process. You can monitor progress using: SELECT`` db.name, dm.encryption_state, dm.percent_complete FROM`` sys.databases db LEFT`` JOIN sys.dm_database_encryption_keys dm ON`` db.database_id = dm.database_id WHERE`` db.name = 'YourDatabase'; When percent_complete reaches 100 and encryption_state changes to 1, the database is decrypted.

Drop the Database Encryption Key DROP DATABASE ENCRYPTION KEY; This fully removes TDE from the database.

Why Disabling TDE Is Not Recommended for Production

Security Risk: TDE protects data at rest (database files, backups, transaction logs). Disabling it means these files are stored in plain text, increasing exposure if storage media or backups are compromised.
https://free.blessedness.top/en-us/azure/azure-sql/database/transparent-data-encryption-tde-overview?view=azuresql&tabs=azure-portal

Compliance Impact: Many regulatory frameworks (e.g., PCI DSS, HIPAA) require encryption at rest. Turning off TDE can lead to non-compliance.

Minimal Performance Overhead: TDE uses AES-NI hardware acceleration, so the CPU impact is very small. Disabling it for performance reasons is rarely justified.

Best Practice: Keep TDE enabled and, if needed, use customer-managed keys for more control instead of disabling encryption.

Thanks,

Abhisek
Shlomi Rachamim 40 Reputation points

2025-10-22T18:46:51.7866667+00:00

I have another tenant that SSMS worked fine without disable TDE and without KeyVault

Share via

I can't backup database via SSMS on Azure sql managed instance

Your answer