Follow up to #1611 (comment) and #1753
First of all thank you for supporting Entra auth in v4. This will save my org time as we plan to migrate a lot of different databases and do not want to deal with setting up SQL username + password auth for all of them when we have a entra setup working already.
First let me clarify that I am familiar with the different authentication types mentioned here, but I am mostly familiar with the Azure.Identity package in .NET, so some details may be different in MSAL4J.
Currently the only personal auth method is ActiveDirectoryPassword
Two issues with supporting this:
- It is deprecated due to MFA requirements https://learn.microsoft.com/en-us/sql/connect/jdbc/connecting-using-azure-active-directory-authentication?view=sql-server-ver17#connect-using-activedirectorypassword-authentication-mode
The ActiveDirectoryPassword authentication option (Microsoft Entra ID password authentication) is deprecated in the Microsoft SQL drivers. This high-risk authentication flow is incompatible with [mandatory Microsoft Entra multifactor authentication (MFA)](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication) and might not work in tenants where MFA is enforced. Plan to migrate to a different Microsoft Entra authentication method.
- If I am not mistaken you can't really get this working anymore unless you create some exceptions to conditional access (not recommended), re: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication?tabs=dotnet
For instance I just tried the ActiveDirectoryPassword auth and ended up with this:
[1/3] Running pgloader...
10:02:38.167 INFO [main] pgloader.cli - Parsing commands from file /tmp/tmp.chCNaCp5bl/migration.load
10:02:38.772 INFO [main] pgloader.core - Connected to PostgreSQL at postgresql://nis-gateway:kZ_NHmzwgVCus2tsL6TMn16BS_Dlf07X0L1vhF03ubg@127.0.0.1:5432/gateway?sslmode=disable
10:02:40.137 WARN [pool-2-thread-1] c.m.a.m.PublicClientApplication - [Correlation ID: 7f27db7b-25f8-4428-929b-743fa7f9987b] Execution of class com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier failed: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access xxxx-aaa-bbbb'. Trace ID: 5a2948ef-bc6d-4b8e-bbfa-be5fb76c5700 Correlation ID: 7f27db7b-25f8-4428-929b-743fa7f9987b Timestamp: 2026-07-06 08:02:38Z
Essentially what my org is used to using is Active Directory Default when connecting to a database from localhost. During local development I recommened our developers to run az login before starting their applications to connect to the Azure SQL databases. I think the same would make sense here. Currently when setting the connection string I end up with:
[1/3] Running pgloader...
10:00:12.006 INFO [main] pgloader.cli - Parsing commands from file /tmp/tmp.iPqkUaOklD/migration.load
10:00:12.619 INFO [main] pgloader.core - Connected to PostgreSQL at postgresql://nis-gateway:kZ_NHmzwgVCus2tsL6TMn16BS_Dlf07X0L1vhF03ubg@127.0.0.1:5432/gateway?sslmode=disable
Exception in thread "main" java.lang.NoClassDefFoundError: com/azure/identity/DefaultAzureCredentialBuilder
Before you created #1753 Claude did manage to generate working code for me to authenticate with Active Directory Default via Azure CLI, which shows that it should be possible. The generated code was not very clean so I don't have a PR to contribute with unfortunately.
Follow up to #1611 (comment) and #1753
First of all thank you for supporting Entra auth in v4. This will save my org time as we plan to migrate a lot of different databases and do not want to deal with setting up SQL username + password auth for all of them when we have a entra setup working already.
First let me clarify that I am familiar with the different authentication types mentioned here, but I am mostly familiar with the Azure.Identity package in .NET, so some details may be different in MSAL4J.
Currently the only personal auth method is
ActiveDirectoryPasswordTwo issues with supporting this:
For instance I just tried the ActiveDirectoryPassword auth and ended up with this:
Essentially what my org is used to using is Active Directory Default when connecting to a database from localhost. During local development I recommened our developers to run
az loginbefore starting their applications to connect to the Azure SQL databases. I think the same would make sense here. Currently when setting the connection string I end up with:Before you created #1753 Claude did manage to generate working code for me to authenticate with
Active Directory Defaultvia Azure CLI, which shows that it should be possible. The generated code was not very clean so I don't have a PR to contribute with unfortunately.