Skip to content

Support for more personal authentication modes for Azure SQL #1754

Description

@audunsolemdal

Follow up to #1611 (comment) and #1753

First of all thank you for supporting Entra auth in v4. This will save my org time as we plan to migrate a lot of different databases and do not want to deal with setting up SQL username + password auth for all of them when we have a entra setup working already.

First let me clarify that I am familiar with the different authentication types mentioned here, but I am mostly familiar with the Azure.Identity package in .NET, so some details may be different in MSAL4J.

Currently the only personal auth method is ActiveDirectoryPassword

Two issues with supporting this:

  1. It is deprecated due to MFA requirements https://learn.microsoft.com/en-us/sql/connect/jdbc/connecting-using-azure-active-directory-authentication?view=sql-server-ver17#connect-using-activedirectorypassword-authentication-mode
The ActiveDirectoryPassword authentication option (Microsoft Entra ID password authentication) is deprecated in the Microsoft SQL drivers. This high-risk authentication flow is incompatible with [mandatory Microsoft Entra multifactor authentication (MFA)](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication) and might not work in tenants where MFA is enforced. Plan to migrate to a different Microsoft Entra authentication method.
  1. If I am not mistaken you can't really get this working anymore unless you create some exceptions to conditional access (not recommended), re: https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication?tabs=dotnet

For instance I just tried the ActiveDirectoryPassword auth and ended up with this:

[1/3] Running pgloader...
10:02:38.167 INFO  [main] pgloader.cli - Parsing commands from file /tmp/tmp.chCNaCp5bl/migration.load
10:02:38.772 INFO  [main] pgloader.core - Connected to PostgreSQL at postgresql://nis-gateway:kZ_NHmzwgVCus2tsL6TMn16BS_Dlf07X0L1vhF03ubg@127.0.0.1:5432/gateway?sslmode=disable
10:02:40.137 WARN  [pool-2-thread-1] c.m.a.m.PublicClientApplication - [Correlation ID: 7f27db7b-25f8-4428-929b-743fa7f9987b] Execution of class com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier failed: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access xxxx-aaa-bbbb'. Trace ID: 5a2948ef-bc6d-4b8e-bbfa-be5fb76c5700 Correlation ID: 7f27db7b-25f8-4428-929b-743fa7f9987b Timestamp: 2026-07-06 08:02:38Z

Essentially what my org is used to using is Active Directory Default when connecting to a database from localhost. During local development I recommened our developers to run az login before starting their applications to connect to the Azure SQL databases. I think the same would make sense here. Currently when setting the connection string I end up with:

[1/3] Running pgloader...
10:00:12.006 INFO  [main] pgloader.cli - Parsing commands from file /tmp/tmp.iPqkUaOklD/migration.load
10:00:12.619 INFO  [main] pgloader.core - Connected to PostgreSQL at postgresql://nis-gateway:kZ_NHmzwgVCus2tsL6TMn16BS_Dlf07X0L1vhF03ubg@127.0.0.1:5432/gateway?sslmode=disable
Exception in thread "main" java.lang.NoClassDefFoundError: com/azure/identity/DefaultAzureCredentialBuilder

Before you created #1753 Claude did manage to generate working code for me to authenticate with Active Directory Default via Azure CLI, which shows that it should be possible. The generated code was not very clean so I don't have a PR to contribute with unfortunately.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions