Skip to content

feat(mssql): add Entra ID authentication methods for SQL Server, Synapse, and Fabric#4140

Open
sdebruyn wants to merge 2 commits into
dlt-hub:develfrom
sdebruyn:feat/mssql-token-authentication
Open

feat(mssql): add Entra ID authentication methods for SQL Server, Synapse, and Fabric#4140
sdebruyn wants to merge 2 commits into
dlt-hub:develfrom
sdebruyn:feat/mssql-token-authentication

Conversation

@sdebruyn

@sdebruyn sdebruyn commented Jun 30, 2026

Copy link
Copy Markdown

Description

Add an authentication credential option to MsSqlCredentials so the mssql, synapse and fabric destinations can authenticate to Azure-hosted SQL with Microsoft Entra ID instead of a SQL login.

Methods the ODBC driver supports natively are passed straight through as Authentication= in the connection string:

  • ActiveDirectoryServicePrincipal (UID = client id, PWD = client secret)
  • ActiveDirectoryPassword (UID/PWD)
  • ActiveDirectoryIntegrated
  • ActiveDirectoryInteractive
  • ActiveDirectoryMsi

The two methods the ODBC driver does not support natively are handled by dlt with azure-identity: it acquires the access token itself and injects it via attrs_before (SQL_COPT_SS_ACCESS_TOKEN), so they work cross-platform (including macOS, where the driver's built-in Entra ID modes are unreliable):

  • ActiveDirectoryDefault (with the thin alias default) — uses DefaultAzureCredential, which already covers environment variables, Azure CLI, managed identity, and so on.
  • ActiveDirectoryDeviceCode — uses DeviceCodeCredential.

Empty authentication keeps the existing SQL login (backwards compatible). ActiveDirectoryServicePrincipal without a secret falls back to a DefaultAzureCredential token.

The shared auth helpers live in the mssql destination; synapse inherits them and fabric reuses them, dropping its previous fabric-only token override. azure-identity is imported lazily (only for the token-injection methods).

Adds unit tests for every method on mssql and fabric, a Docker-based integration test for the SQL-login connection path, and documentation.

Related Issues

Additional Context

  • All tests ran locally and succeeded.
  • I created dbt-fabric where I do the same for dbt Core. I also contributed the same feature to Soda Core.

@sdebruyn sdebruyn force-pushed the feat/mssql-token-authentication branch from 6fe136b to c04913a Compare June 30, 2026 18:21
@sdebruyn sdebruyn changed the title feat(mssql): add Azure AD authentication methods across MS SQL destinations feat(mssql): add Azure AD authentication methods for SQL Server, Synapse, and Fabric Jun 30, 2026
@sdebruyn sdebruyn changed the title feat(mssql): add Azure AD authentication methods for SQL Server, Synapse, and Fabric feat(mssql): add Entra ID authentication methods for SQL Server, Synapse, and Fabric Jun 30, 2026
@sdebruyn sdebruyn force-pushed the feat/mssql-token-authentication branch 2 times, most recently from c239a65 to c0b5f04 Compare June 30, 2026 19:01
…SQL destinations

Add an `authentication` credential option to MsSqlCredentials so the mssql, synapse
and fabric destinations can authenticate to Azure-hosted SQL with Microsoft Entra ID
instead of a SQL login:

- azure-identity token methods (cli, default/auto, environment, interactive,
  devicecode, msi/managedidentity): dlt acquires an access token and injects it via
  pyodbc attrs_before (SQL_COPT_SS_ACCESS_TOKEN), so they work cross-platform
  (including macOS, where the ODBC driver's built-in Entra ID modes are unreliable).
- driver-native methods (ActiveDirectoryServicePrincipal, ActiveDirectoryPassword,
  ActiveDirectoryIntegrated, ActiveDirectoryInteractive) are passed as Authentication=.
- empty authentication keeps the existing SQL login (backwards compatible); the default
  Service Principal method without a secret falls back to DefaultAzureCredential.

The shared auth helpers live in the mssql destination; synapse inherits them and fabric
reuses them, dropping its previous fabric-only token override. azure-identity is imported
lazily (only for token methods).

Adds unit tests for every method on mssql and fabric, a Docker-based integration test
for the SQL-login connection path, and documentation.

Closes dlt-hub#2059

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@sdebruyn sdebruyn force-pushed the feat/mssql-token-authentication branch from c0b5f04 to a87408c Compare June 30, 2026 20:36
@sdebruyn sdebruyn marked this pull request as ready for review June 30, 2026 20:40
sdebruyn added a commit to sdebruyn/dlt that referenced this pull request Jun 30, 2026
This branch tracks dlt and bundles the Fabric-related pull requests
(dlt-hub#4140, dlt-hub#4141, dlt-hub#4142) for combined testing. Point everything else to
the upstream dlt project.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@sdebruyn sdebruyn marked this pull request as draft June 30, 2026 21:52
@sdebruyn sdebruyn marked this pull request as ready for review June 30, 2026 22:11
@sdebruyn sdebruyn force-pushed the feat/mssql-token-authentication branch from a87408c to e4ba09d Compare July 1, 2026 08:09
@sdebruyn sdebruyn marked this pull request as draft July 1, 2026 20:41
…n to two methods

Redesign the `authentication` credential option to be driver-aware for the pyodbc
driver used at this point in the mssql/synapse/fabric destinations:

- Driver-native (passed as `Authentication=` in the DSN, poolable): the ODBC driver
  itself performs the sign-in. Adds `ActiveDirectoryMsi` alongside the existing
  `ActiveDirectoryServicePrincipal`, `ActiveDirectoryPassword`, `ActiveDirectoryIntegrated`,
  `ActiveDirectoryInteractive`.
- azure-identity token injection (via pyodbc `attrs_before`, not poolable): narrowed to
  the two methods pyodbc/msodbcsql cannot perform natively, renamed to match ODBC's own
  naming convention: `ActiveDirectoryDefault` (DefaultAzureCredential) and
  `ActiveDirectoryDeviceCode` (DeviceCodeCredential).
- The thin `default` alias for `ActiveDirectoryDefault` is kept; `auto` is not carried
  over since it never existed on `devel` and has no backwards-compatibility reason to
  exist here (PR1 would have been the one introducing it).
- Removes the other dlt-custom lowercase names (`cli`, `environment`, `interactive`,
  `devicecode`, `msi`, `managedidentity`): the native `ActiveDirectory*` names now cover
  Interactive/DeviceCode/Msi directly, and `cli`/`environment` are covered by
  `ActiveDirectoryDefault`, whose `DefaultAzureCredential` chain already includes the
  Azure CLI and environment credentials.

Updates the mssql/fabric/synapse destination docs and the offline mssql/fabric
configuration unit tests to match.
@sdebruyn sdebruyn force-pushed the feat/mssql-token-authentication branch from e4ba09d to 4c12823 Compare July 1, 2026 21:45
@sdebruyn sdebruyn marked this pull request as ready for review July 1, 2026 21:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

1 participant