feat(mssql): add Entra ID authentication methods for SQL Server, Synapse, and Fabric#4140
Open
sdebruyn wants to merge 2 commits into
Open
feat(mssql): add Entra ID authentication methods for SQL Server, Synapse, and Fabric#4140sdebruyn wants to merge 2 commits into
sdebruyn wants to merge 2 commits into
Conversation
6fe136b to
c04913a
Compare
c239a65 to
c0b5f04
Compare
…SQL destinations Add an `authentication` credential option to MsSqlCredentials so the mssql, synapse and fabric destinations can authenticate to Azure-hosted SQL with Microsoft Entra ID instead of a SQL login: - azure-identity token methods (cli, default/auto, environment, interactive, devicecode, msi/managedidentity): dlt acquires an access token and injects it via pyodbc attrs_before (SQL_COPT_SS_ACCESS_TOKEN), so they work cross-platform (including macOS, where the ODBC driver's built-in Entra ID modes are unreliable). - driver-native methods (ActiveDirectoryServicePrincipal, ActiveDirectoryPassword, ActiveDirectoryIntegrated, ActiveDirectoryInteractive) are passed as Authentication=. - empty authentication keeps the existing SQL login (backwards compatible); the default Service Principal method without a secret falls back to DefaultAzureCredential. The shared auth helpers live in the mssql destination; synapse inherits them and fabric reuses them, dropping its previous fabric-only token override. azure-identity is imported lazily (only for token methods). Adds unit tests for every method on mssql and fabric, a Docker-based integration test for the SQL-login connection path, and documentation. Closes dlt-hub#2059 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
c0b5f04 to
a87408c
Compare
sdebruyn
added a commit
to sdebruyn/dlt
that referenced
this pull request
Jun 30, 2026
This branch tracks dlt and bundles the Fabric-related pull requests (dlt-hub#4140, dlt-hub#4141, dlt-hub#4142) for combined testing. Point everything else to the upstream dlt project. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
a87408c to
e4ba09d
Compare
This was referenced Jul 1, 2026
Open
…n to two methods Redesign the `authentication` credential option to be driver-aware for the pyodbc driver used at this point in the mssql/synapse/fabric destinations: - Driver-native (passed as `Authentication=` in the DSN, poolable): the ODBC driver itself performs the sign-in. Adds `ActiveDirectoryMsi` alongside the existing `ActiveDirectoryServicePrincipal`, `ActiveDirectoryPassword`, `ActiveDirectoryIntegrated`, `ActiveDirectoryInteractive`. - azure-identity token injection (via pyodbc `attrs_before`, not poolable): narrowed to the two methods pyodbc/msodbcsql cannot perform natively, renamed to match ODBC's own naming convention: `ActiveDirectoryDefault` (DefaultAzureCredential) and `ActiveDirectoryDeviceCode` (DeviceCodeCredential). - The thin `default` alias for `ActiveDirectoryDefault` is kept; `auto` is not carried over since it never existed on `devel` and has no backwards-compatibility reason to exist here (PR1 would have been the one introducing it). - Removes the other dlt-custom lowercase names (`cli`, `environment`, `interactive`, `devicecode`, `msi`, `managedidentity`): the native `ActiveDirectory*` names now cover Interactive/DeviceCode/Msi directly, and `cli`/`environment` are covered by `ActiveDirectoryDefault`, whose `DefaultAzureCredential` chain already includes the Azure CLI and environment credentials. Updates the mssql/fabric/synapse destination docs and the offline mssql/fabric configuration unit tests to match.
e4ba09d to
4c12823
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Add an
authenticationcredential option toMsSqlCredentialsso the mssql, synapse and fabric destinations can authenticate to Azure-hosted SQL with Microsoft Entra ID instead of a SQL login.Methods the ODBC driver supports natively are passed straight through as
Authentication=in the connection string:ActiveDirectoryServicePrincipal(UID = client id, PWD = client secret)ActiveDirectoryPassword(UID/PWD)ActiveDirectoryIntegratedActiveDirectoryInteractiveActiveDirectoryMsiThe two methods the ODBC driver does not support natively are handled by dlt with azure-identity: it acquires the access token itself and injects it via
attrs_before(SQL_COPT_SS_ACCESS_TOKEN), so they work cross-platform (including macOS, where the driver's built-in Entra ID modes are unreliable):ActiveDirectoryDefault(with the thin aliasdefault) — usesDefaultAzureCredential, which already covers environment variables, Azure CLI, managed identity, and so on.ActiveDirectoryDeviceCode— usesDeviceCodeCredential.Empty
authenticationkeeps the existing SQL login (backwards compatible).ActiveDirectoryServicePrincipalwithout a secret falls back to aDefaultAzureCredentialtoken.The shared auth helpers live in the mssql destination; synapse inherits them and fabric reuses them, dropping its previous fabric-only token override. azure-identity is imported lazily (only for the token-injection methods).
Adds unit tests for every method on mssql and fabric, a Docker-based integration test for the SQL-login connection path, and documentation.
Related Issues
Additional Context