What tenantid is taken when we use authentication=ActiveDirectoryServicePrincipal in connection string with clientId and secret

VD 66 Reputation points
2021-02-23T16:10:54.33+00:00

Hi Team,

What tenant ID is taken when we use authentication=ActiveDirectoryServicePrincipal in a SQL connection string?


Accepted answer
  1. KalyanChanumolu-MSFT 8,316 Reputation points
    2021-02-24T07:54:03.44+00:00

    @VD That functionality is not built into Microsoft.Data.SqlClient today.
    But I get your point and see that it would be a useful feature to have. I would request you to create a feature request here

    Regarding acquiring an access token using ClientSecret or AuthenticationContext, specifying the TenantId is optional in the case of a single-tenant application.
    This is because the SDK can determine the service principal (highlighted in Green) and tenant based on the clientId (highlighted in blue) you provide.

    You can check this relationship from the Azure portal on the Overview blade of your AD Application.

    [image: Azure portal, Overview blade of the AD application, showing the service principal and the client ID]

    Do let me know if you have further questions.

    ----------

    If an answer is helpful, please "Accept answer" or "Up-Vote" for the same which might be beneficial to other community members reading this thread.


1 additional answer

  1. KalyanChanumolu-MSFT 8,316 Reputation points
    2021-02-24T05:13:44.89+00:00

    @VD Thank you for reaching out.
    By default, web app/API registrations in Azure AD are single tenant. So, you don't have to pass the tenant id to acquire the access token.

    If you have a multi-tenant application, you can pass the tenant id while acquiring the access token.
    The code below is from the constructor of a DbContext in an EF Core application:

    using Microsoft.Azure.Services.AppAuthentication;
    using Microsoft.Data.SqlClient;
    using Microsoft.EntityFrameworkCore;

    public MSXDataContext(DbContextOptions<MSXDataContext> options) : base(options)
    {
        // Acquire a token for Azure SQL as the app's service principal, pinned to one tenant,
        // and attach it to the connection EF Core will open. (.Result blocks; tolerable in a ctor.)
        var connection = (SqlConnection)Database.GetDbConnection();
        connection.AccessToken = new AzureServiceTokenProvider()
            .GetAccessTokenAsync("https://database.windows.net/", tenantId: "YOUR-TENANT-ID Here").Result;
    }

    Please let us know if you have further questions.

    ----------

    If an answer is helpful, please "Accept answer" or "Up-Vote" for the same which might be beneficial to other community members reading this thread.

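The following is an added example, not code from either answer above. It puts the two routes discussed in the thread side by side: the ActiveDirectoryServicePrincipal connection string, which carries only the client ID (User ID) and secret (Password) and has no place to name a tenant, and the alternative of acquiring the token yourself with an explicit tenant and handing it to SqlConnection.AccessToken. The second route uses Azure.Identity's ClientSecretCredential in place of the deprecated AzureServiceTokenProvider shown in the answer, and adds the check a practitioner actually wants when asking "which tenant was used": reading the `tid` claim out of the token before opening the connection. Server, database, tenant, client ID and the SQL_SPN_SECRET environment variable are placeholders (assumptions), and the Microsoft.Data.SqlClient and Azure.Identity NuGet packages are assumed to be referenced.

```csharp
// Added example (not from the thread). Assumes the Microsoft.Data.SqlClient and Azure.Identity
// NuGet packages and placeholder values for server, database, tenant, client id and secret.
using System;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Data.SqlClient;

class SqlSpnTenantDemo
{
    // Placeholders - replace with your own values (assumed, not taken from the thread).
    const string Server   = "yourserver.database.windows.net";
    const string Database = "yourdb";
    const string TenantId = "00000000-0000-0000-0000-000000000000";
    const string ClientId = "11111111-1111-1111-1111-111111111111";
    static string ClientSecret => Environment.GetEnvironmentVariable("SQL_SPN_SECRET")
        ?? throw new InvalidOperationException("set SQL_SPN_SECRET");

    // Route A: let SqlClient acquire the token. Note that the connection string has no
    // tenant parameter; only the client id (User ID) and the secret (Password) are passed.
    static SqlConnection ConnectionStringSpn()
    {
        var b = new SqlConnectionStringBuilder
        {
            DataSource = Server,
            InitialCatalog = Database,
            Authentication = SqlAuthenticationMethod.ActiveDirectoryServicePrincipal,
            UserID = ClientId,
            Password = ClientSecret,
            Encrypt = true,
            TrustServerCertificate = false,
        };
        return new SqlConnection(b.ConnectionString);
    }

    // Route B: acquire the token yourself for an explicit tenant and attach it to the connection.
    // This is the approach the answers point to when the tenant has to be chosen (multi-tenant app).
    static async Task<SqlConnection> ExplicitTenantSpn()
    {
        var cred = new ClientSecretCredential(TenantId, ClientId, ClientSecret);
        AccessToken token = await cred.GetTokenAsync(
            new TokenRequestContext(new[] { "https://database.windows.net/.default" }));

        // Check: the issuing tenant is the "tid" claim of the token. Fail fast if it is not
        // the tenant we expect rather than letting the login surface a confusing error later.
        string tid = ReadClaim(token.Token, "tid");
        if (!string.Equals(tid, TenantId, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException($"token issued by tenant {tid}, expected {TenantId}");

        var b = new SqlConnectionStringBuilder
        {
            DataSource = Server,
            InitialCatalog = Database,
            Encrypt = true,
            TrustServerCertificate = false,
        };
        return new SqlConnection(b.ConnectionString) { AccessToken = token.Token };
    }

    // Reads one string claim from the JWT payload without verifying the signature. That is
    // acceptable here: we are inspecting a token we just obtained, not trusting one from a caller.
    static string ReadClaim(string jwt, string claim)
    {
        string payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(payload)));
        return doc.RootElement.TryGetProperty(claim, out var v) ? v.GetString() ?? "" : "";
    }

    static async Task Main()
    {
        using SqlConnection conn = await ExplicitTenantSpn();
        await conn.OpenAsync();
        // Shows the login name SQL sees for the service principal.
        using var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn);
        Console.WriteLine(await cmd.ExecuteScalarAsync());
    }
}
```

Route B is the one to use when the client ID exists in more than one tenant: the tenant is fixed at token-acquisition time and verified against the `tid` claim before any network connection to the database is opened. With route A you get whatever tenant SqlClient resolves for the client ID, and there is no knob in the connection string to influence that, which is the gap the accepted answer suggests filing a feature request for.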