How to set up Windows Authentication for Azure Active Directory with the modern interactive flow
This article describes how to implement the modern interactive authentication flow to allow enlightened clients running Windows 10 20H1, Windows Server 2022, or a higher version of Windows to authenticate to Azure SQL Managed Instance using Windows Authentication. Clients must be joined to Azure Active Directory (Azure AD) or Hybrid Azure AD.
Enabling the modern interactive authentication flow is one step in setting up Windows Authentication for Azure SQL Managed Instance using Azure Active Directory and Kerberos. The incoming trust-based flow is available for AD joined clients running Windows 10 / Windows Server 2012 and higher.
With this feature, Azure AD is now its own independent Kerberos realm. Windows 10 21H1 clients are already enlightened: they redirect ticket requests to Azure AD Kerberos to obtain a Kerberos ticket. The capability for clients to access Azure AD Kerberos is switched off by default and can be enabled through group policy. Group policy also lets you deploy this feature in a staged manner: pilot it on specific clients first, then expand it to all clients across your environment.
There is no AD to Azure AD setup required for enabling software running on Azure AD joined VMs to access Azure SQL Managed Instance using Windows Authentication. The following prerequisites are required to implement the modern interactive authentication flow:
|Prerequisite|Description|
|---|---|
|Clients must run Windows 10 20H1, Windows Server 2022, or a higher version of Windows.||
|Clients must be joined to Azure AD or Hybrid Azure AD.|You can determine if this prerequisite is met by running the dsregcmd command:|
|Application must connect to the managed instance via an interactive session.|This supports applications such as SQL Server Management Studio (SSMS) and web applications, but won't work for applications that run as a service.|
|Azure AD tenant.||
|Azure subscription under the same Azure AD tenant you plan to use for authentication.||
|Azure AD Connect installed.|Hybrid environments where identities exist both in Azure AD and AD.|
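To check the first two prerequisites on a client before rolling out the policy, here is an added PowerShell script (not part of the original article) that parses the output of dsregcmd /status; the build numbers 19041 (Windows 10 20H1) and 20348 (Windows Server 2022) and the AzureAdJoined/DomainJoined field names are assumptions, and the sample output is constructed.

```powershell
# Added example, not from the original article. Assumptions: build 19041 is
# Windows 10 20H1 and 20348 is Windows Server 2022; dsregcmd /status prints
# the join state as "AzureAdJoined : YES/NO" and "DomainJoined : YES/NO".

function ConvertFrom-DsregcmdStatus {
    # Turn the "Key : Value" lines of dsregcmd /status into a hashtable.
    # Section headers and separator lines contain no colon and are skipped;
    # the lazy key match keeps values that themselves contain colons (URLs) intact.
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-JoinPrerequisite {
    # Azure AD joined and hybrid Azure AD joined devices both report
    # AzureAdJoined : YES; hybrid devices additionally report DomainJoined : YES.
    # Either state satisfies the prerequisite from the table above.
    param([hashtable]$State)
    $aad = ($State['AzureAdJoined'] -eq 'YES')
    [pscustomobject]@{
        AzureAdJoined = $aad
        HybridJoined  = $aad -and ($State['DomainJoined'] -eq 'YES')
        Satisfied     = $aad
    }
}

function Test-OsPrerequisite {
    # Windows 10 20H1 (build 19041), Windows Server 2022 (build 20348) or higher.
    param([int]$Build = [Environment]::OSVersion.Version.Build)
    return $Build -ge 19041
}

# Constructed sample output so the parser can be exercised without dsregcmd.
$sample = @(
    '| Device State |',
    'AzureAdJoined : YES',
    'EnterpriseJoined : NO',
    'DomainJoined : YES',
    'DomainName : CONTOSO'
)
Test-JoinPrerequisite (ConvertFrom-DsregcmdStatus $sample)   # hybrid joined

# Live check on the current machine.
$join = Test-JoinPrerequisite (ConvertFrom-DsregcmdStatus (dsregcmd.exe /status))
"OS build OK: $(Test-OsPrerequisite); Azure AD joined: $($join.AzureAdJoined); Hybrid: $($join.HybridJoined)"
```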
Configure group policy
Enable the following group policy setting: Administrative Templates\System\Kerberos\Allow retrieving the cloud Kerberos ticket during the logon.
1. Open the group policy editor.
2. Select the Allow retrieving the cloud Kerberos ticket during the logon setting.
3. In the setting dialog, select Enabled.
Refresh PRT (optional)
Users with existing logon sessions may need to refresh their Azure AD Primary Refresh Token (PRT) if they attempt to use this feature immediately after it has been enabled. It can take up to a few hours for the PRT to refresh on its own.
To refresh PRT manually, run this command from a command prompt:
Learn more about implementing Windows Authentication for Azure AD principals on Azure SQL Managed Instance:
- What is Windows Authentication for Azure Active Directory principals on Azure SQL Managed Instance?
- How Windows Authentication for Azure SQL Managed Instance is implemented with Azure Active Directory and Kerberos
- How to set up Windows Authentication for Azure AD with the incoming trust-based flow
- Configure Azure SQL Managed Instance for Windows Authentication for Azure Active Directory
- Troubleshoot Windows Authentication for Azure AD principals on Azure SQL Managed Instance