Data API builder allows developers to define the authentication mechanism (identity provider) they want Data API builder to use to authenticate who is making requests.
Authentication is delegated to a supported identity provider, which issues the access token. An acquired access token must be included with incoming requests to Data API builder. Data API builder then validates any presented access tokens, ensuring that Data API builder was the intended audience of the token.
In development (az login)
Using Authentication='Active Directory Default' in Azure SQL Database connection strings means the client authenticates using Microsoft Entra credentials. The environment determines the exact authentication method. When a developer runs az login, the Azure CLI opens a browser window prompting the user to sign in with a Microsoft account or corporate credentials. Once authenticated, Azure CLI retrieves and caches the token linked to the Microsoft Entra identity. This token is then used to authenticate requests to Azure services without requiring credentials in the connection string.
    "data-source": {
      "connection-string": "...;Authentication='Active Directory Default';"
    }
To set up local credentials, use az login after you install the Azure CLI.
    az login
JSON Web Token (JWT)
To use the JWT provider, configure the runtime.host.authentication section with the information needed to verify the received JWT:
    "authentication": {
      "provider": "AzureAD",
      "jwt": {
        "audience": "<APP_ID>",
        "issuer": "https://login.microsoftonline.com/<AZURE_AD_TENANT_ID>/v2.0"
      }
    }
Roles selection
Once a request is authenticated via any of the available options, the roles defined in the token are used to help determine how permission rules are evaluated to authorize the request. Any authenticated request is automatically assigned to the authenticated system role, unless a user role is requested for use. For more information, see authorization.
Anonymous requests
Requests can also be made without being authenticated. In such cases, the request is automatically assigned to the anonymous system role so that it can be properly authorized.
X-MS-API-ROLE request header
Data API builder requires the header X-MS-API-ROLE to authorize requests using custom roles. The value of X-MS-API-ROLE must match a role specified in the token. For example, if the token has the role Sample.Role, then X-MS-API-ROLE should also be Sample.Role. For more information, see authorization user roles.
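The following is an added example, not Data API builder's own code: a client-side preflight that predicts which role a planned request would run under and flags audience, issuer, or X-MS-API-ROLE mismatches before the request is sent. The function names are hypothetical, the token is a constructed unsigned sample, and the "roles" array claim, exact string comparison, and the handling of a role header sent without a token are assumptions; the payload is decoded for diagnosis only, and signature validation remains the job of Data API builder.

```python
import base64
import json

ANONYMOUS, AUTHENTICATED = "anonymous", "authenticated"  # system roles


def make_sample_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


def decode_claims(token):
    """Decode the payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def preflight(jwt_config, token=None, requested_role=None):
    """Return (effective_role, problems) for a planned request."""
    problems = []
    if token is None:
        # Assumption: without a token only the anonymous system role can apply.
        if requested_role not in (None, ANONYMOUS):
            problems.append("X-MS-API-ROLE set but no token presented")
        return ANONYMOUS, problems
    claims = decode_claims(token)
    aud = claims.get("aud")
    if jwt_config["audience"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not match configured audience")
    if claims.get("iss") != jwt_config["issuer"]:
        problems.append("iss does not match configured issuer")
    if requested_role in (None, AUTHENTICATED):  # no custom role requested
        return AUTHENTICATED, problems
    # Assumption: roles sit in a "roles" array claim and are compared exactly.
    if requested_role not in claims.get("roles", []):
        problems.append("X-MS-API-ROLE is not among the token's roles")
    return requested_role, problems


if __name__ == "__main__":
    cfg = {"audience": "<APP_ID>", "issuer": "https://login.microsoftonline.com/<AZURE_AD_TENANT_ID>/v2.0"}
    tok = make_sample_token(dict(aud=cfg["audience"], iss=cfg["issuer"], roles=["Sample.Role"]))
    print(preflight(cfg, tok, "Sample.Role"))  # custom role present in token
    print(preflight(cfg, tok, "Other.Role"))   # custom role missing from token
```

Pass the "jwt" object from the runtime configuration as jwt_config; an empty problems list means the planned request is consistent with the rules described on this page.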