Edit

Share via

Use Microsoft Entra ID

Applies to: SQL Server Azure SQL Database Azure SQL Managed Instance Azure Synapse Analytics Analytics Platform System (PDW) SQL analytics endpoint in Microsoft Fabric Warehouse in Microsoft Fabric SQL database in Microsoft Fabric

Download OLE DB driver

Purpose

Starting with version 18.2.1, Microsoft OLE DB Driver for SQL Server allows OLE DB applications to connect to Azure SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics, and Microsoft Fabric using a federated identity.

Microsoft Entra authentication methods include:

  • Username and password
  • Access token
  • Integrated authentication

Version 18.3.0 adds support for the following Microsoft Entra authentication methods:

Version 18.5.0 adds support for the following authentication method:

  • Microsoft Entra service principal authentication

Note

Using the following authentication modes with DataTypeCompatibility (or its corresponding property) set to 80 is not supported:

  • Microsoft Entra authentication using username and password
  • Microsoft Entra authentication using access token
  • Microsoft Entra integrated authentication
  • Microsoft Entra interactive authentication
  • Microsoft Entra managed identities authentication
  • Microsoft Entra service principal authentication

To use Microsoft Entra authentication, you must configure your Azure SQL data source. For more information, see Configure and manage Microsoft Entra authentication with Azure SQL.

Connection string keywords and properties

The following connection string keywords have been introduced to support Microsoft Entra authentication:

Connection string keyword Connection property Description
Access Token SSPROP_AUTH_ACCESS_TOKEN Specifies an access token to authenticate to Microsoft Entra ID.
Authentication SSPROP_AUTH_MODE Specifies authentication method to use.

For more information about the new keywords/properties, see the following pages:

Encryption and certificate validation

See Encryption and certificate validation for more information.

GUI additions

The driver graphical user interface has been enhanced to allow Microsoft Entra authentication. For more information, see:

Example connection strings

This section shows examples of new and existing connection string keywords to be used with IDataInitialize::GetDataSource and DBPROP_INIT_PROVIDERSTRING property.

SQL authentication

  • Using IDataInitialize::GetDataSource:
    • New:

      Provider=MSOLEDBSQL19;Data Source=[server];Initial Catalog=[database];Authentication=SqlPassword;User ID=[username];Password=[password];Use Encryption for Data=Mandatory

    • Deprecated:

      Provider=MSOLEDBSQL19;Data Source=[server];Initial Catalog=[database];User ID=[username];Password=[password];Use Encryption for Data=Mandatory

  • Using DBPROP_INIT_PROVIDERSTRING:
    • New:

      Server=[server];Database=[database];Authentication=SqlPassword;UID=[username];PWD=[password];Encrypt=Mandatory

    • Deprecated:

      Server=[server];Database=[database];UID=[username];PWD=[password];Encrypt=Mandatory

Integrated Windows authentication using Security Support Provider Interface (SSPI)

  • Using IDataInitialize::GetDataSource:
    • New:

      Provider=MSOLEDBSQL19;Data Source=[server];Initial Catalog=[database];Authentication=ActiveDirectoryIntegrated;Use Encryption for Data=Mandatory

    • Deprecated:

      Provider=MSOLEDBSQL19;Data Source=[server];Initial Catalog=[database];Integrated Security=SSPI;Use Encryption for Data=Mandatory

  • Using DBPROP_INIT_PROVIDERSTRING:
    • New:

      Server=[server];Database=[database];Authentication=ActiveDirectoryIntegrated;Encrypt=Mandatory

    • Deprecated:

      Server=[server];Database=[database];Trusted_Connection=yes;Encrypt=Mandatory

Microsoft Entra username and password authentication

Note

The ActiveDirectoryPassword authentication option (Microsoft Entra ID Password authentication) is deprecated.

Microsoft Entra ID password is based on the OAuth 2.0 Resource Owner Password Credentials (ROPC) grant, which allows an application to sign in the user by directly handling their password.

Microsoft recommends you don't use the ROPC flow; it's incompatible with multifactor authentication (MFA). In most scenarios, more secure alternatives are available and recommended. This flow requires a high degree of trust in the application, and carries risks that aren't present in other flows. You should only use this flow when more secure flows aren't viable. Microsoft is moving away from this high-risk authentication flow to protect users from malicious attacks. For more information, see Planning for mandatory multifactor authentication for Azure.

When user context is available, use ActiveDirectoryInteractive authentication.

When user context isn't available and your app is running on Azure infrastructure, use ActiveDirectoryMSI (or ActiveDirectoryManagedIdentity in some drivers). Managed Identity eliminates the overhead of maintaining and rotating secrets and certificates. If you can't use Managed Identity, use ActiveDirectoryServicePrincipal authentication.

Warning

Don't use Service Principal authentication when a user context is available. App-only access is inherently high-privilege, often granting tenant-wide access and potentially allowing a bad actor to access customer data for any user.

  • Using IDataInitialize::GetDataSource:

    Provider=MSOLEDBSQL19;Data Source=[server];Initial Catalog=[database];Authentication=ActiveDirectoryPassword;User ID=[username];Password=[password];Use Encryption for Data=Mandatory

  • Using DBPROP_INIT_PROVIDERSTRING:

    Server=[server];Database=[database];Authentication=ActiveDirectoryPassword;UID=[username];PWD=[password];Encrypt=Mandatory

Microsoft Entra integrated authentication

  • Using IDataInitialize::GetDataSource:

    Provider=MSOLEDBSQL19;Data Source=[server];Initial Catalog=[database];Authentication=ActiveDirectoryIntegrated;Use Encryption for Data=Mandatory

  • Using DBPROP_INIT_PROVIDERSTRING:

    Server=[server];Database=[database];Authentication=ActiveDirectoryIntegrated;Encrypt=Mandatory

Microsoft Entra authentication using an access token

  • Using IDataInitialize::GetDataSource:

    Provider=MSOLEDBSQL19;Data Source=[server];Initial Catalog=[database];Access Token=[access token];Use Encryption for Data=Mandatory

  • Using DBPROP_INIT_PROVIDERSTRING:

    Providing access token through DBPROP_INIT_PROVIDERSTRING isn't supported

Microsoft Entra interactive authentication

  • Using IDataInitialize::GetDataSource:

    Provider=MSOLEDBSQL19;Data Source=[server];Initial Catalog=[database];Authentication=ActiveDirectoryInteractive;User ID=[username];Use Encryption for Data=Mandatory

  • Using DBPROP_INIT_PROVIDERSTRING:

    Server=[server];Database=[database];Authentication=ActiveDirectoryInteractive;UID=[username];Encrypt=Mandatory

Microsoft Entra managed identity authentication

  • Using IDataInitialize::GetDataSource:
    • User-assigned managed identity:

      Provider=MSOLEDBSQL19;Data Source=[server];Initial Catalog=[database];Authentication=ActiveDirectoryMSI;User ID=[Object ID];Use Encryption for Data=Mandatory

    • System-assigned managed identity:

      Provider=MSOLEDBSQL19;Data Source=[server];Initial Catalog=[database];Authentication=ActiveDirectoryMSI;Use Encryption for Data=Mandatory

  • Using DBPROP_INIT_PROVIDERSTRING:
    • User-assigned managed identity:

      Server=[server];Database=[database];Authentication=ActiveDirectoryMSI;UID=[Object ID];Encrypt=Mandatory

    • System-assigned managed identity:

      Server=[server];Database=[database];Authentication=ActiveDirectoryMSI;Encrypt=Mandatory

Microsoft Entra service principal authentication

  • Using IDataInitialize::GetDataSource:

    Provider=MSOLEDBSQL19;Data Source=[server];Initial Catalog=[database];Authentication=ActiveDirectoryServicePrincipal;User ID=[Application (client) ID];Password=[Application (client) secret];Use Encryption for Data=Mandatory

  • Using DBPROP_INIT_PROVIDERSTRING:

    Server=[server];Database=[database];Authentication=ActiveDirectoryServicePrincipal;UID=[Application (client) ID];PWD=[Application (client) secret];Encrypt=Mandatory

Code samples

The following samples show the code required to connect to Microsoft Entra ID with connection keywords.

Access Token

#include <string>
#include <iostream>
#include <msdasc.h>

int main()
{
    wchar_t azureServer[] = L"server";
    wchar_t azureDatabase[] = L"mydatabase";
    wchar_t accessToken[] = L"eyJ0eXAiOi...";
    IDBInitialize *pIDBInitialize = nullptr;
    IDataInitialize* pIDataInitialize = nullptr;
    HRESULT hr = S_OK;

    CoInitialize(nullptr);

    // Construct the connection string.
    std::wstring connString = L"Provider=MSOLEDBSQL19;Data Source=" + std::wstring(azureServer) + L";Initial Catalog=" + 
                              std::wstring(azureDatabase) + L";Access Token=" + accessToken + L";Use Encryption for Data=Mandatory;";
    hr = CoCreateInstance(CLSID_MSDAINITIALIZE, nullptr, CLSCTX_INPROC_SERVER, 
                          IID_IDataInitialize, reinterpret_cast<LPVOID*>(&pIDataInitialize));
    if (FAILED(hr))
    {
        std::cout << "Failed to create an IDataInitialize instance." << std::endl;
        goto Cleanup;
    }
    hr = pIDataInitialize->GetDataSource(nullptr, CLSCTX_INPROC_SERVER, connString.c_str(), 
                                         IID_IDBInitialize, reinterpret_cast<IUnknown**>(&pIDBInitialize));
    if (FAILED(hr))
    {
        std::cout << "Failed to get data source object." << std::endl;
        goto Cleanup;
    }
    hr = pIDBInitialize->Initialize();
    if (FAILED(hr))
    {
        std::cout << "Failed to establish connection." << std::endl;
        goto Cleanup;
    }

Cleanup:
    if (pIDBInitialize)
    {
        pIDBInitialize->Uninitialize();
        pIDBInitialize->Release();
    }
    if (pIDataInitialize)
    {
        pIDataInitialize->Release();
    }

    CoUninitialize();
}

Active Directory Integrated

#include <string>
#include <iostream>
#include <msdasc.h>

int main()
{
    wchar_t azureServer[] = L"server";
    wchar_t azureDatabase[] = L"mydatabase";
    IDBInitialize *pIDBInitialize = nullptr;
    IDataInitialize* pIDataInitialize = nullptr;
    HRESULT hr = S_OK;

    CoInitialize(nullptr);

    // Construct the connection string.
    std::wstring connString = L"Provider=MSOLEDBSQL19;Data Source=" + std::wstring(azureServer) + L";Initial Catalog=" + 
                              std::wstring(azureDatabase) + L";Authentication=ActiveDirectoryIntegrated;Use Encryption for Data=Mandatory;";

    hr = CoCreateInstance(CLSID_MSDAINITIALIZE, nullptr, CLSCTX_INPROC_SERVER, 
                          IID_IDataInitialize, reinterpret_cast<LPVOID*>(&pIDataInitialize));
    if (FAILED(hr)) 
    {
        std::cout << "Failed to create an IDataInitialize instance." << std::endl;
        goto Cleanup;
    }
    hr = pIDataInitialize->GetDataSource(nullptr, CLSCTX_INPROC_SERVER, connString.c_str(), 
                                         IID_IDBInitialize, reinterpret_cast<IUnknown**>(&pIDBInitialize));
    if (FAILED(hr))
    {
        std::cout << "Failed to get data source object." << std::endl;
        goto Cleanup;
    }
    hr = pIDBInitialize->Initialize();
    if (FAILED(hr))
    {
        std::cout << "Failed to establish connection." << std::endl;
        goto Cleanup;
    }

Cleanup:
    if (pIDBInitialize)
    {
        pIDBInitialize->Uninitialize();
        pIDBInitialize->Release();
    }
    if (pIDataInitialize)
    {
        pIDataInitialize->Release();
    }

    CoUninitialize();
}

Related content

  • Last updated on