Muokkaa

Jaa


How Windows Authentication for Azure SQL Managed Instance is implemented with Microsoft Entra ID and Kerberos

Windows Authentication for Azure SQL Managed Instance principals in Microsoft Entra ID (formerly Azure Active Directory) enables customers to move existing services to the cloud while maintaining a seamless user experience and provides the basis for security infrastructure modernization. To enable Windows Authentication for Microsoft Entra principals, you will turn your Microsoft Entra tenant into an independent Kerberos realm and create an incoming trust in the customer domain.

This configuration allows users in the customer domain to access resources in your Microsoft Entra tenant. It will not allow users in the Microsoft Entra tenant to access resources in the customer domain.

The following diagram gives an overview of how Windows Authentication is implemented for a managed instance using Microsoft Entra ID and Kerberos:

An overview of authentication: a client submits an encrypted Kerberos ticket as part of an authentication request to a managed instance. The managed instance submits the encrypted Kerberos ticket to Microsoft Entra I D, which exchanges it for a Microsoft Entra token that is returned the managed instance. The managed instance uses this token to authenticate the user.

- [Troubleshoot Windows Authentication for Microsoft Entra principals on Azure SQL Managed Instance](winauth-azuread-troubleshoot.md)