Using Microsoft Entra ID
Applies to: 
SQL Server
Azure SQL Database
Azure SQL Managed Instance
Azure Synapse Analytics
Analytics Platform System (PDW)
Purpose
Starting with version 18.2.1, Microsoft OLE DB Driver for SQL Server allows OLE DB applications to connect to Azure SQL Database or Azure SQL Managed Instance using a federated identity. The new Microsoft Entra authentication methods include:
Username and password
Access token
Integrated authentication
Version 18.3.0 adds support for the following Microsoft Entra authentication methods:
Interactive authentication
Managed identity authentication (only from within an Azure Virtual Machine configured with Managed Identity)
Version 18.5.0 adds support for the following authentication method:
- Microsoft Entra service principal authentication
Note
Using the following authentication modes with DataTypeCompatibility (or its corresponding property) set to 80 is not supported:
- Microsoft Entra authentication using username and password
- Microsoft Entra authentication using access token
- Microsoft Entra integrated authentication
- Microsoft Entra interactive authentication
- Microsoft Entra managed identities authentication
- Microsoft Entra service principal authentication
To use Microsoft Entra authentication, you must configure your Azure SQL data source. For more information, see Configure and manage Microsoft Entra authentication with Azure SQL.
Connection string keywords and properties
The following connection string keywords have been introduced to support Microsoft Entra authentication:
| Connection string keyword | Connection property | Description |
|---|---|---|
| Access Token | SSPROP_AUTH_ACCESS_TOKEN | Specifies an access token to authenticate to Microsoft Entra ID. |
| Authentication | SSPROP_AUTH_MODE | Specifies authentication method to use. |
For more information about the new keywords/properties, see the following pages:
- Using Connection String Keywords with OLE DB Driver for SQL Server
- Initialization and Authorization Properties
Encryption and certificate validation
See Encryption and certificate validation for more information.
GUI additions
The driver graphical user interface has been enhanced to allow Microsoft Entra authentication. For more information, see:
Example connection strings
This section shows examples of new and existing connection string keywords to be used with IDataInitialize::GetDataSource and DBPROP_INIT_PROVIDERSTRING property.
SQL authentication
- Using
IDataInitialize::GetDataSource:- New:
Provider=MSOLEDBSQL19;Data Source=[server];Initial Catalog=[database];Authentication=SqlPassword;User ID=[username];Password=[password];Use Encryption for Data=Mandatory
- Deprecated:
Provider=MSOLEDBSQL19;Data Source=[server];Initial Catalog=[database];User ID=[username];Password=[password];Use Encryption for Data=Mandatory
- New:
- Using
DBPROP_INIT_PROVIDERSTRING:- New:
Server=[server];Database=[database];Authentication=SqlPassword;UID=[username];PWD=[password];Encrypt=Mandatory
- Deprecated:
Server=[server];Database=[database];UID=[username];PWD=[password];Encrypt=Mandatory
- New:
Integrated Windows authentication using Security Support Provider Interface (SSPI)
- Using
IDataInitialize::GetDataSource:- New:
Provider=MSOLEDBSQL19;Data Source=[server];Initial Catalog=[database];Authentication=ActiveDirectoryIntegrated;Use Encryption for Data=Mandatory
- Deprecated:
Provider=MSOLEDBSQL19;Data Source=[server];Initial Catalog=[database];Integrated Security=SSPI;Use Encryption for Data=Mandatory
- New:
- Using
DBPROP_INIT_PROVIDERSTRING:- New:
Server=[server];Database=[database];Authentication=ActiveDirectoryIntegrated;Encrypt=Mandatory
- Deprecated:
Server=[server];Database=[database];Trusted_Connection=yes;Encrypt=Mandatory
- New:
Microsoft Entra username and password authentication
- Using
IDataInitialize::GetDataSource:Provider=MSOLEDBSQL19;Data Source=[server];Initial Catalog=[database];Authentication=ActiveDirectoryPassword;User ID=[username];Password=[password];Use Encryption for Data=Mandatory
- Using
DBPROP_INIT_PROVIDERSTRING:Server=[server];Database=[database];Authentication=ActiveDirectoryPassword;UID=[username];PWD=[password];Encrypt=Mandatory
Microsoft Entra integrated authentication
- Using
IDataInitialize::GetDataSource:Provider=MSOLEDBSQL19;Data Source=[server];Initial Catalog=[database];Authentication=ActiveDirectoryIntegrated;Use Encryption for Data=Mandatory
- Using
DBPROP_INIT_PROVIDERSTRING:Server=[server];Database=[database];Authentication=ActiveDirectoryIntegrated;Encrypt=Mandatory
Microsoft Entra authentication using an access token
- Using
IDataInitialize::GetDataSource:Provider=MSOLEDBSQL19;Data Source=[server];Initial Catalog=[database];Access Token=[access token];Use Encryption for Data=Mandatory
- Using
DBPROP_INIT_PROVIDERSTRING:Providing access token through
DBPROP_INIT_PROVIDERSTRINGisn't supported
Microsoft Entra interactive authentication
- Using
IDataInitialize::GetDataSource:Provider=MSOLEDBSQL19;Data Source=[server];Initial Catalog=[database];Authentication=ActiveDirectoryInteractive;User ID=[username];Use Encryption for Data=Mandatory
- Using
DBPROP_INIT_PROVIDERSTRING:Server=[server];Database=[database];Authentication=ActiveDirectoryInteractive;UID=[username];Encrypt=Mandatory
Microsoft Entra managed identity authentication
- Using
IDataInitialize::GetDataSource:- User-assigned managed identity:
Provider=MSOLEDBSQL19;Data Source=[server];Initial Catalog=[database];Authentication=ActiveDirectoryMSI;User ID=[Object ID];Use Encryption for Data=Mandatory
- System-assigned managed identity:
Provider=MSOLEDBSQL19;Data Source=[server];Initial Catalog=[database];Authentication=ActiveDirectoryMSI;Use Encryption for Data=Mandatory
- User-assigned managed identity:
- Using
DBPROP_INIT_PROVIDERSTRING:- User-assigned managed identity:
Server=[server];Database=[database];Authentication=ActiveDirectoryMSI;UID=[Object ID];Encrypt=Mandatory
- System-assigned managed identity:
Server=[server];Database=[database];Authentication=ActiveDirectoryMSI;Encrypt=Mandatory
- User-assigned managed identity:
Microsoft Entra service principal authentication
- Using
IDataInitialize::GetDataSource:Provider=MSOLEDBSQL19;Data Source=[server];Initial Catalog=[database];Authentication=ActiveDirectoryServicePrincipal;User ID=[Application (client) ID];Password=[Application (client) secret];Use Encryption for Data=Mandatory
- Using
DBPROP_INIT_PROVIDERSTRING:Server=[server];Database=[database];Authentication=ActiveDirectoryServicePrincipal;UID=[Application (client) ID];PWD=[Application (client) secret];Encrypt=Mandatory
Code samples
The following samples show the code required to connect to Microsoft Entra ID with connection keywords.
Access Token
#include <string>
#include <iostream>
#include <msdasc.h>
int main()
{
wchar_t azureServer[] = L"server";
wchar_t azureDatabase[] = L"mydatabase";
wchar_t accessToken[] = L"eyJ0eXAiOi...";
IDBInitialize *pIDBInitialize = nullptr;
IDataInitialize* pIDataInitialize = nullptr;
HRESULT hr = S_OK;
CoInitialize(nullptr);
// Construct the connection string.
std::wstring connString = L"Provider=MSOLEDBSQL19;Data Source=" + std::wstring(azureServer) + L";Initial Catalog=" +
std::wstring(azureDatabase) + L";Access Token=" + accessToken + L";Use Encryption for Data=Mandatory;";
hr = CoCreateInstance(CLSID_MSDAINITIALIZE, nullptr, CLSCTX_INPROC_SERVER,
IID_IDataInitialize, reinterpret_cast<LPVOID*>(&pIDataInitialize));
if (FAILED(hr))
{
std::cout << "Failed to create an IDataInitialize instance." << std::endl;
goto Cleanup;
}
hr = pIDataInitialize->GetDataSource(nullptr, CLSCTX_INPROC_SERVER, connString.c_str(),
IID_IDBInitialize, reinterpret_cast<IUnknown**>(&pIDBInitialize));
if (FAILED(hr))
{
std::cout << "Failed to get data source object." << std::endl;
goto Cleanup;
}
hr = pIDBInitialize->Initialize();
if (FAILED(hr))
{
std::cout << "Failed to establish connection." << std::endl;
goto Cleanup;
}
Cleanup:
if (pIDBInitialize)
{
pIDBInitialize->Uninitialize();
pIDBInitialize->Release();
}
if (pIDataInitialize)
{
pIDataInitialize->Release();
}
CoUninitialize();
}
Active Directory Integrated
#include <string>
#include <iostream>
#include <msdasc.h>
int main()
{
wchar_t azureServer[] = L"server";
wchar_t azureDatabase[] = L"mydatabase";
IDBInitialize *pIDBInitialize = nullptr;
IDataInitialize* pIDataInitialize = nullptr;
HRESULT hr = S_OK;
CoInitialize(nullptr);
// Construct the connection string.
std::wstring connString = L"Provider=MSOLEDBSQL19;Data Source=" + std::wstring(azureServer) + L";Initial Catalog=" +
std::wstring(azureDatabase) + L";Authentication=ActiveDirectoryIntegrated;Use Encryption for Data=Mandatory;";
hr = CoCreateInstance(CLSID_MSDAINITIALIZE, nullptr, CLSCTX_INPROC_SERVER,
IID_IDataInitialize, reinterpret_cast<LPVOID*>(&pIDataInitialize));
if (FAILED(hr))
{
std::cout << "Failed to create an IDataInitialize instance." << std::endl;
goto Cleanup;
}
hr = pIDataInitialize->GetDataSource(nullptr, CLSCTX_INPROC_SERVER, connString.c_str(),
IID_IDBInitialize, reinterpret_cast<IUnknown**>(&pIDBInitialize));
if (FAILED(hr))
{
std::cout << "Failed to get data source object." << std::endl;
goto Cleanup;
}
hr = pIDBInitialize->Initialize();
if (FAILED(hr))
{
std::cout << "Failed to establish connection." << std::endl;
goto Cleanup;
}
Cleanup:
if (pIDBInitialize)
{
pIDBInitialize->Uninitialize();
pIDBInitialize->Release();
}
if (pIDataInitialize)
{
pIDataInitialize->Release();
}
CoUninitialize();
}
Next steps
Authorize access to Microsoft Entra web applications using the OAuth 2.0 code grant flow.
Learn about Microsoft Entra authentication to SQL Server.
Configure driver connections using connection string keywords the OLE DB driver supports.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for