Entra ID Connection Strings for Azure SQL Managed Instance

by

Moving away from legacy SQL authentication and adopting Microsoft Entra ID (formerly Azure Active Directory) is one of the best moves you can make to secure your Azure SQL Managed Instance. Using password-less authentication, Managed Identities and robust RBAC policies makes your data significantly safer.

However, getting the connection strings and package dependencies exactly right across different programming languages can be a bit of a headache.

Whether you’re building APIs in .NET, data pipelines in Python, enterprise apps in Java, or backend services in Node.js, this blog post has you covered. Below is your cheat sheet for package dependencies and exact connection string formats across the most popular languages.

Table of Contents

1 .NET (C#, F#, VB.NET)

This applies to .NE Framework, .NET Core, .NET Standard

If you are working in the .NET ecosystem, Microsoft.Data.SqlClient is the modern driver you must use.

Important Note for .NET 7.0+: Microsoft recently decoupled Azure identity libraries from the core SQL client to reduce package bloat. If you are using .NET 7.0 or later, you must install an extra extension package to use Entra ID authentication keywords in your connection strings.

Package Dependencies

  • Core: Microsoft.Data.SqlClient
  • Required for Microsoft.Data.SqlClient 7.0: Microsoft.Data.SqlClient.Extensions.Azure (Install this additional NuGet package)
  • Required for Default Auth: Azure.Identity

.NET Entra ID SQL MI Connection Strings:

Replace the placeholder values with the corresponding values.

Authentication ModeConnection String Example
Active Directory Defaultstring ConnectionString = @”Server=demo.database.windows.net;”
“Authentication=Active Directory Default; Encrypt=True; Database=testdb;”;
System Assigned Managed Identitystring ConnectionString = @”Server=demo.database.windows.net;”
“Authentication=Active Directory Managed Identity; Encrypt=True;”
“Database=testdb”;
User Assigned Managed Identitystring ConnectionString = @”Server=demo.database.windows.net;”
“Authentication=Active Directory Managed Identity; Encrypt=True;”
“User Id=ClientIdOfManagedIdentity; Database=testdb”;
Interactive (MFA Auth)string ConnectionString = @”Server=demo.database.windows.net;”
“Authentication=Active Directory Interactive; Encrypt=True;”
“Database=testdb”;
Service Principalstring ConnectionString = @”Server=demo.database.windows.net;”
“Authentication=Active Directory Service Principal; Encrypt=True;”
“Database=testdb; User Id=AppId; Password=Password”;
Integrated authenticationstring ConnectionString = @”Server=demo.database.windows.net;”
“Authentication=Active Directory Integrated; Encrypt=True; Database=testdb”;
Device Code Flowstring ConnectionString = @”Server=demo.database.windows.net;”
“Authentication=Active Directory Device Code Flow; Encrypt=True;”
“Database=testdb; Connect Timeout=180;”;

I have referred from the official Microsoft Documentation for the connection strings. Read the blogpost Connect to Azure SQL with Microsoft Entra authentication and SqlClient – ADO.NET Provider for SQL Server | Microsoft Learn

2. Java (JDBC Driver)

For Java applications, Microsoft provides native support through the official JDBC driver. However, the driver needs help generating Entra ID tokens, so you must include the Azure Identity libraries.

Package Dependencies (Maven/Gradle)

  1. mssql-jdbc (The core SQL Server JDBC driver)
  2. azure-identity (Handles modern Entra ID flows like Default or Managed Identity)
  3. msal4j (Often required for Interactive or Password-based flows)

Java Entra ID SQL MI Connection Strings

Replace the placeholder values with the corresponding values.

Authentication ModeJava JDBC Connection String Format
Default / Managed Identityjdbc:sqlserver://<server>.database.windows.net:1433;databaseName=<db>;authentication=ActiveDirectoryDefault;encrypt=true;
Service Principaljdbc:sqlserver://<server>.database.windows.net:1433;databaseName=<db>;authentication=ActiveDirectoryServicePrincipal;user=<client_id>;password=<client_secret>;encrypt=true;
Interactive (MFA)jdbc:sqlserver://<server>.database.windows.net:1433;databaseName=<db>;authentication=ActiveDirectoryInteractive;user=<email>;encrypt=true;

3. Python (pyodbc)

Python handles database connections a bit differently. It relies heavily on the underlying C++ ODBC Driver installed on your host OS or Docker container.

Prerequisite: You must install ODBC Driver 17 or 18 for SQL Server on your operating system for these connection strings to work natively.

Package Dependencies

  • System Level: ODBC Driver 18 for SQL Server
  • Python Package: pyodbc

Python SQL MI Entra ID Connection Strings

Authentication ModePython pyodbc Connection String Format
Managed Identity (System)Driver={ODBC Driver 18 for SQL Server};Server=tcp:<server>.database.windows.net,1433;Database=<db>;Authentication=ActiveDirectoryMsi;Encrypt=yes;
Managed Identity (User)Driver={ODBC Driver 18 for SQL Server};Server=tcp:<server>.database.windows.net;Database=<db>;Authentication=ActiveDirectoryMsi;UID=<Managed_Identity_Client_ID>;Encrypt=yes;
Service PrincipalDriver={ODBC Driver 18 for SQL Server};Server=tcp:<server>.database.windows.net;Database=<db>;Authentication=ActiveDirectoryServicePrincipal;UID=<Client_ID>;PWD=<Client_Secret>;Encrypt=yes;
Interactive (MFA)Driver={ODBC Driver 18 for SQL Server};Server=tcp:<server>.database.windows.net;Database=<db>;Authentication=ActiveDirectoryInteractive;UID=<email>;Encrypt=yes;

4. Node.js (mssql / tedious)

In the Node.js world, the most popular package is mssql. Node.js handles Entra ID differently than the other languages: rather than parsing a single long connection string, it strongly prefers using a configuration object.

NodeJS Package Dependencies

  1. mssql
  2. @azure/identity (Strictly required to supply the authentication methods)

NodeJS Entra ID SQL MI Configuration Object Example

Instead of a connection string, you will build a configuration object like this:

Includes, Service Principal, User assigned Managed Identity and Active directory Default.

const sql = require('mssql');

const sqlConfig = {
    server: '<server>.database.windows.net',
    database: '<db>',
    options: {
        encrypt: true, // Required for Azure
        trustServerCertificate: false // Set to true only for local dev
    },
    authentication: {
        // Uses @azure/identity under the hood. Perfect for local dev and Managed Identities in prod.
        type: 'azure-active-directory-default' 
        
        // Alternative: Service Principal
        // type: 'azure-active-directory-service-principal',
        // options: { clientId: '<id>', tenantId: '<id>', clientSecret: '<secret>' }
        
        // Alternative: App Service Managed Identity
        // type: 'azure-active-directory-msi-app-service' 
    }
};

async function connectToDb() {
    try {
        await sql.connect(sqlConfig);
        console.log("Connected using Entra ID!");
    } catch (err) {
        console.error("Database connection failed: ", err);
    }
}

Summary

Migrating to Entra ID authentication might require a brief adjustment period as you update your dependencies and syntax, but the payoff in security is massive.

Best Practice: Whenever possible, use Active Directory Default combined with Managed Identities in Azure. This ensures your code requires absolutely zero hardcoded passwords or secrets, significantly reducing your security risk while streamlining your CI/CD pipelines.

Let me know in the comments section if you find connecting to SQL MI using Entra ID is difficult. For more technical blogposts, visit CloudNerchuko.in

Leave a Comment