From d7e346d44b82f0bbae06a7b7ae88699631e189a1 Mon Sep 17 00:00:00 2001 From: Cheena Malhotra Date: Fri, 13 Mar 2026 09:44:09 -0700 Subject: [PATCH 1/3] Readme and doc updates (incl. Entra ID branding) --- .github/copilot-instructions.md | 2 +- .../instructions/architecture.instructions.md | 4 +- .../documentation.instructions.md | 2 +- .../external-resources.instructions.md | 2 +- .github/instructions/features.instructions.md | 6 +-- .github/instructions/testing.instructions.md | 6 +-- BUILDGUIDE.md | 6 +-- CHANGELOG.md | 2 +- doc/apps/AzureAuthentication/EntryPoint.cs | 2 +- doc/apps/AzureAuthentication/README.md | 8 ++-- .../ActiveDirectoryAuthenticationProvider.xml | 2 +- .../SqlConnection.xml | 2 +- release-notes/7.0/7.0.0-preview4.md | 6 +-- .../Extensions/Azure/1.0/1.0.0-preview1.md | 4 +- .../ActiveDirectoryAuthenticationProvider.xml | 2 +- .../ActiveDirectoryAuthenticationProvider.cs | 16 +++---- .../Azure/src/PackageReadme.md | 6 +-- .../AzureKeyVaultProvider/PackageReadme.md | 6 +-- .../src/PackageReadme.md | 45 +++++++++++++++---- .../SQL/AdapterTest/AdapterTest.cs | 2 +- .../ConnectivityTests/AADConnectionTest.cs | 6 +-- .../SQL/ConnectivityTests/ConnectivityTest.cs | 2 +- .../ConnectionSchemaTest.cs | 2 +- .../SqlConfigurationManagerReliabilityTest.cs | 4 +- .../SqlConnectionReliabilityTest.cs | 8 ++-- .../TDS/TDS.Servers/TdsServerArguments.cs | 4 +- 26 files changed, 93 insertions(+), 64 deletions(-) diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md index 6aa49d196e..272a0c2164 100644 --- a/.github/copilot-instructions.md +++ b/.github/copilot-instructions.md 
@@ -31,7 +31,7 @@ This project includes several key products and libraries that facilitate SQL Ser - **Microsoft.SqlServer.Server**: Supplies APIs for SQL Server-specific features, including user-defined types (UDTs) and SQL Server-specific attributes. ## 🛠️ Key Features -- **Connectivity to SQL Server**: Provides robust and secure connections to SQL Server databases, using various authentication methods, such as Windows Authentication, SQL Server Authentication, and Azure Active Directory authentication, e.g. `ActiveDirectoryIntegrated`, `ActiveDirectoryPassword`, `ActiveDirectoryServicePrincipal`,`ActiveDirectoryInteractive`, `ActiveDirectoryDefault`, and `ActiveDirectoryManagedIdentity`. +- **Connectivity to SQL Server**: Provides robust and secure connections to SQL Server databases, using various authentication methods, such as Windows Authentication, SQL Server Authentication, and Entra ID authentication, e.g. `ActiveDirectoryIntegrated`, `ActiveDirectoryPassword`, `ActiveDirectoryServicePrincipal`,`ActiveDirectoryInteractive`, `ActiveDirectoryDefault`, and `ActiveDirectoryManagedIdentity`. - **Connection Resiliency**: Implements connection resiliency features to handle transient faults and network issues, ensuring reliable database connectivity. - **TLS Encryption**: Supports secure connections using TLS protocols to encrypt data in transit. Supports TLS 1.2 and higher, ensuring secure communication with SQL Server. Supported encryption modes are: - **Optional**: Encryption is used if available, but not required. diff --git a/.github/instructions/architecture.instructions.md b/.github/instructions/architecture.instructions.md index 48a7775ede..3314babb7c 100644 --- a/.github/instructions/architecture.instructions.md +++ b/.github/instructions/architecture.instructions.md 
@@ -133,7 +133,7 @@ Entry point for database connectivity. Manages: - Connection string parsing (via `SqlConnectionStringBuilder`) - Connection pooling integration - Transaction enlistment (local and distributed) -- Authentication (SQL, Windows, Azure AD) +- Authentication (SQL, Windows, Entra ID) ### SqlCommand Executes SQL statements and stored procedures: @@ -159,7 +159,7 @@ Located in `ConnectionPool/`: Located in `SSPI/` and authentication-related files: - Windows Authentication (SSPI/Kerberos) - SQL Server Authentication -- Azure Active Directory authentication modes +- Entra ID authentication modes ### Always Encrypted Column-level encryption implementation: diff --git a/.github/instructions/documentation.instructions.md b/.github/instructions/documentation.instructions.md index d9367cec2e..57f547ee6d 100644 --- a/.github/instructions/documentation.instructions.md +++ b/.github/instructions/documentation.instructions.md @@ -91,7 +91,7 @@ Working with SQL data types: ### Security Samples Authentication and encryption: -- Azure AD authentication +- Entra ID authentication - Always Encrypted - Azure Key Vault integration - SSL/TLS configuration diff --git a/.github/instructions/external-resources.instructions.md b/.github/instructions/external-resources.instructions.md index a4e82a8119..feed8123d0 100644 --- a/.github/instructions/external-resources.instructions.md +++ b/.github/instructions/external-resources.instructions.md 
@@ -17,7 +17,7 @@ When working with Microsoft.Data.SqlClient, reference official documentation for | **Connection Pooling** | https://learn.microsoft.com/sql/connect/ado-net/sql-server-connection-pooling | | **Data Types** | https://learn.microsoft.com/sql/connect/ado-net/sql/sql-server-data-types | | **Always Encrypted** | https://learn.microsoft.com/sql/relational-databases/security/encryption/always-encrypted-database-engine | -| **Azure AD Auth** | https://learn.microsoft.com/sql/connect/ado-net/sql/azure-active-directory-authentication | +| **Entra ID Auth** | https://learn.microsoft.com/sql/connect/ado-net/sql/azure-active-directory-authentication | ### MS-TDS Protocol diff --git a/.github/instructions/features.instructions.md b/.github/instructions/features.instructions.md index 64b1cd273a..3ecba2cc4e 100644 --- a/.github/instructions/features.instructions.md +++ b/.github/instructions/features.instructions.md @@ -24,13 +24,13 @@ This is a comprehensive reference of supported connection string keywords. | `Integrated Security` | True/False, SSPI | Windows Authentication | | `User ID` | | SQL Server username | | `Password` | PWD | SQL Server password | -| `Authentication` | See below | Azure AD authentication mode | +| `Authentication` | See below | Entra ID authentication mode | | `Attestation Protocol` | None, HGS, AAS | Enclave attestation | #### Authentication Modes - `SqlPassword` - SQL Server authentication -- `ActiveDirectoryPassword` - Azure AD with password -- `ActiveDirectoryIntegrated` - Azure AD integrated +- `ActiveDirectoryPassword` - Entra ID with password +- `ActiveDirectoryIntegrated` - Entra ID integrated - `ActiveDirectoryInteractive` - Interactive browser auth - `ActiveDirectoryServicePrincipal` - Service principal - `ActiveDirectoryManagedIdentity` - Managed identity diff --git a/.github/instructions/testing.instructions.md b/.github/instructions/testing.instructions.md index 25fac3c734..4f651a7104 100644 
--- a/.github/instructions/testing.instructions.md +++ b/.github/instructions/testing.instructions.md @@ -34,7 +34,7 @@ src/Microsoft.Data.SqlClient/tests/ - Full integration tests with SQL Server - Require `config.json` setup - Test real database operations -- Include Always Encrypted, Azure AD tests +- Include Always Encrypted, Entra ID tests ## Test Configuration @@ -58,7 +58,7 @@ Copy `config.default.json` to `config.json` and configure: |----------|-------------| | `TCPConnectionString` | Primary TCP connection | | `NPConnectionString` | Named Pipes connection | -| `AADPasswordConnectionString` | Azure AD password auth | +| `AADPasswordConnectionString` | Entra ID password auth | | `AzureKeyVaultURL` | AKV for encryption tests | | `EnclaveEnabled` | Enable enclave tests | | `FileStreamDirectory` | FileStream test path | @@ -310,7 +310,7 @@ Common test helper class: ```csharp DataTestUtility.TCPConnectionString // Get TCP connection DataTestUtility.AreConnStringsSetup // Check if config exists -DataTestUtility.IsAADPasswordConnStrSetup // Check AAD config +DataTestUtility.IsAADPasswordConnStrSetup // Check Entra ID config ``` ### AssertExtensions diff --git a/BUILDGUIDE.md b/BUILDGUIDE.md index 829383d914..8f13730f68 100644 --- a/BUILDGUIDE.md +++ b/BUILDGUIDE.md 
@@ -40,12 +40,12 @@ Manual Tests require the below setup to run: |TCPConnectionStringAASSGX | (Optional) Connection String for a TCP enabled SQL Server with a SGX Enclave and using Microsoft Azure Attestation (AAS) attestation protocol configuration. | `Server=tcp:{servername}; Database={Database_Name}; UID={UID}; PWD={PWD}; Attestation Protocol = AAS; Enclave Attestation Url = {AttestationURL};`| |EnclaveEnabled | Enables tests requiring an enclave-configured server.| |TracingEnabled | Enables EventSource related tests | - |AADAuthorityURL | (Optional) Identifies the OAuth2 authority resource for `Server` specified in `AADPasswordConnectionString` | `https://login.windows.net/`, where `` is the tenant ID of the Azure Active Directory (Azure AD) tenant | - |AADPasswordConnectionString | (Optional) Connection String for testing Azure Active Directory Password Authentication. | `Data Source={server.database.windows.net}; Initial Catalog={Azure_DB_Name};Authentication=Active Directory Password; User ID={AAD_User}; Password={AAD_User_Password};`| + |AADAuthorityURL | (Optional) Identifies the OAuth2 authority resource for `Server` specified in `AADPasswordConnectionString` | `https://login.windows.net/`, where `` is the tenant ID of the Entra ID (Azure AD) tenant | + |AADPasswordConnectionString | (Optional) Connection String for testing Entra ID Password Authentication. | `Data Source={server.database.windows.net}; Initial Catalog={Azure_DB_Name};Authentication=Active Directory Password; User ID={AAD_User}; Password={AAD_User_Password};`| |AADSecurePrincipalId | (Optional) The Application Id of a registered application which has been granted permission to the database defined in the AADPasswordConnectionString. | {Application ID} | |AADSecurePrincipalSecret | (Optional) A Secret defined for a registered application which has been granted permission to the database defined in the AADPasswordConnectionString. 
| {Secret} | |AzureKeyVaultURL | (Optional) Azure Key Vault Identifier URL | `https://{keyvaultname}.vault.azure.net/` | - |AzureKeyVaultTenantId | (Optional) The Azure Active Directory tenant (directory) Id of the service principal. | _{Tenant ID of Active Directory}_ | + |AzureKeyVaultTenantId | (Optional) The Entra ID tenant (directory) Id of the service principal. | _{Tenant ID of Active Directory}_ | |SupportsIntegratedSecurity | (Optional) Whether or not the USER running tests has integrated security access to the target SQL Server.| `true` OR `false`| |LocalDbAppName | (Optional) If Local Db Testing is supported, this property configures the name of Local DB App instance available in client environment. Empty string value disables Local Db testing. | Name of Local Db App to connect to.| |LocalDbSharedInstanceName | (Optional) If LocalDB testing is supported and the instance is shared, this property configures the name of the shared instance of LocalDB to connect to. | Name of shared instance of LocalDB. | diff --git a/CHANGELOG.md b/CHANGELOG.md index a78bb55eb2..ebe0cac4f7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -19,7 +19,7 @@ Also released as part of this milestone: ### Changed -- **Breaking:** Removed Azure dependencies from the core package. Azure AD / Entra authentication (`ActiveDirectoryAuthenticationProvider` and related types) has been extracted into a new `Microsoft.Data.SqlClient.Extensions.Azure` package. The core `Microsoft.Data.SqlClient` package no longer depends on `Azure.Core`, `Azure.Identity`, or their transitive dependencies. Applications using Azure AD authentication must now install `Microsoft.Data.SqlClient.Extensions.Azure` separately. +- **Breaking:** Removed Azure dependencies from the core package. Azure AD / Entra authentication (`ActiveDirectoryAuthenticationProvider` and related types) has been extracted into a new `Microsoft.Data.SqlClient.Extensions.Azure` package. The core `Microsoft.Data.SqlClient` package no longer depends on `Azure.Core`, `Azure.Identity`, or their transitive dependencies. Applications using Entra ID authentication must now install `Microsoft.Data.SqlClient.Extensions.Azure` separately. ([#1108](https://github.com/dotnet/SqlClient/issues/1108), [#3680](https://github.com/dotnet/SqlClient/pull/3680), [#3902](https://github.com/dotnet/SqlClient/pull/3902), diff --git a/doc/apps/AzureAuthentication/EntryPoint.cs b/doc/apps/AzureAuthentication/EntryPoint.cs index 847224e289..20885ae1af 100644 --- a/doc/apps/AzureAuthentication/EntryPoint.cs +++ b/doc/apps/AzureAuthentication/EntryPoint.cs @@ -19,7 +19,7 @@ public static int Main(string[] args) { Description = "The ADO.NET connection string used to connect to SQL Server. " + - "Supports SQL, Azure AD, and integrated authentication modes.", + "Supports SQL, Entra ID, and integrated authentication modes.", Required = true }; diff --git a/doc/apps/AzureAuthentication/README.md b/doc/apps/AzureAuthentication/README.md index 20a3c628ba..91327c7528 100644 --- a/doc/apps/AzureAuthentication/README.md +++ b/doc/apps/AzureAuthentication/README.md 
@@ -77,7 +77,7 @@ Usage: Options: -c, --connection-string (REQUIRED) The ADO.NET connection string used to connect to SQL Server. - Supports SQL, Azure AD, and integrated authentication modes. + Supports SQL, Entra ID, and integrated authentication modes. -l, --log-events Enable SqlClient event emission to the console. -t, --trace Pauses execution to allow dotnet-trace to be attached. -v, --verbose Enable verbose output with detailed error information. @@ -91,7 +91,7 @@ The app expects a single argument: a full connection string. dotnet run -- -c "" ``` -For Azure AD authentication, use an `Authentication` keyword in the connection string. For example: +For Entra ID authentication, use an `Authentication` keyword in the connection string. For example: ```bash dotnet run -- -c "Server=myserver.database.windows.net;Database=mydb;Authentication=ActiveDirectoryDefault" @@ -134,7 +134,7 @@ Run with the default (published) package versions, and no `Azure` package: dotnet run -- -c "" ``` -If the connection string specifies one of the Azure Active Directory authentication methods, +If the connection string specifies one of the Entra ID authentication methods, `SqlClient` will fail with an error indicating that no authentication provider has been registered. This is because the `Azure` package was not referenced, and the app did not provide its own custom authentication provider. @@ -160,6 +160,6 @@ dotnet run -p:SqlClientVersion=7.0.0-preview1 -p:AkvProviderVersion=7.0.0-previe ## Prerequisites - [.NET 10.0 SDK](https://dotnet.microsoft.com/download) and .NET Framework 4.8.1 or later. -- A SQL Server or Azure SQL instance accessible with Azure AD credentials. +- A SQL Server or Azure SQL instance accessible with Entra ID credentials. - Azure credentials available to `DefaultAzureCredential` (e.g. Azure CLI login, environment variables, or managed identity). 
diff --git a/doc/snippets/Microsoft.Data.SqlClient/ActiveDirectoryAuthenticationProvider.xml b/doc/snippets/Microsoft.Data.SqlClient/ActiveDirectoryAuthenticationProvider.xml index a940011eb3..36f10a6aab 100644 --- a/doc/snippets/Microsoft.Data.SqlClient/ActiveDirectoryAuthenticationProvider.xml +++ b/doc/snippets/Microsoft.Data.SqlClient/ActiveDirectoryAuthenticationProvider.xml @@ -143,7 +143,7 @@ The callback method to be called by MSAL.NET to delegate the Web user interface with the Secure Token Service (STS). - Sets a callback method which is invoked with a custom Web UI instance that will let the user sign-in with Azure Active Directory, present consent if needed, and get back the authorization code. Applicable when working with Active Directory Interactive authentication. + Sets a callback method which is invoked with a custom Web UI instance that will let the user sign-in with Entra ID, present consent if needed, and get back the authorization code. Applicable when working with Active Directory Interactive authentication. The "authorizationUri" is crafted to leverage PKCE in order to protect the token from a man in the middle attack. Only MSAL.NET can redeem the code. In the event of cancellation, the implementer should return . diff --git a/doc/snippets/Microsoft.Data.SqlClient/SqlConnection.xml b/doc/snippets/Microsoft.Data.SqlClient/SqlConnection.xml index 1f103cba7f..f0eddd56fa 100644 --- a/doc/snippets/Microsoft.Data.SqlClient/SqlConnection.xml +++ b/doc/snippets/Microsoft.Data.SqlClient/SqlConnection.xml @@ -975,7 +975,7 @@ The following table lists the valid names for keyword values within the
An application name can be 128 characters or less.| |AttachDBFilename

-or-

Extended Properties

-or-

Initial File Name|N/A|The name of the primary database file, including the full path name of an attachable database. AttachDBFilename is only supported for primary data files with an .mdf extension.

If the value of the AttachDBFileName key is specified in the connection string, the database is attached and becomes the default database for the connection.

If this key is not specified and if the database was previously attached, the database will not be reattached. The previously attached database will be used as the default database for the connection.

If this key is specified together with the AttachDBFileName key, the value of this key will be used as the alias. However, if the name is already used in another attached database, the connection will fail.

The path may be absolute or relative by using the DataDirectory substitution string. If DataDirectory is used, the database file must exist within a subdirectory of the directory pointed to by the substitution string. **Note:** Remote server, HTTP, and UNC path names are not supported.

The database name must be specified with the keyword 'database' (or one of its aliases) as in the following:

"AttachDbFileName=|DataDirectory|\data\YourDB.mdf;integrated security=true;database=YourDatabase"

An error will be generated if a log file exists in the same directory as the data file and the 'database' keyword is used when attaching the primary data file. In this case, remove the log file. Once the database is attached, a new log file will be automatically generated based on the physical path.| |Attestation Protocol|NotSpecified|Gets or sets the value of Attestation Protocol.

When no value is specified, secure enclaves are disabled on the connection.

Valid values are:
`AAS`
`HGS`
`None` (Only valid in v3.1 and v4.1+))| -|Authentication|N/A|The authentication method used for [Connecting to SQL Database By Using Azure Active Directory Authentication](https://azure.microsoft.com/documentation/articles/sql-database-aad-authentication/#7-connect-to-your-database-by-using-azure-active-directory-identities).

Valid values are:

`Active Directory Integrated`, `Active Directory Interactive`, `Active Directory Password`, `Active Directory Service Principal`, `Active Directory Device Code Flow`, `Active Directory Managed Identity`, `Active Directory MSI`, `Active Directory Default`, `Sql Password`.

For additional information see [Using Azure Active Directory authentication with SqlClient](https://docs.microsoft.com/sql/connect/ado-net/sql/azure-active-directory-authentication?view=sql-server-ver15).| +|Authentication|N/A|The authentication method used for [Connecting to SQL Database By Using Entra ID Authentication](https://azure.microsoft.com/documentation/articles/sql-database-aad-authentication/#7-connect-to-your-database-by-using-azure-active-directory-identities).

Valid values are:

`Active Directory Integrated`, `Active Directory Interactive`, `Active Directory Password`, `Active Directory Service Principal`, `Active Directory Device Code Flow`, `Active Directory Managed Identity`, `Active Directory MSI`, `Active Directory Default`, `Sql Password`.

For additional information see [Using Entra ID authentication with SqlClient](https://docs.microsoft.com/sql/connect/ado-net/sql/azure-active-directory-authentication?view=sql-server-ver15).| |Column Encryption Setting|disabled|Enables or disables [Always Encrypted](https://learn.microsoft.com/sql/relational-databases/security/encryption/always-encrypted-database-engine) functionality for the connection. Supported values are: `enabled` and `disabled`| |Command Timeout|30|The default wait time (in seconds) before terminating the attempt to execute a command and generating an error.

Valid values are greater than or equal to 0 and less than or equal to 2147483647.| |Connect Retry Count

-or-

ConnectRetryCount|1|Controls the number of reconnection attempts after the client identifies an idle connection failure. Valid values are 0 to 255. 0 means do not attempt to reconnect (disable connection resiliency).

Note: Since version 5.x the default value for non Azure endpoints is 1. For Azure SQL endpoints, the default is 2. For Azure SQL serverless or on demand endpoints, the default is 5 to improve connection success for connections to an idle or paused instance.

For additional information about idle connection resiliency, see [.NET SqlConnection parameters for connection retry](https://learn.microsoft.com/azure/azure-sql/database/troubleshoot-common-connectivity-issues?view=azuresql#net-sqlconnection-parameters-for-connection-retry) and [Technical Article - Idle Connection Resiliency](https://go.microsoft.com/fwlink/?LinkId=393996).| diff --git a/release-notes/7.0/7.0.0-preview4.md b/release-notes/7.0/7.0.0-preview4.md index 62d1d39157..5ff1d92390 100644 --- a/release-notes/7.0/7.0.0-preview4.md +++ b/release-notes/7.0/7.0.0-preview4.md 
@@ -26,12 +26,12 @@ *Who Benefits:* - All users benefit from a significantly lighter core package. Previously, the Azure dependency chain pulled in numerous assemblies (including `Azure.Core`, `Azure.Identity`, `Microsoft.Identity.Client`, and `Microsoft.Web.WebView2`) even for applications that only needed basic SQL Server connectivity. This was the most upvoted open issue in the repository ([#1108](https://github.com/dotnet/SqlClient/issues/1108)). -- Users who do not use Azure AD authentication no longer carry Azure-related assemblies in their build output, reducing deployment size and eliminating confusion about unexpected dependencies. -- Users who do use Azure AD authentication can now manage Azure dependency versions independently from the core driver. +- Users who do not use Entra ID authentication no longer carry Azure-related assemblies in their build output, reducing deployment size and eliminating confusion about unexpected dependencies. +- Users who do use Entra ID authentication can now manage Azure dependency versions independently from the core driver. *Impact:* -- Applications using Azure AD authentication (e.g., `ActiveDirectoryPassword`, `ActiveDirectoryInteractive`, `ActiveDirectoryDefault`, etc.) must now install the `Microsoft.Data.SqlClient.Extensions.Azure` NuGet package separately. No code changes are required beyond adding the package reference. +- Applications using Entra ID authentication (e.g., `ActiveDirectoryPassword`, `ActiveDirectoryInteractive`, `ActiveDirectoryDefault`, etc.) must now install the `Microsoft.Data.SqlClient.Extensions.Azure` NuGet package separately. No code changes are required beyond adding the package reference. ### Added diff --git a/release-notes/Extensions/Azure/1.0/1.0.0-preview1.md b/release-notes/Extensions/Azure/1.0/1.0.0-preview1.md index 4876263b8b..c091bfbe78 100644 --- a/release-notes/Extensions/Azure/1.0/1.0.0-preview1.md +++ b/release-notes/Extensions/Azure/1.0/1.0.0-preview1.md 
@@ -15,12 +15,12 @@ *Who Benefits:* -- Users who need Azure AD authentication (e.g., `ActiveDirectoryPassword`, `ActiveDirectoryInteractive`, `ActiveDirectoryDefault`, `ActiveDirectoryManagedIdentity`, `ActiveDirectoryServicePrincipal`) with `Microsoft.Data.SqlClient` 7.0+. +- Users who need Entra ID authentication (e.g., `ActiveDirectoryPassword`, `ActiveDirectoryInteractive`, `ActiveDirectoryDefault`, `ActiveDirectoryManagedIdentity`, `ActiveDirectoryServicePrincipal`) with `Microsoft.Data.SqlClient` 7.0+. - Users who want to manage the `Azure.Identity` and `Azure.Core` dependency versions independently from the core driver. *Impact:* -- Applications using Azure AD authentication with `Microsoft.Data.SqlClient` 7.0+ must install this package. No code changes are required beyond adding the NuGet package reference. +- Applications using Entra ID authentication with `Microsoft.Data.SqlClient` 7.0+ must install this package. No code changes are required beyond adding the NuGet package reference. ## Target Platform Support diff --git a/src/Microsoft.Data.SqlClient.Extensions/Azure/doc/ActiveDirectoryAuthenticationProvider.xml b/src/Microsoft.Data.SqlClient.Extensions/Azure/doc/ActiveDirectoryAuthenticationProvider.xml index c680d0dd8b..84b6343497 100644 --- a/src/Microsoft.Data.SqlClient.Extensions/Azure/doc/ActiveDirectoryAuthenticationProvider.xml +++ b/src/Microsoft.Data.SqlClient.Extensions/Azure/doc/ActiveDirectoryAuthenticationProvider.xml 
@@ -148,7 +148,7 @@ See the LICENSE file in the project root for more information. The callback method to be called by MSAL.NET to delegate the Web user interface with the Secure Token Service (STS). - Sets a callback method which is invoked with a custom Web UI instance that will let the user sign-in with Azure Active Directory, present consent if needed, and get back the authorization code. Applicable when working with Active Directory Interactive authentication. + Sets a callback method which is invoked with a custom Web UI instance that will let the user sign-in with Entra ID, present consent if needed, and get back the authorization code. Applicable when working with Active Directory Interactive authentication. The "authorizationUri" is crafted to leverage PKCE in order to protect the token from a man in the middle attack. Only MSAL.NET can redeem the code. In the event of cancellation, the implementer should return . diff --git a/src/Microsoft.Data.SqlClient.Extensions/Azure/src/ActiveDirectoryAuthenticationProvider.cs b/src/Microsoft.Data.SqlClient.Extensions/Azure/src/ActiveDirectoryAuthenticationProvider.cs index 080bb74c69..2e1ec76e04 100644 --- a/src/Microsoft.Data.SqlClient.Extensions/Azure/src/ActiveDirectoryAuthenticationProvider.cs +++ b/src/Microsoft.Data.SqlClient.Extensions/Azure/src/ActiveDirectoryAuthenticationProvider.cs 
@@ -145,14 +145,14 @@ public override async Task AcquireTokenAsync(SqlAuthenti // We split audience from Authority URL here. Audience can be one of // the following: // - // - The Azure AD authority audience enumeration + // - The Entra ID authority audience enumeration // - The tenant ID, which can be: - // - A GUID (the ID of your Azure AD instance), for + // - A GUID (the ID of your Entra ID instance), for // single-tenant applications - // - A domain name associated with your Azure AD instance (also + // - A domain name associated with your Entra ID instance (also // for single-tenant applications) // - One of these placeholders as a tenant ID in place of the - // Azure AD authority audience enumeration: + // Entra ID authority audience enumeration: // - `organizations` for a multitenant application // - `consumers` to sign in users only with their personal // accounts @@ -160,9 +160,9 @@ public override async Task AcquireTokenAsync(SqlAuthenti // accounts or their personal Microsoft accounts // // MSAL will throw a meaningful exception if you specify both the - // Azure AD authority audience and the tenant ID. + // Entra ID authority audience and the tenant ID. // - // If you don't specify an audience, your app will target Azure AD + // If you don't specify an audience, your app will target Entra ID // and personal Microsoft accounts as an audience. (That is, it // will behave as though `common` were specified.) // 
@@ -708,7 +708,7 @@ private IPublicClientApplication CreateClientAppInstance(PublicClientAppKey publ ClientVersion = Extensions.Azure.ThisAssembly.InformationalVersion, RedirectUri = publicClientAppKey.RedirectUri, }) - // The Authority contains the tenant-specific Azure AD endpoint, e.g. + // The Authority contains the tenant-specific Entra ID endpoint, e.g. // "https://login.microsoftonline.com/72f988bf-...". The tenant ID is not determined by // the client; it originates from the SQL Server FEDAUTHINFO TDS token that the server // sends during the login handshake. The flow is: @@ -719,7 +719,7 @@ private IPublicClientApplication CreateClientAppInstance(PublicClientAppKey publ // constructing SqlAuthenticationParametersBuilder. // 3. AcquireTokenAsync stores the full authority (including tenant) in // PublicClientAppKey.Authority. - // 4. Here, WithAuthority directs MSAL to authenticate against the correct Azure AD + // 4. Here, WithAuthority directs MSAL to authenticate against the correct Entra ID // tenant. .WithAuthority(publicClientAppKey.Authority); diff --git a/src/Microsoft.Data.SqlClient.Extensions/Azure/src/PackageReadme.md b/src/Microsoft.Data.SqlClient.Extensions/Azure/src/PackageReadme.md index c3fdad2018..0c7d6c51ca 100644 --- a/src/Microsoft.Data.SqlClient.Extensions/Azure/src/PackageReadme.md +++ b/src/Microsoft.Data.SqlClient.Extensions/Azure/src/PackageReadme.md @@ -9,7 +9,7 @@ This package provides **Azure integration extensions** for [Microsoft.Data.SqlCl ## Key Features -- **Azure AD Authentication**: Simplified Azure Active Directory token-based authentication +- **Entra ID Authentication**: Simplified Entra ID token-based authentication - **Managed Identity Support**: Connect to Azure SQL using Azure Managed Identities - **Token Caching**: Automatic caching of authentication tokens for improved performance - **Azure.Identity Integration**: Leverage the full power of Azure.Identity credential providers 
@@ -129,7 +129,7 @@ await connection.OpenAsync(); ## Documentation -- [Azure SQL Database Azure AD Authentication](https://learn.microsoft.com/azure/azure-sql/database/authentication-aad-overview) +- [Entra ID Authentication](https://learn.microsoft.com/azure/azure-sql/database/authentication-aad-overview) - [Azure.Identity Documentation](https://learn.microsoft.com/dotnet/api/overview/azure/identity-readme) - [Microsoft.Data.SqlClient Documentation](https://learn.microsoft.com/sql/connect/ado-net/introduction-microsoft-data-sqlclient-namespace) - [Managed Identities Overview](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview) @@ -143,4 +143,4 @@ This package is licensed under the [MIT License](https://licenses.nuget.org/MIT) - [Microsoft.Data.SqlClient](https://www.nuget.org/packages/Microsoft.Data.SqlClient) - The main SqlClient driver - [Microsoft.Data.SqlClient.Extensions.Abstractions](https://www.nuget.org/packages/Microsoft.Data.SqlClient.Extensions.Abstractions) - Core abstractions - [Microsoft.Data.SqlClient.Extensions.Logging](https://www.nuget.org/packages/Microsoft.Data.SqlClient.Extensions.Logging) - Logging extensions -- [Azure.Identity](https://www.nuget.org/packages/Azure.Identity) - Azure AD authentication library +- [Azure.Identity](https://www.nuget.org/packages/Azure.Identity) - Entra ID authentication library diff --git a/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/PackageReadme.md b/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/PackageReadme.md index fe6989b025..ae3ff21943 100644 --- a/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/PackageReadme.md +++ b/src/Microsoft.Data.SqlClient/add-ons/AzureKeyVaultProvider/PackageReadme.md 
@@ -7,7 +7,7 @@ This library provides an **Always Encrypted Azure Key Vault Provider** for [Microsoft.Data.SqlClient](https://www.nuget.org/packages/Microsoft.Data.SqlClient). It enables .NET applications to use [Microsoft Azure Key Vault](https://azure.microsoft.com/services/key-vault/) with [Always Encrypted](https://aka.ms/AlwaysEncrypted) in Microsoft Azure SQL Database and Microsoft SQL Server. -Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to SQL Server. This provider enables storing column master keys (CMKs) in Azure Key Vault, providing centralized key management, secure key storage, and integration with Azure AD authentication. +Always Encrypted allows clients to encrypt sensitive data inside client applications and never reveal the encryption keys to SQL Server. This provider enables storing column master keys (CMKs) in Azure Key Vault, providing centralized key management, secure key storage, and integration with Entra ID authentication. ## Supportability @@ -72,7 +72,7 @@ var ssn = await command.ExecuteScalarAsync(); ## Key Features - **Azure Key Vault Integration**: Store and manage column master keys (CMKs) in Azure Key Vault -- **Azure AD Authentication**: Supports Azure.Identity credentials for seamless Azure AD authentication +- **Entra ID Authentication**: Supports Azure.Identity credentials for seamless Entra ID authentication - **Key Caching**: Built-in caching of column encryption keys (CEKs) for improved performance - **Multiple Authentication Methods**: Supports DefaultAzureCredential, ClientSecretCredential, ManagedIdentityCredential, and more 
@@ -94,5 +94,5 @@ This package is licensed under the [MIT License](https://licenses.nuget.org/MIT) ## Related Packages - [Microsoft.Data.SqlClient](https://www.nuget.org/packages/Microsoft.Data.SqlClient) - The main SqlClient driver -- [Azure.Identity](https://www.nuget.org/packages/Azure.Identity) - Azure AD authentication library +- [Azure.Identity](https://www.nuget.org/packages/Azure.Identity) - Entra ID authentication library - [Azure.Security.KeyVault.Keys](https://www.nuget.org/packages/Azure.Security.KeyVault.Keys) - Azure Key Vault Keys client library diff --git a/src/Microsoft.Data.SqlClient/src/PackageReadme.md b/src/Microsoft.Data.SqlClient/src/PackageReadme.md index bd0674ea06..6869cb1be7 100644 --- a/src/Microsoft.Data.SqlClient/src/PackageReadme.md +++ b/src/Microsoft.Data.SqlClient/src/PackageReadme.md 
@@ -45,6 +45,31 @@ await connection.OpenAsync(); Console.WriteLine("Connected successfully!"); ``` +### Connecting to Azure + +Starting with v7.0, to use Entra ID authentication modes (such as `Active Directory Default`, `Active Directory Managed Identity`, `Active Directory Interactive`, etc.) via connection string keywords, install the [Microsoft.Data.SqlClient.Extensions.Azure](https://www.nuget.org/packages/Microsoft.Data.SqlClient.Extensions.Azure) extension package via NuGet: + +```bash +dotnet add package Microsoft.Data.SqlClient.Extensions.Azure +``` +Or via the Package Manager Console: + +```powershell +Install-Package Microsoft.Data.SqlClient.Extensions.Azure +``` + +This package provides the `ActiveDirectoryAuthenticationProvider`, which integrates with [Azure.Identity](https://www.nuget.org/packages/Azure.Identity) to handle token acquisition, caching, and credential management. + +With this package reference, you can continue to use Entra ID authentication modes directly in your connection string: + +```csharp +// Active Directory Default — uses DefaultAzureCredential (Managed Identity, Azure CLI, Visual Studio, etc.) +var connectionString = "Server=myserver.database.windows.net;Database=mydb;Authentication=Active Directory Default;"; + +using var connection = new SqlConnection(connectionString); +await connection.OpenAsync(); +``` + ### Execute a Query ```csharp @@ -112,7 +137,7 @@ catch | Feature | Description | |---------|-------------| | **Cross-Platform** | Runs on Windows, Linux, and macOS | -| **Azure AD Authentication** | Multiple Azure Active Directory authentication modes | +| **Entra ID Authentication** | Multiple Entra ID authentication modes | | **Always Encrypted** | Client-side encryption for sensitive data | | **Connection Pooling** | Efficient connection management | | **TLS 1.3 Support** | Enhanced security with strict encryption mode | 
@@ -142,12 +167,15 @@ Microsoft.Data.SqlClient.SqlConnectionStringBuilder |--------|-------------------| | SQL Server Authentication | `User ID=user;Password=pass;` | | Windows Authentication | `Integrated Security=true;` | -| Azure AD Password | `Authentication=Active Directory Password;User ID=user;Password=pass;` | -| Azure AD Integrated | `Authentication=Active Directory Integrated;` | -| Azure AD Interactive | `Authentication=Active Directory Interactive;` | -| Azure AD Managed Identity | `Authentication=Active Directory Managed Identity;` | -| Azure AD Service Principal | `Authentication=Active Directory Service Principal;User ID=clientId;Password=clientSecret;` | -| Azure AD Default | `Authentication=Active Directory Default;` | +| Entra ID Password (deprecated) | `Authentication=Active Directory Password;User ID=user;Password=pass;` | +| Entra ID Integrated | `Authentication=Active Directory Integrated;` | +| Entra ID Interactive | `Authentication=Active Directory Interactive;` | +| Entra ID Managed Identity | `Authentication=Active Directory Managed Identity;` | +| Entra ID Service Principal | `Authentication=Active Directory Service Principal;User ID=clientId;Password=clientSecret;` | +| Entra ID Default | `Authentication=Active Directory Default;` | +| Entra ID Workload Identity | `Authentication=Active Directory Workload Identity` | + +> **Note:** To use Entra ID authentication modes (such as `Active Directory Default`, `Active Directory Managed Identity`, `Active Directory Interactive`, etc.) via connection string keywords, install the [Microsoft.Data.SqlClient.Extensions.Azure](https://www.nuget.org/packages/Microsoft.Data.SqlClient.Extensions.Azure) extension package. ## Encryption Modes 
@@ -170,7 +198,7 @@ Two implementations are available: - [Connection String Syntax](https://learn.microsoft.com/sql/connect/ado-net/connection-string-syntax) - [Connection Pooling](https://learn.microsoft.com/sql/connect/ado-net/sql-server-connection-pooling) - [Always Encrypted](https://learn.microsoft.com/sql/relational-databases/security/encryption/always-encrypted-database-engine) -- [Azure AD Authentication](https://learn.microsoft.com/sql/connect/ado-net/sql/azure-active-directory-authentication) +- [Entra ID Authentication](https://learn.microsoft.com/sql/connect/ado-net/sql/azure-active-directory-authentication) ## Release Notes @@ -191,6 +219,7 @@ This package is licensed under the [MIT License](https://licenses.nuget.org/MIT) ## Related Packages +- [Microsoft.Data.SqlClient.Extensions.Azure](https://www.nuget.org/packages/Microsoft.Data.SqlClient.Extensions.Azure) - Entra ID authentication provider with Azure.Identity integration - [Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider](https://www.nuget.org/packages/Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider) - Azure Key Vault integration for Always Encrypted - [Microsoft.SqlServer.Server](https://www.nuget.org/packages/Microsoft.SqlServer.Server) - SQL CLR UDT support - [Microsoft.Data.SqlClient.SNI](https://www.nuget.org/packages/Microsoft.Data.SqlClient.SNI) - Native SNI for .NET Framework diff --git a/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/AdapterTest/AdapterTest.cs b/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/AdapterTest/AdapterTest.cs index 5b498b7318..ed9d9ab541 100644 --- a/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/AdapterTest/AdapterTest.cs +++ b/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/AdapterTest/AdapterTest.cs 
@@ -1062,7 +1062,7 @@ public void UpdateOffsetTest() public static bool CanRunSchemaTests() { return DataTestUtility.AreConnStringsSetup() && - // Tests switch to master database, which is not guaranteed when using AAD auth + // Tests switch to master database, which is not guaranteed when using Entra ID auth DataTestUtility.TcpConnectionStringDoesNotUseAadAuth; } diff --git a/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/ConnectivityTests/AADConnectionTest.cs b/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/ConnectivityTests/AADConnectionTest.cs index f2c0128c46..3c68e6dafd 100644 --- a/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/ConnectivityTests/AADConnectionTest.cs +++ b/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/ConnectivityTests/AADConnectionTest.cs @@ -497,7 +497,7 @@ public static void AccessTokenCallbackReceivesUsernameAndPassword() } // Test passes locally everytime, but in pieplines fails randomly with uncertainity. - // e.g. Second AAD connection too slow (802ms)! (More than 30% of the first (576ms).) + // e.g. Second Entra ID connection too slow (802ms)! (More than 30% of the first (576ms).) [ActiveIssue("16058")] [ConditionalFact(nameof(IsAADConnStringsSetup))] public static void ConnectionSpeed() 
@@ -538,9 +538,9 @@ public static void ConnectionSpeed() } } - // Subsequent AAD connections within a short timeframe should use an auth token cached from the connection pool + // Subsequent Entra ID connections within a short timeframe should use an auth token cached from the connection pool // Second connection speed in tests was typically 10-15% of the first connection time. Using 30% since speeds may vary. - Assert.True(((double)secondConnectionTime.ElapsedMilliseconds / firstConnectionTime.ElapsedMilliseconds) < 0.30, $"Second AAD connection too slow ({secondConnectionTime.ElapsedMilliseconds}ms)! (More than 30% of the first ({firstConnectionTime.ElapsedMilliseconds}ms).)"); + Assert.True(((double)secondConnectionTime.ElapsedMilliseconds / firstConnectionTime.ElapsedMilliseconds) < 0.30, $"Second Entra ID connection too slow ({secondConnectionTime.ElapsedMilliseconds}ms)! (More than 30% of the first ({firstConnectionTime.ElapsedMilliseconds}ms).)"); } finally { diff --git a/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/ConnectivityTests/ConnectivityTest.cs b/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/ConnectivityTests/ConnectivityTest.cs index a500055490..28955b39ff 100644 --- a/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/ConnectivityTests/ConnectivityTest.cs +++ b/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/ConnectivityTests/ConnectivityTest.cs @@ -365,7 +365,7 @@ public static void ConnectionStringPersistentInfoTest() } } - // ConnectionOpenDisableRetry relies on error 4060 for automatic retry, which is not returned when using AAD auth + // ConnectionOpenDisableRetry relies on error 4060 for automatic retry, which is not returned when using Entra ID auth [ConditionalFact(typeof(DataTestUtility), nameof(DataTestUtility.AreConnStringsSetup), nameof(DataTestUtility.IsNotAzureServer), nameof(DataTestUtility.TcpConnectionStringDoesNotUseAadAuth))] public static void ConnectionOpenDisableRetry() { 
diff --git a/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/DataBaseSchemaTest/ConnectionSchemaTest.cs b/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/DataBaseSchemaTest/ConnectionSchemaTest.cs index 0bc5b29806..41e6ecb451 100644 --- a/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/DataBaseSchemaTest/ConnectionSchemaTest.cs +++ b/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/DataBaseSchemaTest/ConnectionSchemaTest.cs @@ -13,7 +13,7 @@ public static class ConnectionSchemaTest public static bool CanRunSchemaTests() { return DataTestUtility.AreConnStringsSetup() && - // Tests switch to master database, which is not guaranteed when using AAD auth + // Tests switch to master database, which is not guaranteed when using Entra ID auth DataTestUtility.TcpConnectionStringDoesNotUseAadAuth; } diff --git a/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/RetryLogic/SqlConfigurationManagerReliabilityTest.cs b/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/RetryLogic/SqlConfigurationManagerReliabilityTest.cs index c52ea76ec5..bcb221ff30 100644 --- a/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/RetryLogic/SqlConfigurationManagerReliabilityTest.cs +++ b/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/RetryLogic/SqlConfigurationManagerReliabilityTest.cs 
@@ -23,7 +23,7 @@ public class SqlConfigurationManagerReliabilityTest { InitialCatalog = SqlConnectionReliabilityTest.InvalidInitialCatalog, ConnectTimeout = 1 }.ConnectionString; #region Internal Functions - // Test relies on error 4060 for automatic retry, which is not returned when using AAD auth + // Test relies on error 4060 for automatic retry, which is not returned when using Entra ID auth [ConditionalTheory(typeof(DataTestUtility), nameof(DataTestUtility.AreConnStringsSetup), nameof(DataTestUtility.TcpConnectionStringDoesNotUseAadAuth))] [InlineData(RetryLogicConfigHelper.RetryMethodName_Fix, RetryLogicConfigHelper.RetryMethodName_Inc)] [InlineData(RetryLogicConfigHelper.RetryMethodName_Inc, RetryLogicConfigHelper.RetryMethodName_Exp)] @@ -131,7 +131,7 @@ public void InvalidRetryMethodName(string methodName) s_commandCRLTest.NoneRetriableExecuteFail(TcpCnnString, cmdProvider); } - // Test relies on error 4060 for automatic retry, which is not returned when using AAD auth + // Test relies on error 4060 for automatic retry, which is not returned when using Entra ID auth [ConditionalTheory(typeof(DataTestUtility), nameof(DataTestUtility.AreConnStringsSetup), nameof(DataTestUtility.TcpConnectionStringDoesNotUseAadAuth))] [InlineData("InvalidRetrylogicTypeName")] [InlineData("")] diff --git a/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/RetryLogic/SqlConnectionReliabilityTest.cs b/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/RetryLogic/SqlConnectionReliabilityTest.cs index 984c030f10..d133d25e03 100644 --- a/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/RetryLogic/SqlConnectionReliabilityTest.cs +++ b/src/Microsoft.Data.SqlClient/tests/ManualTests/SQL/RetryLogic/SqlConnectionReliabilityTest.cs 
@@ -23,7 +23,7 @@ public class SqlConnectionReliabilityTest maxInterval: TimeSpan.FromSeconds(1), deltaTime: TimeSpan.FromMilliseconds(250)); - // Test relies on error 4060 for automatic retry, which is not reliable when using Azure or AAD auth + // Test relies on error 4060 for automatic retry, which is not reliable when using Azure or Entra ID auth // Restricted to non azure: https://github.com/dotnet/SqlClient/issues/3821 [ConditionalTheory(typeof(DataTestUtility), nameof(DataTestUtility.AreConnStringsSetup), nameof(DataTestUtility.IsNotAzureServer))] [MemberData(nameof(ConnectionRetryOpenInvalidCatalogFailed_Data), DisableDiscoveryEnumeration = true)] @@ -48,7 +48,7 @@ public void ConnectionRetryOpenInvalidCatalogFailed(string cnnString, SqlRetryLo maxInterval: TimeSpan.FromSeconds(1), deltaTime: TimeSpan.FromMilliseconds(250)); - // Test relies on error 4060 for automatic retry, which is not reliable when using Azure or AAD auth + // Test relies on error 4060 for automatic retry, which is not reliable when using Azure or Entra ID auth // Restricted to non azure: https://github.com/dotnet/SqlClient/issues/3821 [ConditionalTheory(typeof(DataTestUtility), nameof(DataTestUtility.AreConnStringsSetup), nameof(DataTestUtility.IsNotAzureServer))] [MemberData(nameof(ConnectionCancelRetryOpenInvalidCatalog_Data), DisableDiscoveryEnumeration = true)] 
@@ -194,7 +194,7 @@ public void DefaultOpenWithoutRetry(string connectionString, SqlRetryLogicBasePr maxInterval: TimeSpan.FromSeconds(1), deltaTime: TimeSpan.FromMilliseconds(250)); - // Test relies on error 4060 for automatic retry, which is not reliable when using Azure or AAD auth + // Test relies on error 4060 for automatic retry, which is not reliable when using Azure or Entra ID auth // Restricted to non azure: https://github.com/dotnet/SqlClient/issues/3821 [ConditionalTheory(typeof(DataTestUtility), nameof(DataTestUtility.AreConnStringsSetup), nameof(DataTestUtility.IsNotAzureServer))] [MemberData(nameof(ConnectionRetryOpenAsyncInvalidCatalogFailed_Data), DisableDiscoveryEnumeration = true)] @@ -219,7 +219,7 @@ public async Task ConnectionRetryOpenAsyncInvalidCatalogFailed(string cnnString, maxInterval: TimeSpan.FromSeconds(1), deltaTime: TimeSpan.FromMilliseconds(250)); - // Test relies on error 4060 for automatic retry, which is not returned when using AAD auth + // Test relies on error 4060 for automatic retry, which is not returned when using Entra ID auth // Restricted to non azure: https://github.com/dotnet/SqlClient/issues/3821 [ConditionalTheory(typeof(DataTestUtility), nameof(DataTestUtility.AreConnStringsSetup), nameof(DataTestUtility.TcpConnectionStringDoesNotUseAadAuth), nameof(DataTestUtility.IsNotAzureServer))] [MemberData(nameof(ConnectionCancelRetryOpenAsyncInvalidCatalog_Data), DisableDiscoveryEnumeration = true)] diff --git a/src/Microsoft.Data.SqlClient/tests/tools/TDS/TDS.Servers/TdsServerArguments.cs b/src/Microsoft.Data.SqlClient/tests/tools/TDS/TDS.Servers/TdsServerArguments.cs index f129bf189a..3a9a093d5e 100644 --- a/src/Microsoft.Data.SqlClient/tests/tools/TDS/TDS.Servers/TdsServerArguments.cs +++ b/src/Microsoft.Data.SqlClient/tests/tools/TDS/TDS.Servers/TdsServerArguments.cs 
@@ -16,12 +16,12 @@ namespace Microsoft.SqlServer.TDS.Servers public class TdsServerArguments { /// - /// Service Principal Name, representing Azure SQL Database in Azure Active Directory. + /// Service Principal Name, representing Azure SQL Database in Entra ID. /// public const string AzureADServicePrincipalName = @"https://database.windows.net/"; /// - /// The Azure Active Directory production token endpoint to re-direct the client to fetch a token from. + /// The Entra ID production token endpoint to re-direct the client to fetch a token from. /// public const string AzureADProductionTokenEndpoint = @"https://login.windows.net/common"; From c29a7426e5ba731037559ecd202c7e9965c63f4e Mon Sep 17 00:00:00 2001 From: Cheena Malhotra <13396919+cheenamalhotra@users.noreply.github.com> Date: Fri, 13 Mar 2026 09:50:55 -0700 Subject: [PATCH 2/3] Include client id Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- src/Microsoft.Data.SqlClient/src/PackageReadme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Microsoft.Data.SqlClient/src/PackageReadme.md b/src/Microsoft.Data.SqlClient/src/PackageReadme.md index 6869cb1be7..9215d800f3 100644 --- a/src/Microsoft.Data.SqlClient/src/PackageReadme.md +++ b/src/Microsoft.Data.SqlClient/src/PackageReadme.md 
@@ -173,7 +173,7 @@ Microsoft.Data.SqlClient.SqlConnectionStringBuilder | Entra ID Managed Identity | `Authentication=Active Directory Managed Identity;` | | Entra ID Service Principal | `Authentication=Active Directory Service Principal;User ID=clientId;Password=clientSecret;` | | Entra ID Default | `Authentication=Active Directory Default;` | -| Entra ID Workload Identity | `Authentication=Active Directory Workload Identity` | +| Entra ID Workload Identity | `Authentication=Active Directory Workload Identity;User ID=clientId;` | > **Note:** To use Entra ID authentication modes (such as `Active Directory Default`, `Active Directory Managed Identity`, `Active Directory Interactive`, etc.) via connection string keywords, install the [Microsoft.Data.SqlClient.Extensions.Azure](https://www.nuget.org/packages/Microsoft.Data.SqlClient.Extensions.Azure) extension package. From 8e8a0e7c515d2b62959f00def710900efd84c2a7 Mon Sep 17 00:00:00 2001 From: Cheena Malhotra <13396919+cheenamalhotra@users.noreply.github.com> Date: Fri, 13 Mar 2026 10:26:43 -0700 Subject: [PATCH 3/3] Update CHANGELOG.md --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ebe0cac4f7..dc51c7d2bc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -19,7 +19,7 @@ Also released as part of this milestone: ### Changed -- **Breaking:** Removed Azure dependencies from the core package. Azure AD / Entra authentication (`ActiveDirectoryAuthenticationProvider` and related types) has been extracted into a new `Microsoft.Data.SqlClient.Extensions.Azure` package. The core `Microsoft.Data.SqlClient` package no longer depends on `Azure.Core`, `Azure.Identity`, or their transitive dependencies. Applications using Entra ID authentication must now install `Microsoft.Data.SqlClient.Extensions.Azure` separately. +- **Breaking:** Removed Azure dependencies from the core package. Entra ID authentication (`ActiveDirectoryAuthenticationProvider` and related types) has been extracted into a new `Microsoft.Data.SqlClient.Extensions.Azure` package. The core `Microsoft.Data.SqlClient` package no longer depends on `Azure.Core`, `Azure.Identity`, or their transitive dependencies. Applications using Entra ID authentication must now install `Microsoft.Data.SqlClient.Extensions.Azure` separately. ([#1108](https://github.com/dotnet/SqlClient/issues/1108), [#3680](https://github.com/dotnet/SqlClient/pull/3680), [#3902](https://github.com/dotnet/SqlClient/pull/3902),
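Review bot: In the first hunk shown here (@@ -129,7 +129,7 @@, the Documentation list), the new link text "Entra ID Authentication" drops the "Azure SQL Database" scope while the URL still points at azure-sql/database/authentication-aad-overview. Later in this patch, src/PackageReadme.md uses the identical link text for a different URL (sql/connect/ado-net/sql/azure-active-directory-authentication). Keep the scope in the text, for example "Azure SQL Database Entra ID Authentication", so a reader can tell the service overview from the driver documentation.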
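Review bot: In AzureKeyVaultProvider/PackageReadme.md (hunk @@ -7,7 +7,7 @@), the intro paragraph spells out "Microsoft Azure Key Vault", "Microsoft Azure SQL Database" and "Microsoft SQL Server" but the replacement text introduces the identity service as bare "Entra ID". Use the full product name "Microsoft Entra ID" on first mention in each README and the short form afterwards, so the branding is consistent within the paragraph.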
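Review bot: In src/PackageReadme.md, the new "Connecting to Azure" section (hunk @@ -45,6 +45,31 @@) never says what a caller sees when the connection string contains `Authentication=Active Directory Default;` and the extension package is not referenced. The CHANGELOG entry in this series marks the split as breaking, so add one sentence describing the failure an upgrading user gets at `OpenAsync()`, which lets them recognise it from logs. The heading is also broader than the content: the section covers Entra ID authentication modes only, so a title such as "Connecting with Entra ID authentication" fits better. Minor: there is no blank line between the closing fence of the `dotnet add package` block and "Or via the Package Manager Console:".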
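Review bot: In the authentication table of src/PackageReadme.md (hunk @@ -142,12 +167,15 @@), the row "Entra ID Password (deprecated)" still presents a copy-ready connection string with `User ID=user;Password=pass;` and gives no pointer to what should replace it. Either add a short "use ... instead" reference to one of the other rows or move the deprecation detail into the Note below the table. That Note also repeats the sentence from "Connecting to Azure" but drops the "Starting with v7.0" qualifier, so readers on earlier versions cannot tell whether it applies to them; carry the version over.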
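Review bot: In AADConnectionTest.cs, the hunk at @@ -497,7 +497,7 @@ edits the second line of the comment above `ConnectionSpeed()` but leaves the typos in the line directly above it ("everytime", "pieplines", "uncertainity"). Since the comment is being touched anyway, fix those in the same change.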
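Review bot: In AADConnectionTest.cs (hunk @@ -538,9 +538,9 @@), the `Assert.True` failure message changes from "Second AAD connection too slow" to "Second Entra ID connection too slow", which is a change to test output rather than to a comment. The test is tagged `[ActiveIssue("16058")]` and its comment quotes the old message as the observed failure, so anyone searching pipeline logs or the issue for the old string will miss new occurrences. Either leave the runtime message as it was or record the new wording in the tracked issue.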
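Review bot: In TdsServerArguments.cs (hunk @@ -16,12 +16,12 @@), the doc comments now say "Entra ID" while the constants they describe are still named `AzureADServicePrincipalName` and `AzureADProductionTokenEndpoint`. A reader who arrives from the identifier will not find its term in the summary. Write "Entra ID (formerly Azure Active Directory)" in the two summaries, or state that the constant names are intentionally unchanged.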
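Review bot: In PATCH 2/3 (hunk @@ -173,7 +173,7 @@), the Workload Identity row now ends in `User ID=clientId;` while the Managed Identity row two lines above it in the same table carries no `User ID`. The README does not say whether the client id is required for workload identity or only selects a specific identity, so readers will take the table literally and assume it is mandatory. State in the row or in the Note below whether `User ID` is optional here, and keep the two rows consistent if the same rule applies to both.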
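Review bot: In PATCH 3/3, the reworded **Breaking** entry in CHANGELOG.md removes "Azure AD" entirely, which is the term users upgrading from earlier versions are most likely to search for when they hit this change. The connection string keywords (`Active Directory ...`) and the `ActiveDirectoryAuthenticationProvider` type named in the same sentence still carry the old branding, so keep the old name once, for example "Entra ID (formerly Azure AD) authentication".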