8

I have already configured my Azure SQL Server so that I am Server admin, my account also has MFA enabled. I was trying to follow this documentation but it doesn't mention anything about Active directory with MFA.

I can use my account and MFA to sign into the server fine using SQL Management studio

Initially I tried (based on the new SqlAuthenticationMethod Enum):

SqlConnection con = new SqlConnection("Server=tcp:myapp.database.windows.net;Database=CustomerDB;Authentication=Active Directory Interactive;Encrypt=True;[email protected]"))

Error:

'Cannot find an authentication provider for 'ActiveDirectoryInteractive'.'

I then saw this about accessing SQL via an Azure application But this is not what I want to do.

This SO question talks about connecting without the provider and setting the Driver in the connection string

SqlConnection con = new SqlConnection("DRIVER={ODBC Driver 17 for SQL Server};Server=tcp:myapp.database.windows.net;Database=CustomerDB;Authentication=Active Directory Interactive;Encrypt=True;[email protected]"))

but I get the error:

'Keyword not supported: 'driver'.'

Is there anyway to write a connection string so that when it tries to connect the Microsoft authentication box pops up to walk the user through Multi factor authentication?

Improve this question
2

4 Answers 4

Reset to default
8
Answer recommended by Microsoft Azure Collective

To use Azure AD authentication, your C# program has to register as an Azure AD application. Completing an app registration generates and displays an application ID. Your program has to include this ID to connect. To register and set necessary permissions for your application, go to the Azure portal, select Azure Active Directory > App registrations > New registration.

enter image description here

After the app registration is created, the application ID value is generated and displayed.

enter image description here

Select API permissions > Add a permission.

enter image description here

Select APIs my organization uses > type Azure SQL Database into the search > and select Azure SQL Database.

enter image description here

Select Delegated permissions > user_impersonation > Add permissions.

enter image description here

It seems you have already set an Azure AD admin for your Azure SQL Database.

You can also add a user to the database with the SQL Create User command. An example is CREATE USER [] FROM EXTERNAL PROVIDER. For more information, see here.

Below an example on C#.

using System; // Reference to Azure AD authentication assembly using Microsoft.IdentityModel.Clients.ActiveDirectory; using DA = System.Data; using SC = System.Data.SqlClient; using AD = Microsoft.IdentityModel.Clients.ActiveDirectory; using TX = System.Text; using TT = System.Threading.Tasks; namespace ADInteractive5 { class Program { // ASSIGN YOUR VALUES TO THESE STATIC FIELDS !! static public string Az_SQLDB_svrName = "<Your SQL DB server>"; static public string AzureAD_UserID = "<Your User ID>"; static public string Initial_DatabaseName = "<Your Database>"; // Some scenarios do not need values for the following two fields: static public readonly string ClientApplicationID = "<Your App ID>"; static public readonly Uri RedirectUri = new Uri("<Your URI>"); public static void Main(string[] args) { var provider = new ActiveDirectoryAuthProvider(); SC.SqlAuthenticationProvider.SetProvider( SC.SqlAuthenticationMethod.ActiveDirectoryInteractive, //SC.SqlAuthenticationMethod.ActiveDirectoryIntegrated, // Alternatives. //SC.SqlAuthenticationMethod.ActiveDirectoryPassword, provider); Program.Connection(); } public static void Connection() { SC.SqlConnectionStringBuilder builder = new SC.SqlConnectionStringBuilder(); // Program._ static values that you set earlier. builder["Data Source"] = Program.Az_SQLDB_svrName; builder.UserID = Program.AzureAD_UserID; builder["Initial Catalog"] = Program.Initial_DatabaseName; // This "Password" is not used with .ActiveDirectoryInteractive. //builder["Password"] = "<YOUR PASSWORD HERE>"; builder["Connect Timeout"] = 15; builder["TrustServerCertificate"] = true; builder.Pooling = false; // Assigned enum value must match the enum given to .SetProvider(). builder.Authentication = SC.SqlAuthenticationMethod.ActiveDirectoryInteractive; SC.SqlConnection sqlConnection = new SC.SqlConnection(builder.ConnectionString); SC.SqlCommand cmd = new SC.SqlCommand( "SELECT '******** MY QUERY RAN SUCCESSFULLY!! ********';", sqlConnection); try { sqlConnection.Open(); if (sqlConnection.State == DA.ConnectionState.Open) { var rdr = cmd.ExecuteReader(); var msg = new TX.StringBuilder(); while (rdr.Read()) { msg.AppendLine(rdr.GetString(0)); } Console.WriteLine(msg.ToString()); Console.WriteLine(":Success"); } else { Console.WriteLine(":Failed"); } sqlConnection.Close(); } catch (Exception ex) { Console.ForegroundColor = ConsoleColor.Red; Console.WriteLine("Connection failed with the following exception..."); Console.WriteLine(ex.ToString()); Console.ResetColor(); } } } // EOClass Program. /// <summary> /// SqlAuthenticationProvider - Is a public class that defines 3 different Azure AD /// authentication methods. The methods are supported in the new .NET 4.7.2. /// . /// 1. Interactive, 2. Integrated, 3. Password /// . /// All 3 authentication methods are based on the Azure /// Active Directory Authentication Library (ADAL) managed library. /// </summary> public class ActiveDirectoryAuthProvider : SC.SqlAuthenticationProvider { // Program._ more static values that you set! private readonly string _clientId = Program.ClientApplicationID; private readonly Uri _redirectUri = Program.RedirectUri; public override async TT.Task<SC.SqlAuthenticationToken> AcquireTokenAsync(SC.SqlAuthenticationParameters parameters) { AD.AuthenticationContext authContext = new AD.AuthenticationContext(parameters.Authority); authContext.CorrelationId = parameters.ConnectionId; AD.AuthenticationResult result; switch (parameters.AuthenticationMethod) { case SC.SqlAuthenticationMethod.ActiveDirectoryInteractive: Console.WriteLine("In method 'AcquireTokenAsync', case_0 == '.ActiveDirectoryInteractive'."); result = await authContext.AcquireTokenAsync( parameters.Resource, // "https://database.windows.net/" _clientId, _redirectUri, new AD.PlatformParameters(AD.PromptBehavior.Auto), new AD.UserIdentifier( parameters.UserId, AD.UserIdentifierType.RequiredDisplayableId)); break; case SC.SqlAuthenticationMethod.ActiveDirectoryIntegrated: Console.WriteLine("In method 'AcquireTokenAsync', case_1 == '.ActiveDirectoryIntegrated'."); result = await authContext.AcquireTokenAsync( parameters.Resource, _clientId, new AD.UserCredential()); break; case SC.SqlAuthenticationMethod.ActiveDirectoryPassword: Console.WriteLine("In method 'AcquireTokenAsync', case_2 == '.ActiveDirectoryPassword'."); result = await authContext.AcquireTokenAsync( parameters.Resource, _clientId, new AD.UserPasswordCredential( parameters.UserId, parameters.Password)); break; default: throw new InvalidOperationException(); } return new SC.SqlAuthenticationToken(result.AccessToken, result.ExpiresOn); } public override bool IsSupported(SC.SqlAuthenticationMethod authenticationMethod) { return authenticationMethod == SC.SqlAuthenticationMethod.ActiveDirectoryIntegrated || authenticationMethod == SC.SqlAuthenticationMethod.ActiveDirectoryInteractive || authenticationMethod == SC.SqlAuthenticationMethod.ActiveDirectoryPassword; } } // EOClass ActiveDirectoryAuthProvider. } // EONamespace. End of entire program source code.

The example above relies on the Microsoft.IdentityModel.Clients.ActiveDirectory DLL assembly.

To install this package, in Visual Studio, select Project > Manage NuGet Packages. Search for and install Microsoft.IdentityModel.Clients.ActiveDirectory.

Starting in .NET Framework version 4.7.2, the enum SqlAuthenticationMethod has a new value: ActiveDirectoryInteractive.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

When I search for "Azure SQL Database" when adding the permissions, I do not find anything. What needs to be done to get the "Azure SQL Database" API available so that it can be used with a Entra/AD App?
Do you have permissions as Application Administrator or Application Developer?
I am the owner of the subscription. Is that enough?
I would have try these steps again.
4

The only way I have found to login using Active Directory and MFA and cache the token is to use @Alberto's method

I did also find another way which would ask for login credentials every time which is to use this connection string:

OdbcConnection con = new OdbcConnection("Driver={ODBC Driver 17 for SQL Server};SERVER=tcp:myserver.database.windows.net;DATABASE=MyDb;Authentication=ActiveDirectoryInteractive;[email protected]")

Improving the code posted by @alberto. I must say for something so fundamental in the modern world this is unbelievably undocumented. Anyway here's the improved Provider code.

This code also requires you to target .Net Framework 4.7.2 or greater

Firstly follow @alberto's code.. I did find one extra unmentioned step is that you need to also configure a Platform for your app in azure on the authentication tab to look like:

enter image description here

Add these two classes to your project:

ActiveDirectoryAuthProvider 

using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.Threading.Tasks; using Microsoft.IdentityModel.Clients.ActiveDirectory; using System.Data.SqlClient; namespace SQLAzureConnectivity { public class ActiveDirectoryAuthProvider : SqlAuthenticationProvider { private string _clientId { get; set; } private Uri _redirectURL { get; set; } = new Uri("https://login.microsoftonline.com/common/oauth2/nativeclient"); public ActiveDirectoryAuthProvider(string clientId) { _clientId = clientId; } //https://learn.microsoft.com/en-us/azure/sql-database/active-directory-interactive-connect-azure-sql-db#c-code-example public override async Task<System.Data.SqlClient.SqlAuthenticationToken> AcquireTokenAsync(System.Data.SqlClient.SqlAuthenticationParameters parameters) { AuthenticationContext authContext = new AuthenticationContext(parameters.Authority, new FilesBasedAdalV3TokenCache(".\\Token.dat")); authContext.CorrelationId = parameters.ConnectionId; AuthenticationResult result = null; switch (parameters.AuthenticationMethod) { case System.Data.SqlClient.SqlAuthenticationMethod.ActiveDirectoryInteractive: Console.WriteLine("In method 'AcquireTokenAsync', case_0 == '.ActiveDirectoryInteractive'."); try { result = await authContext.AcquireTokenSilentAsync(parameters.Resource, _clientId); } catch (AdalException adalException) { if (adalException.ErrorCode == AdalError.FailedToAcquireTokenSilently || adalException.ErrorCode == AdalError.InteractionRequired) { result = await authContext.AcquireTokenAsync(parameters.Resource, _clientId, _redirectURL, new PlatformParameters(PromptBehavior.Auto)); //result = await authContext.AcquireTokenAsync(parameters.Resource, _clientId, _redirectURL, new PlatformParameters(PromptBehavior.Auto), new UserIdentifier(parameters.UserId, UserIdentifierType.RequiredDisplayableId)); } } break; case System.Data.SqlClient.SqlAuthenticationMethod.ActiveDirectoryIntegrated: Console.WriteLine("In method 'AcquireTokenAsync', case_1 == '.ActiveDirectoryIntegrated'."); result = await authContext.AcquireTokenAsync(parameters.Resource, _clientId, new UserCredential()); break; case System.Data.SqlClient.SqlAuthenticationMethod.ActiveDirectoryPassword: Console.WriteLine("In method 'AcquireTokenAsync', case_2 == '.ActiveDirectoryPassword'."); result = await authContext.AcquireTokenAsync(parameters.Resource, _clientId, new UserPasswordCredential(parameters.UserId, parameters.Password)); break; default: throw new InvalidOperationException(); } return new System.Data.SqlClient.SqlAuthenticationToken(result.AccessToken, result.ExpiresOn); } public override bool IsSupported(System.Data.SqlClient.SqlAuthenticationMethod authenticationMethod) { return authenticationMethod == System.Data.SqlClient.SqlAuthenticationMethod.ActiveDirectoryIntegrated || authenticationMethod == System.Data.SqlClient.SqlAuthenticationMethod.ActiveDirectoryInteractive || authenticationMethod == System.Data.SqlClient.SqlAuthenticationMethod.ActiveDirectoryPassword; } } }

FilesBasedAdalV3TokenCache

using Microsoft.IdentityModel.Clients.ActiveDirectory; using System.IO; using System.Security.Cryptography; namespace SQLAzureConnectivity { // This is a simple persistent cache implementation for an ADAL V3 desktop application public class FilesBasedAdalV3TokenCache : TokenCache { public string CacheFilePath { get; } private static readonly object FileLock = new object(); // Initializes the cache against a local file. // If the file is already present, it loads its content in the ADAL cache public FilesBasedAdalV3TokenCache(string filePath) { CacheFilePath = filePath; this.AfterAccess = AfterAccessNotification; this.BeforeAccess = BeforeAccessNotification; lock (FileLock) { this.DeserializeAdalV3(ReadFromFileIfExists(CacheFilePath)); } } // Empties the persistent store. public override void Clear() { base.Clear(); File.Delete(CacheFilePath); } // Triggered right before ADAL needs to access the cache. // Reload the cache from the persistent store in case it changed since the last access. void BeforeAccessNotification(TokenCacheNotificationArgs args) { lock (FileLock) { this.DeserializeAdalV3(ReadFromFileIfExists(CacheFilePath)); } } // Triggered right after ADAL accessed the cache. void AfterAccessNotification(TokenCacheNotificationArgs args) { // if the access operation resulted in a cache update if (this.HasStateChanged) { lock (FileLock) { // reflect changes in the persistent store WriteToFileIfNotNull(CacheFilePath, this.SerializeAdalV3()); // once the write operation took place, restore the HasStateChanged bit to false this.HasStateChanged = false; } } } /// <summary> /// Read the content of a file if it exists /// </summary> /// <param name="path">File path</param> /// <returns>Content of the file (in bytes)</returns> private byte[] ReadFromFileIfExists(string path) { byte[] protectedBytes = (!string.IsNullOrEmpty(path) && File.Exists(path)) ? File.ReadAllBytes(path) : null; byte[] unprotectedBytes = (protectedBytes != null) ? ProtectedData.Unprotect(protectedBytes, null, DataProtectionScope.CurrentUser) : null; return unprotectedBytes; } /// <summary> /// Writes a blob of bytes to a file. If the blob is <c>null</c>, deletes the file /// </summary> /// <param name="path">path to the file to write</param> /// <param name="blob">Blob of bytes to write</param> private static void WriteToFileIfNotNull(string path, byte[] blob) { if (blob != null) { byte[] protectedBytes = ProtectedData.Protect(blob, null, DataProtectionScope.CurrentUser); File.WriteAllBytes(path, protectedBytes); } else { File.Delete(path); } } } }

Then before using a SQLConnection write these two lines:

var provider = new ActiveDirectoryAuthProvider("ClientID from the Azure app you set up earlier"); SqlAuthenticationProvider.SetProvider(SqlAuthenticationMethod.ActiveDirectoryInteractive, provider);

References:

Improve this answer

Comments

3

As mentioned elsewhere, you can use ODBC to connect, without registering your app in the Azure Portal. The interactive prompt will be shown whenever a new connection is added to the pool. Thus, even if you open multiple ODBC connections using the same connection string, you will only see the prompt once within your application lifecycle (or until the connection pool is recycled).

If you don't want to use ODBC, you may also use OLE DB with the MSOLEDBSQL driver, which has similar (or better) performance than the native SQL Client provider (which is deprecated and shouldn't be used anyway):

using System.Data.OleDb; ... OleDbConnection con = new OleDbConnection("Provider=MSOLEDBSQL;Data Source=sqlserver.database.windows.net;User [email protected];Initial Catalog=database;Authentication=ActiveDirectoryInteractive");
Improve this answer

2 Comments

Authentication=ActiveDirectoryInteractive is one word...where it is Authentication="Active Directory Interactive" in SqlClient connection string. After that, the popup worked as expected! I believe the connection pool handles preventing this dialog popping up more than once. Which is perfect for my local unit testing. And I fall back to the accepted answer when running it via azure devops pipeline (where the application key is a pipeline variable for security reasons).
TamusJRoyce's Suggestion of Authentication="Active Directory Interactive" is what did it for me. After debugging into the method where the call was made, my browser opened with the sign in prompt.
1

This may not be the best place to put this answer, as is it is specific to unit testing sql server and visual studio (community,prof,ent) -- https://youtu.be/OZiTKfNSXh4 @ 1:10 -- via mfa interactive using @Dan answer.

The problem is that generating a c#/sql unit test project can be done using interactive connection. But running any unit test will fail because mfa interactive is not supported by SqlClient provider. Below is a work-around.

New file OleDatabaseTestService.cs

using Microsoft.Data.Tools.Schema.Sql.UnitTesting; using System.Data.OleDb; namespace [YourNamespace]Tests { public class OleDatabaseTestService : SqlDatabaseTestService { static OleDatabaseTestService() { SetupConext(); } private static ConnectionContext _contextExecution = null; private static ConnectionContext _contextPrivileged = null; public static ConnectionContext ContextExecution { get; set; } = null; public static ConnectionContext ContextPrivileged { get; set; } = null; public override ConnectionContext OpenExecutionContext() { return ContextExecution; } public override ConnectionContext OpenPrivilegedContext() { return ContextPrivileged == null ? ContextExecution : ContextPrivileged; } // TODO: This can be a written a lot better - please edit this SO if you wish to help protected static ConnectionContext SetupConext() { var context = new ConnectionContext(); context.Provider = OleDbFactory.Instance; var connection = context.Provider.CreateConnection(); // TODO: Drive the connection string from app.config interactive connection string (wizard creates interactive correctly, but not supported by SqlClient provider) // var connectionSection = (SqlUnitTestingSection)ConfigurationManager.GetSection("SqlUnitTesting"); // DbConnection connection = new OleDbConnection( connection.ConnectionString = "Provider=MSOLEDBSQL;Data Source=[azure_database_name].database.windows.net;Initial Catalog=[initial db];User ID=[email];Authentication=ActiveDirectoryInteractive"; // + connectionSection.ExecutionContext.ConnectionString; connection.Open(); context.Connection = connection; ContextExecution = context; ContextPrivileged = context; return context; } } }

Change to SqlDatabaseSetup.cs

using Microsoft.Data.Tools.Schema.Sql.UnitTesting; using Microsoft.VisualStudio.TestTools.UnitTesting; namespace [YourNamespace]Tests { [TestClass()] public class SqlDatabaseSetup { [AssemblyInitialize()] public static void InitializeAssembly(TestContext ctx) { var service = new OleDatabaseTestService(); SqlDatabaseTestClass.TestService = service; SqlDatabaseTestClass.TestService.DeployDatabaseProject(); SqlDatabaseTestClass.TestService.GenerateData(); } } }

Please add a comment on where this would best be moved to. Or if someone prefers this as a Question/self-Answered on its own (no need to waste points).

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.