Azure AD can authenticate a client to SQL Azure, as an alternative to putting a username and password in the connection string: https://azure.microsoft.com/en-us/documentation/articles/sql-database-aad-authentication/. It is roughly analogous to using Windows Authentication when both the client and the database sit on a Windows domain network. It is particularly useful on public (non-confidential) clients, where storing secrets is inappropriate and the only alternative would be to issue the user separate SQL-only credentials. With Azure AD authentication the user accesses SQL with their work or school credentials, and single sign-on is supported.
Sample code showing use of this approach in a WinForms/C# project is available here: https://github.com/mrochon/AADPublicClient2SQLAzure/. It shows three options for using AAD to connect to SQL Azure:
- Using the current Windows identity (assuming the user is signed in to a domain-joined machine and Azure AD is federated with the on-premises AD)
- Using the Azure AD challenge mechanism (including MFA) to authenticate the user
- Using a username and password entered directly into the client's UI (note that this hands the client the user's raw password and cannot satisfy an MFA requirement, so prefer the challenge mechanism where it is available)
It also shows the use of these authentication methods with both ADO.NET and Entity Framework 6 (Code First). The SQL Azure and Azure AD setup follows the instructions in: https://azure.microsoft.com/en-us/documentation/articles/sql-database-aad-authentication/. In my implementation I defined a security group ('sql users' in my case) and created a contained database user for it in SQL Azure (CREATE USER [sql users] FROM EXTERNAL PROVIDER, then ALTER ROLE ... ADD MEMBER to grant database roles), as per the above instructions. That way, to allow a new user to access the database all I need to do is add that user to the group.
(There seems to be a missing step in the setup instructions at https://azure.microsoft.com/en-us/documentation/articles/sql-database-aad-authentication/. In addition to what it describes, you also need to allow your client application to request OAuth2 access tokens for SQL Azure as the resource, i.e. grant it the user_impersonation delegated permission on the Azure SQL Database resource. To do that, use the Azure AD application manifest download/upload functionality and add the corresponding entry to the requiredResourceAccess section; see the source code for an example manifest. Without it, the token request for the https://database.windows.net/ resource fails.)
Oct 7th, 2016: to use a non-public, confidential client to log in to SQL, add the client app's display name (as registered in Azure AD) as a database user (CREATE USER [app display name] FROM EXTERNAL PROVIDER) and assign it the appropriate roles. You can then use the OAuth2 client credential flow (with a symmetric key or a certificate) to obtain an access token; the app's secret or certificate must of course be kept on the server side, never shipped to a public client.
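As an added example (my own illustration, not code from the AADPublicClient2SQLAzure repo), the following C# shows the four ways of obtaining an Azure AD token for SQL Azure discussed above, the three public-client options and the Oct 2016 client-credential option, and how the token is handed to ADO.NET and EF6. It uses ADAL for .NET v3 (Microsoft.IdentityModel.Clients.ActiveDirectory) and the SqlConnection.AccessToken property (.NET Framework 4.6 or later). The tenant, client id, redirect URI, server and database names are placeholders I made up; replace them with your own app registration and database.

```csharp
// Added example, not part of the original sample project. Tenant, client id,
// redirect URI and connection string below are placeholders (assumptions).
using System;
using System.Data.Entity;
using System.Data.SqlClient;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// EF6 Code First context that accepts an already-authenticated connection.
public class MyContext : DbContext
{
    public MyContext(SqlConnection conn) : base(conn, contextOwnsConnection: true) { }
    // DbSet<...> properties go here
}

public static class SqlAzureAadAuth
{
    // Resource identifier Azure AD uses for Azure SQL Database (documented value).
    public const string SqlResource = "https://database.windows.net/";

    // Placeholders: your tenant, the client app's id and reply URL, your server/db.
    const string Authority = "https://login.microsoftonline.com/contoso.onmicrosoft.com";
    const string ClientId = "00000000-0000-0000-0000-000000000000";
    static readonly Uri RedirectUri = new Uri("urn:ietf:wg:oauth:2.0:oob");
    const string ConnString =
        "Data Source=myserver.database.windows.net;Initial Catalog=mydb;Encrypt=True;Connect Timeout=30;";

    // Option 1: current Windows identity. Works only for a domain-joined, federated
    // user; ADAL performs the WS-Trust exchange with the on-premises STS itself.
    public static Task<AuthenticationResult> TokenIntegratedAsync()
    {
        var ctx = new AuthenticationContext(Authority);
        return ctx.AcquireTokenAsync(SqlResource, ClientId, new UserCredential());
    }

    // Option 2: Azure AD challenge in a browser dialog; honours MFA/Conditional Access.
    public static Task<AuthenticationResult> TokenInteractiveAsync()
    {
        var ctx = new AuthenticationContext(Authority);
        return ctx.AcquireTokenAsync(SqlResource, ClientId, RedirectUri,
            new PlatformParameters(PromptBehavior.Auto));
    }

    // Option 3: username/password typed into the client. The client sees the raw
    // password and MFA cannot be satisfied, so prefer option 2 where possible.
    public static Task<AuthenticationResult> TokenPasswordAsync(string user, string password)
    {
        var ctx = new AuthenticationContext(Authority);
        return ctx.AcquireTokenAsync(SqlResource, ClientId,
            new UserPasswordCredential(user, password));
    }

    // Option 4 (confidential client only): OAuth2 client credentials. The matching
    // SQL user is the app's display name: CREATE USER [MyApp] FROM EXTERNAL PROVIDER.
    // For a certificate instead of a secret use new ClientAssertionCertificate(ClientId, cert).
    public static Task<AuthenticationResult> TokenClientCredentialAsync(string clientSecret)
    {
        var ctx = new AuthenticationContext(Authority);
        return ctx.AcquireTokenAsync(SqlResource, new ClientCredential(ClientId, clientSecret));
    }

    // ADO.NET: the token goes on the connection object, not into the connection string,
    // and must be set before Open().
    public static SqlConnection OpenConnection(AuthenticationResult auth)
    {
        var conn = new SqlConnection(ConnString);
        conn.AccessToken = auth.AccessToken;
        conn.Open();
        return conn;
    }

    // Handy check that the group-based mapping worked: returns the caller's UPN
    // (or the app display name for option 4).
    public static string WhoAmI(SqlConnection conn)
    {
        using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
            return (string)cmd.ExecuteScalar();
    }

    public static async Task Demo()
    {
        AuthenticationResult auth = await TokenInteractiveAsync();

        using (var conn = OpenConnection(auth))
            Console.WriteLine("ADO.NET connected as " + WhoAmI(conn));

        // EF6: give the context an unopened connection that already carries the token.
        var efConn = new SqlConnection(ConnString) { AccessToken = auth.AccessToken };
        using (var db = new MyContext(efConn))
            Console.WriteLine("EF6 connected as " +
                db.Database.SqlQuery<string>("SELECT SUSER_SNAME()").Single());
    }
}
```

Passing the token explicitly, rather than relying on the Authentication=Active Directory Integrated / Active Directory Password connection-string keywords, is what lets the client drive the challenge (MFA) flow and the client-credential flow itself; the keywords only cover options 1 and 3. Tokens for the SQL resource are short-lived, so cache the AuthenticationResult and re-acquire (ADAL does this silently from its token cache) before opening new connections rather than prompting the user each time.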