This chapter covers the two authentication methods for Azure SQL Database and Azure SQL Managed Instance: SQL Authentication and Microsoft Entra ID authentication. Understanding the differences, security implications, and configuration requirements is essential for the DP-900 exam, where approximately 10-15% of questions relate to authentication and security. You will learn how each method works, when to use each, and the exact settings you need to know for the exam.
Jump to a section
Think of an Azure SQL database as a secure office building. SQL Authentication is like giving each user a physical key to the front door. You (the DBA) must create a copy of that key for every person who needs access, and you are responsible for tracking who has which key. If someone leaves the company, you must change the lock and reissue keys to everyone—or risk the ex-employee walking in. Microsoft Entra ID (formerly Azure AD) authentication is like installing an electronic badge reader at the door. Instead of handing out physical keys, you assign each employee a badge that is centrally managed by the HR system (Entra ID). When an employee swipes their badge, the reader checks with the central directory to see if that badge is still active and authorized. If the employee is terminated, HR deactivates the badge in the directory, and the door instantly denies access—no lock changes, no key reissuing. The building owner (Azure SQL) no longer manages keys; it only trusts the badge reader (Entra ID) to validate identities. This eliminates the administrative burden of password rotations, reduces the risk of orphaned accounts, and enables features like multi-factor authentication (MFA) and conditional access policies that would be impossible with static keys.
What is Authentication in Azure SQL?
Authentication is the process of verifying the identity of a user or application trying to connect to a database. In Azure SQL, two primary authentication methods exist: SQL Authentication (username and password stored in the database) and Microsoft Entra ID authentication (identity verified via Azure's cloud identity service). The exam expects you to know the differences, benefits, and limitations of each.
SQL Authentication: The Traditional Approach
SQL Authentication uses a login and password stored in the master database of the Azure SQL server. The password hash is stored in the sys.sql_logins system view. When a client connects, it sends the username and password over the network (ideally encrypted using TLS). The server hashes the password and compares it to the stored hash. If they match, the login is authenticated and the user is granted access to databases based on user mappings.
Key characteristics:
The password is managed entirely within Azure SQL—no dependency on external identity providers.
Password policy (complexity, expiration) can be enforced via Azure SQL's password policy, which mirrors Windows Server policies (e.g., minimum length, complexity requirements).
There is no built-in support for Multi-Factor Authentication (MFA).
Passwords can be rotated by the administrator using ALTER LOGIN statements.
SQL Authentication is disabled by default for new Azure SQL servers; you must enable it during server creation or later via the Azure portal or PowerShell.
Microsoft Entra ID Authentication: Modern Identity
Microsoft Entra ID authentication allows users to connect to Azure SQL using their cloud identities (user accounts, service principals, or managed identities). The authentication process uses OAuth 2.0 tokens. When a user attempts to connect, the client (e.g., SQL Server Management Studio) acquires an access token from Microsoft Entra ID. The token is then presented to Azure SQL, which validates it using the tenant's public keys. If valid, the user is authenticated and mapped to a database user (contained user) or a server-level login.
Key characteristics:
Supports MFA natively.
Enables conditional access policies (e.g., require compliant device).
Password policies are managed by Entra ID (e.g., password expiration, lockout).
Eliminates the need to manage passwords in the database.
Supports service principals and managed identities for applications.
Requires that an Entra ID administrator is configured at the server level before any Entra ID users can connect.
How to Configure Each Method
SQL Authentication:
1. During server creation, set 'Authentication method' to 'Use only Azure Active Directory authentication' or 'Use both SQL and Azure Active Directory authentication'. To use SQL Authentication, you must choose the latter.
2. After creation, create SQL logins in the master database:
CREATE LOGIN MySQLLogin WITH PASSWORD = 'StrongPassword!';3. Map the login to a database user:
CREATE USER MyUser FOR LOGIN MySQLLogin;Grant permissions (e.g., db_datareader).
Entra ID Authentication: 1. Set an Entra ID administrator for the Azure SQL server (Azure portal -> SQL server -> Active Directory admin). This user must be an Entra ID user or group. 2. Connect as that admin and create contained database users:
CREATE USER [user@domain.com] FROM EXTERNAL PROVIDER;Grant permissions as usual.
How Authentication Works Internally
SQL Authentication flow:
1. Client sends a login packet containing username and password (encrypted via TLS).
2. Server receives the packet, extracts the password, hashes it with a stored salt.
3. Server compares the hash to the stored hash in sys.sql_logins.
4. If match, server checks if the login is enabled and not locked out.
5. Server then checks database user mappings and permissions.
6. If all checks pass, a session is established.
Entra ID Authentication flow: 1. Client (e.g., SSMS) initiates OAuth 2.0 authorization code flow or device code flow. 2. User authenticates to Entra ID (via password, MFA, etc.). 3. Entra ID returns an access token (JWT) with claims including user's object ID and tenant ID. 4. Client sends the token to Azure SQL in the TDS login packet. 5. Azure SQL validates the token's signature using the tenant's public keys (fetched from Entra ID). 6. Server extracts the user's object ID from the token and looks up a matching user in the database. 7. If found, the user is authenticated; permissions are then evaluated.
Key Differences in Management
Password management: SQL Authentication requires you to manage passwords; Entra ID offloads this to Entra ID policies.
Account lifecycle: With SQL Authentication, disabling a user requires manual intervention in the database; with Entra ID, disabling the user in Entra ID automatically blocks access.
Auditing: SQL Authentication logs show the SQL login name; Entra ID logs show the user principal name (UPN).
Exam-Relevant Details
The default authentication method for new Azure SQL servers is Microsoft Entra ID only (SQL Authentication disabled). You can enable both during creation.
To use Entra ID authentication, you must first configure an Entra ID administrator for the server. This is a single user or group that can manage other Entra ID users.
Contained database users are required for Entra ID authentication; you cannot use server-level logins for Entra ID users.
Service principals and managed identities can be used as Entra ID users for applications.
The CREATE USER ... FROM EXTERNAL PROVIDER syntax is used for Entra ID users.
Limitations and Considerations
SQL Authentication does not support MFA.
Entra ID authentication requires network connectivity to Entra ID endpoints (login.microsoftonline.com).
Entra ID users cannot be used for cross-database queries unless they are contained users in each database.
SQL Authentication logins can be used for linked server connections; Entra ID users cannot (directly).
Security Best Practices
Prefer Entra ID authentication for all users and applications to leverage MFA and conditional access.
If SQL Authentication is necessary, enforce strong passwords and rotate them regularly.
Use firewall rules to restrict IP addresses that can connect.
Enable Advanced Threat Protection and auditing for both methods.
Create Azure SQL Server
In the Azure portal, navigate to SQL databases and click 'Create'. Fill in subscription, resource group, server name, location, and compute + storage. Under 'Authentication method', you choose between 'Use only Microsoft Entra ID authentication' and 'Use both SQL and Microsoft Entra ID authentication'. If you select the latter, you must provide a server admin login and password. This step sets the foundation for which authentication methods are allowed. The default is 'Use only Microsoft Entra ID authentication' for new servers.
Configure Entra ID Admin
After server creation, go to the SQL server resource in Azure portal. Under 'Settings', select 'Active Directory admin'. Click 'Set admin' and select a user or group from your Entra ID tenant. This user becomes the first Entra ID principal that can connect to the server. They can then create other Entra ID users. This step is mandatory before any Entra ID user can connect. The admin can be changed later, but there must always be at least one Entra ID admin if Entra ID authentication is enabled.
Create Database Users
Connect to the database using the Entra ID admin (or a SQL login if enabled). To add an Entra ID user, execute `CREATE USER [user@domain.com] FROM EXTERNAL PROVIDER;` in the context of the target database. This creates a contained database user mapped to the Entra ID identity. For SQL Authentication, create a server login first with `CREATE LOGIN ... WITH PASSWORD = '...';` then map it to a database user with `CREATE USER ... FOR LOGIN ...;`. Users can then be granted permissions like `db_datareader` or `db_owner`.
Grant Permissions
After creating the user, assign appropriate database roles or individual permissions. Common roles include `db_datareader` (read all data), `db_datawriter` (insert/update/delete), and `db_owner` (full control). Use `ALTER ROLE db_datareader ADD MEMBER [user];` for Entra ID users, or `EXEC sp_addrolemember 'db_datareader', 'MyUser';` for SQL users. Permissions can also be granted directly with `GRANT SELECT ON ... TO [user];`. The exam expects you to know the difference between server-level roles and database-level roles.
Connect and Verify
From a client tool like SSMS or Azure Data Studio, attempt to connect. For SQL Authentication, provide the SQL login and password. For Entra ID authentication, select 'Azure Active Directory - Universal with MFA' as authentication type and enter the user UPN. The client will acquire a token automatically. If MFA is required, a pop-up prompts for additional verification. Successful connection indicates correct configuration. Common errors include 'Login failed for user' (wrong credentials) or 'Cannot open server' (firewall blocking IP).
Enterprise Scenario 1: Large Organization with MFA Requirement
A multinational corporation with 10,000+ employees uses Azure SQL for its data warehouse. They require MFA for all database access to comply with security policies. SQL Authentication cannot meet this requirement, so they deploy Entra ID authentication. They configure conditional access policies to require MFA from outside the corporate network. The DBA sets an Entra ID admin group and creates contained users for each team. When an employee leaves, the IT department disables the user in Entra ID, and database access is instantly revoked. Performance is acceptable—token acquisition adds ~1 second to connection time. Common issues include token expiration (tokens last 1 hour by default; long-running queries may need token refresh). They mitigate by using connection pooling and setting Persist Security Info=False.
Enterprise Scenario 2: Legacy Application with SQL Authentication
A healthcare provider runs a legacy application that hardcodes a SQL login and password. The application cannot be modified to support OAuth 2.0. They must use SQL Authentication. The DBA creates a SQL login with a strong password, rotates it quarterly, and restricts the IP range via firewall. They enable auditing to track login attempts. The risk is that if the password is compromised, an attacker can connect from anywhere (unless IP restricted). They also face the challenge of password expiration—if the password changes, the application breaks until updated. This scenario is common for older apps and is a key reason Microsoft recommends migrating to Entra ID.
Enterprise Scenario 3: Microservices Using Managed Identities
A SaaS company runs microservices on Azure App Service that access Azure SQL. Each service has a system-assigned managed identity. The DBA creates a contained user for each managed identity using CREATE USER [<app-service-name>] FROM EXTERNAL PROVIDER;. The services connect without any credentials—the Azure infrastructure automatically provides tokens. This eliminates secrets management. The DBA grants least-privilege permissions per service. A common misconfiguration is assigning the wrong managed identity or forgetting to enable 'Allow Azure services' in the firewall. When misconfigured, connection errors like 'Login failed for user '' (empty)' occur because the token is not recognized.
DP-900 Exam Focus: Authentication Methods (Objective 2.1)
The DP-900 exam tests your understanding of the differences between SQL and Entra ID authentication, not the deep technical configuration. You should know:
Which authentication method supports MFA? (Entra ID only)
Which method requires a server admin to be configured first? (Entra ID; the Entra ID admin)
Which method uses contained database users? (Entra ID; SQL can use either server logins or contained users)
Which method is recommended by Microsoft? (Entra ID)
What is the default authentication for new servers? (Entra ID only)
Common Wrong Answers and Why Candidates Choose Them: 1. 'SQL Authentication supports MFA.' — Wrong. Candidates confuse SQL Authentication with Windows Authentication (which can support MFA via Kerberos in on-premises). Azure SQL SQL Authentication has no MFA capability. 2. 'Entra ID authentication requires a SQL login in master.' — Wrong. Entra ID users are created as contained database users, not server logins. However, the Entra ID admin is a special server-level principal. 3. 'You can use SQL Authentication without enabling it during server creation.' — Wrong. If you choose 'Use only Microsoft Entra ID authentication' during creation, SQL Authentication is permanently disabled. You must recreate the server to enable it. 4. 'Service principals cannot connect to Azure SQL.' — Wrong. Service principals (application identities) can be used as Entra ID users and are common for automated processes.
Numbers and Terms to Memorize:
- The default authentication is 'Microsoft Entra ID only' (formerly Azure AD only).
- The syntax for creating an Entra ID user: CREATE USER [user@domain.com] FROM EXTERNAL PROVIDER.
- The Entra ID admin must be set before any Entra ID user can connect.
- SQL Authentication passwords are stored in sys.sql_logins.
- Entra ID tokens are valid for 1 hour by default (not tested, but good to know).
Edge Cases: - If you disable SQL Authentication after creating SQL logins, those logins become unusable. - Entra ID guest users (from other tenants) can be added as users if the Entra ID tenant allows external identities. - For Azure SQL Managed Instance, you can also use Windows Authentication via Kerberos (not in scope for DP-900).
How to Eliminate Wrong Answers: - If the question mentions MFA, conditional access, or passwordless, the answer involves Entra ID. - If the question mentions 'server-level login', it's SQL Authentication (or Windows Auth for MI). - If the question asks about 'recommended method', choose Entra ID. - If the question says 'no additional identity provider needed', it's SQL Authentication.
SQL Authentication uses username/password stored in the database; no MFA support.
Microsoft Entra ID authentication uses OAuth 2.0 tokens; supports MFA and conditional access.
New Azure SQL servers default to 'Microsoft Entra ID only' authentication.
An Entra ID admin must be configured before any Entra ID user can connect.
Entra ID users are created as contained database users with `CREATE USER ... FROM EXTERNAL PROVIDER`.
Service principals and managed identities can be used as Entra ID users for applications.
SQL Authentication logins are created with `CREATE LOGIN` in master database, then mapped to database users.
These come up on the exam all the time. Here's how to tell them apart.
SQL Authentication
Credentials stored in Azure SQL master database
No MFA support
Password management done by DBA
Server-level logins required
Works without internet connectivity to Entra ID
Microsoft Entra ID Authentication
Credentials managed by Microsoft Entra ID
MFA supported natively
Password policies managed by Entra ID tenant
Uses contained database users (no server login)
Requires outbound connectivity to login.microsoftonline.com
Mistake
SQL Authentication supports Multi-Factor Authentication.
Correct
SQL Authentication does not support MFA. MFA is only available with Microsoft Entra ID authentication because it leverages the Entra ID authentication stack.
Mistake
You can use Entra ID authentication without configuring an Entra ID administrator.
Correct
An Entra ID administrator must be set at the server level before any Entra ID user can connect. This admin creates the first contained users.
Mistake
Entra ID users are created as server-level logins in the master database.
Correct
Entra ID users are created as contained database users using `CREATE USER ... FROM EXTERNAL PROVIDER` within a specific database. They do not have server-level logins.
Mistake
SQL Authentication is enabled by default on new Azure SQL servers.
Correct
The default authentication method for new servers is 'Microsoft Entra ID only'. You must explicitly choose to enable SQL Authentication during creation.
Mistake
Service principals and managed identities cannot authenticate to Azure SQL.
Correct
Service principals and managed identities are supported as Entra ID users. They can be added with `CREATE USER [app-name] FROM EXTERNAL PROVIDER` and used for application access.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
SQL Authentication uses a username and password stored in the Azure SQL server's master database. The DBA manages passwords and there is no support for MFA. Microsoft Entra ID authentication uses identities from Azure's cloud directory; it supports MFA, conditional access, and eliminates the need for password management in the database. Entra ID authentication is the recommended method.
If the server was created with 'Microsoft Entra ID only', you cannot enable SQL Authentication later without recreating the server. If it was created with 'Use both SQL and Microsoft Entra ID authentication', SQL Authentication is already enabled. You can check in the Azure portal under the server's 'Authentication' settings.
No, SQL Authentication does not support MFA. To use MFA, you must use Microsoft Entra ID authentication with a client that supports interactive authentication (e.g., SSMS with 'Azure Active Directory - Universal with MFA').
A contained database user is a user that exists only within a specific database and is not tied to a server-level login. For Entra ID authentication, users are always contained. The syntax is `CREATE USER [user@domain.com] FROM EXTERNAL PROVIDER`. For SQL Authentication, users can be contained as well, but typically they are mapped to server logins.
First, ensure the service principal exists in your Entra ID tenant. Then, as an Entra ID admin, connect to the database and run `CREATE USER [app-name] FROM EXTERNAL PROVIDER;`. The service principal can then connect using its client credentials or managed identity.
If you disable SQL Authentication (by switching to 'Microsoft Entra ID only'), existing SQL logins become unusable. You will not be able to connect using those credentials. Only Entra ID users can connect.
Yes, if you select 'Use both SQL and Microsoft Entra ID authentication' during server creation. Both methods are then available. You can have SQL logins and Entra ID users coexisting.
You've just covered Azure SQL Authentication: SQL vs Entra ID — now see how well it sticks with free DP-900 practice questions. Full explanations included, no account needed.
Done with this chapter?