Authentication in SQL database in Microsoft Fabric
Applies to: ✅ SQL database in Microsoft Fabric
This article explains authentication for SQL databases.
Like other Microsoft Fabric item types, SQL databases rely on Microsoft Entra authentication.
To successfully authenticate to a SQL database, a Microsoft Entra user, a service principal, or their group, must have the Read item permission for the database in Fabric. For information on how to grant a Microsoft Entra identity access to a Fabric workspace or a specific database, see Fabric access controls.
To find the connection string to your SQL database in Fabric, see Connect to your SQL database in Microsoft Fabric.
Note
To enable service principals to connect to Fabric and to SQL databases, you also need to enable the Service principals can use Fabric APIs Fabric tenant setting. To learn how to enable tenant settings, see Fabric Tenant settings.
Connect to a SQL database using Microsoft Entra authentication
You can connect to a database using Microsoft Entra authentication with:
- SQL tools that support Microsoft Entra authentication, including SQL Server Management Studio and the mssql extension with Visual Studio Code.
- Applications that use SQL client drivers supporting Microsoft Entra authentication, including SqlClient, JDBC, ODBC, and OLE DB.
Applications and tools must upgrade drivers to versions that support Microsoft Entra authentication and add an authentication mode keyword in their SQL connection string, like ActiveDirectoryInteractive, ActiveDirectoryServicePrincipal, or ActiveDirectoryPassword.
Create database users for Microsoft Entra identities
If you plan to configure SQL access controls with Transact-SQL, you first need to create database users corresponding to your Microsoft Entra users, service principals, or their groups.
Creating database users isn't required if you use Fabric access controls (workspace roles or item permissions).
For more information about database user management, see:
- CREATE USER (Transact-SQL) (WITH EXTERNAL PROVIDER), ALTER USER (Transact-SQL), and DROP USER (Transact-SQL)
- Create a database user
- Microsoft Entra logins and users with nonunique display names (preview)
Private links
To configure private links in Fabric, see Set up and use private links.
Limitations
- Microsoft Entra ID is the only identity provider SQL database in Fabric supports. Specifically, SQL authentication isn't supported.
- Logins (server principals) aren't supported.
- Only Microsoft Entra users can create database user objects (with CREATE USER (Transact-SQL)) corresponding to Microsoft Entra identities - Microsoft Entra service principals can't.