Authenticate with Microsoft Entra ID in sqlcmd

Applies to: SQL Server Azure SQL Database Azure SQL Managed Instance Azure Synapse Analytics Analytics Platform System (PDW) SQL database in Microsoft Fabric

sqlcmd supports a variety of Microsoft Entra authentication models, depending on which version you have installed.

Note

While Microsoft Entra ID is the new name for Azure Active Directory (Azure AD), to prevent disrupting existing environments, Azure AD still remains in some hardcoded elements such as UI fields, connection providers, error codes, and cmdlets. In this article, the two names are interchangeable.

For more information on the difference between sqlcmd versions, see sqlcmd utility.

sqlcmd (Go) supports more Microsoft Entra authentication models, based on the azidentity package. The implementation relies on a Microsoft Entra connector in the go-sqlcmd driver.

Command line arguments

To use Microsoft Entra authentication, you can use one of two command line switches.

-G is (mostly) compatible with its usage in sqlcmd (ODBC). If a username and password are provided, it authenticates using Microsoft Entra password authentication. If a username is provided, it uses Microsoft Entra interactive authentication, which may display a web browser. If no username or password is provided, it uses a DefaultAzureCredential, which attempts to authenticate through various mechanisms.

--authentication-method= can be used to specify one of the following authentication types.

ActiveDirectoryDefault

  • For an overview of the types of authentication this mode uses, see Default Azure Credential.
  • Choose this method if your database automation scripts are intended to run in both local development environments and in a production deployment in Azure. In your development environment, you can use a client secret or an Azure CLI login. Without changing the script from the development environment, you can use a managed identity or client secret on your production deployment.
  • Setting environment variables AZURE_TENANT_ID and AZURE_CLIENT_ID are necessary for DefaultAzureCredential to begin checking the environment configuration and look for one of the following additional environment variables in order to authenticate:
    • Setting environment variable AZURE_CLIENT_SECRET configures the DefaultAzureCredential to choose ClientSecretCredential.
    • Setting environment variable AZURE_CLIENT_CERTIFICATE_PATH configures the DefaultAzureCredential to choose ClientCertificateCredential if AZURE_CLIENT_SECRET isn't set.
  • Setting environment variable AZURE_USERNAME configures the DefaultAzureCredential to choose UsernamePasswordCredential if AZURE_CLIENT_SECRET and AZURE_CLIENT_CERTIFICATE_PATH aren't set.

ActiveDirectoryIntegrated

This method is currently not implemented, and falls back to ActiveDirectoryDefault.

ActiveDirectoryPassword

  • This method authenticates using a username and password. It doesn't work if MFA is required.

  • You provide the user name and password using the usual command line switches or SQLCMD environment variables.

  • Set AZURE_TENANT_ID environment variable to the tenant ID of the server if not using the default tenant of the user.

ActiveDirectoryInteractive

This method launches a web browser to authenticate the user.

ActiveDirectoryManagedIdentity

Use this method when running sqlcmd (Go) on an Azure VM that has either a system-assigned or user-assigned managed identity. If using a user-assigned managed identity, set the user name to the Client ID of the managed identity. If using a system-assigned identity, leave user name empty.

This example shows how to connect using a Service Assigned Managed Identity (SAMI):

-S testsrv.database.windows.net -d Target_DB_or_DW --authentication-method ActiveDirectoryManagedIdentity

This example shows how to connect with a User Assigned Managed Identity (UAMI) by adding the Client Id of the user assigned managed identity:

-S testsrv.database.windows.net -d Target_DB_or_DW --authentication-method ActiveDirectoryManagedIdentity -U <user-assigned-managed-identity-client-id>

ActiveDirectoryServicePrincipal

This method authenticates the provided user name as a service principal ID and the password as the client secret for the service principal. Provide a user name in the form <service principal id>@<tenant id>. Set SQLCMDPASSWORD variable to the client secret. If using a certificate instead of a client secret, set AZURE_CLIENT_CERTIFICATE_PATH environment variable to the path of the certificate file.

Environment variables for Microsoft Entra authentication

Some Microsoft Entra authentication settings don't have command line inputs, and some environment variables are consumed directly by the azidentity package used by sqlcmd (Go).

These environment variables can be set to configure some aspects of Microsoft Entra authentication and to bypass default behaviors. In addition to the variables listed previously, the following are specific to sqlcmd (Go), and apply to multiple methods.

SQLCMDCLIENTID

Set this environment variable to the identifier of an application registered in Microsoft Entra, which is authorized to authenticate to Azure SQL Database. Applies to ActiveDirectoryInteractive and ActiveDirectoryPassword methods.