Creating a Custom OAuth Application

SQL Server supports authentication using Azure AD and Azure Service Principal, both of which are OAuth-based.

This topic describes how to:

• create and register custom OAuth application for Azure AD or Azure Service Principal
• create a custom OAuth application for use with client credentials

Azure AD

In portal.azure.com:

1. Log in to https://portal.azure.com.
2. In the left-hand navigation pane, select Azure Active Directory, then applicationRegistrations.
3. Click New registration.
4. Enter a name for the application.
5. Select the desired tenant setup: single- or multi-tenant, and public or private use.
   • If you select the default option, "Accounts in this organizational directory only", you must set the AzureTenant connection property to the Id of the Azure AD Tenant when establishing a connection with the SQL Server Adapter. Otherwise, the authentication attempt fails with an error.
   • If your application is for private use only, specify Accounts in this organization directory only.
   • If you want to distribute your application, choose one of the multi-tenant options.

6. Set the redirect url to http://localhost:33333 (the adapter's default) OR specify a different port and set CallbackURL to the exact reply URL you defined.
7. Click Register to register the new application. An application management screen displays.
   Note the value in Application (client) ID as the OAuthClientId and the Directory (tenant) ID as the AzureTenant.
8. Navigate to Certificates & Secrets and define the application authentication type. There are two types of authentication available: certificate (recommended) or client secret.
   • For certificate authentication: In Certificates & Secrets, select Upload certificate, then upload the certificate from your local machine.
   • For creating a new client secret: In Certificates & Secrets, select New Client Secret for the application and specify its duration. After the client secret is saved, SQL Server displays the key value. Copy this value, as it is displayed only once. This value becomes the OAuthClientSecret.

9. Select API Permissions > Add > Delegated permissions.
10. Save your changes.
11. If you have specified the use of permissions that require admin consent (such as the Application Permissions), you can grant them from the current tenant on the API Permissions page.
12. Set the AuthScheme to AzureAD. This is required to create users for the OAuth app.
13. Add the user to the database by running: CREATE USER [OAuth_APP] FROM EXTERNAL PROVIDER. This command must be run by the SQL Active Directory admin asssigned to the SQL Server instance.
14. Enable the Directory readers role for the Active Directory admin user.

Azure Service Principal

To use Azure Service Principal authentication, you must set up the ability to assign a role to the authentication application, then register an application with the Azure AD tenant to create a new Service Principal. That new Service Principal can then leverage the assigned role-based access control to access resources in your subscription.

In portal.azure.com:

1. Create a custom OAuth AD application, as described above.
2. Use the search bar to search for the Subscriptions service.
3. Open the Subscriptions page.
4. Select the subscription to which to assign the application.
5. Open the Access control (IAM).
6. Select Add > Add role assignment. SQL Server opens the Add role assignment page.
7. Assign your custom Azure AD application the role of Owner.

Consent for Client Credentials

OAuth supports the use of client credentials to authenticate. In a client credentials OAuth flow, credentials are created for the authenticating application itself. The auth flow acts just like the usual auth flow except that there is no prompt for an associated user to provide credentials. All tasks accepted by the application are executed outside of the context of a default user.

Note: Since the embedded OAuth credentials authenticate on a per-user basis, you cannot use them in a client OAuth flow. You must always create a custom OAuth application to use client credentials.

In portal.azure.com:

1. Create a custom OAuth application, as described above.
2. Navigate to App Registrations.
3. Find the application you just created, and open API Permissions.
4. Select the Microsoft Graph permissions. There are two distinct sets of permissions: Delegated and Application.
5. Under Application Permissions, select the permissions you require for your integration.

Client OAuth Flow With a Certificate

All permissions related to the client OAuth flow require admin consent. This means the application embedded with the SQL Server Adapter cannot be used in the client OAuth flow. You must create your own OAuth application in order to use client credentials, as described above.

After your OAuth application is created:

1. Return to portal.azure.com.
2. Navigate to App Registration.
3. Find the application you just created.
4. Under API Permissions, select the Microsoft Graph permissions.
   There are two distinct sets of permissions: Delegated permissions and Application permissions. The permissions used during client credential authentication are under Application Permissions.
5. Select the permissions that apply to your particular integration.

Creating a Custom OAuth Application

SQL Server supports authentication using Azure AD and Azure Service Principal, both of which are OAuth-based.

This topic describes how to:

• create and register custom OAuth application for Azure AD or Azure Service Principal
• create a custom OAuth application for use with client credentials

Azure AD

In portal.azure.com:

1. Log in to https://portal.azure.com.
2. In the left-hand navigation pane, select Azure Active Directory, then applicationRegistrations.
3. Click New registration.
4. Enter a name for the application.
5. Select the desired tenant setup: single- or multi-tenant, and public or private use.
   • If you select the default option, "Accounts in this organizational directory only", you must set the AzureTenant connection property to the Id of the Azure AD Tenant when establishing a connection with the SQL Server Adapter. Otherwise, the authentication attempt fails with an error.
   • If your application is for private use only, specify Accounts in this organization directory only.
   • If you want to distribute your application, choose one of the multi-tenant options.

6. Set the redirect url to http://localhost:33333 (the adapter's default) OR specify a different port and set CallbackURL to the exact reply URL you defined.
7. Click Register to register the new application. An application management screen displays.
   Note the value in Application (client) ID as the OAuthClientId and the Directory (tenant) ID as the AzureTenant.
8. Navigate to Certificates & Secrets and define the application authentication type. There are two types of authentication available: certificate (recommended) or client secret.
   • For certificate authentication: In Certificates & Secrets, select Upload certificate, then upload the certificate from your local machine.
   • For creating a new client secret: In Certificates & Secrets, select New Client Secret for the application and specify its duration. After the client secret is saved, SQL Server displays the key value. Copy this value, as it is displayed only once. This value becomes the OAuthClientSecret.

9. Select API Permissions > Add > Delegated permissions.
10. Save your changes.
11. If you have specified the use of permissions that require admin consent (such as the Application Permissions), you can grant them from the current tenant on the API Permissions page.
12. Set the AuthScheme to AzureAD. This is required to create users for the OAuth app.
13. Add the user to the database by running: CREATE USER [OAuth_APP] FROM EXTERNAL PROVIDER. This command must be run by the SQL Active Directory admin asssigned to the SQL Server instance.
14. Enable the Directory readers role for the Active Directory admin user.

Azure Service Principal

To use Azure Service Principal authentication, you must set up the ability to assign a role to the authentication application, then register an application with the Azure AD tenant to create a new Service Principal. That new Service Principal can then leverage the assigned role-based access control to access resources in your subscription.

In portal.azure.com:

1. Create a custom OAuth AD application, as described above.
2. Use the search bar to search for the Subscriptions service.
3. Open the Subscriptions page.
4. Select the subscription to which to assign the application.
5. Open the Access control (IAM).
6. Select Add > Add role assignment. SQL Server opens the Add role assignment page.
7. Assign your custom Azure AD application the role of Owner.

Consent for Client Credentials

OAuth supports the use of client credentials to authenticate. In a client credentials OAuth flow, credentials are created for the authenticating application itself. The auth flow acts just like the usual auth flow except that there is no prompt for an associated user to provide credentials. All tasks accepted by the application are executed outside of the context of a default user.

Note: Since the embedded OAuth credentials authenticate on a per-user basis, you cannot use them in a client OAuth flow. You must always create a custom OAuth application to use client credentials.

In portal.azure.com:

1. Create a custom OAuth application, as described above.
2. Navigate to App Registrations.
3. Find the application you just created, and open API Permissions.
4. Select the Microsoft Graph permissions. There are two distinct sets of permissions: Delegated and Application.
5. Under Application Permissions, select the permissions you require for your integration.

Client OAuth Flow With a Certificate

All permissions related to the client OAuth flow require admin consent. This means the application embedded with the SQL Server Adapter cannot be used in the client OAuth flow. You must create your own OAuth application in order to use client credentials, as described above.

After your OAuth application is created:

1. Return to portal.azure.com.
2. Navigate to App Registration.
3. Find the application you just created.
4. Under API Permissions, select the Microsoft Graph permissions.
   There are two distinct sets of permissions: Delegated permissions and Application permissions. The permissions used during client credential authentication are under Application Permissions.
5. Select the permissions that apply to your particular integration.