Generating Azure Credentials

This article explains how to create the Application (Client) ID and Client Secret required for Azure Active Directory (Azure AD) authentication using a service principal.

You will use these values as:

  • Username → Application (Client) ID
  • Password → Client Secret

Prerequisites

  • An Azure account
  • Permission to create app registrations in Azure Active Directory
  • Access to the Azure Portal

Step 1: Open Azure Active Directory

  1. Sign in to the Azure Portal: https://portal.azure.com
  2. In the left-hand navigation, select Azure Active Directory
  3. Select App registrations

Step 2: Register a new application

  1. Click New registration
  2. Enter a Name (for example: Database Access App)
  3. For Supported account types, select:
    • Accounts in this organizational directory only (Single tenant)
      (recommended for database access)
  4. Leave Redirect URI empty
  5. Click Register

Step 3: Copy the Application (Client) ID

After registration:

  1. Open the application Overview page
  2. Copy the value labeled Application (client) ID

This value is your Client ID and will be used as the Username when configuring the database connection.


Step 4: Create a Client Secret

  1. In the application menu, select Certificates & secrets
  2. Under Client secrets, click New client secret
  3. Enter a Description (for example: Database Access Secret)
  4. Choose an Expiration period
  5. Click Add

⚠️ Important:
Copy the secret value immediately. It will not be shown again.

This value is your Client Secret and will be used as the Password.


Step 5: Grant database access to the application

The application must be granted access to the target database.

For Azure SQL Database / Managed Instance

  1. Connect to the database as an administrator
  2. Create a user for the Azure AD application
  3. Grant the required database roles (for example db_datareader, db_datawriter, or custom roles)

The exact permissions depend on your security requirements.
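
The three steps above in T-SQL, as an added example that is not part of the original article. It assumes the app registration is named Database Access App (the example name from Step 2); the schema sales and the role app_orders_rw are hypothetical. Run it in the target database over a connection that is itself authenticated with Azure AD (for example as the server's Azure AD admin), because a SQL-authenticated login cannot create users FROM EXTERNAL PROVIDER.

```sql
-- Added example; names other than [Database Access App] are hypothetical.

-- 1. Create a contained database user mapped to the service principal.
--    The name must match the app registration's display name.
CREATE USER [Database Access App] FROM EXTERNAL PROVIDER;

-- 2a. Broad option: built-in roles apply to every table in the database.
-- ALTER ROLE db_datareader ADD MEMBER [Database Access App];
-- ALTER ROLE db_datawriter ADD MEMBER [Database Access App];

-- 2b. Least-privilege option: a custom role scoped to a single schema.
CREATE ROLE app_orders_rw;
GRANT SELECT, INSERT, UPDATE ON SCHEMA::sales TO app_orders_rw;
ALTER ROLE app_orders_rw ADD MEMBER [Database Access App];

-- 3. Verify the principal exists and is an external (Azure AD) user.
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals
WHERE name = N'Database Access App';

-- 4. Review which roles the application is a member of.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'Database Access App';

-- 5. Review what the custom role is actually allowed to do.
SELECT pr.name AS grantee,
       pe.permission_name,
       pe.state_desc,
       SCHEMA_NAME(pe.major_id) AS schema_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'app_orders_rw'
  AND pe.class_desc = N'SCHEMA';
```

Queries 3 to 5 are read-only and can be rerun during access reviews to confirm the application has not accumulated extra role memberships.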


Step 6: Use the values in the connection configuration

When configuring the database connection:

  • Enable Azure AD Authentication
  • Set Username to the Application (Client) ID
  • Set Password to the Client Secret

No interactive sign-in is required.


Common mistakes and troubleshooting

Client Secret expired

  • Create a new client secret and update the connection configuration

Authentication fails

  • Verify the Application ID and Secret are correct
  • Confirm the application has database-level permissions
  • Ensure the database allows Azure AD authentication

Using the wrong authentication type

  • Only service principal–based Azure AD authentication is supported
  • Interactive login, Managed Identity, and Windows authentication are not supported

Security best practices

  • Store client secrets securely
  • Rotate secrets before they expire
  • Use the minimum required database permissions
  • Do not share client secrets in source code or documentation

Summary

You now have:

  • Application (Client) ID → used as username
  • Client Secret → used as password

These credentials allow secure, non-interactive authentication to Azure-hosted databases using Azure Active Directory.