|
| 1 | +--- |
| 2 | +title: "Enable Microsoft Entra Authentication for SQL Server on Windows Without Azure Arc" |
| 3 | +description: Tutorial on how to set up Microsoft Entra authentication for SQL Server without Azure Arc |
| 4 | +author: PratimDasgupta |
| 5 | +ms.author: prdasgu |
| 6 | +ms.reviewer: vanto |
| 7 | +ms.date: 05/09/2025 |
| 8 | +ms.service: sql |
| 9 | +ms.subservice: security |
| 10 | +ms.topic: tutorial |
| 11 | +monikerRange: ">=sql-server-ver16 || >=sql-server-linux-ver16" |
| 12 | +--- |
| 13 | + |
| 14 | +# Tutorial: Enable Microsoft Entra authentication for SQL Server on Windows without Azure Arc |
| 15 | + |
| 16 | +[!INCLUDE [SQL Server 2022](../../../includes/applies-to-version/sqlserver2022.md)] |
| 17 | + |
| 18 | +This article describes how to authenticate with Microsoft Entra ID without setting up Azure Arc for your on-premises SQL Server 2022 and later versions. Microsoft Entra authentication is a cloud-based identity management service that provides secure access to SQL Server databases. This tutorial guides you through the process of setting up Microsoft Entra authentication for SQL Server on Windows without Azure Arc. |
| 19 | + |
| 20 | +[!INCLUDE [entra-id](../../../includes/entra-id.md)] |
| 21 | + |
| 22 | +In this tutorial, you learn how to: |
| 23 | + |
| 24 | +> [!div class="checklist"] |
| 25 | +> - Add a certificate for SQL Server. |
| 26 | +> - Install adal.dll used for connecting to SQL Server. |
| 27 | +> - Create and register a Microsoft Entra ID application. |
| 28 | +> - Grant application permissions. |
| 29 | +> - Upload the certificate to the application. |
| 30 | +> - Add registry values to enable Microsoft Entra authentication for SQL Server. |
| 31 | +
|
| 32 | +## Prerequisites |
| 33 | + |
| 34 | +- An on-premises SQL Server 2022 or later version. |
| 35 | +- An active [Microsoft Entra ID](/entra/fundamentals/whatis) tenant. |
| 36 | +- This setup uses an application registration to associate SQL Server with Microsoft Entra ID. Follow the guide to [register an application](/entra/identity-platform/quickstart-register-app#register-an-application) in Microsoft Entra ID. |
| 37 | +- Verify that the SQL Server has network connectivity to Azure, specifically to the following Microsoft Entra ID service and addresses: |
| 38 | + - login.windows.net. |
| 39 | + - login.microsoftonline.com. |
| 40 | + - graph.microsoft.com. |
| 41 | + - graph.windows.net. |
| 42 | + - database.windows.net. |
| 43 | + - The full list of IP addresses and URLs aren't needed, but can be found in the article, [Microsoft 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges). |
| 44 | + |
| 45 | +## Obtain a certificate |
| 46 | + |
| 47 | +1. Obtain a certificate to use for the SQL Server and import it into the computer certificate store. We recommend a CA signed certificate. |
| 48 | + 1. Use a unique CN name for the certificate that doesn't match any certificates installed in the certificate store. |
| 49 | + 1. Install the certificate in the computer certificate store. For more information, see [Import the certificate into the local computer store](/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/install-imported-certificates#import-the-certificate-into-the-local-computer-store). |
| 50 | + 1. Add `Read` permissions for the SQL Server service account on the certificate. |
| 51 | + |
| 52 | + :::image type="content" source="media/microsoft-entra-authentication-sql-server-enable-without-arc/certificate-permissions.png" alt-text="Screenshot of the Permissions properties of a certificate."::: |
| 53 | + |
| 54 | +## Install adal.dll |
| 55 | + |
| 56 | +1. Install **adal.dll** for SQL Server. This library is needed for connecting to your SQL Server with Microsoft Entra authentication. You can get **adal.dll** from the latest [Microsoft OLE DB Driver for SQL Server](/sql/connect/oledb/download-oledb-driver-for-sql-server) install. |
| 57 | + |
| 58 | +1. After installing the Microsoft OLE DB Driver for SQL Server, make sure that **adal.dll** is in the folder `C:\windows\system32`. |
| 59 | + |
| 60 | +1. You should also have the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSADALSQL\TargetDir` with the value `C:\windows\system32\adal.dll`. If it doesn't exist, create it. |
| 61 | + |
| 62 | + :::image type="content" source="media/microsoft-entra-authentication-sql-server-enable-without-arc/adal-registry.png" alt-text="Screenshot of the registry key for adal.dll."::: |
| 63 | + |
| 64 | + For more information on Windows registry, see [Windows registry information for advanced users](/troubleshoot/windows-server/performance/windows-registry-advanced-users). |
| 65 | + |
| 66 | +## Create and register a Microsoft Entra ID application |
| 67 | + |
| 68 | +- Go to the [Azure portal](https://portal.azure.com), select **Microsoft Entra ID** > **App Registrations** > **New Registration**. |
| 69 | + 1. Specify a name - The example in this article uses *SQLServerCTP1*. |
| 70 | + 1. Select **Supported account types** and use **Accounts in this organization directory only** |
| 71 | + 1. Don't set a redirect URI |
| 72 | + 1. Select **Register** |
| 73 | + |
| 74 | +See the application registration below: |
| 75 | + |
| 76 | +:::image type="content" source="media/microsoft-entra-authentication-sql-server-enable-without-arc/register-app.png" alt-text="Screenshot of registering application in the Azure portal."::: |
| 77 | + |
| 78 | +## Grant application permissions |
| 79 | + |
| 80 | +Select the newly created application, and on the left side menu, select **API Permissions**. |
| 81 | + |
| 82 | +1. Select **Add a permission** > **Microsoft Graph** > **Application permissions** |
| 83 | + 1. Check **Directory.Read.All** |
| 84 | + 1. Select **Add permissions** |
| 85 | + |
| 86 | +1. Select **Add a permission** > **Microsoft Graph** > **Delegated permissions** |
| 87 | + 1. Check **Application.Read.All** |
| 88 | + 1. Check **Directory.AccessAsUser.All** |
| 89 | + 1. Check **Group.Read.All** |
| 90 | + 1. Check **User.Read.All** |
| 91 | + 1. Select **Add permissions** |
| 92 | + |
| 93 | +1. Select **Grant admin consent** |
| 94 | + |
| 95 | +:::image type="content" source="media/microsoft-entra-authentication-sql-server-enable-without-arc/configured-app-permissions.png" alt-text="Screenshot of application permissions in the Azure portal."::: |
| 96 | + |
| 97 | +> [!NOTE] |
| 98 | +> To grant **Admin consent** to the permissions above, your Microsoft Entra account requires the Privileged Role Administrator role or higher permissions. |
| 99 | +
|
| 100 | +## Upload the certificate |
| 101 | + |
| 102 | +Upload the certificate you created in the section [Obtain a certificate](#obtain-a-certificate) in the `.cer` or `.pem` format to the application registration in the Azure portal. |
| 103 | + |
| 104 | +:::image type="content" source="media/microsoft-entra-authentication-sql-server-enable-without-arc/upload-certificate.png" alt-text="Screenshot uploading a certificate for the application in the Azure portal."::: |
| 105 | + |
| 106 | +## Add registry values to enable Microsoft Entra authentication for SQL Server |
| 107 | + |
| 108 | +Update the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL<version-number>.<instance-name>\MSSQLServer\FederatedAuthentication` with the following values to enable Microsoft Entra authentication for SQL Server. An example of the registry key path for SQL Server 2022 is `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQLServer\FederatedAuthentication`. |
| 109 | + |
| 110 | +> [!WARNING] |
| 111 | +> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft can't guarantee that these problems can be solved. Modify the registry at your own risk. |
| 112 | +
|
| 113 | +- If the `FederatedAuthentication` key doesn't exist, create it with all of the following values. |
| 114 | +- The first five entries listed need to be updated with the values from the application you created in the previous section. The rest of the entries are default values. |
| 115 | +- The `<sql-server-certificate-name>` is the name of the certificate you created in the section [Obtain a certificate](#obtain-a-certificate) and uploaded to Azure. |
| 116 | +- The `<application-client-id>` is the **Application (client) ID** from the application you created in the section [Create and register a Microsoft Entra ID application](#create-and-register-a-microsoft-entra-id-application). For more information on finding the client ID, see [Client ID](/entra/identity-platform/msal-client-application-configuration#client-id). |
| 117 | +- The `<tenant-id>` is the tenant ID from your Azure tenant. You can find the tenant ID in the Azure portal under **Microsoft Entra ID** > **Overview**. |
| 118 | + |
| 119 | +```plaintext |
| 120 | +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL<version-number>.<instance-name>\MSSQLServer\FederatedAuthentication] |
| 121 | +
|
| 122 | +"AADCertSubjectName"="<sql-server-certificate-name>" |
| 123 | +"AADTenantSpecificSQLServicePrincipalCertSubjectName"="<sql-server-certificate-name>" |
| 124 | +"ClientId"="<application-client-id>" |
| 125 | +"AADTenantSpecificSQLServicePrincipalClientId"="<application-client-id>" |
| 126 | +"PrimaryAADTenant"="<tenant-id>" |
| 127 | +"AADChannelMaxBufferedMessageSize"="200000" |
| 128 | +"AADGraphEndPoint"="graph.windows.net" |
| 129 | +"AADGroupLookupMaxRetryAttempts"="10" |
| 130 | +"AADGroupLookupMaxRetryDuration"="30000" |
| 131 | +"AADGroupLookupRetryInitialBackoff"="100" |
| 132 | +"AuthenticationEndpoint"="login.microsoftonline.com" |
| 133 | +"CacheMaxSize"="300" |
| 134 | +"FederationMetadataEndpoint"="login.windows.net" |
| 135 | +"GraphAPIEndpoint"="graph.windows.net" |
| 136 | +"IssuerURL"="https://sts.windows.net/" |
| 137 | +"MsGraphEndPoint"="graph.microsoft.com" |
| 138 | +"OnBehalfOfAuthority"="https://login.windows.net/" |
| 139 | +"SendX5c"="false" |
| 140 | +"ServicePrincipalName"="https://database.windows.net/" |
| 141 | +"ServicePrincipalNameForArcadia"="https://sql.azuresynapse.net" |
| 142 | +"ServicePrincipalNameForArcadiaDogfood"="https://sql.azuresynapse-dogfood.net" |
| 143 | +"ServicePrincipalNameNoSlash"="https://database.windows.net" |
| 144 | +"STSURL"="https://login.windows.net/" |
| 145 | +"ClientCertBlackList"="" |
| 146 | +``` |
| 147 | + |
| 148 | +For more information on Windows registry, including backing up, editing, and restoring registry keys, see [Windows registry information for advanced users](/troubleshoot/windows-server/performance/windows-registry-advanced-users). |
| 149 | + |
| 150 | +## Testing authentication |
| 151 | + |
| 152 | +After setting up the server and editing the registry values, Microsoft Entra authentication should be functional. Test the setup by creating logins using the following T-SQL commands: |
| 153 | + |
| 154 | +```sql |
| 155 | +CREATE LOGIN [<admin@domain.com>] FROM EXTERNAL PROVIDER |
| 156 | +``` |
| 157 | + |
| 158 | +## Common issues |
| 159 | + |
| 160 | +You might see the following error: |
| 161 | + |
| 162 | +`Keyset does not exist (AdalDll) with error code: 21` |
| 163 | + |
| 164 | +This error could be due to permission issues on the certificate. Make sure that the SQL Server service account has `Read` permissions on the certificate. If the issue persists, make sure that the certificate has a unique CN name that doesn't match any other certificates in the certificate store. |
| 165 | + |
| 166 | +## Related content |
| 167 | + |
| 168 | +- [Tutorial: Set up Microsoft Entra authentication for SQL Server](azure-ad-authentication-sql-server-setup-tutorial.md) |
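Review bot: In "Obtain a certificate", step 3 ("Add `Read` permissions for the SQL Server service account on the certificate") should say that the permission is on the certificate's private key (the Manage Private Keys dialog), because the `Keyset does not exist (AdalDll) with error code: 21` error in "Common issues" is a private-key access failure, and a reader who only adjusts the certificate object will still hit it. It is also worth stating that only the service account should get that access: the certificate uploaded in "Upload the certificate" is the credential of an application that holds `Directory.Read.All`, so any account that can read the private key can authenticate as that application. In "Add registry values to enable Microsoft Entra authentication for SQL Server", say whether the SQL Server service must be restarted for the new `FederatedAuthentication` values to take effect; as written, readers go straight from the registry edit to the `CREATE LOGIN` test. Smaller points: "Create and register a Microsoft Entra ID application" opens with a `-` bullet wrapping a numbered sub-list, unlike the `1.` procedure style used elsewhere, and the "Supported account types", "redirect URI" and "Register" sub-items lack terminal periods; `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSADALSQL\TargetDir` is a value under the `MSADALSQL` key rather than a key itself; "The full list of IP addresses and URLs aren't needed" should read "isn't needed"; and "Testing authentication" announces "the following T-SQL commands" but shows a single statement, which should end with a semicolon (`CREATE LOGIN [<admin@domain.com>] FROM EXTERNAL PROVIDER;`). Consider adding that creating the login exercises the server's directory lookup, while connecting to the instance with that Microsoft Entra identity is the end-to-end test.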