Exploring SSMA Copilot’s architecture for seamless, trustworthy code migration.
The Problem We Set Out to Solve
Migrating from Oracle PL/SQL to SQL Server T‑SQL is notoriously complex. While SSMA’s rule engine covers hundreds of conversion rules, edge cases, custom logic, and nuanced syntax but it often slips through. Developers end up spending hours manually fixing scripts, validating correctness, and worrying about regressions.
The Copilot was built to tackle this pain point: augment SSMA’s rule engine with large language models (LLMs) that can reason about tricky conversions, explain their logic, and accelerate the migration process. But building trust in AI‑generated code meant we had to design an architecture that was controllable, reliable, and secure.
SSMA Code Conversion Copilot was released back in the month of May and some of the use cases are elaborated here. This blog talks about the inner working of Copilot.
⚙️ Semantic Kernel for Skill / Plugin Management
At the heart of SSMA Copilot lies Semantic Kernel, Microsoft’s open‑source framework for integrating LLMs. It offers two big capabilities:
- Prompt management — defining prompts as reusable “skills” with parameters like model, temperature, and token count.
- Agentic orchestration — automating workflows by chaining tools and prompts together.
For Copilot, we deliberately chose only prompt management at this point. We have also added native skills such as checking the correctness of syntax and semantics but have not used agentic orchestration for the current implementation.
❌ Why Not Agentic Features?
Agentic orchestration can be powerful, but in practice it wasn’t reliable enough for production migrations. Tool selection logic sometimes failed, leading to incorrect validations or spurious edits. Moreover, we saw an issue with latency. Instead, we implemented a deterministic workflow that gave us full control.
✅ Manual Orchestration Workflow
Our workflow looks like this (please refer to the diagram):
- Partial Migration: SSMA generates a baseline conversion.
- Copilot Authentication: The Copilot is authenticated using the inputs provided by the user. This is where the model is also decided. Alternately, the user can use the managed endpoint that is controlled by Microsoft.
- LLM Completion: Copilot fills in gaps. Moreover, it explains the solution, points out the error that it is trying to resolve in simple language.
- Parsing & Compilation: A target‑dialect parser checks syntax. This catches unsupported constructs or binding issues far more reliably than prompt tuning.
- Spurious Edit Detection: LLMs are instructed to only enhance flagged portions of code. Any edits to “correct” blocks incur penalties, with a strict threshold of zero spurious edits allowed.
- Query Execution & Data Generation: Where possible, we generate minimal synthetic data (two rows per table) to validate equivalence between source and target queries.
- Semantic Equivalence Checks: For cases where execution isn’t feasible, we use LLM‑based scoring to judge logical fidelity.
This loop repeats until syntactic and semantic correctness is achieved. By using this workflow, we avoided regression spirals and ensured predictable outcomes across dialects. This workflow was tested using our built-in evaluation framework which has leveraged the rich test cases of SSMA.
🔑 Feature Comparison
Managed Endpoint Authentication was released with SSMA 10.4 in November 2025.
|
|
Managed Endpoint |
BYOK |
|
Provisioning OpenAI Endpoint |
No |
Yes |
|
LLM Model Selection |
Automatic |
Manual |
|
Authentication |
Mandatory Entra ID |
OpenAI Endpoint and Key |
|
Private Endpoint Support |
No |
Yes |
|
Cross Tenant Dependency* |
Yes |
No |
|
Pricing |
Free |
Consumption in actuals |
*Cross Tenant Dependency: The endpoint is hosted in Microsoft tenant while the authentication happens in the user tenant.
🔒 Privacy and Data Handling
A critical point: we don’t store your data. The scripts you provide are used only for generating the migration output. Once the process completes, the data is flushed. No proprietary code or schema information is retained.
This design ensures:
- Security: We run OpenAI in Microsoft tenant following all security protocols.
- Trust: Copilot is a tool, not a repository.
- Compliance: Aligns with enterprise privacy expectations.
🌟 Why This Matters
By combining Semantic Kernel framework, SSMA Copilot delivers reliable migrations without sacrificing flexibility. And with the managed endpoint, it’s now easier and safer than ever to adopt — no keys, no storage, no friction.
This isn’t just about faster migrations. It’s about building trust in AI‑assisted workflows, ensuring correctness, and giving enterprises confidence that their data is secure.
Get started with your Copilot based migration journey using SSMA for Oracle
Microsoft