Many of us might prefer to connect to Azure SQL Server using a custom domain name (like devsqlserver.mycompany.com) rather than the default fully qualified domain name (devsqlserver.database.windows.net), often because of application-specific or compliance reasons. This article details how you can accomplish this when logging in with Microsoft Entra ID (for example, user@mycompany.com) in Azure SQL Database specific environment. Frequently, users encounter errors similar to the one described below during this process.
Before you start: If you use SQL authentication (SQL username/password), the steps are different. Refer the following article for that scenario:
How to use different domain name to connect to Azure SQL DB Server | Microsoft Community Hub
With SQL authentication, you can include the server name in the login (for example, username@servername). With Microsoft Entra ID authentication, you don’t do that—so your custom DNS name must follow one important rule.
Key requirement for Microsoft Entra ID authentication
In an Azure SQL Database (PaaS) environment, the platform relies on the server name portion of the Fully Qualified Domain Name (FQDN) to correctly route incoming connection requests to the appropriate logical server.
When you use a custom DNS name, it is important that the name starts with the exact Azure SQL server name (the part before .database.windows.net).
Why this is required:
- Azure SQL Database is a multi-tenant PaaS service, where multiple logical servers are hosted behind shared infrastructure.
- During the connection process (especially with Microsoft Entra ID authentication), Azure SQL uses the server name extracted from the FQDN to:
- Identify the correct logical server
- Route the connection internally within the platform
- Validate the authentication context
This behavior aligns with how Azure SQL endpoints are designed and resolved within Microsoft’s managed infrastructure.
If your custom DNS name doesn’t start with the Azure SQL server name, Azure can’t route the connection to the correct server. Sign-in may fail and you might see error 40532 (as shown above). To fix this, change the custom DNS name so it starts with your Azure SQL server name.
Example: if your server is devsqlserver.database.windows.net, your custom name must start with 'devsqlserver'
devsqlserver.mycompany.com
devsqlserver.contoso.com
devsqlserver.mydomain.com
Step-by-step: set up and connect
- Pick the custom name. It must start with your server name. Example: use devsqlserver.mycompany.com (not othername.mycompany.com).
- Create DNS records for the custom name. Create a CNAME or DNS alias to point the custom name to your Azure SQL server endpoint (public) or to the private endpoint IP (private) as per the blog mentioned above.
- Check DNS from your computer. Make sure devsqlserver.mycompany.com resolves to the right address before you try to connect.
- Connect with Microsoft Entra ID. In SSMS/Azure Data Studio, set Server to your custom server name and select a Microsoft Entra ID authentication option (for example, Universal with MFA).
- Sign in and connect. Use your Entra ID (for example, user@mycompany.com).
Example:
Also, when you connect to Azure SQL Database using a custom domain name, you might see the following error:
“The target principal name is incorrect”
Example:
This happens because Azure SQL’s SSL/TLS certificate is issued for the default server name (for example, servername.database.windows.net), not for your custom DNS name.
During the secure connection process, the client validates that the server name you are connecting to matches the name in the certificate. Since the custom domain does not match the certificate, this validation fails, resulting in the error.
This is expected behavior and is part of standard security checks to prevent connecting to an untrusted or impersonated server.
To proceed with the connection, you can configure the client to trust the server certificate by:
- Setting Trust Server Certificate = True in the client settings, or
- Adding TrustServerCertificate=True in the connection string
This bypasses the strict name validation and allows the connection to succeed.
Note: Please use the latest client drivers (ODBC/JDBC/.NET, etc.). In some old driver versions, the 'TrustServerCertificate' setting may not work properly, and you may still face connection issues with the same 'target principal name is incorrect' error. So, it is always better to keep drivers updated for smooth connectivity with Azure SQL.
Applies to both public and private endpoints: This naming requirement and approach work whether you connect over the public endpoint or through a private endpoint for Azure SQL Database scenario, as long as DNS resolution for the custom name is set up correctly for your network.
Microsoft