Home
%3CLINGO-SUB%20id%3D%22lingo-sub-1269735%22%20slang%3D%22en-US%22%3EAzure%20AD%20pass-through%20and%20password%20hash%20authentication%20support%20for%20SQL%20DB%2C%20DW%20and%20Managed%20Instance%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1269735%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20announcing%20support%20for%20Azure%20AD%20pass-through%20and%20password%20hash%20authentication%20for%20Azure%20SQL%20DB%20(single%20database%20and%20database%20pools)%2C%20Managed%20Instance%2C%20and%20Azure%20Synapse%20(formerly%20SQL%20DW).%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EAzure%20AD%20password%20hash%20authentication%3C%2FSTRONG%3E%20is%20the%20simplest%20way%20to%20enable%20authentication%20for%20on-premises%20Active%20Directory%20users%20in%20Azure%20AD.%20Users%20are%20synchronized%20with%20Azure%20AD%20and%20password%20validation%20occurs%20in%20the%20cloud%20using%20the%20same%20username%20and%20password%20that%20is%20used%20in%20on-premises%20environments.%20No%20additional%20infrastructure%20is%20required.%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EAzure%20AD%20pass-through%20authentication%3C%2FSTRONG%3E%20provides%20a%20password%20validation%20mechanism%20that%20validate%20users%20directly%20with%20on-premises%20Active%20Directory%2C%20outside%20the%20cloud.%20Pass-through%20authentication%20does%20not%20require%20ADFS%20or%20other%20third-party%20federation%20services.%3C%2FLI%3E%0A%3CLI%3EEach%20of%20these%20authentication%20methods%20can%20be%20configured%20by%20Azure%20AD%20Connect%2C%20allowing%20you%20to%20provision%20users%20in%20the%20cloud.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EAzure%20AD%20pass-through%20and%20password%20hash%20authentication%20are%20both%20part%20of%20the%20AAD%20hybrid%20authentication%20solution.%20See%20the%20article%2C%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Factive-directory%2Fhybrid%2Fchoose-ad-authn%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EChoose%20the%20right%20authentication%20method%20for%20your%20Azure%20Active%20Directory%20hybrid%20identity%20solution%3C%2FA%3E.%20Both%20authentication%20methods%20support%20seamless%20single%20sign-on%20authentication%2C%20allowing%20users%20to%20authenticate%20with%20Azure%20SQL%20using%20integrated%20authentication%20with%20Windows%20credentials.%3C%2FP%3E%0A%3CP%3EFor%20information%20on%20setting%20up%20and%20synchronizing%20Azure%20AD%20hybrid%20identities%2C%20see%20the%20following%20articles%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EPassword%20hash%20authentication%20-%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Factive-directory%2Fhybrid%2Fhow-to-connect-password-hash-synchronization%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EImplement%20password%20hash%20synchronization%20with%20Azure%20AD%20Connect%20sync%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EPass-through%20authentication%20-%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Factive-directory%2Fhybrid%2Fhow-to-connect-pta-quick-start%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Active%20Directory%20Pass-through%20Authentication%3C%2FA%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EBefore%20connecting%20with%20Azure%20SQL%2C%20a%20proper%20Azure%20AD%20setup%20for%20Azure%20AD%20pass-through%20and%20password%20hash%20authentication%20must%20be%20executed%2C%20according%20to%20the%20above%20documentation.%20This%20will%20allow%20users%20to%20be%20synchronized%20with%20Azure%20AD%20and%20have%20access%20to%20the%20Azure%20portal.%20These%20initial%20steps%20are%20independent%20from%20the%20Azure%20SQL%20setup%2C%20and%20as%20prerequisites%2C%20must%20be%20executed%20prior%20to%20connecting%20with%20Azure%20SQL%20if%20you%20intend%20to%20use%20pass-through%20or%20password%20hash%20authentication.%3C%2FP%3E%0A%3CP%3EOnce%20the%20setup%20and%20password%20synchronization%20in%20Azure%20AD%20is%20completed%2C%20the%20status%20for%20each%20authentication%20method%20can%20be%20checked%20in%20the%20Azure%20portal%20using%20Azure%20AD%20connect.%3C%2FP%3E%0A%3CP%3EThe%20snapshot%20below%20shows%20the%20Azure%20AD%20connect%20status%20for%20pass-through%20authentication%20with%20seamless%20single%20sign-on%20enabled.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Last1.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F181487i9CE2EDBB296E6260%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Last1.png%22%20alt%3D%22Last1.png%22%20%2F%3E%3C%2FSPAN%3EOnce%20the%20setup%20is%20completed%20successfully%20for%20Azure%20AD%2C%20you%20can%20create%20users%20in%20Azure%20SQL%20that%20map%20to%20Azure%20AD%20principals.%20See%20the%20Azure%20AD%20administrator%20and%20Azure%20AD%20user%20creation%20section%20in%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsql-database%2Fsql-database-aad-authentication-configure%3Ftabs%3Dazure-powershell%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EConfigure%20and%20manage%20Azure%20Active%20Directory%20authentication%20with%20SQL%3C%2FA%3E%3CSPAN%3E.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EAll%20three%20main%20authentication%20mechanisms%3A%20user-password%2C%20integrated%2C%20and%20interactive%20authentication%20(known%20also%20as%20universal%20with%20MFA)%2C%20are%20supported%20for%20pass-though%20and%20password%20hash%20authentication%20using%20SQL%20tools.%20The%20same%20applies%20to%20authentication%20keywords%20used%20in%20the%20client%20applications.%20See%20SSMS%20and%20client%20application%20sections%20in%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsql-database%2Fsql-database-aad-authentication-configure%3Ftabs%3Dazure-powershell%23using-an-azure-ad-identity-to-connect-using-ssms-or-ssdt%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EConfigure%20and%20manage%20Azure%20Active%20Directory%20authentication%20with%20SQL%3C%2FA%3E.%26nbsp%3B%20For%20integrated%20authentication%2C%20seamless%20single%20sign-on%20for%20pass-through%20and%20password%20hash%20must%20be%20enabled.%3C%2FP%3E%0A%3CP%3EThe%20snapshot%20below%20shows%20pass-through%20authentication%20with%20managed%20instance%20using%20SSMS%20integrated%20authentication%20executed%20for%20a%20user%20logged%20into%20an%20Azure%20VM%20with%20Windows%20domain%20enabled.%20The%20users%20are%20synchronized%20with%20Azure%20AD%20and%20setup%20for%20seamless%20single%20sign-on.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Last2.png%22%20style%3D%22width%3A%20600px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F181486i0F1FAA66B60C08BB%2Fimage-dimensions%2F600x361%3Fv%3D1.0%22%20width%3D%22600%22%20height%3D%22361%22%20title%3D%22Last2.png%22%20alt%3D%22Last2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%20%26nbsp%3BFor%20more%20information%20see%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsql-database%2Fsql-database-aad-authentication-configure%3Ftabs%3Dazure-powershell%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3EConfigure%20and%20manage%20Azure%20Active%20Directory%20authentication%20with%20SQL%3C%2FA%3E%3CSPAN%3E.%3C%2FSPAN%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1269735%22%20slang%3D%22en-US%22%3E%3CP%20class%3D%22lia-align-center%22%3E%3CSTRONG%3EAzure%20AD%20pass-through%20and%20password%20hash%20authentication%20support%20for%20%3C%2FSTRONG%3E%3CSTRONG%3ESQL%20DB%2C%26nbsp%3B%20Managed%20Instance%2C%20and%20Azure%20Synapse%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%20class%3D%22lia-align-center%22%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1269735%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Microsoft

We are announcing support for Azure AD pass-through and password hash authentication for Azure SQL DB (single database and database pools), Managed Instance, and Azure Synapse (formerly SQL DW).

  • Azure AD password hash authentication is the simplest way to enable authentication for on-premises Active Directory users in Azure AD. Users are synchronized with Azure AD and password validation occurs in the cloud using the same username and password that is used in on-premises environments. No additional infrastructure is required.
  • Azure AD pass-through authentication provides a password validation mechanism that validate users directly with on-premises Active Directory, outside the cloud. Pass-through authentication does not require ADFS or other third-party federation services.
  • Each of these authentication methods can be configured by Azure AD Connect, allowing you to provision users in the cloud.

Azure AD pass-through and password hash authentication are both part of the AAD hybrid authentication solution. See the article, Choose the right authentication method for your Azure Active Directory hybrid identity solution. Both authentication methods support seamless single sign-on authentication, allowing users to authenticate with Azure SQL using integrated authentication with Windows credentials.

For information on setting up and synchronizing Azure AD hybrid identities, see the following articles:

Before connecting with Azure SQL, a proper Azure AD setup for Azure AD pass-through and password hash authentication must be executed, according to the above documentation. This will allow users to be synchronized with Azure AD and have access to the Azure portal. These initial steps are independent from the Azure SQL setup, and as prerequisites, must be executed prior to connecting with Azure SQL if you intend to use pass-through or password hash authentication.

Once the setup and password synchronization in Azure AD is completed, the status for each authentication method can be checked in the Azure portal using Azure AD connect.

The snapshot below shows the Azure AD connect status for pass-through authentication with seamless single sign-on enabled.

 

Last1.pngOnce the setup is completed successfully for Azure AD, you can create users in Azure SQL that map to Azure AD principals. See the Azure AD administrator and Azure AD user creation section in Configure and manage Azure Active Directory authentication with SQL.

All three main authentication mechanisms: user-password, integrated, and interactive authentication (known also as universal with MFA), are supported for pass-though and password hash authentication using SQL tools. The same applies to authentication keywords used in the client applications. See SSMS and client application sections in Configure and manage Azure Active Directory authentication with SQL.  For integrated authentication, seamless single sign-on for pass-through and password hash must be enabled.

The snapshot below shows pass-through authentication with managed instance using SSMS integrated authentication executed for a user logged into an Azure VM with Windows domain enabled. The users are synchronized with Azure AD and setup for seamless single sign-on.

 

Last2.png

   For more information see Configure and manage Azure Active Directory authentication with SQL..