Applies to:
SQL Server
Azure SQL Database
Azure SQL Managed Instance
Azure Synapse Analytics
Analytics Platform System (PDW)
SQL database in Microsoft Fabric
sqlcmd supports a variety of Microsoft Entra authentication models, depending on which version you have installed.
Note
While Microsoft Entra ID is the new name for Azure Active Directory (Azure AD), to prevent disrupting existing environments, Azure AD still remains in some hardcoded elements such as UI fields, connection providers, error codes, and cmdlets. In this article, the two names are interchangeable.
To find out which variant and version of sqlcmd is installed on your system, see Check installed version of sqlcmd utility. For information on how to get sqlcmd, see Download and install the sqlcmd utility.
sqlcmd (Go) supports more Microsoft Entra authentication models, based on the azidentity package. The implementation relies on a Microsoft Entra connector in the go-sqlcmd driver.
To use Microsoft Entra authentication, you can use one of two command line switches.
-G is (mostly) compatible with its usage in sqlcmd (ODBC). If a username and password are provided, it authenticates using Microsoft Entra password authentication. If a username is provided, it uses Microsoft Entra interactive authentication, which can display a web browser. If no username or password is provided, it uses a DefaultAzureCredential, which attempts to authenticate through various mechanisms.
--authentication-method= can be used to specify one of the following authentication types.
AZURE_TENANT_ID and AZURE_CLIENT_ID are necessary for DefaultAzureCredential to begin checking the environment configuration and look for one of the following additional environment variables in order to authenticate:
AZURE_CLIENT_SECRET configures the DefaultAzureCredential to choose ClientSecretCredential.
AZURE_CLIENT_CERTIFICATE_PATH configures the DefaultAzureCredential to choose ClientCertificateCredential if AZURE_CLIENT_SECRET isn't set.
DefaultAzureCredential to choose UsernamePasswordCredential if AZURE_CLIENT_SECRET and AZURE_CLIENT_CERTIFICATE_PATH aren't set.
This method is currently not implemented, and falls back to ActiveDirectoryDefault.
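As an added illustration (not part of the original documentation or of the go-sqlcmd project), the shell function below applies the environment-variable precedence described above to the current session and reports which credential DefaultAzureCredential would select from it. The function name `entra_env_credential`, its output labels, and the file-permission check on the certificate are assumptions of this example.

```shell
# Added example; function name and output labels are hypothetical.
# Prints the selected credential on line 1, then any "warn:" lines.
entra_env_credential() {
    # Both IDs are required before the environment is examined at all.
    if [ -z "${AZURE_TENANT_ID:-}" ] || [ -z "${AZURE_CLIENT_ID:-}" ]; then
        echo "not-configured"
        echo "warn: AZURE_TENANT_ID and AZURE_CLIENT_ID must both be set"
        return 1
    fi

    # A client secret takes precedence over everything else.
    if [ -n "${AZURE_CLIENT_SECRET:-}" ]; then
        echo "ClientSecretCredential"
        if [ -n "${AZURE_CLIENT_CERTIFICATE_PATH:-}" ]; then
            echo "warn: AZURE_CLIENT_CERTIFICATE_PATH is ignored while AZURE_CLIENT_SECRET is set"
        fi
        return 0
    fi

    # The certificate path is used only when no secret is set.
    if [ -n "${AZURE_CLIENT_CERTIFICATE_PATH:-}" ]; then
        echo "ClientCertificateCredential"
        cert=$AZURE_CLIENT_CERTIFICATE_PATH
        if [ ! -r "$cert" ]; then
            echo "warn: certificate file is missing or unreadable: $cert"
        # The file holds the private key, so flag group/other read access.
        elif [ -n "$(find -L "$cert" -prune \( -perm -040 -o -perm -004 \))" ]; then
            echo "warn: certificate file is readable by group or others: $cert"
        fi
        return 0
    fi

    # Neither is set: only the UsernamePasswordCredential case above remains.
    echo "unresolved"
    echo "warn: no client secret or certificate path is set"
    return 0
}
```

Run it in the same shell session that will launch sqlcmd so that it sees the same variables.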
This method authenticates using a username and password. It doesn't work if MFA is required.
You provide the user name and password using the usual command line switches or SQLCMD environment variables.
Set the AZURE_TENANT_ID environment variable to the tenant ID of the server if not using the default tenant of the user.
This method launches a web browser to authenticate the user.
Use this method when running sqlcmd (Go) on an Azure VM that has either a system-assigned or user-assigned managed identity. If using a user-assigned managed identity, set the user name to the Client ID of the managed identity. If using a system-assigned identity, leave user name empty.
This example shows how to connect using a system-assigned managed identity (SAMI):
sqlcmd -S testsrv.database.windows.net -d Target_DB_or_DW --authentication-method ActiveDirectoryManagedIdentity
This example shows how to connect with a user-assigned managed identity (UAMI) by adding the client ID of the user-assigned managed identity:
sqlcmd -S testsrv.database.windows.net -d Target_DB_or_DW --authentication-method ActiveDirectoryManagedIdentity -U <user-assigned-managed-identity-client-id>
This method authenticates the provided user name as a service principal ID and the password as the client secret for the service principal. Provide a user name in the form <application (client) ID>. Set the SQLCMDPASSWORD variable to the client secret. If using a certificate instead of a client secret, set the AZURE_CLIENT_CERTIFICATE_PATH environment variable to the path of the certificate file.
sqlcmd -S testsrv.database.windows.net -d Target_DB_or_DW --authentication-method ActiveDirectoryServicePrincipal -U <Application (client) ID> -P <client secret>
Some Microsoft Entra authentication settings don't have command line inputs, and some environment variables are consumed directly by the azidentity package used by sqlcmd (Go).
These environment variables can be set to configure some aspects of Microsoft Entra authentication and to bypass default behaviors. In addition to the variables listed previously, the following are specific to sqlcmd (Go), and apply to multiple methods.
Set this environment variable to the identifier of an application registered in Microsoft Entra, which is authorized to authenticate to Azure SQL Database. Applies to ActiveDirectoryInteractive and ActiveDirectoryPassword methods.