Windows Authentication for Entra ID for Azure SQL MI

Question

Windows Authentication for Entra ID for Azure SQL MI

Zahid Yaqub 0

Hi Team,

I recently come across a use case where we have to use Windows Authentication for Entra ID for SQL MI. My question is based on Microsoft documentation

https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/winauth-azuread-setup?view=azuresql

There are two options.

Options 1 Modern interactive flow

Options 2 Incoming trust-based flow

Proceeding with Option 2 (Incoming trust blased flow) the authentication flow works some as the following

User's image

If above is correct. Can anyone confirm we have to synchronize service accounts and users to Entra IS that are used by applications? Does the client (running application ot SQL management studio) require access to Entra ID or it will be requested by on-premises AD on behalf of application server

Regards,

Zahid

Abhisek Mishra 85 Reputation points Microsoft External Staff Moderator

2025-08-28T15:02:06.9633333+00:00
Hello @Zahid Yaqub ,

Adding to the previous answer.

Yes, in your case you must synchronize all on-premise users and service accounts that will authenticate to Azure SQL MI into Microsoft Entra ID using Entra Connect.
In the incoming trust-based flow, authentication is initiated within the on-premises environment, but the identity validation and token issuance are handled by Microsoft Entra ID. This is because Azure SQL Managed Instance is integrated with Entra ID for access control, and it uses the Kerberos ticket - issued via the proxy - to resolve the user identity in Entra ID. If the corresponding account does not exist in Entra ID, the authentication will fail, even if the Kerberos exchange with the on-premises Active Directory is successful.

No, the client itself does not need direct access to Entra ID. Here, authentication is handled by the on-premises Active Directory (AD) domain controller, which issues a Kerberos ticket for the user. This ticket is then trusted by Microsoft Entra ID, enabling Azure SQL Managed Instance (SQL MI) to accept the authentication. As a result, the application server or SQL Server Management Studio (SSMS) client only needs to be domain-joined and capable of requesting Kerberos tickets from the on-prem AD; it does not require direct access to Entra ID. Please let us know if you need any additional help or information.
Abhisek Mishra 85 Reputation points Microsoft External Staff Moderator

2025-08-29T11:55:13.0033333+00:00

Hello @Zahid Yaqub ,

I hope you had a chance to review the responses. If it addressed your query, please do let us know.

1 answer

Your answer

Abhisek Mishra 85 Reputation points Microsoft External Staff Moderator

2025-08-28T15:02:06.9633333+00:00

Hello @Zahid Yaqub ,

Adding to the previous answer.

Yes, in your case you must synchronize all on-premise users and service accounts that will authenticate to Azure SQL MI into Microsoft Entra ID using Entra Connect.
In the incoming trust-based flow, authentication is initiated within the on-premises environment, but the identity validation and token issuance are handled by Microsoft Entra ID. This is because Azure SQL Managed Instance is integrated with Entra ID for access control, and it uses the Kerberos ticket - issued via the proxy - to resolve the user identity in Entra ID. If the corresponding account does not exist in Entra ID, the authentication will fail, even if the Kerberos exchange with the on-premises Active Directory is successful.

No, the client itself does not need direct access to Entra ID. Here, authentication is handled by the on-premises Active Directory (AD) domain controller, which issues a Kerberos ticket for the user. This ticket is then trusted by Microsoft Entra ID, enabling Azure SQL Managed Instance (SQL MI) to accept the authentication. As a result, the application server or SQL Server Management Studio (SSMS) client only needs to be domain-joined and capable of requesting Kerberos tickets from the on-prem AD; it does not require direct access to Entra ID. Please let us know if you need any additional help or information.
Abhisek Mishra 85 Reputation points Microsoft External Staff Moderator

2025-08-29T11:55:13.0033333+00:00

Hello @Zahid Yaqub ,

I hope you had a chance to review the responses. If it addressed your query, please do let us know.

Answer 1

Hi Zahid,

For the users you will need Entra Connect Hybrid setup so users are sync to Entra ID, Yes the Server/Client accessing SQL Mgmt Studio will require access to the URLs to access the Managed Instance and it is in the below link.

For authentication and supported identitied check this :

User's image

For connectivity you will need to setup Private endpoint and detailed steps are listed here - https://learn.microsoft.com/en-us/azure/azure-sql/managed-instance/private-endpoint-overview?view=azuresql&tabs=separate-vnets

For SSO Authentication you will need to setup the Entra Connect - https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso

Hope this helps.

JS

==

Please Accept the answer if the information helped you. This will help us and others in the community as well.

Share via

Windows Authentication for Entra ID for Azure SQL MI

1 answer

Your answer