How Windows Authentication for Azure SQL Managed Instance is implemented with Microsoft Entra ID and Kerberos

Windows Authentication for Azure SQL Managed Instance principals in Microsoft Entra ID (formerly Azure Active Directory) enables customers to move existing services to the cloud while maintaining a seamless user experience. It provides the basis for security infrastructure modernization. To enable Windows Authentication for Microsoft Entra principals, you'll turn your Microsoft Entra tenant into an independent Kerberos realm and create an incoming trust in the customer domain.

This configuration allows users in the customer domain to access resources in your Microsoft Entra tenant. It won't allow users in the Microsoft Entra tenant to access resources in the customer domain.
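The trust direction is the security-relevant detail in the two paragraphs above: the customer domain is trusted by the Microsoft Entra Kerberos realm, never the reverse. The following PowerShell is an added example, not code from the page or from the Microsoft setup scripts, that checks an existing deployment from a domain-joined machine with the RSAT ActiveDirectory module. It assumes the realm is named kerberos.microsoftonline.com and that the trust object is visible to Get-ADTrust; both are assumptions, so substitute the realm name your Entra Kerberos server object actually uses.

```powershell
# Added example (not from the original page): confirm the Kerberos trust this feature
# relies on exists and is one-way, as the text describes.
# Assumptions: RSAT ActiveDirectory module is installed, and the Entra realm name below
# matches the realm configured in your tenant.
Import-Module ActiveDirectory

$entraRealm = 'kerberos.microsoftonline.com'   # assumed Entra Kerberos realm name

$trust = Get-ADTrust -Filter * -Properties Direction, TrustType, SelectiveAuthentication, Created |
         Where-Object { $_.Target -eq $entraRealm }

if (-not $trust) {
    throw "No trust object pointing at $entraRealm exists in $env:USERDNSDOMAIN"
}

# The customer domain is the *trusted* side: its users may reach Entra resources, but
# Entra realm principals may not reach on-premises resources. From the customer domain's
# point of view that is an Inbound trust. Outbound or BiDirectional would grant more
# than this feature needs and should be investigated.
if ($trust.Direction -ne 'Inbound') {
    throw "Trust to $entraRealm is $($trust.Direction); expected Inbound only"
}

# A trust to a Kerberos realm (rather than to another AD forest or domain) is reported
# by Get-ADTrust as TrustType MIT. Treat any other value as worth a closer look.
if ($trust.TrustType -ne 'MIT') {
    Write-Warning "Trust type is $($trust.TrustType); expected a Kerberos realm (MIT) trust"
}

# Summary for the change record / audit evidence.
[pscustomobject]@{
    Domain                  = $env:USERDNSDOMAIN
    Realm                   = $trust.Target
    Direction               = $trust.Direction
    TrustType               = $trust.TrustType
    SelectiveAuthentication = $trust.SelectiveAuthentication
    Created                 = $trust.Created
}
```

Run it under an account that can read trusted-domain objects in the customer domain; it throws on a missing or wrongly directed trust so it can be dropped into a scheduled compliance check as-is.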

The following diagram gives an overview of how Windows Authentication is implemented for a SQL managed instance using Microsoft Entra ID and Kerberos:

Diagram description: a client submits an encrypted Kerberos ticket as part of an authentication request to a SQL managed instance. The SQL managed instance forwards the encrypted Kerberos ticket to Microsoft Entra ID, which exchanges it for a Microsoft Entra token and returns that token to the SQL managed instance. The SQL managed instance uses this token to authenticate the user.

- [Troubleshoot Windows Authentication for Microsoft Entra principals on Azure SQL Managed Instance](winauth-azuread-troubleshoot.md)