# Microsoft SQL Server (Azure AD) ## Overview This guide describes how to add a Microsoft SQL Server (Azure AD) database as a datasource in StrongDM. When the resource is added, StrongDM proxies client connections through a [node](https://docs.strongdm.com/admin/networking) (gateway, relay, or proxy cluster). This enables centralized access control, credential management, and audit logging. This resource type only supports Azure Active Directory (AD) authentication. For other options, see the [Microsoft SQL Server](https://docs.strongdm.com/admin/resources/datasources/microsoft-sql-server) and [Microsoft SQL Server (Kerberos)](https://docs.strongdm.com/admin/resources/datasources/microsoft-sql-server-kerberos) resource types. Use this guide to complete all necessary preparations to add this resource to your StrongDM environment; input the correct properties in the Admin UI, CLI, SDKs, or Terraform provider; and test for a successful connection. For general information about how to add a database as a resource in StrongDM, see our main guide, [Add a Datasource](https://docs.strongdm.com/admin/resources/datasources). ## Supported Versions and Clients {% hint style="info" %} StrongDM supports Microsoft SQL Server versions 2016, 2017, 2019, 2022, and 2025. {% endhint %} StrongDM supports Microsoft SQL Server instances using Azure Active Directory authentication. Only SQL Servers that are configured to accept Azure AD clients are compatible. StrongDM works with standard SQL Server clients and drivers that support Azure AD authentication, including: * Tools such as sqlcmd, Azure Data Studio, and SSMS * Application libraries/drivers (for example, JDBC/ODBC, .NET SqlClient, or Node.js mssql) with Azure AD support * GUI clients that allow specifying Azure AD credentials or service principals ## Prerequisites To add your resource in StrongDM, you need to meet several technical and configuration prerequisites. Please ensure that the following requirements are met. In StrongDM, you must have the following: * Administrator permission level * At least one operational StrongDM node (gateway, relay, or proxy cluster) that can reach the SQL Server endpoint (hostname and port) * If using secrets management tools for storing your database credentials, a Secret Store configured in StrongDM {% hint style="info" %} To verify that the resource is accessible by the node, log in to the gateway or relay and use Netcat: `nc -zv ` (in this example, `nc -zv testdb-01.fancy.org 3306`). If your gateway server can connect to this hostname, proceed. Netcat is a tool for checking various hostnames and ports by either sending data (a ping) or checking for listeners on the ports. The command in the aforementioned example use "-z" to check for listeners without sending data and "-v" to show verbose output. If you don't have Netcat, you can install the Netcat package with whatever package manager you are using, such as "apt-get install netcat". {% endhint %} On the SQL Server/Azure side, you must have the following: * A Microsoft SQL Server instance configured for Azure AD authentication * An Azure AD application registration (client) with a client ID and client secret to authenticate against the SQL Server resource via AD * The Azure AD user or service principal granted access on the SQL Server (login permissions) to connect using that AD identity * Network configuration (firewall, VNet, etc.) that allows the StrongDM node(s) to reach the SQL Server host and port (`1433`) ## Azure Setup This section explains one way to create and configure a new app registration in Azure Active Directory, add an admin user, and give the user proper permissions to connect to your SQL database. If your registered app is not yet configured, please follow these steps for guidance. Note that your particular configuration may differ slightly from these instructions. ### Set up your SQL database 1. Sign in to the Azure portal using an account with administrator permission. 2. Select **Azure SQL Database** from the services at the top of the page. Click **Create** and follow the creation wizard instructions. 3. Once creation is complete, go to Azure Active Directory and click **Set admin**. 4. Set the admin to a user that you have the password for, in the format `username@some.azure.ad.url.com`. Be sure to copy the admin name for later use. 5. From the **Networking** blade, add your IP address to the firewall rules. 6. Click into the database and copy the server name, which is in the format `example-server.database.windows.net`. ### Create a new Azure app registration Next, you need to create an Azure app registration. 1. Search for "app registrations" and click on **New Registrations**. Enter the display name to use for the app, and copy the display name for later use. 2. Click **Register** and then open the newly created app registration. 3. Copy the **Application (client) ID** and the **Directory (tenant) ID** for later use. 4. Go to the **Certificates and Secrets** blade and click **New Client Secret**. 5. Name the new client secret, and then copy the value of the client secret for later use. You may not be able to see it again. ### Add the user to the database Next, you need to add the user to the DB and grant it permissions. One tool you can use for this is SQL Server Management Studio installed in an Azure VM. Other tools that enable the same work shown below should work as well. 1. RDP into the VM and open SQL Server Management Studio. 2. In the object explorer, click **Connect**. Then click **Database Engine**. 3. Enter the name of the server that you saved in a previous step (in our example, `example-server.database.windows.net`). 4. Enter the admin username (in our example, `username@some.azure.ad.url.com`) and the password, and connect. 5. In the object explorer, find the database you created. Right-click on it and select **New Query**. 6. You need to run a few queries to give your app registration proper permissions. In the following examples, make sure you replace `` with the display name of your app registration. ``` CREATE USER FROM EXTERNAL PROVIDER; ``` Set database role permissions: ``` ALTER ROLE db_datareader ADD MEMBER ; ALTER ROLE db_datawriter ADD MEMBER ; ALTER ROLE db_ddladmin ADD MEMBER ; ``` Grant database permissions: ``` GRANT VIEW DATABASE STATE TO ``` Grant permission to specific objects: ``` GRANT SELECT ON [dbo].[promotion] TO GRANT EXECUTE ON [dbo].[sp_procedure] TO GRANT UPDATE ON [dbo].[promotion] TO ``` ## Resource Management in StrongDM After all prerequisites and prep work is done, you are ready to add the resource to StrongDM. This section provides instructions for adding the resource in either the StrongDM Admin UI, CLI, Terraform provider, or SDKs. {% tabs %} {% tab title="Admin UI" %} **Set up and Manage With the Admin UI** If using the Admin UI to add your Microsoft SQL Server as a resource to StrongDM, use the following steps. 1. Log in to the StrongDM Admin UI. 2. Go to **Resources** > **Managed Resources**. 3. Click **Add Resource**. 4. For **Resource Type**, select **Microsoft SQL Server (Azure AD)**. 5. Complete all required [configuration properties](#configuration-properties) for your selected datasource type. 6. Click **Create** to save the resource. 7. Click the resource name to view status, diagnostic information, and setting details. {% endtab %} {% tab title="CLI" %} **Set up and Manage With the CLI** This section provides an example of how to add the resource using the StrongDM CLI. For more information and examples, please see the [CLI Reference](https://app.gitbook.com/s/4XOJmXFslCMVCzIG2rKp/cli) documentation. ``` # Add Microsoft SQL Server (Azure AD) datasource sdm admin datasources add mssqlAzureAD sqlserver-azprod --hostname="sqlserver-azprod.database.windows.net" --port=1433 --client-id="your-app-client-id" --secret="your-app-client-secret" --bind-interface="127.0.0.1" --egress-filter="tag:env=production" --port-override="15433" --proxy-cluster-id="n-1a2b345c67890123" --secret-store-id="se-e1b2" --subdomain="sqlserver-azprod" --tags="env=production,team=appdata" ``` {% endtab %} {% tab title="Terraform" %} **Set up and Manage With Terraform** This section provides an example of how to configure and manage the resource using the Terraform provider. For more information and examples, please see the [Terraform provider](https://github.com/strongdm/terraform-provider-sdm) documentation. ``` # Install StrongDM provider terraform { required_providers { sdm = { source = "strongdm/sdm" version = "16.5.0" } } } # Configure StrongDM provider provider "sdm" { # Add API access key and secret key from Admin UI api_access_key = "njjSn...5hM" api_secret_key = "ziG...=" } # Create Microsoft SQL Server (Azure AD) resource resource "sdm_mssqlazuread" "sqlserver_azprod" { name = "sqlserver-azprod" hostname = "sqlserver-azprod.database.windows.net" port = 1433 client_id = "your-app-client-id" secret = "your-app-client-secret" bind_interface = "127.0.0.1" egress_filter = "tag:env=production" port_override = 15433 proxy_cluster_id = "n-1a2b345c67890123" secret_store_id = "se-e1b2" subdomain = "sqlserver-azprod" tags = { env = "production" team = "appdata" } } ``` {% endtab %} {% tab title="SDKs" %} **Set up and manage with SDKs** In addition to the Admin UI, CLI, and Terraform, you may configure and manage your resource with any of the following SDK options: Go, Java, Python, and Ruby. Please see the following references for more information and examples. | Language | Reference | GitHub | Examples | | ------------- | ------------------------------------------------------------------------ | ---------------------------------------------------------------------- | ------------------------------------------------------------------------------- | | Go | [pkg.go.dev](https://pkg.go.dev/github.com/strongdm/strongdm-sdk-go/v16) | [strongdm-sdk-go](https://github.com/strongdm/strongdm-sdk-go) | [Go SDK Examples](https://github.com/strongdm/strongdm-sdk-go-examples) | | Java | [javadoc](https://strongdm.github.io/strongdm-sdk-java-docs/) | [strongdm-sdk-java](https://github.com/strongdm/strongdm-sdk-java) | [Java SDK Examples](https://github.com/strongdm/strongdm-sdk-java-examples) | | Python | [pdocs](https://strongdm.github.io/strongdm-sdk-python-docs/) | [strongdm-sdk-python](https://github.com/strongdm/strongdm-sdk-python) | [Python SDK Examples](https://github.com/strongdm/strongdm-sdk-python-examples) | | Ruby | [RubyDoc](https://www.rubydoc.info/gems/strongdm) | [strongdm-sdk-ruby](https://github.com/strongdm/strongdm-sdk-ruby) | [Ruby SDK Examples](https://github.com/strongdm/strongdm-sdk-ruby-examples) | | {% endtab %} | | | | | {% endtabs %} | | | | ## **Configuration Properties** The following configuration properties are required to define a Microsoft SQL Server datasource in StrongDM. These settings control how StrongDM connects to the database, authenticates the connection, and optionally uses encryption or secret management. Each property must be correctly configured to ensure connectivity and access enforcement through StrongDM. {% hint style="info" %} If you are connecting an Azure SQL Server resource, you must enable the **Override Default Database** option. {% endhint %} | Property | Requirement | Description | | --------------------------------------- | ----------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Display Name** | Required | Meaningful name to display the resource throughout StrongDM; exclude special characters like quotes (") or angle brackets (< or >) | | **Resource Type** | Required | **Microsoft SQL Server (Azure AD)** | | **Proxy Cluster** | Required | Defaults to "None (use gateways)"; if using [proxy clusters](https://docs.strongdm.com/admin/networking/proxy-clusters), select the appropriate cluster to proxy traffic to this resource | | **Hostname** | Required | Hostname for your Microsoft SQL Server database resource; [must be accessible](#prerequisites) to a gateway or relay | | **Port** | Required | Port to use when connecting to your Microsoft SQL Server database; default port value is **1433** | | **Connectivity Mode** | Required | Select either **Virtual Networking Mode**, which lets users connect to the resource with a software-defined, IP-based network; or **Loopback Mode**, which allows users to connect to the resource using the local loopback adapter in their operating system; this field is shown if [Virtual Networking Mode](https://docs.strongdm.com/admin/clients/client-networking/virtual-networking-mode) enabled for your organization | | **IP Address** | Optional | If **Virtual Networking Mode** is the selected connectivity mode, an IP address value in the configured Virtual Networking Mode subnet in the organization network settings; if **Loopback Mode** is the selected connectivity mode, an IP address value in the configured Loopback IP range in the organization network settings (by default, `127.0.0.1`); if not specified, an available IP address in the configured IP address space for the selected connectivity mode will be automatically assigned; this field is shown if [Virtual Networking Mode](https://docs.strongdm.com/admin/clients/client-networking/virtual-networking-mode) and/or [multi-loopback mode](https://docs.strongdm.com/admin/clients/client-networking/loopback-ip-ranges) is enabled for your organization | | **Port Override** | Optional | If **Virtual Networking Mode** is the selected connectivity mode, a port value between 1 and 65535 that is not already in use by another resource with the same IP address; if **Loopback Mode** is the selected connectivity mode, a port value between 1024 to 64999 that is not already in use by another resource with the same IP address; when left empty with Virtual Networking Mode, the system assigns the default port to this resource; when left empty for Loopback Mode, an available port that is not already in use by another resource is assigned; preferred port also can be modified later from the [Port Overrides settings](https://docs.strongdm.com/admin/resources/port-overrides) | | **DNS** | Optional | If Virtual Networking Mode is the selected connectivity mode, a unique hostname alias for this resource; when set, causes the desktop app to display this resource's human-readable DNS name (for example, `k8s.my-organization-name`) instead of the bind address that includes IP address and port (for example, `100.64.100.100:5432`) | | **Database** | Optional | Database name you would like to connect to using this datasource | | **Secret Store** | Optional | Credential store location; defaults to none (credentials are stored in StrongDM resource configuration); learn more about [Secret Store](#secret-store-options) options | | **Client ID** | Required | Application (Client) ID value from app registration | | **Secret** | Required | Microsoft Entra (formerly Azure AD) client secret (application password) with which to authenticate | | **Schema** | Optional | Name of the schema that should be used if the user belongs to a particular schema | | **Override Default Database** | Optional | By default, StrongDM limits all connections to the configured database. Uncheck the box to disable this option. If this option is deselected, the value entered in the **Database** field is only used for healthchecks, not for user connections. When accessing the database via StrongDM, users need to explicitly pass the database name they wish to connect to in the connection string. If they do not, the value of the **Username** field is passed in as the database name. This is the default behavior of the database type. | | **Tenant ID** | Required | Microsoft Entra (formerly Azure AD) Directory ID with which to authenticate | | **Allow Deprecated Encryption Methods** | Optional | When selected, allows deprecated encryption protocols (for example, TLS 1.0) to be used for this resource | | **Resource Tags** | Optional | Datasource [Tags](https://app.gitbook.com/s/4XOJmXFslCMVCzIG2rKp/cli/tags "mention") consisting of key-value pairs `=` (for example, `env=dev`) | ### Secret Store options By default, datasource credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool. Non-StrongDM options appear in the **Secret Store** dropdown if they are created under **Network** > **Secret Stores**. When you select another Secret Store type, its unique properties display. For more details, see [Configure Secret Store Integrations](https://docs.strongdm.com/admin/access/secret-stores). ### Resource status After a resource is created, the Admin UI displays that resource as unhealthy until the healthchecks run successfully. When the resource is ready, the **Health** icon indicates a positive, green status. When the resource does not display a positive status, click the resource name to go to the **Diagnostics** tab and check for errors. ## Test the Connection After you have added your resource in StrongDM, follow these steps to verify that it’s working correctly. 1. Assign yourself access by ensuring that your user or role has access to the resource. In the StrongDM Admin UI, go to **Access** > **Roles**, and verify that the resource is attached to a role you’re in. 2. In the CLI, run `sdm status` to list the available datasources. Ensure that the resource appears in your list of accessible datasources. 3. Start a session to the resource, as in the following example: ```bash sdm connect sqlserver-azprod ``` 4. Connect using a SQL Server client (for example, using `sqlcmd`, Azure Data Studio, or another tool that supports Azure AD authentication). Use `sqlserver-azprod` and the configured AD credentials (client ID, secret) to connect. For example with `sqlcmd` (the `-G` flag enables Azure AD authentication in `sqlcmd`): ``` sqlcmd -S localhost, -d -G ``` 5. Run a simple command, such as: ``` SELECT @@VERSION; ``` 6. In the StrongDM Admin UI, check **Logs > Queries** (and **Logs > Connections**) to ensure that your session and SQL statements were captured. When these steps succeed, you’re ready to connect to your resource through StrongDM. ### Help If you still encounter issues, please consult the [StrongDM Help Center](https://help.strongdm.com/hc/en-us). Be prepared to provide the following information to StrongDM Support, so that they can inspect logs and confirm node and resource health: * Resource name or ID * CLI error output or logs * Node name and region --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.strongdm.com/admin/resources/datasources/microsoft-sql-server-azure-ad.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.