Use these Microsoft SQL security samples to compare how Data API builder (DAB) authenticates to SQL, validates users, and enforces per-user access. Each sample is self-contained, but the series moves from basic credentials to user-delegated Azure SQL access.
Choose a quickstart
Start with the question that matches your goal.
| If you want to... | Use this quickstart |
|---|---|
| Learn the simplest DAB-to-SQL connection pattern | Username/password |
| Remove SQL passwords from Azure configuration | Managed identity |
| Add Microsoft Entra token validation before requiring sign-in | Microsoft Entra |
| Filter rows in DAB by using token claims | DAB policies |
| Filter rows in SQL by using database-enforced row-level security | SQL row-level security |
| Let Azure SQL authenticate the signed-in user directly | On-behalf-of to Azure SQL |
Decision tree
- Do you only need a basic working sample?
  - Use Username/password.
- Do you want passwordless DAB-to-Azure SQL access?
  - Use Managed identity.
- Do you need DAB to validate Microsoft Entra tokens?
  - Use Microsoft Entra.
- Do signed-in users need to see only their own rows?
  - If DAB should enforce the filter, use DAB policies.
  - If SQL should enforce the filter, use SQL row-level security.
- Do audit logs or database policies need the actual signed-in user as the SQL identity?
Compare the security model
The DAB authentication provider column shows the effective value for runtime.host.authentication.provider. If the configuration omits this setting, DAB uses Unauthenticated. Except for the username/password and on-behalf-of samples, local runs use SQL credentials and Azure deployments use managed identity. The on-behalf-of sample also sets data-source.user-delegated-auth.provider to EntraId.
| Quickstart | User to web app | Web app to DAB | DAB authentication provider | DAB to SQL |
|---|---|---|---|---|
| Username/password | Anonymous | Anonymous | Unauthenticated | SQL credentials |
| Managed identity | Anonymous | Anonymous | Unauthenticated | Managed identity in Azure |
| Microsoft Entra | Anonymous | Anonymous | EntraId | Managed identity in Azure |
| DAB policies | Microsoft Entra sign-in | Bearer token | EntraId | Managed identity in Azure |
| SQL row-level security | Microsoft Entra sign-in | Bearer token | EntraId | Managed identity in Azure |
| On-behalf-of to Azure SQL | Microsoft Entra sign-in | Bearer token | EntraId | User-delegated token to Azure SQL |