Entra ID MFA Authentication

SQL Prompt now uses a dedicated Microsoft Entra ID application to authenticate users to Azure SQL Database instances.

The permissions requested are limited to those required to access the database as your user, and your data remains within your infrastructure at all times. Redgate do not have any access to your databases, and SQL Prompt does not have access to any other services beyond Azure SQL Database.

Depending on your organization's Microsoft Entra ID policies, you may require approval from your Microsoft Entra ID administrator to grant SQL Prompt access when you first connect to an Azure SQL Database. They can review and approve this request by visiting Enterprise Applications, then Admin Consent Requests, in the Microsoft Azure portal.
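One way an administrator could confirm the limited scope of access after consent has been granted, as an added example that is not Redgate's code: the script below inspects delegated permission grants exported from Microsoft Graph (`oauth2PermissionGrants` and `servicePrincipals`) and reports any scope outside Azure SQL Database. The object IDs and sample records are constructed placeholders, and treating the basic sign-in scopes on Microsoft Graph as acceptable is an assumption.

```python
# Added example: audit delegated permission grants held by one enterprise app.
AZURE_SQL = "022907d3-0f1b-48f7-badc-1ba6abab6d66"  # Azure SQL Database appId
MS_GRAPH = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph appId
ALLOWED = {
    AZURE_SQL: {"user_impersonation"},
    # Assumption: basic sign-in scopes on Microsoft Graph are acceptable.
    MS_GRAPH: {"openid", "profile", "offline_access"},
}

def audit_grants(client_sp_id, grants, service_principals, allowed=ALLOWED):
    """Return delegated grants of one app that fall outside `allowed`."""
    app_id_by_sp = {sp["id"]: sp["appId"] for sp in service_principals}
    findings = []
    for g in grants:
        if g["clientId"] != client_sp_id:
            continue  # grant belongs to a different application
        # resourceId is a tenant-local object ID; map it to the global appId.
        resource = app_id_by_sp.get(g["resourceId"], "unknown:" + g["resourceId"])
        scopes = set((g.get("scope") or "").split())
        extra = scopes - allowed.get(resource, set())
        if extra:
            findings.append({
                "resource": resource,
                "consentType": g["consentType"],  # AllPrincipals = tenant-wide
                "principalId": g.get("principalId"),
                "unexpected": sorted(extra),
            })
    return findings

# Constructed sample data shaped like Microsoft Graph responses.
PROMPT_SP = "sp-sqlprompt"  # placeholder object ID of the app in your tenant
OTHER_API = "11111111-1111-1111-1111-111111111111"  # constructed resource appId
SAMPLE_SPS = [
    {"id": "sp-sql", "appId": AZURE_SQL},
    {"id": "sp-graph", "appId": MS_GRAPH},
    {"id": "sp-other", "appId": OTHER_API},
]
SAMPLE_GRANTS = [
    {"clientId": PROMPT_SP, "resourceId": "sp-sql", "consentType": "Principal", "principalId": "user-1", "scope": "user_impersonation"},
    {"clientId": PROMPT_SP, "resourceId": "sp-graph", "consentType": "Principal", "principalId": "user-1", "scope": " openid profile offline_access"},
    {"clientId": PROMPT_SP, "resourceId": "sp-other", "consentType": "AllPrincipals", "principalId": None, "scope": "Data.Read"},
    {"clientId": "sp-unrelated", "resourceId": "sp-graph", "consentType": "AllPrincipals", "principalId": None, "scope": "Mail.Read"},
]

if __name__ == "__main__":
    for finding in audit_grants(PROMPT_SP, SAMPLE_GRANTS, SAMPLE_SPS):
        print(finding)
```

An empty result means every delegated grant held by the application stays within the allowed resources and scopes.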

The pop-up window asking you to grant consent should only appear when connecting to Azure using Entra ID with MFA. It should not appear when you connect to an on-premises SQL Server.

If you are connecting to an Azure instance and you're unable to grant consent, the window will continue to appear. There's no explicit way to disable it, but you can click back to SSMS so that the main SSMS window is the active window, with the auth window in the background.

SQL Prompt requires this consent so that it can access the database's metadata, objects and object names in order to provide code suggestions. Without the consent, SQL Prompt would not be able to offer code suggestions or display object definitions.

The change to a multi-tenant Entra ID app registration was due to a change made by Microsoft. Previously, SQL Prompt used a public Microsoft app for authentication. This app provided the required data sharing permission to SQL Prompt. The client ID and redirect URI associated with this app were used to fetch the token used for authentication. Microsoft have now deprecated the redirect URI associated with the app.