Reference Microsoft.Data.SqlClient.Extensions.Azure in SqlServer client integrations for Entra ID auth #18149
Open
0xharkirat wants to merge 1 commit into
🚀 Dogfood this PR with:
curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 18149
Or
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 18149"
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR ensures that Microsoft Entra ID (Active Directory) authentication works out of the box with the Aspire SQL Server integrations after Microsoft.Data.SqlClient 7.0 moved the Entra ID authentication providers into a separate package (Microsoft.Data.SqlClient.Extensions.Azure).
Changes:
- Adds a reference to Microsoft.Data.SqlClient.Extensions.Azure (v1.0.0) in both the Aspire.Microsoft.Data.SqlClient and Aspire.Microsoft.EntityFrameworkCore.SqlServer component projects so Entra ID auth providers self-register automatically.
- Adds regression tests verifying that ActiveDirectoryDefault and ActiveDirectoryManagedIdentity authentication providers are registered.
- Documents the Entra ID authentication behavior and the new transitive dependency in both components' README files.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| Directory.Packages.props | Pins Microsoft.Data.SqlClient.Extensions.Azure at version 1.0.0 in central package management. |
| Aspire.Microsoft.Data.SqlClient.csproj | Adds Microsoft.Data.SqlClient.Extensions.Azure package reference with explanatory comment. |
| Aspire.Microsoft.EntityFrameworkCore.SqlServer.csproj | Adds Microsoft.Data.SqlClient.Extensions.Azure package reference with explanatory comment. |
| Aspire.Microsoft.Data.SqlClient/README.md | Documents Entra ID auth support and the new transitive Azure.Identity dependency. |
| Aspire.Microsoft.EntityFrameworkCore.SqlServer/README.md | Documents Entra ID auth support and the new transitive Azure.Identity dependency. |
| AspireSqlServerSqlClientExtensionsTests.cs | Adds regression test confirming Entra ID auth providers are registered. |
| AspireSqlServerEFCoreSqlClientExtensionsTests.cs | Adds regression test confirming Entra ID auth providers are registered. |
bfde849 to c77158b
Microsoft.Data.SqlClient 7.0 moved the Microsoft Entra ID (Active Directory) authentication providers out of the core driver and into the separate Microsoft.Data.SqlClient.Extensions.Azure package. Aspire's Azure SQL hosting integration emits connection strings using Authentication="Active Directory Default" by default, so without that package, consuming apps fail at runtime with: "Cannot find an authentication provider for 'ActiveDirectoryDefault'". This passes local dev (the SQL container uses SA-password auth) and only surfaces in production against Azure SQL.

Add the package reference to the Aspire.Microsoft.Data.SqlClient and Aspire.Microsoft.EntityFrameworkCore.SqlServer client integrations (plus a central PackageVersion). The EF integration only references SqlClient transitively, so it needs the explicit reference too. The package self-registers the providers (the driver lazy-loads the extension assembly on the first GetProvider lookup).

Document the behavior in both integration READMEs and add a regression test to each test project that asserts SqlAuthenticationProvider.GetProvider resolves for ActiveDirectoryDefault and ActiveDirectoryManagedIdentity.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
c77158b to 1eb5333
Retrying the failed CI jobs for this pull request from the CI run attempt. The rerun is being tracked in the rerun attempt.
Description
Fixes #18148.
Microsoft.Data.SqlClient 7.0 moved the Microsoft Entra ID (Active Directory) authentication providers out of the core driver into the separate Microsoft.Data.SqlClient.Extensions.Azure package. Aspire's Aspire.Hosting.Azure.Sql integration emits a connection string using Authentication="Active Directory Default" by default, but the client integrations that consume it don't reference the provider package, so deployed apps using managed identity against Azure SQL throw Cannot find an authentication provider for 'ActiveDirectoryDefault' at runtime. It passes local dev (the container path uses SQL auth) and only fails in production.

This adds Microsoft.Data.SqlClient.Extensions.Azure to both SqlServer client integrations so Entra connection strings work out of the box:
- Directory.Packages.props: central PackageVersion 1.0.0 (companion release to the pinned SqlClient 7.0.1).
- Aspire.Microsoft.Data.SqlClient and Aspire.Microsoft.EntityFrameworkCore.SqlServer: package reference (explicit in both; EF gets SqlClient only transitively and would not otherwise get the provider).
- Azure.Identity.
- SqlAuthenticationProvider.GetProvider(...) resolves for ActiveDirectoryDefault / ActiveDirectoryManagedIdentity. Both fail before the change and pass after; full suites pass with no regressions.

Trade-off: these integrations now pull Azure.Identity transitively onto all consumers (including non-Entra users). This is the unavoidable cost of out-of-the-box managed-identity support and restores pre-7.0 behavior; no AOT/trim regression (both already IsAotCompatible=false), and it's consistent with sibling Aspire Azure integrations that already bundle Azure.Identity.

Checklist
🤖 Generated with Claude Code
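
The failure described above only appears on the first connection in production, so a consuming app can check for it at startup instead. The following is an added example, not code from this PR or from Aspire: it applies the same SqlAuthenticationProvider.GetProvider lookup the regression tests use to whatever authentication method the app's own connection string requests. The SqlAuthPreflight class, its Check method, and the sample connection strings are hypothetical.

```csharp
using System;
using Microsoft.Data.SqlClient;

// Hypothetical helper (not part of Aspire or SqlClient): fail fast at startup
// when a connection string asks for an auth method that has no provider.
public static class SqlAuthPreflight
{
    // Returns null when a provider is available, otherwise a diagnostic message.
    public static string? Check(string connectionString)
    {
        var builder = new SqlConnectionStringBuilder(connectionString);
        SqlAuthenticationMethod method = builder.Authentication;

        // SQL-password and unspecified auth (the local container path) are
        // handled by the core driver and need no registered provider.
        if (method is SqlAuthenticationMethod.NotSpecified
                   or SqlAuthenticationMethod.SqlPassword)
        {
            return null;
        }

        // Same lookup the PR's regression tests assert on.
        return SqlAuthenticationProvider.GetProvider(method) is null
            ? $"No authentication provider registered for '{method}'; " +
              "reference Microsoft.Data.SqlClient.Extensions.Azure."
            : null;
    }

    public static void Main()
    {
        // Constructed sample connection strings; server and database names are placeholders.
        string[] samples =
        {
            "Server=tcp:example.database.windows.net,1433;Database=appdb;" +
                "Authentication=Active Directory Default",
            "Server=localhost,1433;Database=appdb;User ID=sa;Password=<placeholder>",
        };

        foreach (string cs in samples)
        {
            string? problem = Check(cs);
            Console.WriteLine(problem ?? "OK: provider available or not required");
        }
    }
}
```

A non-null provider only shows that the method is registered; it does not show that a credential can actually be obtained in the deployed environment.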