
Microsoft Entra ID

Note

This feature is available in Lite, Enterprise, Ultimate and Team editions only.

DBeaver comes with Microsoft Entra ID (formerly Azure AD) authentication support, allowing secure access to your databases.

Info

The official Entra documentation.

Prerequisites

Make sure you have:

  • an active Azure account with the appropriate permissions
  • a Microsoft Entra ID application registered and configured by your administrator

Info

For more details on permissions, see Azure permissions.

Microsoft Entra ID configuration

To enable authorization with the Microsoft platform, you need a registered application in Azure. If one doesn't exist, create and configure it as follows:

  1. Register an application. Create a new enterprise application in Microsoft Entra by following the steps in the official Microsoft documentation.

  2. Configure application secrets. DBeaver uses the OpenID Connect protocol for authorization with Microsoft Entra ID. To enable this, configure application secrets. Detailed instructions are available in the official Microsoft documentation.

    Important

    Record the value of the client secret immediately after creating it. It can only be viewed once. If you miss this step, you’ll need to create a new secret.

Configure an authentication type

Default credentials

Use this when you do not want to store secrets in DBeaver.

  1. Open Edit connection.
  2. On Connection settings, set Credentials to Default credentials.
  3. (Optional) If database access is granted through an Entra ID group, enter the AD Group name.
  4. (Optional) Review Use legacy token permissions.

    • keep it unchecked in almost all cases
    • enable it only if your DBA or admin specifically instructs you

    Info

    This option forces the connection to use older token scopes and claim formats for backward compatibility with databases or drivers that don’t fully support modern Microsoft Entra ID permissions.

  5. Click Test connection, then Save.

Tip

To see how DefaultAzureCredential picks a provider, see DefaultAzureCredential overview.

Environment variables

Set these before starting DBeaver if you want to guide how the SDK gets a token.

  • If you use the environment-variable credential

    • AZURE_CLIENT_ID — your app’s client ID
    • AZURE_TENANT_ID — your Microsoft Entra directory (tenant) ID
    • then either:
      • AZURE_CLIENT_SECRET, or
      • AZURE_CLIENT_CERTIFICATE_PATH and AZURE_CLIENT_CERTIFICATE_PASSWORD (optional, for .pfx)
  • If you use managed identity

    • for a user-assigned identity: AZURE_CLIENT_ID
    • for a system-assigned identity: no variables are required
    • (available only in Azure environments like VM, App Service, or Function App)
macOS
launchctl setenv AZURE_CLIENT_ID <value>
launchctl setenv AZURE_TENANT_ID <value>
# optional
launchctl setenv AZURE_CLIENT_SECRET <value>
launchctl setenv AZURE_CLIENT_CERTIFICATE_PATH /path/to/cert.pfx
launchctl setenv AZURE_CLIENT_CERTIFICATE_PASSWORD <value>

Tip

Restart DBeaver (or log out and back in) after running these commands. Variables set with launchctl are visible only to new GUI apps.

Linux
export AZURE_CLIENT_ID=<value>
export AZURE_TENANT_ID=<value>
# optional
export AZURE_CLIENT_SECRET=<value>
export AZURE_CLIENT_CERTIFICATE_PATH=/path/to/cert.pfx
export AZURE_CLIENT_CERTIFICATE_PASSWORD=<value>

Tip

These variables work only in the current terminal session. Add them to ~/.bashrc or ~/.profile to make them persistent when DBeaver is launched from the desktop.

Windows

Set variables as User variables in System Properties - Environment Variables, then restart DBeaver.

Or set them from PowerShell:

setx AZURE_CLIENT_ID "<value>"
setx AZURE_TENANT_ID "<value>"
# optional
setx AZURE_CLIENT_SECRET "<value>"
setx AZURE_CLIENT_CERTIFICATE_PATH "C:\path\to\cert.pfx"
setx AZURE_CLIENT_CERTIFICATE_PASSWORD "<value>"
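
A preflight check for the variables listed above, for macOS and Linux shells. This is an added example, not DBeaver's or the Azure SDK's code: it reports which credential the environment describes and flags incomplete or conflicting settings, as well as a certificate file that other users can read. The function name and result strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check the Entra ID environment variables before starting
# DBeaver. entra_env_check and its result strings are hypothetical names.
#
# Prints one of:
#   none            no variable is set
#   client-id-only  only AZURE_CLIENT_ID (user-assigned managed identity case)
#   secret          client ID + tenant ID + client secret
#   certificate     client ID + tenant ID + private certificate file
#   incomplete      a required variable is missing
#   ambiguous       both a secret and a certificate path are set
#   cert-missing    the certificate path does not point to a file
#   cert-exposed    the certificate file is accessible to group or others
# Exit status is 0 for the first four results and 1 for the rest.
entra_env_check() (
    id="${AZURE_CLIENT_ID:-}"
    tenant="${AZURE_TENANT_ID:-}"
    secret="${AZURE_CLIENT_SECRET:-}"
    cert="${AZURE_CLIENT_CERTIFICATE_PATH:-}"

    if [ -z "$id$tenant$secret$cert" ]; then
        echo none; exit 0
    fi
    if [ -n "$id" ] && [ -z "$tenant$secret$cert" ]; then
        echo client-id-only; exit 0
    fi
    # The environment-variable credential needs both IDs plus one secret type.
    if [ -z "$id" ] || [ -z "$tenant" ] || [ -z "$secret$cert" ]; then
        echo incomplete; exit 1
    fi
    if [ -n "$secret" ] && [ -n "$cert" ]; then
        echo ambiguous; exit 1
    fi
    if [ -n "$secret" ]; then
        echo secret; exit 0
    fi
    if [ ! -f "$cert" ]; then
        echo cert-missing; exit 1
    fi
    # Characters 5-10 of the mode string are the group and other permissions.
    perms=$(ls -ld "$cert" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo cert-exposed; exit 1
    fi
    echo certificate
)
# Usage: entra_env_check || echo "fix the environment before starting DBeaver"
```

The function prints variable names' state only, never the secret or certificate password values, so its output is safe to paste into a support ticket.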

Enterprise application

Use this for user sign-in without storing a secret in DBeaver.

  1. Open Edit connection.
  2. Set Credentials to Enterprise application.
  3. Enter the values below:

    | Field in DBeaver | What to enter | Where to find in the Azure portal | Reference |
    |---|---|---|---|
    | Client ID | Your application’s Application (client) ID | Microsoft Entra ID - App registrations - Your app - Overview | Copy the application ID (client ID) |
    | Tenant ID | Your Directory (tenant) ID | Microsoft Entra ID - Overview - Tenant ID | Find your tenant ID |
    | AD Group name (Optional) | The exact Entra group name that was granted database access | Microsoft Entra ID - Groups - Your group - Overview | Create a group and add members |

  4. (Optional) Review Use legacy token permissions.

    • keep it unchecked in almost all cases
    • enable it only if your DBA or admin specifically instructs you

    Info

    This option forces the connection to use older token scopes and claim formats for backward compatibility with databases or drivers that don’t fully support modern Microsoft Entra ID permissions.

  5. Click Test connection, then Save.

Info

For information on creating the application in Azure, see Register an app.

Client secret

Use this for service connections where an app authenticates with a secret.

  1. Open Edit connection.
  2. Set Credentials to Client secret.
  3. Enter the values below:

    | Field in DBeaver | What to enter | Where to find in the Azure portal | Reference |
    |---|---|---|---|
    | Client ID | Your app’s Application (client) ID | Microsoft Entra ID - App registrations - Your app - Overview | Copy the client ID |
    | Tenant ID | Your Directory (tenant) ID | Microsoft Entra ID - Overview - Tenant ID | Find your tenant ID |
    | Client secret | The secret Value (not the Secret ID) | Your app - Certificates & secrets - Client secrets | Add a client secret |
    | AD Group name (Optional) | The exact Entra group name that was granted database access | Microsoft Entra ID - Groups - Your group - Overview | Create a group and add members |

  4. (Optional) Review Use legacy token permissions.

    • keep it unchecked in almost all cases
    • enable it only if your DBA or admin specifically instructs you

    Info

    This option forces the connection to use older token scopes and claim formats for backward compatibility with databases or drivers that don’t fully support modern Microsoft Entra ID permissions.

  5. Click Test connection, then Save.

Info

For information on creating the secret in Azure, see Add a client secret.

Client certificate

Use this when your org prefers certificates to secrets.

  1. Open Edit connection.
  2. Set Credentials to Client certificate.
  3. Enter the values below:

    | Field in DBeaver | What to enter | Where to find in the Azure portal | Reference |
    |---|---|---|---|
    | Client ID | Your app’s Application (client) ID | Microsoft Entra ID - App registrations - Your app - Overview | Copy the client ID |
    | Tenant ID | Your Directory (tenant) ID | Microsoft Entra ID - Overview - Tenant ID | Find your tenant ID |
    | Client certificate path | Local path to the private-key file | You generate the cert locally and upload the public cert to Your app - Certificates & secrets - Certificates | Certificate credentials |
    | Client certificate password (Optional) | Password for the .pfx, if set when exporting | Set during export of the .pfx on your machine | Certificate credentials |
    | AD Group name (Optional) | Exact group name that has database access | Microsoft Entra ID - Groups - Your group - Overview | Create a group and add members |

  4. (Optional) Review Use legacy token permissions.

    • keep it unchecked in almost all cases
    • enable it only if your DBA or admin specifically instructs you

    Info

    This option forces the connection to use older token scopes and claim formats for backward compatibility with databases or drivers that don’t fully support modern Microsoft Entra ID permissions.

  5. Click Test connection, then Save.

Info

For information on certificate credentials in Azure, see Certificate credentials.

Troubleshooting

Authentication fails

Group-based authentication fails

If you're using an Entra ID security group to connect to Azure Database for PostgreSQL and see an error like:

password authentication failed for user "<group-name>"

Check the following: