Microsoft Entra ID

Overview

Team Edition comes with Microsoft Entra ID (formerly Azure AD) authentication support, allowing secure access to your databases.

Info

The official Entra documentation.

Pre-requisites for connecting to Azure

• To initiate a connection with Azure, you need to obtain your application credentials.

• Ensure your Azure account is assigned the right roles and permissions. Properly setting up permissions on the Azure portal can help avoid potential access issues during the connection process.

  Info

  See our Azure permissions article for more details.

Application credentials

Team Edition supports the following variables:

Authentication Type	Description	Required credentials	Additional links
Default credentials	Attempt to authenticate through several methods (env vars, CLI, managed identity).	Optionally set: - AZURE_CLIENT_ID - AZURE_TENANT_ID - AZURE_CLIENT_SECRET - or certificate-related vars	DefaultAzureCredential
Enterprise application	Use credentials from your Azure Application.	- AZURE_CLIENT_ID - AZURE_TENANT_ID	Register an app
Client secret	Provide specific credentials from your Azure Application.	- AZURE_CLIENT_ID - AZURE_TENANT_ID - AZURE_CLIENT_SECRET	Use client secret
Client certificate	Utilize certificate-based authentication with your Azure Application.	- AZURE_CLIENT_ID - AZURE_TENANT_ID - AZURE_CLIENT_CERTIFICATE_PATH - AZURE_CLIENT_CERTIFICATE_PASSWORD (optional)	Use client certificate

Note

If you belong to an Azure Entra ID Group, you must add the AD Group name to your Connection configuration. To do this, right-click your database in the Database Navigator, then select Edit Connection. In the dialog that opens, go to the Connection Settings tab and enter your AD group name in the required field.

Set environment variables for authentication

To use the credentials listed above, you need to set them as environment variables in your system.

On macOS

1. Open a terminal.
2. Run:

   launchctl setenv AZURE_CLIENT_ID VALUE
   launchctl setenv AZURE_TENANT_ID VALUE
   launchctl setenv AZURE_CLIENT_SECRET VALUE
   

3. Restart Team Edition.

On Linux

1. Open a terminal.
2. Add the following lines to your shell profile (~/.bashrc, ~/.zshrc, or similar):

   export AZURE_CLIENT_ID=VALUE
   export AZURE_TENANT_ID=VALUE
   export AZURE_CLIENT_SECRET=VALUE
   

3. Apply the changes:

   source ~/.bashrc
   

4. Restart Team Edition.

On Windows

1. Open System Properties -> Environment Variables.
2. Add user or system variables:
3. AZURE_CLIENT_ID
4. AZURE_TENANT_ID
5. AZURE_CLIENT_SECRET
6. Restart Team Edition.

Troubleshooting

Authentication fails

• Check that the Client ID and Tenant ID match the registered application in Azure.
• Make sure the user is assigned in the Azure portal.
• Confirm the app has the required API permissions or roles.
• Make sure required tenant-wide admin consent was granted by the user or an admin.

Group-based authentication fails

If you're using an Entra ID security group to connect to Azure Database for PostgreSQL and see an error like:

password authentication failed for user "<group-name>"

Check the following:

• The Entra ID user is a member of the group.
• The group has database access granted in PostgreSQL.
• You’re using an authentication method that supports Entra ID tokens (like Default credentials or Enterprise application).
• The access token includes group claims, and the required API permissions were granted by an admin.
• Enter the group name in the Azure AD Group field of the connection settings in Team Edition.