[OBO] Add CLI support for user-delegated authentication configuration #3128

Draft
Copilot wants to merge 4 commits into main from copilot/add-cli-support-obo-delegated-identity

Copilot AI commented Feb 12, 2026

Why make this change?

Implements CLI configuration for OBO (On-Behalf-Of) delegated identity as specified in issue #2898. Enables operators to configure per-user Entra ID authentication to Azure SQL via CLI commands instead of manual config file editing.

What is this change?

New Configuration Type

  • UserDelegatedAuthConfig record with Enabled, DatabaseAudience, DisableConnectionPooling, TokenCacheDurationMinutes properties
  • Added to DataSource as optional property with full serialization support

CLI Commands

dab configure --data-source.user-delegated-auth.enabled true
dab configure --data-source.user-delegated-auth.database-audience "https://database.windows.net"

Validation

  • Restricts user-delegated-auth to MSSQL database type only
  • Validates enabled state when setting properties
  • Preserves existing configuration when updating individual fields

Generated Configuration

{
  "data-source": {
    "database-type": "mssql",
    "connection-string": "...",
    "user-delegated-auth": {
      "enabled": true,
      "database-audience": "https://database.windows.net"
    }
  }
}

How was this tested?

  • Unit Tests (12 new tests: 10 CLI configuration, 2 runtime parsing)
  • Integration Tests (verified with PostgreSQL/MySQL rejection scenarios)

Sample Request(s)

Initialize and configure OBO in one workflow:

# Initialize MSSQL config
dab init --database-type mssql --connection-string "Server=myserver.database.windows.net;Database=mydb"

# Enable user-delegated auth
dab configure --data-source.user-delegated-auth.enabled true \
              --data-source.user-delegated-auth.database-audience "https://database.windows.net"

Update audience for existing configuration:

dab configure --data-source.user-delegated-auth.database-audience "https://database.usgovcloudapi.net"

Validation - fails for non-MSSQL:

dab init --database-type postgresql --connection-string "..."
dab configure --data-source.user-delegated-auth.enabled true
# Error: user-delegated-auth is only supported for database-type 'mssql'.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • http://api.nuget.org:443/DigiCertCSRSA4096RootG5.crl
    • Triggering command: /usr/bin/dotnet dotnet build src/Azure.DataApiBuilder.sln grep -l rceOptions nRpcErrorCodes.cs de/node/bin/grep rceOptions s/MySqlGraphQLMu-l nfig/composer/veTryConfigureSettings\|TryUpdateConfiguredDataSourceOptions grep -l rceOptions llectionExtensions.cs rep rceOptions (http block)
  • http://api.nuget.org:443/NETFoundationProjectsCodeSigningCA2.crl
    • Triggering command: /usr/bin/dotnet dotnet build src/Azure.DataApiBuilder.sln grep -l rceOptions nRpcErrorCodes.cs de/node/bin/grep rceOptions s/MySqlGraphQLMu-l nfig/composer/veTryConfigureSettings\|TryUpdateConfiguredDataSourceOptions grep -l rceOptions llectionExtensions.cs rep rceOptions (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>[OBO] CLI Support for Enabling OBO Delegated Identity</issue_title>
<issue_description>Implement CLI support for enabling OBO exactly as defined in the design.

  • These CLI Commands should be supported
    dab configure --data-source.user-delegated-auth.enabled true
    dab configure --data-source.user-delegated-auth.database-audience "<audience>"

  • Ensure CLI writes correct config structure

  • Ensure runtime consumes CLI‑produced config

Testing:

  1. CLI sets user-delegated-auth.enabled = true
  2. CLI sets correct database-audience
  3. runtime reads CLI output correctly
  4. invalid CLI input fails deterministically</issue_description>

<agent_instructions>https://microsoft-my.sharepoint.com/:w:/p/anushakolan/IQDsb4patJ52Q65Cp0QHQ-b_Aazplc1go_6k2HccCOYLQNU?e=Bpuv1Z&wdOrigin=TEAMS-MAGLEV.null_ns.rwc&wdExp=TEAMS-TREATMENT&wdhostclicktime=1770765689642&web=1

Follow this design document for more context and questions, understand the requirement of the task, this is the main task, #2898, create the PR accordingly.</agent_instructions>

Comments on the Issue (you are @copilot in this section)


Copilot AI and others added 3 commits February 12, 2026 22:37
Co-authored-by: anushakolan <45540936+anushakolan@users.noreply.github.com>
Co-authored-by: anushakolan <45540936+anushakolan@users.noreply.github.com>
Co-authored-by: anushakolan <45540936+anushakolan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add CLI support for enabling OBO delegated identity" to "[OBO] Add CLI support for user-delegated authentication configuration" Feb 12, 2026
Copilot AI requested a review from anushakolan February 12, 2026 22:59
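
An added example, not part of the pull request or of the Data API builder code base: a small lint that a pipeline could run over the generated config before deployment, checking the `user-delegated-auth` section against the rules the description lists. The function name, the audience allowlist and the treatment of a non-boolean `enabled` are assumptions of this example; only the JSON keys and the two audience URLs come from the description above.

```python
import json

# Audiences quoted in the PR description. Using them as an allowlist is an
# assumption of this example; extend it for the clouds you actually deploy to.
ALLOWED_AUDIENCES = {
    "https://database.windows.net",
    "https://database.usgovcloudapi.net",
}


def lint_user_delegated_auth(config_text):
    """Return a list of findings for data-source.user-delegated-auth."""
    findings = []
    data_source = json.loads(config_text).get("data-source") or {}
    uda = data_source.get("user-delegated-auth")
    if uda is None:
        return findings  # feature not configured, nothing to check
    if not isinstance(uda, dict):
        return ["user-delegated-auth must be a JSON object"]

    db_type = str(data_source.get("database-type", "")).lower()
    if db_type != "mssql":
        findings.append(
            f"user-delegated-auth present but database-type is '{db_type}', not 'mssql'")

    enabled = uda.get("enabled")
    if not isinstance(enabled, bool):
        findings.append("enabled must be present as a JSON boolean")

    audience = uda.get("database-audience")
    if enabled is True and not audience:
        findings.append("enabled is true but database-audience is missing")
    if audience is not None and audience not in ALLOWED_AUDIENCES:
        findings.append(f"database-audience '{audience}' is not in the allowlist")
    if audience and enabled is not True:
        findings.append("database-audience is set but enabled is not true")
    return findings


# Constructed sample configs (not taken from a real deployment).
GOOD = """{"data-source": {"database-type": "mssql", "connection-string": "...",
  "user-delegated-auth": {"enabled": true,
                          "database-audience": "https://database.windows.net"}}}"""
BAD = """{"data-source": {"database-type": "postgresql", "connection-string": "...",
  "user-delegated-auth": {"enabled": "true",
                          "database-audience": "http://database.windows.net/"}}}"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_user_delegated_auth(text) or "ok")
```

The exact-match comparison on the audience is deliberate: a scheme change or trailing slash is reported rather than normalized away.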
Development

Successfully merging this pull request may close these issues.

[OBO] CLI Support for Enabling OBO Delegated Identity