starred/dbeaver
1
0
Fork 0
mirror of https://github.com/dbeaver/dbeaver.git synced 2026-04-25 05:56:14 +03:00
Code Issues Projects Releases Packages Wiki Activity
Page: Authentication Microsoft Entra ID
Pages
3rd party dependencies AI Assistance and Data Privacy AI Smart Assistance in DBeaver Community AWS Cloud Explorer AWS Credentials AWS DocumentDB AWS DynamoDB AWS Keyspaces AWS Permissions AWS SSM Configuration AWS SSO Accessibility Guide Admin Manage Connections Admin Manage Drivers Admin Manage Preferences Admin Preference Restrictions Admin Variables Apache Hive Application Window Overview Authentication DBeaver profile Authentication Database Native Authentication Databricks Authentication LDAP Mechanism Authentication Microsoft Entra ID Authentication MongoDB Authentication MySQL Two factor Authentication PostgreSQL Pgpass Authentication PostgreSQL SSPI Authentication Salesforce Authentication Snowflake Auto and Manual Commit Modes Automation Security Azure Cloud Explorer Azure Permissions Background Tasks Backup Restore Basic operations Bookmarks Brazilian Portuguese Standardization proposals Build from sources Calc Panel Cassandra Change current user password Clickhouse Client Side Scripting Cloud Explorer Cloud Storage Command Line Composite Tasks Configuration files in DBeaver Configure Connection Initialization Settings Configure Filters Connect to Database Connecting to Oracle Database using JDBC OCI driver Connecting to Oracle databases Connection Types Contribute your code Couchbase Create Connection Creating Indexes Creating columns Custom Diagrams Customer technical support information DB Full Text Search DB Metadata Search DBeaver release cycles Dashboards Data Editor preferences Data Editor Data Filters Data Import and Replace Data Refresh Data Search Data View and Format Data Viewing and Editing Data compare Data export Data import Data migration Data transfer email Data transfer external storage Data transfer Database Connections Database Navigator Database Object Editor Database authentication models Database driver AlloyDB for PostgreSQL Database driver Amazon Athena Database driver Amazon Redshift Database driver Amazon Timestream Database driver Aurora DSQL Database driver Azure CosmosDB for NoSQL Database driver BigQuery Database driver CSV Database driver CosmosDB Database driver Databricks Database driver Files MultiSource Database driver Firestore Database driver Google Cloud Spanner Database driver Greenplum Database driver IBM Db2 Database driver JSON Database driver MariaDB Database driver Microsoft SQL Server on Google Cloud Database driver Microsoft SQL Server Database driver MySQL on Google Cloud Database driver MySQL Database driver Neo4j Database driver Neptune Database driver Netezza Database driver Parquet Database driver PostgreSQL on Google Cloud Database driver PostgreSQL Database driver SQLite Database driver Salesforce Database driver Teradata Database driver Trino Database driver XLSX Database driver XML Database driver Yellowbrick Database drivers Debug options DebugPluginInstall Deprecated legacy ODBC driver Develop in Eclipse Develop in IDEA Differences between license types Disable AI assistance Disconnect from Database Driver Manager ER Diagrams Early Access Program license Eclipse extensions Edit Connection Edit mode Editors Enterprise Edition Export Command Extension Office FAQ File Search File based driver properties Filter Database Objects GCP Credentials GCP SSO GIS examples Getting started Google Bigtable Google Cloud Explorer Grouping Panel Home How to Import License How to Reassign License How to Update License How to add additional artifacts to the driver How to import Connections from External Tools How to manage DBeaver snap package How to set a variable if dbeaver ini is read only How to use Diagrams How to work with database Partitions Implementing Constraints Import SSL Certificates Importing CA certificates from your local Java into DBeaver Incorporating Triggers InfluxDB Installation Integrated Security Invalidate and Reconnect to Database JDBC Time Zones JDBC Tracing Kerberos Authentication Kubernetes configuration License Administration Liquibase Changelog Liquibase PRO Lite Edition Local Client Configuration Localization Lock Manager Log files Making a thread dump Managing Charts Managing Data Formats Managing Master Password Managing Truststore Settings Managing security restrictions for database connection Metadata Panel Migration from DBeaver CE to DBeaver PRO Mock Data Generation MongoDB Navigation Network configuration Network profiles New Table Creation ODBC JDBC Driver Optional extensions Oracle PGDebugger Panels Pending Transactions PostgreSQL Arrays PostgreSQL Extensions Posting issues Pre configured Variables Project Explorer Project security Project team work Projects View Projects Properties Editor Proxy configuration with system files Proxy configuration Query Execution Plan Query Manager Query Trace Panel Redis References Panel Reset UI settings Reset workspace Result Details Panel SQL Assist and Auto Complete SQL Code Editor SQL Editor SQL Execution SQL Formatting SQL Generation SQL Plus Script Execution SQL Script Task SQL Templates SQL Terminal SSH Configuration SSL Configuration Oracle SSL Configuration Sample Database Schema compare Script Management Search Tool Secret Providers Security in DBeaver PRO Security Separate Connections Session Manager Guide Shortcuts Simple Structure Compare Simple and Advanced View Snap installation Snowflake Spelling Statistics Collection Structure and Data Compare Tableau integration in DBeaver Task Management Task Scheduler Toolbar Customization Transaction Log Troubleshooting Windows Defender issues Troubleshooting system issues Troubleshooting task scheduler issues UI Language Ultimate Edition for AWS Ultimate Edition Unit Tests User Interface Themes Utilizing Foreign Keys Value Panel Variables panel Views Virtual Keys Virtual column expressions Visual Query Builder Windows Silent Install Working with Dictionary Data Working with Shell Commands in DBeaver Working with Spatial GIS data Working with XML and JSON Workspace Location _Toc
8 Authentication Microsoft Entra ID
dbeaver-devops edited this page 2026-03-24 08:38:39 +00:00
Unescape Escape
Table of Contents
This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Note

: This feature is available in Lite, Enterprise, and Ultimate editions only.

Table of contents

DBeaver comes with Microsoft Entra ID (formerly Azure AD) authentication support, allowing secure access to your databases.

The official Entra documentation.

Prerequisites

Make sure you have:

  • an active Azure account with the appropriate permissions
  • a Microsoft Entra ID application is registered and configured by your administrator.

For more details on permissions, see Azure permissions.

Microsoft Entra ID configuration

To enable authorization with the Microsoft platform, you need a registered application in Azure. If one doesn't exist, create and configure it as follows:

  1. Register an application
    Create a new enterprise application in Microsoft Entra by following the steps in the official Microsoft documentation.

  2. Configure application secrets DBeaver uses the OpenID Connect protocol for authorization with Microsoft Entra ID. To enable this, configure application secrets. Detailed instructions are available in the official Microsoft documentation.

    Important: Record the value of the client secret immediately after creating it. It can only be viewed once. If you miss this step, youll need to create a new secret.

Configure an authentication type

Default credentials

Use this when you do not want to store secrets in DBeaver.

  1. Open Edit connection.

  2. On Connection settings, set Credentials to Default credentials.

  3. (Optional) If database access is granted through an Entra ID group, enter the AD Group name.

  4. (Optional) Review Use legacy token permissions.

    • keep it unchecked in almost all cases
    • enable it only if your DBA or admin specifically instructs you

    This option forces the connection to use older token scopes and claim formats for backward compatibility with databases or drivers that dont fully support modern Microsoft Entra ID permissions.

  5. Click Test connection, then Save.

Tip: To see how DefaultAzureCredential picks a provider, see DefaultAzureCredential overview.

Environment variables

Set these before starting DBeaver if you want to guide how the SDK gets a token.

  • If you use the environment-variable credential

    • AZURE_CLIENT_ID — your apps client ID
    • AZURE_TENANT_ID — your Microsoft Entra directory (tenant) ID
    • then either:
      • AZURE_CLIENT_SECRET, or
      • AZURE_CLIENT_CERTIFICATE_PATH and AZURE_CLIENT_CERTIFICATE_PASSWORD (optional, for .pfx)

  • If you use managed identity

    • for a user-assigned identity: AZURE_CLIENT_ID
    • for a system-assigned identity: no variables are required
    • (available only in Azure environments like VM, App Service, or Function App)
macOS
launchctl setenv AZURE_CLIENT_ID <value>
launchctl setenv AZURE_TENANT_ID <value>
# optional
launchctl setenv AZURE_CLIENT_SECRET <value>
launchctl setenv AZURE_CLIENT_CERTIFICATE_PATH /path/to/cert.pfx
launchctl setenv AZURE_CLIENT_CERTIFICATE_PASSWORD <value>

Tip: Restart DBeaver (or log out and back in) after running these commands. Variables set with launchctl are visible only to new GUI apps.

Linux
export AZURE_CLIENT_ID=<value>
export AZURE_TENANT_ID=<value>
# optional
export AZURE_CLIENT_SECRET=<value>
export AZURE_CLIENT_CERTIFICATE_PATH=/path/to/cert.pfx
export AZURE_CLIENT_CERTIFICATE_PASSWORD=<value>

Tip: These variables work only in the current terminal session. Add them to ~/.bashrc or ~/.profile to make them persistent when is launched from the desktop.

Windows

Set variables as User variables in System Properties - Environment Variables, then restart DBeaver.

Or set them from PowerShell:

setx AZURE_CLIENT_ID "<value>"
setx AZURE_TENANT_ID "<value>"
# optional
setx AZURE_CLIENT_SECRET "<value>"
setx AZURE_CLIENT_CERTIFICATE_PATH "C:\path\to\cert.pfx"
setx AZURE_CLIENT_CERTIFICATE_PASSWORD "<value>"

Enterprise application

Use this for user sign-in without storing a secret in DBeaver.

  1. Open Edit connection.

  2. Set Credentials to Enterprise application.

  3. Enter the values below:

    Field in DBeaver What to enter Where to find in the Azure portal Reference
    Client ID Your applications Application (client) ID Microsoft Entra ID - App registrations - Your app - Overview Copy the application ID (client ID)
    Tenant ID Your Directory (tenant) ID Microsoft Entra ID - Overview - Tenant ID Find your tenant ID
    AD Group name (Optional) The exact Entra group name that was granted database access Microsoft Entra ID - Groups - Your group - Overview Create a group and add members

  4. (Optional) Review Use legacy token permissions.

    • keep it unchecked in almost all cases
    • enable it only if your DBA or admin specifically instructs you

    This option forces the connection to use older token scopes and claim formats for backward compatibility with databases or drivers that dont fully support modern Microsoft Entra ID permissions.

  5. Click Test connection, then Save.

For information on creating the application in Azure, see Register an app.

Client secret

Use this for service connections where an app authenticates with a secret.

  1. Open Edit connection.

  2. Set Credentials to Client secret.

  3. Enter the values below:

    Field in DBeaver What to enter Where to find in the Azure portal Reference
    Client ID Your apps Application (client) ID Microsoft Entra ID - App registrations - Your app - Overview Copy the client ID
    Tenant ID Your Directory (tenant) ID Microsoft Entra ID - Overview - Tenant ID Find your tenant ID
    Client secret The secret Value (not the Secret ID) Your app - Certificates & secrets - Client secrets Add a client secret
    AD Group name (Optional) The exact Entra group name that was granted database access Microsoft Entra ID - Groups - Your group - Overview Create a group and add members

  4. (Optional) Review Use legacy token permissions.

    • keep it unchecked in almost all cases
    • enable it only if your DBA or admin specifically instructs you

    This option forces the connection to use older token scopes and claim formats for backward compatibility with databases or drivers that dont fully support modern Microsoft Entra ID permissions.

  5. Click Test connection, then Save.

For information on creating the secret in Azure, see Add a client secret.

Client certificate

Use this when your org prefers certificates to secrets.

  1. Open Edit connection.

  2. Set Credentials to Client certificate.

  3. Enter the values below:

    Field in DBeaver What to enter Where to find in the Azure portal Reference
    Client ID Your apps Application (client) ID Microsoft Entra ID - App registrations - Your app - Overview Copy the client ID
    Tenant ID Your Directory (tenant) ID Microsoft Entra ID - Overview - Tenant ID Find your tenant ID
    Client certificate path Local path to the private-key file You generate the cert locally and upload the public cert to Your app - Certificates & secrets - Certificates Certificate credentials
    Client certificate password (Optional) Password for the .pfx, if set when exporting Set during export of the .pfx on your machine Certificate credentials
    AD Group name (Optional) Exact group name that has database access Microsoft Entra ID - Groups - Your group - Overview Create a group and add members

  4. (Optional) Review Use legacy token permissions.

    • keep it unchecked in almost all cases
    • enable it only if your DBA or admin specifically instructs you

    This option forces the connection to use older token scopes and claim formats for backward compatibility with databases or drivers that dont fully support modern Microsoft Entra ID permissions.

  5. Click Test connection, then Save.

For information on certificate credentials in Azure, see Certificate credentials.

Troubleshooting

Authentication fails

Group-based authentication fails

If you're using an Entra ID security group to connect to Azure Database for PostgreSQL and see an error like:

password authentication failed for user "<group-name>"

Check the following:

DBeaver Documentation

DBeaver - Universal Database Manager