title: "Azure connectivity"

description: Explains the Azure connection options available in Azure Data Studio.

author: erinstellato-ms

ms.author: erinstellato

ms.reviewer: maghan, randolphwest

ms.date: 03/22/2023

ms.service: azure-data-studio

ms.topic: "overview"

Azure Data Studio uses the Microsoft Authentication Library (MSAL) by default to acquire an access token from Azure Active Directory. The settings that apply to Azure authentication are discussed, along with commonly observed issues and their solutions.

This setting controls the authentication library used by Azure Data Studio when adding an Azure account. Microsoft Authentication Library (MSAL) offers authentication and authorization services using standard-compliant implementations of OAuth 2.0 and OpenID Connect (OIDC) 1.0. Read more about [Microsoft Authentication Library (MSAL)](/azure/active-directory/develop/msal-overview).

"azure.authenticationLibrary": "MSAL"

:::image type="content" source="media/azure-connectivity/authentication-library.png" alt-text="Screenshot of Azure authentication library.":::

**ADAL (Active Directory Authentication Library)** is now deprecated, but is supported by Azure Data Studio as a fallback for any potential authentication issues with MSAL.

Azure Data Studio supports multi-factor authentication with Azure accounts using the following modes:

- Using Code Grant authentication (enabled by default)

- Using Device Code authentication

"accounts.azure.auth.codeGrant": true

:::image type="content" source="media/azure-connectivity/code-grant.png" alt-text="Screenshot of Azure authentication Code Grant option.":::

When **Code Grant method** is checked, users are prompted to authenticate with browser based authentication. This option is enabled by default.

"accounts.azure.auth.deviceCode": true

:::image type="content" source="media/azure-connectivity/device-code.png" alt-text="Screenshot of Azure authentication Device Code option.":::

When **Device Code method** is enabled, users are provided with a code and a URL to enter which can then be used to sign in.

When both options are checked, users are prompted to select one of the two authentication modes when adding an Azure account.

Azure Data Studio supports Azure Active Directory (Azure AD) authentication with National clouds. **Azure Public Cloud** is enabled by default, but users can enable other national clouds as needed:

"accounts.azure.cloud.enableChinaCloud": false,

"accounts.azure.cloud.enablePublicCloud": true,

"accounts.azure.cloud.enableUsGovCloud": false

:::image type="content" source="media/azure-connectivity/national-clouds.png" alt-text="Screenshot of Azure authentication National Clouds.":::

These settings apply filters on Azure resources and tenants.

- Resource Config filter: Applies inclusion filter to resources that should be displayed.

- Tenant Config filter: Applies exclusion filter to tenants that should be ignored.

"azure.resource.config.filter": [],

"azure.tenant.config.filter": [

"313b5f9e-9b92-414c-8d87-a317e42d0222"

]

:::image type="content" source="media/azure-connectivity/resource-config.png" alt-text="Screenshot of Azure authentication resource configuration options.":::

If using Azure Data Studio (ADS) behind a proxy, users must specify proxy settings for ADS to communicate with external endpoints. There are two ways to provide proxy settings for ADS to use:

- Setting proxy configuration in the Azure Data Studio (**Settings > Http: Proxy Settings**), or

- Setting environment variables for proxy configuration.

Azure Data Studio settings take precedence over environment variables.

The following settings are available in Azure Data Studio:

"http.proxy": "https://userName@fqdn:yourPassword@yourProxyURL.com:8080",

"http.proxyStrictSSL": true,

"http.proxyAuthorization": "",

"http.proxySupport" : "override"

:::image type="content" source="media/azure-connectivity/proxy-settings.png" alt-text="Screenshot of Azure authentication proxy settings.":::

- `'HTTP_PROXY': 'http://userName@fqdn:yourPassword@yourProxyURL.com:8080'`

- `'HTTPS_PROXY': 'https://userName@fqdn:yourPassword@yourProxyURL.com:8080'`

In a proxy environment, user applications may need to allow specific domains used by Azure Data Studio. Hostnames through which you may need or want to allow communication are:

**Azure Public**

- https://management.azure.com

- https://login.microsoftonline.com/

**Azure (US Government)**

- https://management.core.usgovcloudapi.net/

- https://login.microsoftonline.us/

**Azure (China)**

- https://management.core.chinacloudapi.cn/

- https://login.partner.microsoftonline.cn/

The URLs to allow can sometimes vary on a case-by-case basis. In order to verify you aren't blocking any URLs from going through, go to **Help > Toggle Developer Tools** and select the **Network** tab. Any URLs that are blocked are listed, and you may need to allow those URLs to successfully add your account.

Possible issues and solutions when adding an Azure account are discussed.

Users may see an SSL error when signing in to their account. This flow opens an external web page to `localhost`, typically prompting users to sign in via the standard Microsoft authentication prompts. The URL for this page looks similar to `http://localhost:50055/signin?nonce=...`

Some browsers may be set up to automatically redirect all `http` links to `https`, which breaks this process as the local server serving the web page doesn't support https. If the link in the address bar starts with `https`, then you get an SSL error and the page can't load. In that case, the workarounds listed here may address the issue.

**Change URL to http**

First, manually change the URL from `https://` to `http://`. The browser may change it back to https, in which case it's necessary to try another option.

**Disable HSTS (HTTP Strict Transport Security)**

For Edge/Chrome browsers, you can disable [HSTS](https://www.chromium.org/hsts/) for localhost.

1. Open Edge/Chrome, and in the address bar, type `edge://net-internals/#hsts` (or `chrome://net-internals/#hsts` for Chrome).

1. Scroll to the bottom of the page and in the `Delete domain security policies` section, enter `localhost` and press `Delete`.

Once that is complete, you should be able to sign in, and not have the browser redirect your `localhost` links automatically to `https`.

If the user application is running in an environment behind a proxy, user authentication may not complete, and these steps can be used to resolve the issue.

1. Recheck environment variables and **http.proxy** settings in ADS. If the proxy requires user authentication, providing a username/password in **http.proxy** URL can resolve authentication issues; otherwise, ADS can't read logged-in user credentials. Alternatively, running ADS as a different user can be attempted, as it may help resolve Authentication issues with Proxy. However, the latter only works for some scenarios.

1. The URLs to allow can vary on a case-by-case basis. To verify you aren't blocking any URLs from going through, go to **Help > Toggle Developer Tools** and select the **Network** tab. Here you see any URLs that are getting blocked that you may need to allow to add your account successfully.

1. Uncheck **Http: Proxy Strict SSL**. It's possible that proxy certificate isn't verifiable against the list of trusted CAs. Disabling Strict SSL can rule out the proxy certificate as an issue.

**To conclude:**

As a cross-platform application, ADS proxy resolution fetches the proxy from either setting within the application, or through environment variables. The aim is to avoid interaction with system settings, which can vary significantly on different operating systems.

Azure Data Studio captures Error events for Azure account activity by default. To enable more detailed traces, users can modify these settings:

This setting configures the logging level for information from Azure core that can be captured in Azure Data Studio. Change it to *Verbose* or *All* to capture detailed logs that can be useful to diagnose authentication failures. For more information, see [Debug Trace Logging](https://github.com/microsoft/azuredatastudio/wiki/Debug-Trace-Logging) to learn how to capture logging information.

"azure.loggingLevel": "Verbose"

:::image type="content" source="media/azure-connectivity/logging-level.png" alt-text="Screenshot of Azure authentication logging Level configuration.":::

Users can enable PII (Personally Identifiable Information) logging for local testing and debugging purposes. This setting enables more thorough logging of the authentication process, but may contain sensitive information such as access tokens or user IDs when authenticating with Azure. Because this logging captures sensitive information, it's recommended to:

- Not share these logs with anyone else, especially when adding logs to GitHub issues

- Disable the setting once the necessary information has been collected

- Delete the log files once the setting has been disabled

"azure.piiLogging": true

:::image type="content" source="media/azure-connectivity/pii-logging.png" alt-text="Screenshot of Azure authentication PII logging option.":::

This setting disables system keychain integration to prevent repeated keychain access prompts on macOS. User Credentials are alternatively stored in a flat file in the user's home directory.

"azure.noSystemKeychain": true

:::image type="content" source="media/azure-connectivity/keychain.png" alt-text="Screenshot of Azure authentication keychain configuration.":::

Azure Data Studio maintains a cache of access tokens to prevent the throttling of token requests to Azure Active Directory (Azure AD). It's possible that Azure Data Studio's token cache may be outdated, which requires cleaning up expired access tokens from the application cache.

Execute this command from **Command Palette (Ctrl/CMD + Shift + P)** to clear access tokens for linked Azure accounts:

Execute this command from **Command Palette (Ctrl/CMD + Shift + P)** to remove all linked Azure accounts from Azure Data Studio:

**Clear all saved accounts (clearSavedAccounts)**