Connect-DbaInstance - Add -AuthenticationType parameter for Entra ID support (#10271)

Author: andreasjordan

public/Connect-DbaInstance.ps1

@@ -144,6 +144,15 @@ function Connect-DbaInstance {
         Authenticates to Azure SQL Database using an access token generated by Get-AzAccessToken or New-DbaAzAccessToken.
         Use this for service principal authentication or when integrating with Azure automation that provides pre-generated tokens. Tokens expire after one hour and cannot be renewed.
 
+    .PARAMETER AuthenticationType
+        Specifies the authentication method for connecting to Azure SQL or Entra ID-protected SQL Server instances.
+        Use "ActiveDirectoryInteractive" for Entra ID (Azure AD) authentication with MFA — a browser dialog will prompt you to select your Entra ID account.
+        Use "ActiveDirectoryIntegrated" for Entra ID integrated authentication using your current Windows session.
+        Use "ActiveDirectoryPassword" for Entra ID authentication with a username and password via SqlCredential.
+        Use "ActiveDirectoryServicePrincipal" for service principal authentication (client ID and secret via SqlCredential).
+        Use "ActiveDirectoryManagedIdentity" for managed identity authentication in Azure-hosted environments.
+        Use "ActiveDirectoryDeviceCodeFlow" for device code flow authentication.
+
     .PARAMETER DedicatedAdminConnection
         Creates a dedicated administrator connection (DAC) for emergency access to SQL Server.
         Use this when SQL Server is unresponsive to regular connections, allowing you to diagnose and resolve critical issues. Remember to manually disconnect the connection when finished.
@@ -343,6 +352,25 @@ function Connect-DbaInstance {
         If a server fails due to certificate validation, automatically retries with TrustServerCertificate enabled.
         This provides a secure-by-default approach for mixed environments without requiring separate connection logic.
 
+    .EXAMPLE
+        PS C:\> $server = Connect-DbaInstance -SqlInstance sql01 -AuthenticationType ActiveDirectoryInteractive
+
+        Connects to a SQL Server instance (Azure SQL VM, Azure SQL Database, Azure SQL Managed Instance, or Fabric SQL Database)
+        using Entra ID (Azure AD) interactive authentication with MFA. A browser dialog will appear prompting you to select
+        your Entra ID account and complete any required MFA steps.
+
+    .EXAMPLE
+        PS C:\> $server = Connect-DbaInstance -SqlInstance myserver.database.windows.net -Database mydb -AuthenticationType ActiveDirectoryInteractive
+
+        Connects to an Azure SQL Database using Entra ID interactive authentication with MFA.
+        A browser dialog will appear to complete authentication.
+
+    .EXAMPLE
+        PS C:\> $server = Connect-DbaInstance -SqlInstance sql01 -AuthenticationType ActiveDirectoryIntegrated
+
+        Connects to a SQL Server instance using Entra ID integrated authentication.
+        Uses the currently signed-in Entra ID identity without prompting for credentials.
+
     #>
     [CmdletBinding()]
     [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSAvoidUsingConvertToSecureStringWithPlainText", "")]
@@ -383,6 +411,8 @@ function Connect-DbaInstance {
         [string]$AzureDomain = "database.windows.net",
         [string]$Tenant = (Get-DbatoolsConfigValue -FullName 'azure.tenantid'),
         [psobject]$AccessToken,
+        [ValidateSet('ActiveDirectoryIntegrated', 'ActiveDirectoryInteractive', 'ActiveDirectoryPassword', 'ActiveDirectoryServicePrincipal', 'ActiveDirectoryManagedIdentity', 'ActiveDirectoryDeviceCodeFlow')]
+        [string]$AuthenticationType,
         [switch]$DedicatedAdminConnection,
         [switch]$DisableException
     )
@@ -620,7 +650,7 @@ function Connect-DbaInstance {
 
             # Check for ignored parameters
             # We do not check for SqlCredential as this parameter is widely used even if a server SMO is passed in and we don't want to output a message for that
-            $ignoredParameters = 'BatchSeparator', 'ClientName', 'ConnectTimeout', 'EncryptConnection', 'LockTimeout', 'MaxPoolSize', 'MinPoolSize', 'NetworkProtocol', 'PacketSize', 'PooledConnectionLifetime', 'SqlExecutionModes', 'TrustServerCertificate', 'AllowTrustServerCertificate', 'WorkstationId', 'FailoverPartner', 'MultipleActiveResultSets', 'MultiSubnetFailover', 'AppendConnectionString', 'AccessToken'
+            $ignoredParameters = 'BatchSeparator', 'ClientName', 'ConnectTimeout', 'EncryptConnection', 'LockTimeout', 'MaxPoolSize', 'MinPoolSize', 'NetworkProtocol', 'PacketSize', 'PooledConnectionLifetime', 'SqlExecutionModes', 'TrustServerCertificate', 'AllowTrustServerCertificate', 'WorkstationId', 'FailoverPartner', 'MultipleActiveResultSets', 'MultiSubnetFailover', 'AppendConnectionString', 'AccessToken', 'AuthenticationType'
             if ($inputObjectType -eq 'Server') {
                 if (Test-Bound -ParameterName $ignoredParameters) {
                     Write-Message -Level Warning -Message "Additional parameters are passed in, but they will be ignored"
@@ -874,7 +904,16 @@ function Connect-DbaInstance {
                 #[Microsoft.SqlServer.Management.Common.SqlConnectionInfo+AuthenticationMethod]::ActiveDirectoryPassword
                 #[Microsoft.SqlServer.Management.Common.SqlConnectionInfo+AuthenticationMethod]::NotSpecified
                 #[Microsoft.SqlServer.Management.Common.SqlConnectionInfo+AuthenticationMethod]::SqlPassword
-                if ($authType -eq 'azure integrated') {
+                if ($AuthenticationType) {
+                    Write-Message -Level Debug -Message "Authentication will be set to '$AuthenticationType' (from AuthenticationType parameter)"
+                    $sqlConnectionInfo.Authentication = [Microsoft.SqlServer.Management.Common.SqlConnectionInfo+AuthenticationMethod]::$AuthenticationType
+                    # ActiveDirectoryInteractive and ActiveDirectoryIntegrated require UseIntegratedSecurity=False
+                    # to prevent the default Integrated Security=True from conflicting with Entra ID auth
+                    if ($AuthenticationType -in 'ActiveDirectoryInteractive', 'ActiveDirectoryIntegrated', 'ActiveDirectoryDeviceCodeFlow', 'ActiveDirectoryManagedIdentity') {
+                        Write-Message -Level Debug -Message "UseIntegratedSecurity will be set to '$false' for $AuthenticationType"
+                        $sqlConnectionInfo.UseIntegratedSecurity = $false
+                    }
+                } elseif ($authType -eq 'azure integrated') {
                     # Azure AD integrated security
                     # TODO: This is not tested / How can we test that?
                     Write-Message -Level Debug -Message "Authentication will be set to 'ActiveDirectoryIntegrated'"

tests/Connect-DbaInstance.Tests.ps1

@@ -42,6 +42,7 @@ Describe $CommandName -Tag UnitTests {
                 "AzureDomain",
                 "Tenant",
                 "AccessToken",
+                "AuthenticationType",
                 "DedicatedAdminConnection",
                 "DisableException"
             )