Merge pull request #36332 from MicrosoftDocs/main

Auto Publish – main to live - 2026-01-20 23:30 UTC

Author: learn-build-service-prod[bot]

.github/workflows/block-preview-branch-merge.yml

@@ -0,0 +1,114 @@
+name: Block preview branch merges
+
+permissions:
+  pull-requests: write
+  statuses: write
+  checks: write
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    # Monitor all target branches since preview branches cannot merge to ANY branch
+
+jobs:
+  block-preview:
+    name: Block preview branch merge
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Check head reference restrictions
+        shell: pwsh
+        env:
+          HEAD_REF: ${{ github.head_ref }}
+          BASE_REF: ${{ github.base_ref }}
+          PR_NUMBER: ${{ github.event.number }}
+          REPO_NAME: ${{ github.repository }}
+        run: |
+          Write-Host "Checking merge restrictions for PR #$env:PR_NUMBER"
+          Write-Host "Head reference: $env:HEAD_REF"
+          Write-Host "Base reference: $env:BASE_REF"
+          Write-Host "Repository: $env:REPO_NAME"
+          
+          # Only apply restrictions if head branch is a release-preview branch
+          if ($env:HEAD_REF -like "*release-preview*") {
+            Write-Host "Release-preview branch detected: $env:HEAD_REF"
+            
+            # Block merges to main
+            if ($env:BASE_REF -eq "main") {
+              Write-Host "❌ MERGE BLOCKED: Release-preview branches cannot merge to main"
+              Write-Host ""
+              Write-Host "This pull request is attempting to merge from a release-preview branch"
+              Write-Host "'$env:HEAD_REF' to 'main', which is not permitted."
+              Write-Host ""
+              Write-Host "IMPORTANT: Release-preview branches cannot merge directly to main."
+              Write-Host ""
+              Write-Host "To merge such branches:"
+              Write-Host "1. Create a new branch from main"
+              Write-Host "2. Squash the changes to one commit"
+              Write-Host "3. Create a new pull request from the new branch"
+              Write-Host ""
+              
+              # Set job summary for GitHub UI
+              echo "# 🚫 Merge Blocked - Release-Preview to Main" >> $env:GITHUB_STEP_SUMMARY
+              echo "" >> $env:GITHUB_STEP_SUMMARY
+              echo "Release-preview branches cannot merge directly to **main**." >> $env:GITHUB_STEP_SUMMARY
+              echo "" >> $env:GITHUB_STEP_SUMMARY
+              echo "## Restriction Details" >> $env:GITHUB_STEP_SUMMARY
+              echo "- **Head branch:** $env:HEAD_REF" >> $env:GITHUB_STEP_SUMMARY
+              echo "- **Target branch:** $env:BASE_REF" >> $env:GITHUB_STEP_SUMMARY
+              echo "- **Restriction:** Release-preview branches cannot merge to main" >> $env:GITHUB_STEP_SUMMARY
+              
+              exit 1
+            }
+            # For release-* targets (non-preview), always block
+            elseif ($env:BASE_REF -like "release-*" -and $env:BASE_REF -notlike "release-preview-*") {
+              Write-Host "❌ MERGE BLOCKED: Release-preview branches cannot merge to non-preview release branches"
+              Write-Host ""
+              Write-Host "This pull request is attempting to merge from '$env:HEAD_REF'"
+              Write-Host "to '$env:BASE_REF', which is not permitted."
+              Write-Host ""
+              Write-Host "IMPORTANT: Release-preview branches can only merge to other release-preview branches."
+              Write-Host ""
+              
+              # Set job summary for GitHub UI
+              echo "# 🚫 Merge Blocked - Release-Preview to Release" >> $env:GITHUB_STEP_SUMMARY
+              echo "" >> $env:GITHUB_STEP_SUMMARY
+              echo "Release-preview branches cannot merge to non-preview release branches." >> $env:GITHUB_STEP_SUMMARY
+              echo "" >> $env:GITHUB_STEP_SUMMARY
+              echo "## Restriction Details" >> $env:GITHUB_STEP_SUMMARY
+              echo "- **Head branch:** $env:HEAD_REF" >> $env:GITHUB_STEP_SUMMARY
+              echo "- **Target branch:** $env:BASE_REF" >> $env:GITHUB_STEP_SUMMARY
+              echo "- **Restriction:** Release-preview branches can only merge to other release-preview branches" >> $env:GITHUB_STEP_SUMMARY
+              
+              exit 1
+            }
+            # For other targets (including release-preview-*), check name matching
+            else {
+              if ($env:HEAD_REF -like "*$env:BASE_REF*") {
+                Write-Host "✅ Merge allowed: Head branch '$env:HEAD_REF' contains base branch name '$env:BASE_REF'"
+                echo "# ✅ Merge Check Passed" >> $env:GITHUB_STEP_SUMMARY
+                echo "Head branch **$env:HEAD_REF** is allowed to merge to **$env:BASE_REF**." >> $env:GITHUB_STEP_SUMMARY
+              } else {
+                Write-Host "❌ MERGE BLOCKED: Release-preview branch name doesn't contain target branch name"
+                Write-Host ""
+                Write-Host "This pull request is attempting to merge from '$env:HEAD_REF'"
+                Write-Host "to '$env:BASE_REF', but the head branch name doesn't contain the target name."
+                Write-Host ""
+                
+                # Set job summary for GitHub UI
+                echo "# 🚫 Merge Blocked - Name Mismatch" >> $env:GITHUB_STEP_SUMMARY
+                echo "" >> $env:GITHUB_STEP_SUMMARY
+                echo "Release-preview branch name must contain target branch name." >> $env:GITHUB_STEP_SUMMARY
+                echo "" >> $env:GITHUB_STEP_SUMMARY
+                echo "## Restriction Details" >> $env:GITHUB_STEP_SUMMARY
+                echo "- **Head branch:** $env:HEAD_REF" >> $env:GITHUB_STEP_SUMMARY
+                echo "- **Target branch:** $env:BASE_REF" >> $env:GITHUB_STEP_SUMMARY
+                
+                exit 1
+              }
+            }
+          } else {
+            Write-Host "✅ Merge allowed: Non-release-preview branch '$env:HEAD_REF' has no restrictions"
+            echo "# ✅ Merge Check Passed" >> $env:GITHUB_STEP_SUMMARY
+            echo "Head branch **$env:HEAD_REF** is allowed to merge to **$env:BASE_REF**." >> $env:GITHUB_STEP_SUMMARY
+          }

docs/connect/ado-net/sql/azure-active-directory-authentication.md

@@ -4,7 +4,7 @@ description: Describes how to use supported Microsoft Entra authentication modes
 author: David-Engel
 ms.author: davidengel
 ms.reviewer: davidengel
-ms.date: 06/09/2025
+ms.date: 01/16/2026
 ms.service: sql
 ms.subservice: connectivity
 ms.topic: integration
@@ -28,7 +28,7 @@ Microsoft Entra authentication uses identities in Microsoft Entra ID to access d
 
 When you set the `Authentication` connection property in the connection string, the client can choose a preferred Microsoft Entra authentication mode according to the value provided:
 
-- The earliest **Microsoft.Data.SqlClient** version supports `Active Directory Password` for .NET Framework, .NET Core, and .NET Standard. It also supports `Active Directory Integrated` authentication and `Active Directory Interactive` authentication for .NET Framework.
+- The earliest **Microsoft.Data.SqlClient** version supports `Active Directory Password` [DEPRECATED] for .NET Framework, .NET Core, and .NET Standard. It also supports `Active Directory Integrated` authentication and `Active Directory Interactive` authentication for .NET Framework.
 - Starting with **Microsoft.Data.SqlClient** 2.0.0, support for `Active Directory Integrated` authentication and `Active Directory Interactive` authentication is extended across .NET Framework, .NET Core, and .NET Standard.
 
   A new `Active Directory Service Principal` authentication mode is also added in SqlClient 2.0.0. It makes use of the client ID and secret of a service principal identity to accomplish authentication.
@@ -44,19 +44,21 @@ When the application is connecting to Azure SQL data sources by using Microsoft
 
 | Value | Description  | Microsoft.Data.SqlClient version |
 |:--|:--|:--:|
-| Active Directory Password | Authenticate with a Microsoft Entra identity's username and password | 1.0+ |
 | Active Directory Integrated | Authenticate with a Microsoft Entra identity by using Integrated Windows Authentication (IWA) | 2.0.0+<sup>1</sup> |
 | Active Directory Interactive | Authenticate with a Microsoft Entra identity by using interactive authentication | 2.0.0+<sup>1</sup> |
 | Active Directory Service Principal | Authenticate with a Microsoft Entra service principal, using its client ID and secret | 2.0.0+ |
 | Active Directory Device Code Flow | Authenticate with a Microsoft Entra identity by using Device Code Flow mode | 2.1.0+ |
 | Active Directory Managed Identity, <br>Active Directory MSI | Authenticate using a Microsoft Entra system-assigned or user-assigned managed identity | 2.1.0+ |
 | Active Directory Default | Authenticate with a Microsoft Entra identity by using password-less and non-interactive mechanisms including managed identities, Visual Studio Code, Visual Studio, Azure CLI, etc. | 3.0.0+ |
 | Active Directory Workload Identity | Authenticate with a Microsoft Entra identity by using a federated User Assigned Managed Identity to connect to SQL Database from Azure client environments that are enabled for Workload Identity. | 5.2.0+ |
+| Active Directory Password [DEPRECATED] | Authenticate with a Microsoft Entra identity's username and password.<br/><br/>Active Directory Password is deprecated. For more information, see [Using password authentication](#using-password-authentication). | 1.0+ |
 
 <sup>1</sup> Before **Microsoft.Data.SqlClient** 2.0.0, `Active Directory Integrated`, and `Active Directory Interactive` authentication modes are supported only on .NET Framework.
 
 ## Using password authentication
 
+[!INCLUDE [entra-password-auth-deprecation](../../../includes/entra-password-auth-deprecation.md)]
+
 `Active Directory Password` authentication mode supports authentication to Azure data sources with Microsoft Entra ID for native or federated Microsoft Entra users. When you're using this mode, user credentials must be provided in the connection string. The following example shows how to use `Active Directory Password` authentication.
 
 ```csharp
@@ -332,7 +334,7 @@ The following example displays how to use a custom callback when `Active Directo
 
 [!code-csharp [AADAuthenticationCustomDeviceFlowCallback#1](~/../sqlclient/doc/samples/AADAuthenticationCustomDeviceFlowCallback.cs#1)]
 
-With a customized `ActiveDirectoryAuthenticationProvider` class, a user-defined application client ID can be passed to SqlClient when a supported Microsoft Entra authentication mode is in use. Supported Microsoft Entra authentication modes include `Active Directory Password`, `Active Directory Integrated`, `Active Directory Interactive`, `Active Directory Service Principal`, and `Active Directory Device Code Flow`.
+With a customized `ActiveDirectoryAuthenticationProvider` class, a user-defined application client ID can be passed to SqlClient when a supported Microsoft Entra authentication mode is in use. Supported Microsoft Entra authentication modes include `Active Directory Integrated`, `Active Directory Interactive`, `Active Directory Service Principal`, `Active Directory Device Code Flow`, and `Active Directory Password` [DEPRECATED].
 
 The application client ID is also configurable via `SqlAuthenticationProviderConfigurationSection` or `SqlClientAuthenticationProviderConfigurationSection`. The configuration property `applicationClientId` applies to .NET Framework 4.6+ and .NET Core 2.1+.