* Deprecate ActiveDirectoryPassword in OLEDB

Updated the documentation to reflect the deprecation of ActiveDirectoryPassword authentication and recommended migration to ActiveDirectoryInteractive.

Author: David-Engel

docs/connect/oledb/applications/using-connection-string-keywords-with-oledb-driver-for-sql-server.md

@@ -75,7 +75,7 @@ The following table describes the keywords that can be used with `DBPROP_INIT_PR
 | `APP` | `SSPROP_INIT_APPNAME` | The string identifying the application. |
 | `ApplicationIntent` | `SSPROP_INIT_APPLICATIONINTENT` | Declares the application workload type when connecting to a server. Possible values are `ReadOnly` and `ReadWrite`.<br /><br />The default is `ReadWrite`. For more information about OLE DB Driver for SQL Server's support for [!INCLUDE [ssHADR](../../../includes/sshadr-md.md)], see [OLE DB Driver for SQL Server Support for High Availability, Disaster Recovery](../features/oledb-driver-for-sql-server-support-for-high-availability-disaster-recovery.md). |
 | `AttachDBFileName` | `SSPROP_INIT_FILENAME` | The name of the primary file (include the full path name) of an attachable database. To use `AttachDBFileName`, you must also specify the database name with the provider string Database keyword. If the database was previously attached, [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] doesn't reattach it (it uses the attached database as the default for the connection). |
-| `Authentication` <sup>1</sup> | `SSPROP_AUTH_MODE` | Specifies the SQL or Microsoft Entra authentication used. Valid values are:<br /><ul><li>`(not set)`: Authentication mode determined by other keywords.</li><li>`ActiveDirectoryPassword`: User ID and password authentication with a Microsoft Entra identity.</li><li>`ActiveDirectoryIntegrated`: Integrated authentication with Microsoft Entra ID.</li><br />**Note**: The `ActiveDirectoryIntegrated` keyword can also be used for Windows authentication to SQL Server. It replaces `Integrated Security` (or `Trusted_Connection`) authentication keywords. Applications using `Integrated Security` (or `Trusted_Connection`) keywords or their corresponding properties should set the value of the `Authentication` keyword (or its corresponding property) to `ActiveDirectoryIntegrated` to enable new encryption and certificate validation behavior.<br /><br /><li>`ActiveDirectoryInteractive`: Interactive authentication with a Microsoft Entra identity. This method supports Microsoft Entra multifactor authentication. </li><li>`ActiveDirectoryMSI`: [Managed Identity](/azure/active-directory/managed-identities-azure-resources/overview) authentication. For a user-assigned identity, the user ID should be set to the object ID of the user identity.</li><li>`ActiveDirectoryServicePrincipal`: Authentication with a Microsoft Entra service principal. The user ID should be set to the application (client) ID. The password should be set to the application (client) secret.</li><li>`SqlPassword`: Authentication using user ID and password.</li><br />**Note**: Applications using SQL Server authentication should set the value of the `Authentication` keyword (or its corresponding property) to `SqlPassword` to enable [new encryption and certificate validation behavior](../features/using-azure-active-directory.md#encryption-and-certificate-validation).</ul> |
+| `Authentication` <sup>1</sup> | `SSPROP_AUTH_MODE` | Specifies the SQL or Microsoft Entra authentication used. Valid values are:<br /><ul><li>`(not set)`: Authentication mode determined by other keywords.</li><li>`ActiveDirectoryPassword`:  **[DEPRECATED]** User ID and password authentication with a Microsoft Entra identity is deprecated. Migrate to multifactor authentication (ActiveDirectoryInteractive) for user principals. For more information, see [Planning for mandatory multifactor authentication for Azure](/entra/identity/authentication/concept-mandatory-multifactor-authentication).</li><li>`ActiveDirectoryIntegrated`: Integrated authentication with Microsoft Entra ID.</li><br />**Note**: The `ActiveDirectoryIntegrated` keyword can also be used for Windows authentication to SQL Server. It replaces `Integrated Security` (or `Trusted_Connection`) authentication keywords. Applications using `Integrated Security` (or `Trusted_Connection`) keywords or their corresponding properties should set the value of the `Authentication` keyword (or its corresponding property) to `ActiveDirectoryIntegrated` to enable new encryption and certificate validation behavior.<br /><br /><li>`ActiveDirectoryInteractive`: Interactive authentication with a Microsoft Entra identity. This method supports Microsoft Entra multifactor authentication. </li><li>`ActiveDirectoryMSI`: [Managed Identity](/azure/active-directory/managed-identities-azure-resources/overview) authentication. For a user-assigned identity, the user ID should be set to the object ID of the user identity.</li><li>`ActiveDirectoryServicePrincipal`: Authentication with a Microsoft Entra service principal. The user ID should be set to the application (client) ID. The password should be set to the application (client) secret.</li><li>`SqlPassword`: Authentication using user ID and password.</li><br />**Note**: Applications using SQL Server authentication should set the value of the `Authentication` keyword (or its corresponding property) to `SqlPassword` to enable [new encryption and certificate validation behavior](../features/using-azure-active-directory.md#encryption-and-certificate-validation).</ul> |
 | `Auto Translate` | `SSPROP_INIT_AUTOTRANSLATE` | Synonym for `AutoTranslate`. |
 | `AutoTranslate` | `SSPROP_INIT_AUTOTRANSLATE` | Configures OEM/ANSI character translation. Recognized values are `yes` and `no`. |
 | `ConnectRetryCount` | `SSPROP_INIT_CONNECT_RETRY_COUNT` | Controls the number of reconnection attempts if the connection is lost. Valid values range from `0` to `255`. The default value is `1`. A value of `0` would result in no attempt to reconnect. For more information, see [Idle connection resiliency in the OLE DB Driver](../features/idle-connection-resiliency.md). |
@@ -135,7 +135,7 @@ The following table describes the keywords that might be used with `IDataInitial
 | `Access Token` <sup>1</sup> | `SSPROP_AUTH_ACCESS_TOKEN` | The access token used to authenticate to Microsoft Entra ID.<br /><br />**Note**: It's an error to specify this keyword and also `UID`, `PWD`, `Trusted_Connection`, or `Authentication` connection string keywords or their corresponding properties/keywords. |
 | `Application Name` | `SSPROP_INIT_APPNAME` | The string identifying the application. |
 | `Application Intent` | `SSPROP_INIT_APPLICATIONINTENT` | Declares the application workload type when connecting to a server. Possible values are `ReadOnly` and `ReadWrite`.<br /><br />The default is `ReadWrite`. For more information about OLE DB Driver for SQL Server's support for [!INCLUDE [ssHADR](../../../includes/sshadr-md.md)], see [OLE DB Driver for SQL Server Support for High Availability, Disaster Recovery](../features/oledb-driver-for-sql-server-support-for-high-availability-disaster-recovery.md). |
-| `Authentication` <sup>1</sup> | `SSPROP_AUTH_MODE` | Specifies the SQL or Microsoft Entra authentication used. Valid values are:<br /><ul><li>`(not set)`: Authentication mode determined by other keywords.</li><li>`ActiveDirectoryPassword`: User ID and password authentication with a Microsoft Entra identity.</li><li>`ActiveDirectoryIntegrated`: Integrated authentication with Microsoft Entra ID.</li><br />**Note**: The `ActiveDirectoryIntegrated` keyword can also be used for Windows authentication to SQL Server. It replaces `Integrated Security` (or `Trusted_Connection`) authentication keywords. Applications using `Integrated Security` (or `Trusted_Connection`) keywords or their corresponding properties should set the value of the `Authentication` keyword (or its corresponding property) to `ActiveDirectoryIntegrated` to enable new encryption and certificate validation behavior.<br /><br /><li>`ActiveDirectoryInteractive`: Interactive authentication with a Microsoft Entra identity. This method supports Microsoft Entra multifactor authentication. </li><li>`ActiveDirectoryMSI`: [Managed Identity](/azure/active-directory/managed-identities-azure-resources/overview) authentication. For a user-assigned identity, the user ID should be set to the object ID of the user identity.</li><li>`ActiveDirectoryServicePrincipal`: Authentication with a Microsoft Entra service principal. The user ID should be set to the application (client) ID. The password should be set to the application (client) secret.</li><li>`SqlPassword`: Authentication using user ID and password.</li><br />**Note**: Applications using SQL Server authentication should set the value of the `Authentication` keyword (or its corresponding property) to `SqlPassword` to enable [new encryption and certificate validation behavior](../features/using-azure-active-directory.md#encryption-and-certificate-validation).</ul> |
+| `Authentication` <sup>1</sup> | `SSPROP_AUTH_MODE` | Specifies the SQL or Microsoft Entra authentication used. Valid values are:<br /><ul><li>`(not set)`: Authentication mode determined by other keywords.</li><li>`ActiveDirectoryPassword`:  **[DEPRECATED]** User ID and password authentication with a Microsoft Entra identity is deprecated. Migrate to multifactor authentication (ActiveDirectoryInteractive) for user principals. For more information, see [Planning for mandatory multifactor authentication for Azure](/entra/identity/authentication/concept-mandatory-multifactor-authentication).</li><li>`ActiveDirectoryIntegrated`: Integrated authentication with Microsoft Entra ID.</li><br />**Note**: The `ActiveDirectoryIntegrated` keyword can also be used for Windows authentication to SQL Server. It replaces `Integrated Security` (or `Trusted_Connection`) authentication keywords. Applications using `Integrated Security` (or `Trusted_Connection`) keywords or their corresponding properties should set the value of the `Authentication` keyword (or its corresponding property) to `ActiveDirectoryIntegrated` to enable new encryption and certificate validation behavior.<br /><br /><li>`ActiveDirectoryInteractive`: Interactive authentication with a Microsoft Entra identity. This method supports Microsoft Entra multifactor authentication. </li><li>`ActiveDirectoryMSI`: [Managed Identity](/azure/active-directory/managed-identities-azure-resources/overview) authentication. For a user-assigned identity, the user ID should be set to the object ID of the user identity.</li><li>`ActiveDirectoryServicePrincipal`: Authentication with a Microsoft Entra service principal. The user ID should be set to the application (client) ID. The password should be set to the application (client) secret.</li><li>`SqlPassword`: Authentication using user ID and password.</li><br />**Note**: Applications using SQL Server authentication should set the value of the `Authentication` keyword (or its corresponding property) to `SqlPassword` to enable [new encryption and certificate validation behavior](../features/using-azure-active-directory.md#encryption-and-certificate-validation).</ul> |
 | `Auto Translate` | `SSPROP_INIT_AUTOTRANSLATE` | Configures OEM/ANSI character translation. Recognized values are `true` and `false`. |
 | `Connect Timeout` | `DBPROP_INIT_TIMEOUT` | The amount of time (in seconds) to wait for data source initialization to complete. |
 | `Connect Retry Count` | `SSPROP_INIT_CONNECT_RETRY_COUNT` | Controls the number of reconnection attempts if the connection is lost. Valid values range from `0` to `255`. The default value is `1`. A value of `0` would result in no attempt to reconnect. For more information, see [Idle connection resiliency in the OLE DB Driver](../features/idle-connection-resiliency.md). |
@@ -194,7 +194,7 @@ The following table describes the keywords that might be used with an ADO connec
 | `Access Token` <sup>1</sup> | `SSPROP_AUTH_ACCESS_TOKEN` | The access token used to authenticate to Microsoft Entra ID.<br /><br />**Note**: It's an error to specify this keyword and also `UID`, `PWD`, `Trusted_Connection`, or `Authentication` connection string keywords or their corresponding properties/keywords. |
 | `Application Intent` | `SSPROP_INIT_APPLICATIONINTENT` | Declares the application workload type when connecting to a server. Possible values are `ReadOnly` and `ReadWrite`.<br /><br />The default is `ReadWrite`. For more information about OLE DB Driver for SQL Server's support for [!INCLUDE [ssHADR](../../../includes/sshadr-md.md)], see [OLE DB Driver for SQL Server Support for High Availability, Disaster Recovery](../features/oledb-driver-for-sql-server-support-for-high-availability-disaster-recovery.md). |
 | `Application Name` | `SSPROP_INIT_APPNAME` | The string identifying the application. |
-| `Authentication` <sup>1</sup> | `SSPROP_AUTH_MODE` | Specifies the SQL or Microsoft Entra authentication used. Valid values are:<br /><ul><li>`(not set)`: Authentication mode determined by other keywords.</li><li>`ActiveDirectoryPassword`: User ID and password authentication with a Microsoft Entra identity.</li><li>`ActiveDirectoryIntegrated`: Integrated authentication with Microsoft Entra ID.</li><br />**Note**: The `ActiveDirectoryIntegrated` keyword can also be used for Windows authentication to SQL Server. It replaces `Integrated Security` (or `Trusted_Connection`) authentication keywords. Applications using `Integrated Security` (or `Trusted_Connection`) keywords or their corresponding properties should set the value of the `Authentication` keyword (or its corresponding property) to `ActiveDirectoryIntegrated` to enable new encryption and certificate validation behavior.<br /><br /><li>`ActiveDirectoryInteractive`: Interactive authentication with a Microsoft Entra identity. This method supports Microsoft Entra multifactor authentication. </li><li>`ActiveDirectoryMSI`: [Managed Identity](/azure/active-directory/managed-identities-azure-resources/overview) authentication. For a user-assigned identity, the user ID should be set to the object ID of the user identity.</li><li>`ActiveDirectoryServicePrincipal`: Authentication with a Microsoft Entra service principal. The user ID should be set to the application (client) ID. The password should be set to the application (client) secret.</li><li>`SqlPassword`: Authentication using user ID and password.</li><br />**Note**: Applications using SQL Server authentication should set the value of the `Authentication` keyword (or its corresponding property) to `SqlPassword` to enable [new encryption and certificate validation behavior](../features/using-azure-active-directory.md#encryption-and-certificate-validation).</ul> |
+| `Authentication` <sup>1</sup> | `SSPROP_AUTH_MODE` | Specifies the SQL or Microsoft Entra authentication used. Valid values are:<br /><ul><li>`(not set)`: Authentication mode determined by other keywords.</li><li>`ActiveDirectoryPassword`:  **[DEPRECATED]** User ID and password authentication with a Microsoft Entra identity is deprecated. Migrate to multifactor authentication (ActiveDirectoryInteractive) for user principals. For more information, see [Planning for mandatory multifactor authentication for Azure](/entra/identity/authentication/concept-mandatory-multifactor-authentication).</li><li>`ActiveDirectoryIntegrated`: Integrated authentication with Microsoft Entra ID.</li><br />**Note**: The `ActiveDirectoryIntegrated` keyword can also be used for Windows authentication to SQL Server. It replaces `Integrated Security` (or `Trusted_Connection`) authentication keywords. Applications using `Integrated Security` (or `Trusted_Connection`) keywords or their corresponding properties should set the value of the `Authentication` keyword (or its corresponding property) to `ActiveDirectoryIntegrated` to enable new encryption and certificate validation behavior.<br /><br /><li>`ActiveDirectoryInteractive`: Interactive authentication with a Microsoft Entra identity. This method supports Microsoft Entra multifactor authentication. </li><li>`ActiveDirectoryMSI`: [Managed Identity](/azure/active-directory/managed-identities-azure-resources/overview) authentication. For a user-assigned identity, the user ID should be set to the object ID of the user identity.</li><li>`ActiveDirectoryServicePrincipal`: Authentication with a Microsoft Entra service principal. The user ID should be set to the application (client) ID. The password should be set to the application (client) secret.</li><li>`SqlPassword`: Authentication using user ID and password.</li><br />**Note**: Applications using SQL Server authentication should set the value of the `Authentication` keyword (or its corresponding property) to `SqlPassword` to enable [new encryption and certificate validation behavior](../features/using-azure-active-directory.md#encryption-and-certificate-validation).</ul> |
 | `Auto Translate` | `SSPROP_INIT_AUTOTRANSLATE` | Configures OEM/ANSI character translation. Recognized values are `true` and `false`. |
 | `Connect Timeout` | `DBPROP_INIT_TIMEOUT` | The amount of time (in seconds) to wait for data source initialization to complete. |
 | `Connect Retry Count` | `SSPROP_INIT_CONNECT_RETRY_COUNT` | Controls the number of reconnection attempts if the connection is lost. Valid values range from `0` to `255`. The default value is `1`. A value of `0` would result in no attempt to reconnect. For more information, see [Idle connection resiliency in the OLE DB Driver](../features/idle-connection-resiliency.md). |

docs/connect/oledb/features/using-azure-active-directory.md

@@ -107,6 +107,8 @@ This section shows examples of new and existing connection string keywords to be
 
 ### Microsoft Entra username and password authentication
 
+**[DEPRECATED]** ActiveDirectoryPassword is deprecated. Migrate to multifactor authentication (ActiveDirectoryInteractive) for user principals. For more information, see [Planning for mandatory multifactor authentication for Azure](/entra/identity/authentication/concept-mandatory-multifactor-authentication).
+
 - Using `IDataInitialize::GetDataSource`:
     > Provider=MSOLEDBSQL19;Data Source=[server];Initial Catalog=[database];**Authentication=ActiveDirectoryPassword**;User ID=[username];Password=[password];Use Encryption for Data=Mandatory
 - Using `DBPROP_INIT_PROVIDERSTRING`: