* Deprecate ActiveDirectoryPassword in JDBC

Updated the documentation to reflect the deprecation of ActiveDirectoryPassword authentication and recommended migration to ActiveDirectoryInteractive.

Author: David-Engel

docs/connect/jdbc/connecting-using-azure-active-directory-authentication.md

@@ -17,7 +17,6 @@ This article provides information on how to develop Java applications that use t
 
 You can use Microsoft Entra authentication, which is a mechanism to connect to Azure SQL Database, Azure SQL Manged Instance, and Azure Synapse Analytics using identities in Microsoft Entra ID. Use Microsoft Entra authentication to centrally manage identities of database users and as an alternative to SQL Server authentication. The JDBC driver allows you to specify your Microsoft Entra credentials in the JDBC connection string to connect to Azure SQL. For information on how to configure Microsoft Entra authentication visit [Connecting to Azure SQL By Using Microsoft Entra authentication](/azure/azure-sql/database/authentication-aad-overview).
 
-
 Connection properties to support Microsoft Entra authentication in the Microsoft JDBC Driver for SQL Server are:
 
 - **authentication**:  Use this property to indicate which SQL authentication method to use for the connection.
@@ -30,7 +29,8 @@ Connection properties to support Microsoft Entra authentication in the Microsoft
   - **ActiveDirectoryIntegrated**
     - Since driver version 6.0, `authentication=ActiveDirectoryIntegrated` can be used to connect to Azure SQL/Synapse Analytics via integrated authentication. To use this authentication mode, you must [federate](/azure/active-directory/hybrid/connect/whatis-fed) the on-premises Active Directory Federation Services (ADFS) with Microsoft Entra ID in the cloud. Once you set it up, you can connect by either adding the native library `mssql-jdbc_auth-<version>-<arch>.dll` to the application class path on Windows, or by setting up a Kerberos ticket for cross-platform authentication support. You're able to access Azure SQL/Azure Synapse Analytics without being prompted for credentials when you're logged in to a domain-joined machine. For more information, see [Connect using ActiveDirectoryIntegrated authentication mode](#connect-using-activedirectoryintegrated-authentication-mode).
 
-  - **ActiveDirectoryPassword**
+  - **ActiveDirectoryPassword [DEPRECATED]**
+    - ActiveDirectoryPassword is deprecated. Migrate to multifactor authentication (ActiveDirectoryInteractive) for user principals. For more information, see [Planning for mandatory multifactor authentication for Azure](/entra/identity/authentication/concept-mandatory-multifactor-authentication).
     - Since driver version 6.0, `authentication=ActiveDirectoryPassword` can be used to connect to Azure SQL/Synapse Analytics with Microsoft Entra username and password. For more information, see [Connect using ActiveDirectoryPassword authentication mode](#connect-using-activedirectorypassword-authentication-mode).
 
   - **ActiveDirectoryInteractive**
@@ -359,6 +359,8 @@ Access to a Windows domain-joined machine to query your Kerberos Domain Controll
 
 ## Connect using ActiveDirectoryPassword authentication mode
 
+**[DEPRECATED]** ActiveDirectoryPassword is deprecated. Migrate to multifactor authentication (ActiveDirectoryInteractive) for user principals. For more information, see [Planning for mandatory multifactor authentication for Azure](/entra/identity/authentication/concept-mandatory-multifactor-authentication).
+
 The following example shows how to use `authentication=ActiveDirectoryPassword` mode.
 
 To build and run the example:
@@ -415,7 +417,6 @@ If the connection is established, you should see the following message as output
 You have successfully logged on as: <your user name>
 ```
 
-
 ## Connect using ActiveDirectoryInteractive authentication mode
 
 The following example shows how to use `authentication=ActiveDirectoryInteractive` mode.
@@ -612,12 +613,10 @@ If a connection is established, you should see the following message as output:
 You have successfully logged on as: <your app/client ID>
 ```
 
-
 ## Connect using access token
 
 Applications/services can retrieve an access token from Microsoft Entra ID and use that to connect to Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics.
 
-
 > [!NOTE]
 > `accessToken` can only be set using the Properties parameter of the `getConnection()` method in the DriverManager class. It can't be used in the connection string. Starting with driver version 12.2, users can implement and provide an `accessToken` callback to the driver for token renewal in connection pooling scenarios. Connection pooling scenarios require the connection pool implementation to use the standard [JDBC connection pooling classes](using-connection-pooling.md).
 
@@ -633,16 +632,15 @@ To build and run the example:
     5. Enter `mytokentest` as a friendly name for the application.
     6. Leave the default selection for supported account types, which can use the application.
     7. Select **Register** at the bottom.
-    6. Don't need SIGN-ON URL. Provide anything: `https://mytokentest`.
-    7. Select `Create` at the bottom.
-    8. Upon selecting **Register**, the app is immediately created, and you're taken to its resource page.
-    9. In the **Essentials** box, find the **Application (client) ID** and copy it. You need this value later to configure your application.
-    10. Select **Certificates & secrets** from the navigation pane. On the **Client secrets (0)** tab, select **New client secret**. Enter a description for the secret and select an expiration (the default is fine). Select **Add** at the bottom. **Important** before leaving this page, copy the generated **Value** for your client secret. This value can't be viewed after leaving the page. This value is the client secret.
-    11. Return to the [App registrations](https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps) pane for Microsoft Entra ID and find the **Endpoints** tab. Copy the URL under `OAuth 2.0 token endpoint`. This URL is your STS URL.
+    8. Don't need SIGN-ON URL. Provide anything: `https://mytokentest`.
+    9. Select `Create` at the bottom.
+    10. Upon selecting **Register**, the app is immediately created, and you're taken to its resource page.
+    11. In the **Essentials** box, find the **Application (client) ID** and copy it. You need this value later to configure your application.
+    12. Select **Certificates & secrets** from the navigation pane. On the **Client secrets (0)** tab, select **New client secret**. Enter a description for the secret and select an expiration (the default is fine). Select **Add** at the bottom. **Important** before leaving this page, copy the generated **Value** for your client secret. This value can't be viewed after leaving the page. This value is the client secret.
+    13. Return to the [App registrations](https://ms.portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps) pane for Microsoft Entra ID and find the **Endpoints** tab. Copy the URL under `OAuth 2.0 token endpoint`. This URL is your STS URL.
 
 1. Connect to your database as a Microsoft Entra admin and use a T-SQL command to provision a contained database user for your application principal. For more information on how to create a Microsoft Entra admin and a contained database user, see the [Connecting by using Microsoft Entra authentication](/azure/azure-sql/database/authentication-aad-overview).
 
-
     ```sql
     CREATE USER [mytokentest] FROM EXTERNAL PROVIDER
     ```

docs/connect/jdbc/setting-the-connection-properties.md

@@ -46,7 +46,7 @@ The following table lists all the currently available connection string properti
 | accessTokenCallbackClass<br/><br/>String<br/><br/>null | (Version 12.4+) The name of the callback-implementing class to be used with access token callback. |
 | applicationIntent<br/><br/>String<br/><br/>ReadWrite | (Version 6.0+) Declares the application workload type to connect to a server. <br/><br/>Possible values are **ReadOnly** and **ReadWrite**. <br/><br/>For more information about disaster recovery, see [JDBC driver support for High Availability, disaster recovery](jdbc-driver-support-for-high-availability-disaster-recovery.md). |
 | applicationName<br/><br/>String<br/>[&lt;=128 char]<br/><br/>null | The application name, or "Microsoft JDBC Driver for SQL Server" if no name is provided.<br/><br/>Used to identify the specific application in various [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] profiling and logging tools. |
-| authentication<br/><br/>String<br/><br/>NotSpecified | (Version 6.0+) This optional property indicates which authentication method to use for connection. Possible values are **ActiveDirectoryIntegrated**, **ActiveDirectoryPassword**, **ActiveDirectoryManagedIdentity** (version 12.2+), **ActiveDirectoryMSI** (version 7.2+), **ActiveDirectoryInteractive** (version 9.2+), **ActiveDirectoryServicePrincipal** (version 9.2+), **SqlPassword**, and the default **NotSpecified**.<br/><br/> Use **ActiveDirectoryIntegrated** (version 6.0+) to connect to SQL using integrated Windows authentication.<br/><br/> Use **ActiveDirectoryPassword** (version 6.0+) to connect to SQL using a Microsoft Entra principal name and password.<br/><br/> Use **ActiveDirectoryManagedIdentity** (version 12.2+) or **ActiveDirectoryMSI** (version 7.2+) to connect to SQL from inside an Azure Resource. For example, an Azure Virtual Machine, App Service or Function App using managed identity authentication. <br><br>The two types of managed identities supported by the driver when using **ActiveDirectoryManagedIdentity** or **ActiveDirectoryMSI** authentication mode are: <br> 1. *System-Assigned Managed Identity*: Used to acquire **accessToken** by default. <br> 2. *User-Assigned Managed Identity*: Used to acquire **accessToken** if the Client ID of a managed identity is specified with the **msiClientId** connection property.<br/><br/>Use **ActiveDirectoryInteractive** to connect to a database using an interactive authentication flow. <br/><br/>Use **ActiveDirectoryServicePrincipal** (version 9.2+) to connect to a database using the client ID and secret of a service principal identity. Specify client ID in the **userName** property and secret in the **password** property (10.2+). <br/><br/>Use **ActiveDirectoryServicePrincipalCertificate** (version 12.4+) to connect to a database using the client ID and certificate of a service principal identity. Specify client ID in the **userName** property and path to the certificate in the **clientCertificate** property. For more options, see [Connect using ActiveDirectoryServicePrincipalCertificate authentication mode](connecting-using-azure-active-directory-authentication.md#connect-using-activedirectoryserviceprincipalcertificate-authentication-mode).<br/><br/> Use **SqlPassword** to connect to SQL using **userName**/**user** and **password** properties.<br/><br/> Use **NotSpecified** if none of these authentication methods are needed.<br/><br/> **Important:**  If authentication is set to ActiveDirectoryIntegrated, the following two libraries must be installed: **mssql-jdbc_auth-\<version>-\<arch>.dll** (available in the JDBC driver package) and Microsoft Authentication Library for SQL Server (**ADAL.DLL**). Microsoft Authentication Library can be installed from [Microsoft ODBC Driver for SQL Server](../odbc/download-odbc-driver-for-sql-server.md) or [Microsoft OLE DB Driver for SQL Server](../oledb/download-oledb-driver-for-sql-server.md). The JDBC driver only supports version **1.0.2028.318 and higher** for ADAL.DLL.<br/><br/> **Note:**  When the authentication property is set to any value other than **NotSpecified**, the driver by default uses Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), encryption.<br/><br/> For information on how to configure Microsoft Entra authentication, see [Use Microsoft Entra authentication](/azure/azure-sql/database/authentication-aad-overview). |
+| authentication<br/><br/>String<br/><br/>NotSpecified | (Version 6.0+) This optional property indicates which authentication method to use for connection. Possible values are **ActiveDirectoryIntegrated**, **ActiveDirectoryPassword [DEPRECATED]**, **ActiveDirectoryManagedIdentity** (version 12.2+), **ActiveDirectoryMSI** (version 7.2+), **ActiveDirectoryInteractive** (version 9.2+), **ActiveDirectoryServicePrincipal** (version 9.2+), **SqlPassword**, and the default **NotSpecified**.<br/><br/> Use **ActiveDirectoryIntegrated** (version 6.0+) to connect to SQL using integrated Windows authentication.<br/><br/> Use **ActiveDirectoryPassword** (version 6.0+) **[DEPRECATED]** to connect to SQL using a Microsoft Entra principal name and password. ActiveDirectoryPassword is deprecated. Migrate to multifactor authentication (ActiveDirectoryInteractive) for user principals. For more information, see [Planning for mandatory multifactor authentication for Azure](/entra/identity/authentication/concept-mandatory-multifactor-authentication).<br/><br/> Use **ActiveDirectoryManagedIdentity** (version 12.2+) or **ActiveDirectoryMSI** (version 7.2+) to connect to SQL from inside an Azure Resource. For example, an Azure Virtual Machine, App Service or Function App using managed identity authentication. <br><br>The two types of managed identities supported by the driver when using **ActiveDirectoryManagedIdentity** or **ActiveDirectoryMSI** authentication mode are: <br> 1. *System-Assigned Managed Identity*: Used to acquire **accessToken** by default. <br> 2. *User-Assigned Managed Identity*: Used to acquire **accessToken** if the Client ID of a managed identity is specified with the **msiClientId** connection property.<br/><br/>Use **ActiveDirectoryInteractive** to connect to a database using an interactive authentication flow. <br/><br/>Use **ActiveDirectoryServicePrincipal** (version 9.2+) to connect to a database using the client ID and secret of a service principal identity. Specify client ID in the **userName** property and secret in the **password** property (10.2+). <br/><br/>Use **ActiveDirectoryServicePrincipalCertificate** (version 12.4+) to connect to a database using the client ID and certificate of a service principal identity. Specify client ID in the **userName** property and path to the certificate in the **clientCertificate** property. For more options, see [Connect using ActiveDirectoryServicePrincipalCertificate authentication mode](connecting-using-azure-active-directory-authentication.md#connect-using-activedirectoryserviceprincipalcertificate-authentication-mode).<br/><br/> Use **SqlPassword** to connect to SQL using **userName**/**user** and **password** properties.<br/><br/> Use **NotSpecified** if none of these authentication methods are needed.<br/><br/> **Important:**  If authentication is set to ActiveDirectoryIntegrated, the following two libraries must be installed: **mssql-jdbc_auth-\<version>-\<arch>.dll** (available in the JDBC driver package) and Microsoft Authentication Library for SQL Server (**ADAL.DLL**). Microsoft Authentication Library can be installed from [Microsoft ODBC Driver for SQL Server](../odbc/download-odbc-driver-for-sql-server.md) or [Microsoft OLE DB Driver for SQL Server](../oledb/download-oledb-driver-for-sql-server.md). The JDBC driver only supports version **1.0.2028.318 and higher** for ADAL.DLL.<br/><br/> **Note:**  When the authentication property is set to any value other than **NotSpecified**, the driver by default uses Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), encryption.<br/><br/> For information on how to configure Microsoft Entra authentication, see [Use Microsoft Entra authentication](/azure/azure-sql/database/authentication-aad-overview). |
 | authenticationScheme<br/><br/>String<br/><br/>NativeAuthentication | Indicates which kind of integrated security you want your application to use. Possible values are **JavaKerberos**, **NTLM** (version 7.4+), and the default **NativeAuthentication**.<br/><br/> **NativeAuthentication** causes the driver to load `mssql-jdbc_auth-<version>-<arch>.dll` (for example, `mssql-jdbc_auth-8.2.2.x64.dll`) on Windows, which is used to obtain integrated authentication information. <br/><br/>  (The native authentication library loaded is named `sqljdbc_auth.dll` when using driver versions 6.0 through 7.4.) <br/><br/> When using **authenticationScheme=JavaKerberos**, you must specify the fully qualified domain name (FQDN) in the **serverName** or **serverSpn** property. Otherwise, an error occurs (Server not found in Kerberos database).<br/><br/> For more information about using **authenticationScheme=JavaKerberos**, see [Using Kerberos integrated authentication to connect to SQL Server](using-kerberos-integrated-authentication-to-connect-to-sql-server.md). <br/><br/> When using **authenticationScheme=NTLM**, you must specify the Windows domain by using the **domain** or **domainName** property, the Windows credentials in the **user** or **userName** property, and the **password** property. Otherwise, an error occurs (connection properties must be specified). |
 | cacheBulkCopyMetadata<br/><br/>boolean<br/>["true" &#124; "false"]<br/><br/>false | (Version 12.8+) When using **useBulkCopyForBatchInsert=true**, this property is used to tell the driver whether it should cache destination column metadata at the connection level. If set to `true`, make sure the destination doesn't change between bulk inserts, as the driver doesn't have a way of handling this change. |
 | calcBigDecimalPrecision<br/><br/>boolean<br/>["true" &#124; "false"]<br/><br/>false | (Version 12.6+) Flag to indicate whether the driver should calculate precision for BigDecimal inputs, as opposed to using the maximum allowed valued for precision (38). |
@@ -135,7 +135,7 @@ The following table lists all the currently available connection string properti
 > The [!INCLUDE[jdbcNoVersion](../../includes/jdbcnoversion_md.md)] takes the server default values for connection properties except for ANSI_DEFAULTS and IMPLICIT_TRANSACTIONS. The [!INCLUDE[jdbcNoVersion](../../includes/jdbcnoversion_md.md)] automatically sets ANSI_DEFAULTS to ON and IMPLICIT_TRANSACTIONS to OFF.
 
 > [!IMPORTANT]
-> If authentication is set to ActiveDirectoryPassword, the following library needs to be included in the classpath: [microsoft-authentication-library-for-java](https://github.com/AzureAD/microsoft-authentication-library-for-java). It can be found on [Maven Repository](https://mvnrepository.com/artifact/com.microsoft.azure/msal4j). The simplest way to download the library and its dependencies is by using Maven:
+> If authentication is set to ActiveDirectoryPassword **[DEPRECATED]**, the following library needs to be included in the classpath: [microsoft-authentication-library-for-java](https://github.com/AzureAD/microsoft-authentication-library-for-java). It can be found on [Maven Repository](https://mvnrepository.com/artifact/com.microsoft.azure/msal4j). The simplest way to download the library and its dependencies is by using Maven:
 
 >
 > 1. Install Maven on your system