Enable Azure AD Authentication on Autonomous Database

An Azure AD administrator and an Autonomous Database administrator perform steps to configure Azure AD authentication on Autonomous Database.

Enabling Microsoft Entra ID v2 Access Tokens

To enable the Microsoft Entra ID v2 access token, you must configure it to use the upn attribute from the Azure portal.

Oracle Database supports the Entra ID v2 token as well as the default v1 token. However, to use the Entra ID v2 token, you must perform some additional steps to ensure it works with the Oracle Database.
  1. Check the version of the Entra ID access token that you are using.
  2. Log in to the Microsoft Entra ID portal.
  3. Search for and select Entra ID.
  4. Under Manage, select App registrations.
  5. Choose the application for which you want to configure optional claims based on your scenario and desired outcome.
  6. Under Manage, select Token configuration.
  7. Click Add optional claim and select upn.

Checking the Entra ID Access Token Version

You can check the version of the Entra ID access token that your site uses by using the JSON Web Tokens web site.

By default, Entra ID v1 access token, but your site may have chosen to use v2. Oracle Database supports v1 tokens and Autonomous Database Serverless supports v2 tokens, as well. If you want to use the v2 access tokens, then you can enable their use for the Oracle database. To find the version of the Entra ID access token that you are using, you can either check with your Entra ID administrator, or confirm the version from the JSON Web Tokens website, as follows.
  1. Go to the JSON Web Tokens website.
  2. Copy and paste the token string into the Encoded field.
  3. Check the Decoded field, which displays information about the token string.
    Near or at the bottom of the field, you will see a claim entitled ver, which indicates either of the following versions:
    • "ver": "1.0"
    • "ver": "2.0"

Configuring Azure AD as an External Identity Provider for Autonomous Database

An Autonomous Database administrator can enable Azure AD as an external identity provider on an Autonomous Database instance.

To enable Azure AD as an external identity provider:

  1. Log in to the Autonomous Database instance as a user who has the EXECUTE privilege on the DBMS_CLOUD_ADMIN PL/SQL package. The ADMIN user has this privilege.
  2. Run the DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION procedure with the Azure AD required parameters.
          type   =>'AZURE_AD',
          params => JSON_OBJECT('tenant_id' VALUE 'tenant_id',
                                'application_id' VALUE 'application_id',
                                'application_id_uri' VALUE 'application_id_uri'),
          force => TRUE

    In this procedure the Azure AD parameters are:

    • type: Specifies the external authentication provider. For Azure AD, as shown, use 'AZURE_AD'.
    • params: Values for the required Azure AD parameters are available from the Azure portal on the app registration Overview pane for Azure Active Directory. The required params for Azure AD are:
      • tenant_id: Tenant ID of the Azure Account. Tenant Id specifies the Autonomous Database instance's Azure AD application registration.
      • application_id: Azure Application ID created in Azure AD to assign roles/schema mappings for external authentication in the Autonomous Database instance.
      • application_id_uri: Unique URI assigned to the Azure Application.

        This it the identifier for the Autonomous Database instance. The name must be domain qualified (this supports cross tenancy resource access).

        The maximum length for this parameter is 256 characters.

    • force: Set this parameter to TRUE if another EXTERNAL AUTHENTICATION method is configured for the Autonomous Database instance and you want to disable it.

    For example:

          type   =>'AZURE_AD',
          params => JSON_OBJECT('tenant_id' VALUE '29981886-6fb3-44e3-82',
                                'application_id' VALUE '11aa1a11-aaa',
                                'application_id_uri' VALUE 'https://example.com/111aa1aa'),
          force  => TRUE

    This sets the IDENTITY_PROVIDER_TYPE system parameter.

    For example, you can use the following to verify IDENTITY_PROVIDER_TYPE:

    SELECT NAME, VALUE FROM V$PARAMETER WHERE NAME='identity_provider_type';
    NAME                   VALUE   
    ---------------------- -------- 
    identity_provider_type AZURE_AD

    See ENABLE_EXTERNAL_AUTHENTICATION Procedure for more information.