Enable Microsoft Entra ID Authentication on Autonomous AI Database

A Microsoft Entra ID administrator and an Autonomous AI Database administrator perform steps to configure Entra ID authentication on Autonomous AI Database.

Register the Oracle AI Database Instance with a Microsoft Entra ID Tenancy

A user with Entra ID administrator privileges uses Microsoft Entra ID to register the Oracle AI Database instance with the Microsoft Entra ID tenancy.

  1. Log in to the Azure portal as an administrator who has Microsoft Entra ID privileges to register applications.

  2. In the Azure Active Directory admin center page, from the left navigation bar, select Azure Active Directory.

  3. In the MS-App registrations page, select App registrations from the left navigation bar.

  4. Select New registration.

    The Register an application window appears.

  5. In the Register an application page, enter the following Oracle AI Database instance registration information:

    • In the Name field, enter a name for the Oracle AI Database instance connection (for example, Example Database).

    • Under Supported account types, select the account type that matches your use case.

      • Accounts in this organizational directory only (tenant_name only - Single tenant)

      • Accounts in any organizational directory (Any Entra ID directory - Multitenant)

      • Accounts in any organizational directory (Any Entra ID directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)

      • Personal Microsoft accounts only

  6. Bypass the Redirect URI (Optional) settings. You do not need to create a redirect URI because Entra ID does not need one for the database server.

  7. Click Register.

    After you click Register, Entra ID displays the app registration's Overview pane, which shows the Application (client) ID under Essentials. This value is a unique identifier for the application in the Microsoft identity platform. Note that the term Application refers to the Oracle AI Database instance.

  8. Register a scope for the database app registration.

    A scope is a permission to access the database. Each database needs a scope so that clients can establish trust with the database by requesting permission to use the database scope. This allows the database client to obtain access tokens for the database.

    1. In the left navigation bar, select Expose an API.

    2. Under Set the App ID URI, in the Application ID URI field, enter the app ID URI for the database connection using the following format, and then click Save:

      your_tenancy_url/application_(client)_id

      In this specification:

      • your_tenancy_url must include https as the prefix and the fully qualified domain name of your Entra ID tenancy.

      • application_(client)_id is the ID that was generated when you registered the Oracle AI Database instance with Entra ID. It is displayed in the Overview pane of the app registration.

      For example:

      https://sales_west.example.com/1aa11111-1a1z-1a11-1a1a-11aa11a1aa1a

    3. Select Add a scope and then enter the following settings:

After you complete these steps, you are ready to add one or more Azure app roles, and then perform the mappings of Oracle schemas and roles.

Enable Microsoft Entra ID v2 Access Tokens

Oracle AI Database supports integration with both the v1 and v2 Azure AD OAuth2 access tokens.

Oracle AI Database supports the Entra ID v2 token as well as the default v1 token. However, to use the Entra ID v2 token, you must perform some additional steps to ensure it works with the Oracle AI Database. You can use this token with applications that are registered in the Azure portal using the App registrations experience.

When you use the Azure AD v2 OAuth2 access token, the client credential flow continues to work as it did before without any changes. However, the upn claim must be added when you use v2 tokens with the interactive flow.

  1. Check the version of the Entra ID access token that you are using.

  2. Log in to the Microsoft Entra ID portal.

  3. Search for and select Entra ID.

  4. Under Manage, select App registrations.

  5. Choose the application for which you want to configure optional claims based on your scenario and desired outcome.

  6. Under Manage, select Token configuration.

  7. Click Add optional claim and select upn.

When you use v2 tokens, the aud claim only reflects the APP ID value. You do not need to set the https:// domain prefix on the APP ID URI when v2 tokens are being used. This simplifies the configuration for the database because the default APP ID URI can be used.

Check Entra ID Access Token Version

You can check the version of the Entra ID access token that your site uses by using the JSON Web Tokens web site.

By default, Entra ID issues v1 access tokens, but your site may have chosen to use v2. Oracle AI Database supports v1 tokens, and Autonomous AI Database Serverless supports v2 tokens as well. If you want to use v2 access tokens, then you can enable their use for the Oracle AI Database. To find the version of the Entra ID access token that you are using, you can either check with your Entra ID administrator or confirm the version from the JSON Web Tokens website, as follows.

  1. Go to the JSON Web Tokens website.

    https://jwt.io/

  2. Copy and paste the token string into the Encoded field.

  3. Check the Decoded field, which displays information about the token string.

    Near or at the bottom of the field, you will see a claim named ver, which indicates one of the following versions:

    • "ver": "1.0"

    • "ver": "2.0"
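The same check can be done offline instead of pasting a live token into a website. The following Python is an added example, not Oracle's or Microsoft's code: it decodes a token's header and payload without verifying the signature, reports the ver, aud and upn claims that the preceding two sections discuss, and runs on a constructed sample token (the tenant, application and user values in it are made up).

```python
import base64
import json

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def decode_unverified(token):
    """Split a JWT into (header, payload) without checking the signature.
    This is inspection only, like pasting the token into jwt.io; the database
    still validates the signature against the tenant's signing keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))

def inspect_entra_token(token):
    """Report the claims this page cares about: ver, aud and upn."""
    _, claims = decode_unverified(token)
    ver, aud = claims.get("ver"), claims.get("aud")
    return {
        "ver": ver,
        "aud": aud,
        "has_upn": "upn" in claims,
        # v1: aud carries the App ID URI with its https:// prefix, so it must match
        # application_id_uri; v2: aud is only the bare Application (client) ID.
        "aud_is_app_id_uri": isinstance(aud, str) and aud.startswith("https://"),
        # A v2 token used for the interactive flow needs the optional upn claim
        # added under Token configuration; flag tokens that lack it.
        "needs_upn_claim": ver == "2.0" and "upn" not in claims,
    }

def make_sample_token(claims):
    """Build a CONSTRUCTED token for offline testing; the signature segment is a
    fixed dummy value, so nothing here is a usable credential."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    def compact(obj):
        return json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([_b64url_encode(compact(header)), _b64url_encode(compact(claims)),
                     _b64url_encode(b"dummy-signature")])

# Constructed sample claims (not real tenant, application or user values).
V1_CLAIMS = {"ver": "1.0", "aud": "https://sales_west.example.com/1aa11111-1a1z-1a11-1a1a-11aa11a1aa1a",
             "upn": "alice@example.com", "roles": ["HR_APP"]}
V2_CLAIMS = {"ver": "2.0", "aud": "1aa11111-1a1z-1a11-1a1a-11aa11a1aa1a", "roles": ["HR_APP"]}
```

Call inspect_entra_token on a token string captured from your client to see whether it is v1 or v2 and, for v2, whether the upn claim has been added.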

Manage App Roles in Microsoft Entra ID

In Entra ID, you can create and manage app roles that will be assigned to Azure users and groups and also be mapped to Oracle AI Database global schemas and roles.

Create a Microsoft Entra ID App Role

Azure users, groups, and applications that need to connect to the database will be assigned to the database app roles.

See the Microsoft Azure article Create and assign a custom role in Azure Active Directory for detailed steps on how to create an app role. The following steps describe how to create the app role for use with an Oracle AI Database.

  1. Log in to Entra ID as an administrator who has privileges for creating app roles.

  2. Access the Oracle AI Database app registration that you created.

    1. Use the Directory + subscription filter to locate the Entra ID tenant that contains the Oracle AI Database app registration.

    2. Select Azure Active Directory.

    3. Under Manage, select App registrations, and then select the Oracle AI Database instance that you registered earlier.

  3. Under Manage, select App roles.

  4. In the App roles page, select Create app role.

  5. In the Create app role page, enter the following information:

    • Display name is the displayed name of the role (for example, HR App Schema). You can include spaces in this name.

    • Value is the actual name of the role (for example, HR_APP). Ensure that this setting matches exactly the string that is referenced in the database mapping to a schema or role. Do not include spaces in this name.

    • Description provides a description of the purpose of this role.

    • Do you want to enable this app role? enables you to activate the role.

  6. Click Apply.

    The app role appears in the App roles pane.

Assign Users and Groups to the Microsoft Entra ID App Role

Before Microsoft Azure users can have access to the Oracle AI Database, they must first be assigned to the app roles that will be mapped to Oracle AI Database schema users or roles.

See the Microsoft Azure article Add app roles to your application and receive them in the token for detailed steps on assigning users and groups to an app role. The following steps explain how to do this for an Oracle AI Database.

  1. Log in to Entra ID as an administrator who has privileges for assigning Azure users and Entra ID groups to app roles.

  2. In enterprise applications, find the name of the Oracle AI Database app registration that you created. An enterprise application is created automatically when you create an app registration.

    1. Use the Directory + subscription filter to locate the Azure Active Directory tenant that contains the Oracle connection.

    2. Select Azure Active Directory.

    3. Under Manage, select Enterprise applications, and then select the Oracle AI Database app registration name that you registered earlier.

  3. Under Getting Started, select Assign users and groups.

  4. Select Add user/group.

  5. In the Add assignment window, select Users and groups to display a list of users and security groups.

  6. From this list, select the users and groups that you want to assign to the app role, and then click Select.

  7. In the Add assignment window, select Select a role to display a list of the app roles that you have created.

  8. Select the app role and then select Select.

  9. Click Assign.

Assign an Application to an App Role

An application that must connect to the database using the client credential flow must be assigned to an app role.

  1. Log in to Entra ID as an administrator who has privileges for assigning Azure users and Entra ID groups to app roles.

  2. Access the app registration for the application.

  3. Under Manage, select API permissions.

  4. In the Configured permissions area, select + Add a permission.

  5. In the Request API permission pane, select the My APIs tab.

  6. Select the Oracle AI Database app that you want to give permission for this application to access. Then select the Application permissions option.

  7. Select the database app roles to assign to the application and then click the Add Permission box at the bottom of the screen to assign the app roles and close the dialog box. Ensure that the app roles that you just assigned appear under Configured permissions.

  8. Select Grant admin consent for tenancy to grant consent for the tenancy users, then select Yes in the confirmation dialog box.

See also: Configure the admin consent workflow

Configure Microsoft Entra ID as an External Identity Provider for Autonomous AI Database

An Autonomous AI Database administrator can enable Entra ID as an external identity provider on an Autonomous AI Database instance.

To enable Entra ID as an external identity provider:

  1. Log in to the Autonomous AI Database instance as a user who has the EXECUTE privilege on the DBMS_CLOUD_ADMIN PL/SQL package. The ADMIN user has this privilege.

  2. Run the DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION procedure with the Entra ID required parameters.

    BEGIN
      DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
          type   => 'AZURE_AD',
          params => JSON_OBJECT('tenant_id' VALUE 'tenant_id',
                                'application_id' VALUE 'application_id',
                                'application_id_uri' VALUE 'application_id_uri'),
          force  => TRUE
      );
    END;
    /

    In this procedure the Entra ID parameters are:

    • type: Specifies the external authentication provider. For Entra ID, as shown, use 'AZURE_AD'.

    • params: Values for the required Entra ID parameters are available from the Azure portal on the app registration Overview pane for Azure Active Directory. The required params for Entra ID are:

      • tenant_id: Tenant ID of the Azure account. The tenant ID identifies the Entra ID tenancy that holds the Autonomous AI Database instance's application registration.

      • application_id: Azure Application ID created in Entra ID to assign roles/schema mappings for external authentication in the Autonomous AI Database instance.

      • application_id_uri: Unique URI assigned to the Azure Application.

        This is the identifier for the Autonomous AI Database instance. The name must be domain qualified (domain qualification supports cross-tenancy resource access).

        The maximum length for this parameter is 256 characters.

    • force: Set this parameter to TRUE if another external authentication method is configured for the Autonomous AI Database instance and you want to disable it.

    For example:

    BEGIN
      DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
          type   => 'AZURE_AD',
          params => JSON_OBJECT('tenant_id' VALUE '29981886-6fb3-44e3-82',
                                'application_id' VALUE '11aa1a11-aaa',
                                'application_id_uri' VALUE 'https://example.com/111aa1aa'),
          force  => TRUE
      );
    END;
    /

    This sets the IDENTITY_PROVIDER_TYPE system parameter.

    For example, you can use the following to verify IDENTITY_PROVIDER_TYPE:

    SELECT NAME, VALUE FROM V$PARAMETER WHERE NAME='identity_provider_type';

    NAME                   VALUE
    ---------------------- --------
    identity_provider_type AZURE_AD

    See ENABLE_EXTERNAL_AUTHENTICATION Procedure for more information.
