We are currently validating a configuration where an in-house AI agent acts as an MCP client and DAB on Azure Container Apps acts as an MCP server, accessing Azure SQL Database via Entra ID authentication. The goal is to apply Row-Level Security (RLS) based on individual user identity. We would appreciate your confirmation on the following points.
■ Reference Documents
① https://learn.microsoft.com/en-us/azure/data-api-builder/concept/security/authenticate-entra?tabs=bash
② https://learn.microsoft.com/ja-jp/azure/data-api-builder/mcp/how-to-configure-authentication?tabs=bash
③ https://learn.microsoft.com/en-us/azure/data-api-builder/concept/security/row-level-security
■ Confirmation of Understanding
[Q1] App Registration
Is it correct that two app registrations are required — one for the in-house AI agent (MCP client) and one for DAB (MCP server)?
[Q2] Authentication Configuration for MCP Server
In the Command-Line example provided in ②, is it correct that the following values should be set using the DAB app's Application ID and Tenant ID?
dab configure --runtime.host.authentication.jwt.audience "api://"
dab configure --runtime.host.authentication.jwt.issuer "https://login.microsoftonline.com//v2.0"
[Q3] RLS Implementation
Is it correct that RLS is applied by passing the oid claim from the JWT to SQL via SESSION_CONTEXT, and matching it against the corresponding column in the table?
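The mechanism Q3 describes, sketched in T-SQL as an added example that is not part of the original post and not DAB's own code. It assumes DAB's `set-session-context` data-source option is enabled and that the claim reaches SQL under the key `oid`; the table `dbo.Orders`, the column `owner_oid`, the function and policy names, and the GUID are constructed for illustration.

```sql
-- Constructed sample table; dbo.Orders and owner_oid are hypothetical names.
CREATE TABLE dbo.Orders (
    order_id  int IDENTITY PRIMARY KEY,
    owner_oid uniqueidentifier NOT NULL,  -- Entra ID object id of the owning user
    item      nvarchar(100) NOT NULL
);
GO

-- Predicate: a row qualifies only when its owner_oid equals the caller's oid.
-- TRY_CAST yields NULL when the key is absent or is not a GUID, so the
-- comparison is never true and the caller gets no rows (fail closed).
CREATE FUNCTION dbo.fn_OwnerPredicate (@owner_oid uniqueidentifier)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
    SELECT 1 AS fn_securitypredicate_result
    WHERE @owner_oid =
          TRY_CAST(CAST(SESSION_CONTEXT(N'oid') AS nvarchar(36)) AS uniqueidentifier);
GO

-- FILTER hides other users' rows from SELECT/UPDATE/DELETE.
-- BLOCK stops a caller from inserting or re-assigning a row to another oid.
CREATE SECURITY POLICY dbo.OrdersOwnerPolicy
    ADD FILTER PREDICATE dbo.fn_OwnerPredicate(owner_oid) ON dbo.Orders,
    ADD BLOCK  PREDICATE dbo.fn_OwnerPredicate(owner_oid) ON dbo.Orders AFTER INSERT,
    ADD BLOCK  PREDICATE dbo.fn_OwnerPredicate(owner_oid) ON dbo.Orders AFTER UPDATE
WITH (STATE = ON);
GO

-- Manual check: set the key by hand to simulate one request (constructed GUID),
-- then confirm that only that user's rows come back.
EXEC sp_set_session_context
     @key   = N'oid',
     @value = N'00000000-0000-0000-0000-000000000001';

INSERT INTO dbo.Orders (owner_oid, item)
VALUES ('00000000-0000-0000-0000-000000000001', N'own row');   -- allowed

SELECT order_id, owner_oid, item FROM dbo.Orders;               -- own rows only

-- With no oid in the session the same query returns zero rows.
EXEC sp_set_session_context @key = N'oid', @value = NULL;
SELECT COUNT(*) AS visible_rows FROM dbo.Orders;
```

The policy trusts whatever value is in `SESSION_CONTEXT`, so the database login used by the API should be the only principal able to reach the table, and JWT audience and issuer validation at the API layer remains the control that decides which `oid` values can arrive.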