Tests | Cleanup AAD Password auth from tests + code cleanup

.github/instructions/testing.instructions.md

@@ -58,9 +58,8 @@ Copy `config.default.jsonc` to `config.jsonc` and configure:
 
 | Property | Description |
 |----------|-------------|
-| `TCPConnectionString` | Primary TCP connection |
-| `NPConnectionString` | Named Pipes connection |
-| `AADPasswordConnectionString` | Entra ID password auth |
+| `TCPConnectionString` | Primary TCP connection to SQL Server or Azure SQL — used for all tests. Set to an Azure SQL endpoint for Entra ID auth tests. |
+| `NPConnectionString` | Named Pipes connection to on-premises SQL Server |
 | `AzureKeyVaultURL` | AKV for encryption tests |
 | `EnclaveEnabled` | Enable enclave tests |
 | `FileStreamDirectory` | FileStream test path |
@@ -349,11 +348,14 @@ public async Task ExecuteCommand_ReturnsExpectedRows(bool async)
 ### DataTestUtility
 Common test helper class:
 ```csharp
-DataTestUtility.TCPConnectionString  // Get TCP connection
-DataTestUtility.AreConnStringsSetup  // Check if config exists
-DataTestUtility.IsAADPasswordConnStrSetup  // Check Entra ID config
+DataTestUtility.TCPConnectionString    // Get TCP connection string (on-prem or Azure SQL)
+DataTestUtility.AreConnStringsSetup    // Check if TCP/NP connection strings are configured
+DataTestUtility.IsAzureConnStringSetup // Check if TCPConnectionString points to Azure SQL
+DataTestUtility.IsAzureSqlConnectionString(connStr) // Detect whether any connection string targets Azure SQL
 ```
 
+For Azure SQL / Entra ID auth tests, use `TCPConnectionString.RemoveAuthAndCredsProperties()` as the base and gate the test with `IsAzureConnStringSetup`.
+
 ### AssertExtensions
 Extended assertions for SqlClient:
 ```csharp

TESTGUIDE.md

@@ -247,15 +247,13 @@ dotnet build -t:TestSqlClientManual -p:TestSet=2
 
 | Property                         | Description                                                                                 | Example or notes                                                                       |
 |----------------------------------|---------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------|
-| `TCPConnectionString`            | Connection string for a TCP-enabled SQL Server or Azure SQL database.                       | `Data Source=tcp:localhost;Database=Northwind;Integrated Security=true;Encrypt=false;` |
+| `TCPConnectionString`            | Connection string for a TCP-enabled SQL Server or Azure SQL database. Set this to an Azure SQL endpoint to enable Entra ID authentication tests. | `Data Source=tcp:localhost;Database=Northwind;Integrated Security=true;Encrypt=false;` or `Data Source=<servername>.database.windows.net;Database=<dbname>;` |
 | `NPConnectionString`             | Connection string for a Named Pipes-enabled SQL Server instance.                            | `Data Source=np:localhost;Database=Northwind;Integrated Security=true;Encrypt=false;`  |
 | `TCPConnectionStringHGSVBS`      | Optional connection string for SQL Server with VBS enclave and HGS attestation.             | Include `Attestation Protocol=HGS` and `Enclave Attestation Url`.                      |
 | `TCPConnectionStringNoneVBS`     | Optional connection string for SQL Server with VBS enclave and no attestation.              | Include `Attestation Protocol=None`.                                                   |
 | `TCPConnectionStringAASSGX`      | Optional connection string for SQL Server with SGX enclave and Microsoft Azure Attestation. | Include `Attestation Protocol=AAS` and `Enclave Attestation Url`.                      |
 | `EnclaveEnabled`                 | Enables tests that require an enclave-configured server.                                    | `true` or `false`.                                                                     |
 | `TracingEnabled`                 | Enables tracing-related tests.                                                              | `true` or `false`.                                                                     |
-| `AADAuthorityURL`                | Optional OAuth authority for `AADPasswordConnectionString`.                                 | `https://login.windows.net/<tenant>`                                                   |
-| `AADPasswordConnectionString`    | Optional connection string for Microsoft Entra ID password authentication tests.            | Uses `Authentication=Active Directory Password`.                                       |
 | `AADServicePrincipalId`          | Optional application ID for service-principal authentication tests.                         | Former docs may refer to this as a secure principal ID.                                |
 | `AADServicePrincipalSecret`      | Optional application secret for service-principal authentication tests.                     | Keep this only in local, ignored config files or secure pipeline variables.            |
 | `AzureKeyVaultURL`               | Optional Azure Key Vault URL for Always Encrypted tests.                                    | `https://<keyvaultname>.vault.azure.net/`                                              |

eng/pipelines/common/templates/jobs/ci-run-tests-job.yml

@@ -243,8 +243,6 @@ jobs:
           TCPConnectionString: ${{ parameters.configProperties.TCPConnectionString }}
         ${{ if parameters.configProperties.NPConnectionString }}:
           NPConnectionString: ${{ parameters.configProperties.NPConnectionString }}
-        ${{ if parameters.configProperties.AADAuthorityURL }}:
-          AADAuthorityURL: ${{ parameters.configProperties.AADAuthorityURL }}
         ${{ if parameters.configProperties.TCPConnectionStringHGSVBS }}:
           TCPConnectionStringHGSVBS: ${{ parameters.configProperties.TCPConnectionStringHGSVBS }}
         ${{ if parameters.configProperties.TCPConnectionStringNoneVBS }}:
@@ -255,8 +253,8 @@ jobs:
           EnclaveEnabled: ${{ eq(parameters.configProperties.EnclaveEnabled, 'true') }}
         ${{ if parameters.configProperties.TracingEnabled }}:
           TracingEnabled: ${{ eq(parameters.configProperties.TracingEnabled, 'true') }}
-        ${{ if parameters.configProperties.AADPasswordConnectionString }}:
-          AADPasswordConnectionString: ${{ parameters.configProperties.AADPasswordConnectionString }}
+        ${{ if parameters.configProperties.AzureSqlConnectionString }}:
+          AzureSqlConnectionString: ${{ parameters.configProperties.AzureSqlConnectionString }}
         ${{ if parameters.configProperties.AADServicePrincipalId }}:
           AADServicePrincipalId: ${{ parameters.configProperties.AADServicePrincipalId }}
         ${{ if parameters.configProperties.AADServicePrincipalSecret }}:

eng/pipelines/common/templates/steps/update-config-file-step.yml

@@ -41,14 +41,6 @@ parameters:
     type: boolean
     default: false
 
-  - name: AADAuthorityURL
-    type: string
-    default: ''
-
-  - name: AADPasswordConnectionString
-    type: string
-    default: ''
-
   - name: AADServicePrincipalId
     type: string
     default: ''
@@ -152,10 +144,6 @@ steps:
 
           $p.NPConnectionString="${{parameters.NPConnectionString }}"
 
-          $p.AADAuthorityURL="${{parameters.AADAuthorityURL }}"
-
-          $p.AADPasswordConnectionString="${{parameters.AADPasswordConnectionString }}"
-
           $p.AADServicePrincipalId="${{parameters.AADServicePrincipalId }}"
 
           $p.AADServicePrincipalSecret="${{parameters.AADServicePrincipalSecret }}"

eng/pipelines/dotnet-sqlclient-ci-core.yml

@@ -504,14 +504,12 @@ stages:
           configProperties:
             TCPConnectionString: $(AZURE_DB_TCP_CONN_STRING)
             NPConnectionString: $(AZURE_DB_NP_CONN_STRING)
-            AADAuthorityURL: $(AADAuthorityURL)
             # Pipeline runs against forks of the repo don't have access to Library secrets, so we
             # omit them entirely from the configProperties, which causes the dependent tests to be
             # skipped.
             ${{ if eq(variables['System.PullRequest.IsFork'], 'False') }}:
-              AADPasswordConnectionString: $(AAD_PASSWORD_CONN_STR)
               AADServicePrincipalSecret: $(AADServicePrincipalSecret)
-            AADServicePrincipalId: $(AADServicePrincipalId)
+              AADServicePrincipalId: $(AADServicePrincipalId)
             AzureKeyVaultUrl: $(AzureKeyVaultUrl)
             AzureKeyVaultTenantId: $(AzureKeyVaultTenantId)
             SupportsIntegratedSecurity: false
@@ -535,11 +533,9 @@ stages:
           configProperties:
             TCPConnectionString: $(AZURE_DB_TCP_CONN_STRING_eastus)
             NPConnectionString: $(AZURE_DB_NP_CONN_STRING_eastus)
-            AADAuthorityURL: $(AADAuthorityURL)
             ${{ if eq(variables['System.PullRequest.IsFork'], 'False') }}:
-              AADPasswordConnectionString: $(AAD_PASSWORD_CONN_STR_eastus)
               AADServicePrincipalSecret: $(AADServicePrincipalSecret)
-            AADServicePrincipalId: $(AADServicePrincipalId)
+              AADServicePrincipalId: $(AADServicePrincipalId)
             AzureKeyVaultUrl: $(AzureKeyVaultUrl)
             AzureKeyVaultTenantId: $(AzureKeyVaultTenantId)
             SupportsIntegratedSecurity: false
@@ -586,11 +582,9 @@ stages:
           configProperties:
             TCPConnectionString: $(AZURE_DB_TCP_CONN_STRING)
             NPConnectionString: $(AZURE_DB_NP_CONN_STRING)
-            AADAuthorityURL: $(AADAuthorityURL)
             ${{ if eq(variables['System.PullRequest.IsFork'], 'False') }}:
-              AADPasswordConnectionString: $(AAD_PASSWORD_CONN_STR)
               AADServicePrincipalSecret: $(AADServicePrincipalSecret)
-            AADServicePrincipalId: $(AADServicePrincipalId)
+              AADServicePrincipalId: $(AADServicePrincipalId)
             AzureKeyVaultUrl: $(AzureKeyVaultUrl)
             AzureKeyVaultTenantId: $(AzureKeyVaultTenantId)
             SupportsIntegratedSecurity: false
@@ -641,7 +635,6 @@ stages:
               TCPConnectionStringNoneVBS: $(SQL_TCP_CONN_STRING_NoneVBS)
               TCPConnectionStringAASSGX: $(SQL_TCP_CONN_STRING_AASSGX)
               EnclaveEnabled: true
-              AADAuthorityURL: $(AADAuthorityURL)
               AADServicePrincipalId: $(AADServicePrincipalId)
               AADServicePrincipalSecret: $(AADServicePrincipalSecret)
               AzureKeyVaultUrl: $(AzureKeyVaultUrl)

eng/pipelines/jobs/test-azure-package-ci-job.yml

@@ -264,8 +264,6 @@ jobs:
           # The config.jsonc file has many options, but only some of them are
           # used by the Azure package tests.  We only specify the ones that are
           # necessary here.
-
-          AADServicePrincipalId: $(AADServicePrincipalId)
           AzureKeyVaultTenantId: $(AzureKeyVaultTenantId)
           # macOS doesn't support managed identities.
           ManagedIdentitySupported: ${{ not(eq(parameters.vmImage, 'macos-latest')) }}
@@ -277,7 +275,7 @@ jobs:
           # prevents external contributors from creating PRs and running
           # pipelines that could expose these secrets.
           ${{ if eq(variables['System.PullRequest.IsFork'], 'False') }}:
-            AADPasswordConnectionString: $(AAD_PASSWORD_CONN_STR)
+            AADServicePrincipalId: $(AADServicePrincipalId)
             AADServicePrincipalSecret: $(AADServicePrincipalSecret)
 
       # Perform any local SQL Server setup.