Authentication via Microsoft Entra ID
Configuration Requirements
Configuring OAuth requires steps in both the Azure Portal and Snowflake:
Azure side: Follow the official Azure OAuth configuration guide.
Snowflake side: Follow the Snowflake security integration configuration guide.
Important Note on Email
The user's email address in Microsoft Entra ID (Azure AD) must match the email in Snowflake and must be unique among all Snowflake users.
Sample SQL queries for security integration in Snowflake
-- Remove a previous definition, if any, before recreating the integration
DROP SECURITY INTEGRATION IF EXISTS external_OAuth_azure_1_test;
CREATE SECURITY INTEGRATION external_OAuth_azure_1_test
  TYPE = external_OAuth
  ENABLED = true
  EXTERNAL_OAuth_TYPE = azure
  EXTERNAL_OAuth_ISSUER = 'https://XXX'           -- expected iss claim of the Entra ID tokens
  EXTERNAL_OAuth_JWS_KEYS_URL = 'https://XXX'     -- JWKS endpoint used to verify token signatures
  EXTERNAL_OAuth_AUDIENCE_LIST = ('https://XXX')  -- accepted aud claim values
  EXTERNAL_OAuth_TOKEN_USER_MAPPING_CLAIM = 'upn' -- token claim that identifies the user
  EXTERNAL_OAuth_SNOWFLAKE_USER_MAPPING_ATTRIBUTE = 'EMAIL_ADDRESS'; -- compared with the user's EMAIL
Sample SQL queries to create a user in Snowflake
CREATE USER SNOWSQL_OAuth_USER
  LOGIN_NAME = 'user@somename.onmicrosoft.com'
  EMAIL = 'user@somename.onmicrosoft.com' -- must equal the upn claim of the token and be unique among users
  DISPLAY_NAME = 'SnowSQL OAuth User'
  COMMENT = 'A system user for SnowSQL client to be used for OAuth-based connectivity';
CREATE ROLE ANALYST;
GRANT ROLE ANALYST TO USER SNOWSQL_OAuth_USER;
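The integration above makes Snowflake trust a token only if its issuer and audience match the configured values, and then maps the token's `upn` claim to a user's EMAIL, which is why the email must be unique. The following Python script is an added example, not code from the page or from Snowflake; it reproduces those checks offline so you can see which step rejects a given token before opening a support case. It assumes a constructed user list in place of `SHOW USERS`, a constructed token with a dummy signature (signature verification against the JWKS URL is Snowflake's job and is not done here), and that the email comparison is case-insensitive.

```python
import base64
import json

# Settings copied from the security integration above; the XXX placeholders are
# the page's own, replace them with your tenant's issuer and audience.
EXTERNAL_OAUTH_ISSUER = "https://XXX"
EXTERNAL_OAUTH_AUDIENCE_LIST = ("https://XXX",)
TOKEN_USER_MAPPING_CLAIM = "upn"  # EXTERNAL_OAuth_TOKEN_USER_MAPPING_CLAIM

# Constructed stand-in for SHOW USERS output: LOGIN_NAME -> EMAIL.
SNOWFLAKE_USERS = {
    "SNOWSQL_OAUTH_USER": "user@somename.onmicrosoft.com",
    "OTHER_USER": "other@somename.onmicrosoft.com",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return a JWT's payload claims without verifying the signature.
    Signature checking against EXTERNAL_OAuth_JWS_KEYS_URL is Snowflake's job;
    this only shows what Snowflake looks at once the signature is good."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_unb64url(parts[1]))


def map_claims_to_user(claims: dict, users: dict = SNOWFLAKE_USERS) -> tuple:
    """Apply the integration's rules in order and report the first failure.
    Returns (login_name, None) on success or (None, reason) on failure."""
    if claims.get("iss") != EXTERNAL_OAUTH_ISSUER:
        return None, f"issuer {claims.get('iss')!r} is not EXTERNAL_OAuth_ISSUER"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if not any(a in EXTERNAL_OAUTH_AUDIENCE_LIST for a in audiences):
        return None, f"audience {aud!r} is not in EXTERNAL_OAuth_AUDIENCE_LIST"
    value = claims.get(TOKEN_USER_MAPPING_CLAIM)
    if not value:
        return None, f"token carries no {TOKEN_USER_MAPPING_CLAIM!r} claim"
    # Case-insensitive email comparison is an assumption of this example; the
    # page's requirement is that the addresses match and are unique.
    matches = [login for login, email in users.items() if email.lower() == value.lower()]
    if not matches:
        return None, f"no Snowflake user has EMAIL {value!r}"
    if len(matches) > 1:
        return None, f"EMAIL {value!r} is shared by {sorted(matches)}; it must be unique"
    return matches[0], None


def make_test_token(claims: dict) -> str:
    """Build a constructed JWT with a dummy signature segment, for offline tests.
    Real tokens from Entra ID are signed; nothing here verifies that."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.dummy-signature"


if __name__ == "__main__":
    sample = make_test_token({"iss": "https://XXX", "aud": "https://XXX",
                              "upn": "User@somename.onmicrosoft.com"})
    print(map_claims_to_user(decode_claims(sample)))
```

To inspect a real token, paste it into `decode_claims` and compare the `iss`, `aud` and `upn` values it prints against the integration; a missing `upn` claim usually means the app registration issues tokens with a different identifier claim, and a duplicate EMAIL means two Snowflake users share the address.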
Creating a data source with Microsoft Entra ID authentication
The following connection properties are required for authentication via Microsoft Entra ID:
| Property | Description |
|---|---|
| accessToken | The current OAuth access token used for authentication. Can be left empty so that the token is fetched automatically. |
| accessTokenEndpoint | The Azure OAuth token endpoint URL for retrieving new access tokens. |
| authenticator | Authentication method. For OAuth, this must be set to `OAuth`. |
| clientId | The Azure AD application client ID used for OAuth authentication. |
| clientSecret | The Azure AD application client secret associated with the client ID. |
| refreshToken | The OAuth refresh token used to obtain new access tokens without user re-login. Can be left empty so that the token is fetched automatically. |
| role | The Snowflake role assigned for this session (for example, `analyst`). |
| scope | The OAuth scope defining access permissions (for example, `https://XXXX/session:scope:analyst offline_access`). |
Example
A data source with authentication via Microsoft Entra ID:
CALL "SYSADMIN.createOrReplaceDatasource"(
"name" => 'snowflake_entra_oauth',
"translator" => 'snowflake',
"modelProperties" => 'importer.defaultSchema=<SCHEMA>,importer.schemaPattern=<SCHEMA>,importer.useFullSchemaName=FALSE,importer.tableTypes="TABLE,VIEW"',
"translatorProperties" => 'supportsNativeQueries=true',
"connectionTemplateName" => 'snowflake',
"connectionProperties" => 'host=<host>,db=<db>,warehouse=<warehouse>,authenticator=OAuth,role=analyst,accessToken="",accessTokenEndpoint="https://login.microsoftonline.com/XXXX/OAuth2/v2.0/token",refreshToken="",clientId="XXXX",clientSecret="XXXX",scope="https://XXXX/session:scope:analyst offline_access",user-name="<user@somename.onmicrosoft.com>",password="<XXXX>"'
);
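The `connectionProperties` string above packs the OAuth settings from the table into one comma-separated value, and a single wrong entry (an `http://` token endpoint, a placeholder secret left in place, a scope without `offline_access`) only shows up as a failed connection later. The following Python script is an added example, not code from the page or from the product; it parses that string and runs the sanity checks a reviewer would apply before the data source is created. It assumes the format `key=value,key="quoted value"` with double quotes allowing commas and spaces inside a value, that the token endpoint should live on `login.microsoftonline.com`, that runs of `X` (optionally in angle brackets) are unfilled placeholders, and that `offline_access` is required for Entra ID to issue a refresh token.

```python
import re
from urllib.parse import urlparse

# Constructed copy of the connectionProperties value from the example above
# (the XXXX and <...> placeholders are the page's own).
CONNECTION_PROPERTIES = (
    'host=<host>,db=<db>,warehouse=<warehouse>,authenticator=OAuth,role=analyst,'
    'accessToken="",accessTokenEndpoint="https://login.microsoftonline.com/XXXX/OAuth2/v2.0/token",'
    'refreshToken="",clientId="XXXX",clientSecret="XXXX",'
    'scope="https://XXXX/session:scope:analyst offline_access",'
    'user-name="<user@somename.onmicrosoft.com>",password="<XXXX>"'
)

# Properties the table above lists for Entra ID authentication.
OAUTH_PROPERTIES = ("accessToken", "accessTokenEndpoint", "authenticator", "clientId",
                    "clientSecret", "refreshToken", "role", "scope")
# Properties that must never keep a placeholder value (empty is allowed where the
# table says the token is fetched automatically).
SECRET_PROPERTIES = ("clientSecret", "password", "refreshToken", "accessToken")

# One key=value pair; a double-quoted value may contain commas and spaces.
_PAIR = re.compile(r'([^=,]+)=("(?:[^"]*)"|[^,]*)(?:,|$)')


def parse_connection_properties(text: str) -> dict:
    """Parse key=value,key="quoted value" into a dict; surrounding quotes are stripped."""
    props = {}
    pos = 0
    while pos < len(text):
        m = _PAIR.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse connection properties at offset {pos}")
        key, value = m.group(1).strip(), m.group(2)
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        props[key] = value
        pos = m.end()
    return props


def check_oauth_config(props: dict) -> list:
    """Return a list of findings; an empty list means the OAuth settings look sane."""
    findings = []
    missing = [p for p in OAUTH_PROPERTIES if p not in props]
    if missing:
        findings.append(f"missing properties: {missing}")
    if props.get("authenticator") != "OAuth":
        findings.append("authenticator must be OAuth for Entra ID authentication")
    endpoint = urlparse(props.get("accessTokenEndpoint", ""))
    if endpoint.scheme != "https":
        findings.append("accessTokenEndpoint must use https (the client secret is sent to it)")
    elif endpoint.hostname != "login.microsoftonline.com":  # assumption: Entra ID endpoint host
        findings.append(f"accessTokenEndpoint host {endpoint.hostname!r} is not the Entra ID endpoint")
    if "offline_access" not in props.get("scope", "").split():
        findings.append("scope lacks offline_access, so no refresh token is issued and "
                        "the access token cannot be renewed automatically")
    for key in SECRET_PROPERTIES:
        value = props.get(key, "")
        if value and re.fullmatch(r"<?X+>?", value):  # placeholder convention of this page
            findings.append(f"{key} still holds the placeholder {value!r}")
    return findings


if __name__ == "__main__":
    for finding in check_oauth_config(parse_connection_properties(CONNECTION_PROPERTIES)):
        print("-", finding)
```

Run against the page's own example the checker reports only the two placeholder secrets, which is what you want to see before the real `clientSecret` and `password` are filled in; keep the filled-in string out of version control, since `createOrReplaceDatasource` receives the secret in clear text.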
Authentication via Microsoft Entra ID since v25.2