Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
The data-source section defines the database access details. It also defines database options.
Data source settings
| Property | Description |
|---|---|
| data-source | Object containing database connectivity settings |
| data-source.database-type | Database used in the backend: mssql, postgresql, mysql, cosmosdb_nosql, cosmosdb_postgresql |
| data-source.connection-string | Connection string for the selected database type |
| data-source.options | Database-specific properties (for example, options for SQL Server, Cosmos DB, etc.) |
| data-source.options.database | Name of the Azure Cosmos DB for NoSQL database (required when database-type = cosmosdb_nosql) |
| data-source.options.container | Name of the Azure Cosmos DB for NoSQL container (required when database-type = cosmosdb_nosql) |
| data-source.options.schema | Path to the GraphQL schema file (required when database-type = cosmosdb_nosql) |
| data-source.options.set-session-context | Enables sending JSON Web Token (JWT) claims as session context (SQL Server only) |
| data-source.health | Object configuring health checks for the data source |
| data-source.health.enabled | Enables the health check endpoint |
| data-source.health.name | Identifier used in the health report |
| data-source.health.threshold-ms | Maximum duration in milliseconds for health check query |
| data-source.user-delegated-auth | Object configuring On-Behalf-Of (OBO) user-delegated authentication (mssql only) |
| data-source.user-delegated-auth.enabled | Enables OBO authentication |
| data-source.user-delegated-auth.provider | OBO identity provider (currently EntraId only) |
| data-source.user-delegated-auth.database-audience | Target audience for the downstream SQL token |
Format overview
{
"data-source": {
"database-type": <string>,
"connection-string": <string>,
"options": {
// mssql only
"set-session-context": <true> (default) | <false>,
// cosmosdb_nosql only
"database": <string>,
"container": <string>,
"schema": <string>
},
"health": {
"enabled": <true> (default) | <false>,
"name": <string>,
"threshold-ms": <integer; default: 1000>
},
"user-delegated-auth": {
"enabled": <true> | <false> (default),
"provider": <string>,
"database-audience": <string>
}
},
"data-source-files": ["<string>"]
}
Data source
| Parent | Property | Type | Required | Default |
|---|---|---|---|---|
$root |
data-source |
object | ✔️ Yes | - |
Nested properties
| Parent | Property | Type | Required | Default |
|---|---|---|---|---|
data-source |
database-type |
enum | ✔️ Yes | None |
data-source |
connection-string |
string | ✔️ Yes | None |
data-source |
options |
object | ❌ No | None |
Property values
database-type |
Description | Min Version |
|---|---|---|
mssql |
SQL in Fabric | - |
mssql |
Azure SQL Database | - |
mssql |
Azure SQL MI | - |
mssql |
SQL Server | 2016 |
dwsql |
Azure Synapse Analytics | - |
dwsql |
Fabric Warehouse | - |
dwsql |
Fabric SQL Analytics endpoint | - |
postgresql |
PostgreSQL | ver. 11 |
mysql |
MySQL | ver. 8 |
cosmosdb_nosql |
Azure Cosmos DB for NoSQL | - |
cosmosdb_postgresql |
Azure Cosmos DB for PostgreSQL | - |
Format
{
"data-source": {
"database-type": <string>,
"connection-string": <string>,
"options": {
"<key-name>": <string>
}
}
}
Example: Azure SQL & SQL Server
"data-source": {
"database-type": "mssql",
"connection-string": "Server=tcp:myserver.database.windows.net,1433;Initial Catalog=MyDatabase;User ID=MyUser;Password=MyPassword;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;",
"options": {
"set-session-context": true
}
}
Note
We use SqlClient for Azure SQL and SQL Server, which supports these connection strings variants.
Consuming SESSION_CONTEXT
For Azure SQL and SQL Server, Data API builder can include Claims info in SQL's SESSION_CONTEXT.
CREATE PROC GetUser @userId INT AS
BEGIN
-- Use claims
IF SESSION_CONTEXT(N'user_role') = 'admin'
BEGIN
RAISERROR('Unauthorized access', 16, 1);
END
SELECT Id, Name, Age, IsAdmin
FROM Users
WHERE Id = @userId;
END;
Example: Azure Cosmos DB
"data-source": {
"database-type": "cosmosdb_nosql",
"connection-string": "@env('SQL_CONNECTION_STRING')",
"options": {
"database": "Your_CosmosDB_Database_Name",
"container": "Your_CosmosDB_Container_Name",
"schema": "Path_to_Your_GraphQL_Schema_File"
}
}
Note
The "options" specified (database, container, and schema) are specific to Azure Cosmos DB.
Environment variables
Use environment variables to keep plain text secrets out of your configuration file.
Tip
Data API builder supports both the @env() function and .env files.
"data-source": {
"database-type": "mssql",
"connection-string": "@env('SQL_CONNECTION_STRING')"
}
Connection resiliency
Data API builder uses Exponential Backoff to retry database requests after transient errors.
| Attempts | First | Second | Third | Fourth | Fifth |
|---|---|---|---|---|---|
| Seconds | 2s | 4s | 8s | 16s | 32s |
Managed Service Identities (MSI)
Managed Service Identities (MSI) are supported with DefaultAzureCredential defined in Azure.Identity library. Learn more about Managed identities in Microsoft Entra for Azure SQL.
User-Assigned Managed Identities (UAMI)
For User Assigned Managed Identity, append the Authentication and User ID properties to your connection string while substituting in your User Assigned Managed Identity's client ID: Authentication=Active Directory Managed Identity; User Id=<UMI_CLIENT_ID>;.
System-Assigned Managed Identity (SAMI)
For System Assigned Managed Identity, append the Authentication property and exclude the UserId and Password arguments from your connection string: Authentication=Active Directory Managed Identity;.
Health (Data source)
| Parent | Property | Type | Required | Default |
|---|---|---|---|---|
data-source |
health |
object | No | – |
Data API builder supports multiple configuration files, each with its own data source. This configuration block allows each data source to have its own health configuration.
Nested properties
| Parent | Property | Type | Required | Default |
|---|---|---|---|---|
data-source.health |
enabled |
boolean | No | true |
data-source.health |
name |
string | No | database-type |
data-source.health |
threshold-ms |
integer | No | 1000 |
Check name
Because multiple configuration files can point to data sources of the same type, those data sources can't be distinguished in the health report. Use name to assign a unique, identifiable label used only in the health report.
Check behavior
The simplest possible query—specific to the database type—is executed against the given data source to validate that the connection can be opened. Use the threshold-ms property to configure the maximum acceptable duration (in milliseconds) for that query to complete.
Format
{
"data-source": {
"health": {
"enabled": <true> (default) | <false>,
"name": <string>,
"threshold-ms": <integer; default: 1000>
}
}
}
User-delegated auth
| Parent | Property | Type | Required | Default |
|---|---|---|---|---|
data-source |
user-delegated-auth |
object | No | – |
On-Behalf-Of (OBO) user-delegated authentication for SQL Server and Azure SQL. When enabled, DAB exchanges the incoming user token for a downstream SQL token so the database authenticates as the actual calling user. This feature is supported only for mssql data sources and requires Entra ID authentication upstream.
Note
The Data API builder 2.0 functionality described in this section is currently in preview and might change before general availability. For more information, see What's new in version 2.0.
Nested properties
| Parent | Property | Type | Required | Default |
|---|---|---|---|---|
data-source.user-delegated-auth |
enabled |
boolean | No | false |
data-source.user-delegated-auth |
provider |
enum (EntraId) |
No | EntraId |
data-source.user-delegated-auth |
database-audience |
string | Yes (when enabled) | None |
enabled—turns OBO on or off.provider—the identity provider for the token exchange. Currently onlyEntraIdis supported.database-audience—the target audience for the downstream SQL token (for example,https://database.windows.net).
Required environment variables
When OBO is enabled, DAB reads the following environment variables for the token exchange:
| Variable | Description |
|---|---|
DAB_OBO_CLIENTID |
Application (client) ID of the Entra ID app registration |
DAB_OBO_CLIENTSECRET |
Client secret for the app registration |
DAB_OBO_TENANTID |
Entra ID tenant ID |
Per-user connection pooling
When OBO is enabled, DAB maintains separate SQL connection pools per user so that one user's access token is never reused for another user's request.
Note
Per-user connection pooling applies only when OBO authentication is active. Standard deployments are unaffected.
Format
{
"data-source": {
"database-type": "mssql",
"connection-string": "@env('SQL_CONNECTION_STRING')",
"user-delegated-auth": {
"enabled": <true> | <false> (default),
"provider": <string>,
"database-audience": <string>
}
}
}
Example
{
"data-source": {
"database-type": "mssql",
"connection-string": "@env('SQL_CONNECTION_STRING')",
"user-delegated-auth": {
"enabled": true,
"provider": "EntraId",
"database-audience": "https://database.windows.net"
}
}
}
Important
OBO is supported only for mssql. The database-audience property is required when OBO is enabled. Running this configuration against a non-MSSQL data source fails validation.