Data Mission Sync uses secure authentication for both Dataverse (source) and Azure SQL (target) connections. This page summarizes the available authentication methods and best practices.
Dataverse Authentication
Dataverse connections require Microsoft Entra App Registration authentication. This is the only supported method for connecting to Dataverse.
| Credential | Description |
| Client ID (Application ID) | The unique identifier for your App Registration |
| Client Secret | The secret value created in Certificates & secrets |
| Tenant ID (Directory ID) | Your Azure AD tenant identifier |
| Environment URL | Your Dataverse environment URL (e.g., https://yourorg.crm.dynamics.com) |
Azure SQL Authentication
Azure SQL connections require Microsoft Entra App Registration authentication. Data Mission Sync uses the same App Registration for both Dataverse and Azure SQL, providing a unified identity for all connections.
Benefits of App Registration Authentication
| Benefit | Description |
| Single identity | One App Registration for both Dataverse and Azure SQL — simpler to manage |
| Centralized management | Manage access through Azure AD with no SQL passwords to track |
| Token-based security | Short-lived tokens rather than long-lived passwords |
| Unified audit logging | Access logged in both Azure AD and SQL audit logs |
| No SQL logins required | External users created from Entra, no server-level logins needed |
Required Configuration Summary
To use App Registration authentication with Azure SQL, you must complete these steps (detailed in Azure SQL Database Setup):
1. Set a Microsoft Entra admin on your SQL Server
2. Create a database user for your App Registration using CREATE USER ... FROM EXTERNAL PROVIDER
3. Grant the user db_owner permissions on your target database
Credential Security
All credentials you provide to Data Mission Sync are stored securely:
• Credentials are stored in Azure Key Vault, encrypted at rest
• Data Mission Sync databases store only references to credentials, not the credentials themselves
• Mission Impact Partners personnel cannot view your plaintext credentials
• Credentials are transmitted over TLS 1.2+ encrypted connections