Azure Synapse Analytics Connection Details

Introduction

Connector Version

This documentation is based on version 25.0.9368 of the connector.

Get Started

Azure Synapse Version Support

The connector enables connectivity to Azure Synapse through the TDS protocol.

Data is transferred to Azure Synapse via the upload of CSV data to Azure Blob, which is then copied to Azure Synapse.

Establish a Connection

Connect to Azure Synapse

In addition to providing authentication (see below), set the following properties to connect to a Azure Synapse database:

• Server: The server running Azure Synapse. To find this:
  1. Log into the Azure portal.
  2. Navigate to Azure Synapse Analytics
  3. Navigate to Select your database > Overview > Server name.
• Database: The name of the database, as seen in the Azure portal on the Azure Synapse Analytics page.

Authenticate to Azure Synapse

Azure Synapse supports authentication using Entra ID (Microsoft Entra ID), Microsoft Entra service principal, Managed Service Identity (MSI), Password (default), and Azure Password.

Authenticate to Azure Synapse as described in the following sections.

Entra ID (Microsoft Entra ID)

Microsoft Entra ID is a multi-tenant, cloud-based identity and access management platform. It supports OAuth-based authentication flows that enable the driver to access Azure Synapse endpoints securely.

Authentication to Entra ID via a web application always requires that you first create and register a custom OAuth application. This enables your application to define its own redirect URI, manage credential scope, and comply with organization-specific security policies.

For full instructions on how to create and register a custom OAuth application, see Creating an Entra ID (Microsoft Entra ID) Application.

After setting AuthScheme to Microsoft Entra ID, the steps to authenticate vary, depending on the environment. For details on how to connect from desktop applications, web-based workflows, or headless systems, see the following sections..

Desktop Applications

You can authenticate from a desktop application using a custom OAuth application registered in Microsoft Entra ID (formerly Microsoft Entra ID), as described in Creating an Entra ID (Microsoft Entra ID) Application.

During registration, record the following values:

• OAuthClientId: The client ID that was generated when you registered your custom OAuth application.
• OAuthClientSecret: The client secret that was that was generated when you registered your custom OAuth application.
• CallbackURL: A redirect URI you defined during application registration.

When you are ready to connect, set the following connection properties:

• AuthScheme: Microsoft Entra ID
• InitiateOAuth:
  • GETANDREFRESH – Use for the initial login. Launches the login page and saves tokens.
  • REFRESH – Use this setting when you have already obtained valid access and refresh tokens. Reuses stored tokens without prompting the user again.
• OAuthClientId: The client ID that was generated when you registered your custom OAuth application.
• OAuthClientSecret: The client secret that was generated when you registered your custom OAuth application.
• CallbackURL: A redirect URI you defined during application registration.

After authentication, tokens are saved to OAuthSettingsLocation. These values persist across sessions and are used to automatically refresh the access token when it expires, so you don't need to log in again on future connections.

Microsoft Entra service principal

Service principals are security objects within a Microsoft Entra ID (Microsoft Entra ID) application that define what that application can do within a specific tenant. Service principals are created in the Entra admin center, also accessible through the Azure portal. As part of the creation process we also specify whether the service principal will access Entra resources via a client secret or a certificate.

Instead of being tied to a particular user, service principal permissions are based on the roles assigned to them. These roles determine which resources the application can access and which operations it can perform.

When authenticating using a service principal, you must register an application with an Entra tenant, as described in Creating a Service Principal App in Entra ID (Microsoft Entra ID).

This subsection describes properties you must set before you can connect. These vary, depending on whether you will authenticate via a client secret or a certificate.

Authentication with Client Secret

• AuthScheme: AzureServicePrincipal.
• AzureTenant: The Microsoft Entra ID tenant to which you will connect.
• OAuthClientId: The client ID in your application settings.
• OAuthClientSecret: The client secret in your application settings.
• InitiateOAuth: GETANDREFRESH. You can use InitiateOAuth to avoid repeating the OAuth exchange and manually setting the OAuthAccessToken.

Authentication with Certificate

• AuthScheme: AzureServicePrincipalCert.
• AzureTenant: The Microsoft Entra ID tenant to which you will connect.
• OAuthClientId: The client ID in your application settings.
• OAuthJWTCert: The JWT Certificate store.
• OAuthJWTCertType: The JWT Certificate store type.
• InitiateOAuth: GETANDREFRESH. You can use InitiateOAuth to avoid repeating the OAuth exchange and manually setting the OAuthAccessToken.

Managed Service Identity (MSI)

If you are running Azure Synapse on an Azure VM and want to automatically obtain Managed Service Identity (MSI) credentials to connect, set AuthScheme to AzureMSI.

User-Managed Identities

To obtain a token for a managed identity, use the OAuthClientId property to specify the managed identity's client_id.

If your VM has multiple user-assigned managed identities, you must also specify OAuthClientId.

Password

To authenticate directly to Azure Synapse, set these properties:

• AuthScheme: Password
• User: The authenticating Azure Synapse user.
• Password: The authenticating Azure Synapse user's password.

Azure Password

To authenticate directly to Microsoft Entra ID using your Azure credentials, specify the following connection properties:

• AuthScheme: AzurePassword.
• User: The account for the authenticating Azure user.
• Password: The authenticating Azure user's password.
• AzureTenant: The Directory (tenant) ID of the custom Microsoft Entra ID application used to authenticate to Azure Synapse on Azure. To find this, go to the custom application's Overview page.

Create an Entra ID (Microsoft Entra ID) Application

Create an Entra ID (Microsoft Entra ID) Application

Azure Synapse supports OAuth-based authentication using Microsoft Entra ID. If you will connect via a web application and want to authenticate via Entra ID, you must first register a custom OAuth application in the Entra Admin Center, as described below.

Register the Application

To register an OAuth application in Microsoft Entra ID, follow these steps:

1. Go to https://portal.azure.com.

2. In the left-hand navigation pane, select Microsoft Entra ID > App registrations.

3. Click New registration.

4. Enter a name for the application.

5. Specify the types of accounts this application should support:

   • For private-use applications, select Accounts in this organization directory only.
   • For distributed applications, select one of the multi-tenant options.

1. Set the redirect URI to http://localhost:33333 (default), or use another URI appropriate for your deployment.

   When using a custom redirect URI set a CallbackURL connection property; in those cases, set it to match this URI exactly.

2. Click Register. The application management screen opens. Record these values for later use:

   • Application (client) ID is used for OAuthClientId
   • Directory (tenant) ID is used for AzureTenant

3. Go to Certificates & Secrets. Click New Client Secret, set the desired expiration, and save the generated value. This value will only be shown once — record it to use with OAuthClientSecret.

4. To confirm, click Add permissions.

Create a Service Principal App in Entra ID (Microsoft Entra ID)

Create a Service Principal App in Entra ID (Microsoft Entra ID)

Azure Synapse supports Service Principal-based authentication, which is role-based. This means that the Service Principal's permissions are determined by the roles assigned to it. The roles specify what resources the Service Principal can access and which operations it can perform.

If you want to use a Service Principal to authenticate to Azure Synapse, you must create a custom application in Microsoft Entra ID.

To enable Service Principal authentication:

• Confirm that you have permission to register applications and assign roles in your tenant.
• Register a new application and configure credentials and permissions in the Entra Admin Center.

Register the Application

1. Go to https://portal.azure.com.
2. In the left-hand navigation pane, select Microsoft Entra ID > App registrations.
3. Click New registration.
4. Enter a name for the application.
5. Select the desired tenant setup. Since this custom application is for Service Principal use, choose Any Microsoft Entra ID tenant – Multitenant.
6. Click Register. The application management screen opens. Note the value in Application (client) ID as the OAuthClientId and the Directory (tenant) ID as the AzureTenant
7. Navigate to Certificates & Secrets and define the application authentication type. Two types of authentication are available: certificate (recommended) or client secret
   • For certificate authentication: In Certificates & Secrets, select Upload certificate, then upload the certificate from your local machine. For more information on creating a self-signed certificate, see Create a self-signed certificate
   • For creating a new client secret: In Certificates & Secrets, select New Client Secret for the application and specify its duration. After the client secret is saved, Azure Synapse displays the key value. This value is displayed only once, so be sure to record it for future use. Use this value for the OAuthClientSecret
8. Navigate to Authentication and select the Access tokens option.
9. Save your changes.

Consent for Client Credentials

OAuth supports the use of client credentials to authenticate. In a client credentials authentication flow, credentials are created for the authenticating application itself. The auth flow acts just like the usual auth flow, except that there is no prompt for an associated user to provide credentials. All tasks accepted by the application are executed outside of the context of a default user.

1. Log in to https://portal.azure.com
2. Create a custom OAuth application, as described above.
3. Navigate to App Registrations.
4. Find the application you just created, and open API Permissions.
5. Select the Microsoft Graph permissions. There are two distinct sets of permissions: Delegated and Application.
6. For use with Service Principal, specify Application permissions.
7. Select the permissions you require for your integration.

Important Notes

Configuration Files and Their Paths

• All references to adding configuration files and their paths refer to files and locations on the Jitterbit agent where the connector is installed. These paths are to be adjusted as appropriate depending on the agent and the operating system. If multiple agents are used in an agent group, identical files will be required on each agent.

Advanced Features

This section details a selection of advanced features of the Azure Synapse connector.

SSL Configuration

Use SSL Configuration to adjust how connector handles TLS/SSL certificate negotiations. You can choose from various certificate formats. For further information, see the SSLServerCert property under "Connection String Options".

Proxy

To configure the connector using private agent proxy settings, select the Use Proxy Settings checkbox on the connection configuration screen.

Log

For an overview of configuration settings that can be used to refine logging, see Logging. Only two connection properties are required for basic logging, but there are numerous features that support more refined logging, which enables you to use the LogModules connection property to specify subsets of information to be logged.

SSL Configuration

Customize the SSL Configuration

To enable TLS, set Encrypt to True.

With this configuration, the connector attempts to negotiate TLS with the server. The server certificate is validated against the default system trusted certificate store. You can override how the certificate gets validated using the SSLServerCert connection property.

To specify another certificate, see the SSLServerCert connection property.

Client SSL Certificates

The Azure Synapse connector also supports setting client certificates. Set the following to connect using a client certificate.

• SSLClientCert: The name of the certificate store for the client certificate.
• SSLClientCertType: The type of key store containing the TLS/SSL client certificate.
• SSLClientCertPassword: The password for the TLS/SSL client certificate.
• SSLClientCertSubject: The subject of the TLS/SSL client certificate.

Stored Procedures

Stored procedures are function-like interfaces that extend the functionality of the connector beyond simple SELECT/INSERT/UPDATE/DELETE operations with Azure Synapse.

Stored procedures accept a list of parameters, perform their intended function, and then return any relevant response data from Azure Synapse, along with an indication of whether the procedure succeeded or failed.

Jitterbit Connector for Azure Synapse Stored Procedures

GetOAuthAccessToken

Fetches the OAuth Access Token, which is used to authenticate and authorize API calls made to Azure Synapse.

Input

Result Set Columns

GetOAuthAuthorizationUrl

Retrieves the OAuth Authorization URL, allowing the client to direct the user's browser to the authorization server and initiate the OAuth process.

Input

Result Set Columns

RefreshOAuthAccessToken

Refreshes an expired OAuth Access Token to maintain continuous authenticated access to Azure Synapse resources without requiring reauthorization from the user.

Input

Result Set Columns

Advanced Configurations Properties

The advanced configurations properties are the various options that can be used to establish a connection. This section provides a complete list of the options you can configure. Click the links for further details.

Authentication

Bulk

Azure Authentication

OAuth

JWT OAuth

SSL

Schema

Miscellaneous

Authentication

This section provides a complete list of authentication properties you can configure.

AuthScheme

Specifies which authentication scheme the driver uses when it establishes the connection.

Possible Values

Password, Microsoft Entra ID, AzureServicePrincipal, AzureServicePrincipalCert, AzureMSI, AzurePassword

Data Type

string

Default Value

Password

Remarks

Azure Synapse supports the following AuthScheme options:

• Password (default): Authenticate using your username and your SQL Server Password.
• Microsoft Entra ID: Perform Microsoft Entra ID (user-based) OAuth authentication.
• AzureServicePrincipal: Authenticate as a Microsoft Entra service principal (role-based, application-based) using a Client Secret.
• AzureServicePrincipalCert: Authenticate as a Microsoft Entra service principal (role-based, application-based) using a Certificate.
• AzureMSI: Automatically obtain Microsoft Entra ID Managed Service Identity (MSI) credentials when running on an Azure VM.
• AzurePassword: Authenticate directly to Microsoft Entra ID using your Azure user name and password, and the Directory ID of the Azure Tenant.

Server

Specifies the fully-qualified host name or IP address of the provider SQL endpoint. You must supply a value for the connection to succeed.

Data Type

string

Default Value

""

Remarks

Provide the exact host name shown in connector Studio or the Azure portal. If the workspace uses a private link, application gateway, or proxy, enter that front-end address instead.

This property is useful when you manage multiple workspaces across environments (for example: dev, test, prod). Setting this property explicitly keeps connection strings self-documenting and prevents accidental cross-environment queries.

User

Specifies the user ID of the authenticating Azure Synapse user account.

Data Type

string

Default Value

""

Remarks

The authenticating server requires both User and Password to validate the user's identity.

Password

Specifies the password of the authenticating user account.

Data Type

string

Default Value

""

Remarks

The authenticating server requires both User and Password to validate the user's identity.

Port

Specifies the TCP port that the provider uses when it connects to the provider SQL endpoint.

Data Type

string

Default Value

1433

Remarks

The port of the Server hosting the Synapse Database.

If your connector workspace listens on the standard port, leave this property at its default. Set a different port only when a firewall rule, load balancer, or proxy exposes the service on a non-standard port number.

This property is useful when your network team remaps 1433 to another port for security or when multiple SQL services share the same public IP.

Database

Specifies the name of the Azure Synapse SQL database that the provider connects to at login.

Data Type

string

Default Value

""

Remarks

This property specifies the name of the Azure Synapse database running on the specified Server.

If your workspace contains more than one database or pool, set this property to the exact database name shown in Synapse Studio. Doing so guarantees that every command starts in the correct context and avoids wrong-database errors.

Leaving the field blank is acceptable in single-database workspaces since you can also switch later with a USE <dbName> statement, but declaring the database up front is safer and makes connection strings self-documenting.

Encrypt

Specifies whether the provider negotiates TLS/SSL encryption with the Azure Synapse endpoint and, if so, how strictly it enforces certificate validation.

Possible Values

True, False, Strict

Data Type

string

Default Value

False

Remarks

When this property is set to True, the connector requests an encrypted channel and validates the server’s certificate against the operating-system trust store. If the server presents a certificate that is not signed by a public certificate authority, you can supply its thumbprint by setting SSLServerCert.

When this property is set to Strict, the connector both requires encryption and enforces stronger checks: it rejects self-signed or weak certificates and prevents protocol downgrades. This mode aligns with Microsoft’s guidance for "strict encryption," making SQL Server traffic easier to secure and inspect with modern network appliances.

When this property is set to False, the connector skips TLS negotiation and sends traffic in clear text which is useful only for isolated networks or troubleshooting.

This property is helpful when you must balance security requirements against compatibility. True or Strict satisfy enterprise encryption policies, while False can diagnose handshake issues before you re-enable encryption.

Bulk

This section provides a complete list of the Bulk properties you can configure.

BatchMode

Specifies the mechanism the provider uses when it performs BulkInsert operations.

Possible Values

BCP, COPY, STANDARD

Data Type

string

Default Value

COPY

Remarks

Choose the mode that best fits your environment, permissions, and performance goals:

• COPY: Stages data in an external storage account, then executes COPY INTO to load the table. Fastest throughput, but requires valid StorageAccountLocation and AzureSASToken values. Supports INSERT statements only.
• BCP: Streams data directly to Azure Synapse over the Bulk Copy Protocol. This is useful when you can’t use external storage yet still need high-speed, INSERT-only loading.
• STANDARD Executes regular INSERT, UPDATE, and DELETE statements in batches, with no staging or BCP. Use when you need mixed DML or lack permissions for COPY/BCP.

This property is helpful when you need to trade off speed, network constraints, and security policies: picking the right mode can cut minutes—or even hours—from large loads while letting you work within the permissions and infrastructure you actually control.

StorageAccountLocation

Specifies the Azure Blob Storage container that the provider uses to stage data files when the BatchMode property is set to COPY.

Data Type

string

Default Value

""

Remarks

If this property is left blank and BatchMode is set to COPY, the connector cannot stage files and the load fails. When you supply a value, the driver uploads CSV/Parquet files to the specified container and then executes a COPY INTO statement that reads directly from those files.

Provide the full HTTPS URL. For example: https://myaccount.blob.core.windows.net/myblobcontainer. In this example, "myaccount" is your Azure Blob account name and "myblobcontainer" is the container you want to use.

This property is useful when you want the highest-throughput loads available in COPY mode or when you need to separate staging storage from the connector workspace’s default data lake for security or cost-allocation reasons.

AzureSASToken

Specifies the URL-encoded Shared Access Signature (SAS) token that the provider uses when staging files in Azure Blob Storage.

Data Type

string

Default Value

""

Remarks

Leave this field blank if you authenticate to storage with a different method such as a storage access key or Microsoft Entra ID credentials.

To create a suitable token in the Azure portal:

1. Open the target blob container and choose Shared access signature under Settings.
2. Select at least Create, Write, and Delete in Permissions, then set an appropriate start and expiry time.
3. Click Generate SAS token and URL and copy the value from Blob SAS token.

The token must stay valid and carry the selected permissions until every bulk-load job completes. Otherwise uploads will fail with permission or expiry errors.

Azure Authentication

This section provides a complete list of Azure authentication properties you can configure.

AzureTenant

Identifies the Azure Synapse tenant being used to access data. Accepts either the tenant's domain name (for example, contoso.onmicrosoft.com) or its directory (tenant) ID.

Data Type

string

Default Value

""

Remarks

A tenant is a digital container for your organization's users and resources, managed through Microsoft Entra ID (formerly Microsoft Entra ID). Each tenant is associated with a unique directory ID, and often with a custom domain (for example, microsoft.com or contoso.onmicrosoft.com).

You can locate the directory (tenant) ID in the Microsoft Entra admin center by navigating to Microsoft Entra ID > Properties and copying the value labeled "Directory (tenant) ID".

This property is required in the following cases:

• When AuthScheme is set to AzureServicePrincipal or AzureServicePrincipalCert
• When AuthScheme is Microsoft Entra ID and the user account belongs to multiple tenants

You can provide the tenant value in one of two formats:

• A domain name (for example, contoso.onmicrosoft.com)
• A directory (tenant) ID in GUID format (for example, c9d7b8e4-1234-4f90-bc1a-2a28e0f9e9e0)

Specifying the tenant explicitly ensures that the authentication request is routed to the correct directory, which is especially important when a user belongs to multiple tenants or when using service principal–based authentication.

If this value is omitted when required, authentication may fail or connect to the wrong tenant. This can result in errors such as unauthorized or resource not found.

AzureEnvironment

Specifies the Azure network environment to which you will connect. Must be the same network to which your Azure account was added.

Possible Values

GLOBAL, CHINA, USGOVT, USGOVTDOD

Data Type

string

Default Value

GLOBAL

Remarks

Required if your Azure account is part of a different network than the Global network, such as China, USGOVT, or USGOVTDOD.

OAuth

This section provides a complete list of OAuth properties you can configure.

InitiateOAuth

Specifies the process for obtaining or refreshing the OAuth access token, which maintains user access while an authenticated, authorized user is working.

Possible Values

OFF, REFRESH, GETANDREFRESH

Data Type

string

Default Value

OFF

Remarks

OAuth is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service. The OAuth flow defines the method to be used for logging in users, exchanging their credentials for an OAuth access token to be used for authentication, and providing limited access to applications.

Azure Synapse supports the following options for initiating OAuth access:

1. OFF: No automatic OAuth flow initiation. The OAuth flow is handled entirely by the user, who will take action to obtain their OAuthAccessToken. Note that with this setting the user must refresh the token manually and reconnect with an updated OAuthAccessToken property when the current token expires.
2. GETANDREFRESH: The OAuth flow is handled entirely by the connector. If a token already exists, it is refreshed when necessary. If no token currently exists, it will be obtained by prompting the user to login.
3. REFRESH: The user handles obtaining the OAuth Access Token and sets up the sequence for refreshing the OAuth Access Token. (The user is never prompted to log in to authenticate. After the user logs in, the connector handles the refresh of the OAuth Access Token.

OAuthClientId

Specifies the client ID (also known as the consumer key) assigned to your custom OAuth application. This ID is required to identify the application to the OAuth authorization server during authentication.

Data Type

string

Default Value

""

Remarks

This property is required when using a custom OAuth application, such as in web-based authentication flows, service-based authentication, or certificate-based flows that require application registration. It is also required if an embedded OAuth application is not available for the driver. When an embedded OAuth application is available, this value may already be provided by the connector and not require manual entry.

This value is generally used alongside other OAuth-related properties such as OAuthClientSecret and OAuthSettingsLocation when configuring an authenticated connection.

OAuthClientId is one of the key connection parameters that need to be set before users can authenticate via OAuth. You can typically find this value in your identity provider’s application registration settings. Look for a field labeled Client ID, Application ID, or Consumer Key.

While the client ID is not considered a confidential value like a client secret, it is still part of your application's identity and should be handled carefully. Avoid exposing it in public repositories or shared configuration files.

OAuthClientSecret

Specifies the client secret assigned to your custom OAuth application. This confidential value is used to authenticate the application to the OAuth authorization server.

Data Type

string

Default Value

""

Remarks

This property is required when using a custom OAuth application in any flow that requires secure client authentication, such as web-based OAuth, service-based connections, or certificate-based authorization flows. It is not required when using an embedded OAuth application.

The client secret is used during the token exchange step of the OAuth flow, when the driver requests an access token from the authorization server. If this value is missing or incorrect, authentication will fail, and the server may return an invalid_client or unauthorized_client error.

OAuthClientSecret is one of the key connection parameters that need to be set before users can authenticate via OAuth. You can obtain this value from your identity provider when registering the OAuth application. It may be referred to as the client secret, application secret, or consumer secret.

This value should be stored securely and never exposed in public repositories, scripts, or unsecured environments. Client secrets may also expire after a set period. Be sure to monitor expiration dates and rotate secrets as needed to maintain uninterrupted access.

OAuthAccessToken

Specifies the OAuth access token used to authenticate requests to the data source. This token is issued by the authorization server after a successful OAuth exchange.

Data Type

string

Default Value

""

Remarks

The OAuthAccessToken is a temporary credential that authorizes access to protected resources. It is typically returned by the identity provider after the user or client application completes an OAuth authentication flow. This property is most commonly used in automated workflows or custom OAuth implementations where you want to manage token handling outside of the driver.

The OAuth access token has a server-dependent timeout, limiting user access. This is set using the OAuthExpiresIn property. However, it can be reissued between requests to keep access alive as long as the user keeps working.

If InitiateOAuth is set to REFRESH, we recommend that you also set both OAuthExpiresIn and OAuthTokenTimestamp. The connector uses these properties to determine when the token expires so it can refresh most efficiently. If OAuthExpiresIn and OAuthTokenTimestamp are not specified, the connector refreshes the token immediately.

Access tokens should be treated as sensitive credentials and stored securely. Avoid exposing them in logs, scripts, or configuration files that are not access-controlled.

OAuthSettingsLocation

Specifies the location of the settings file where OAuth values are saved. Storing OAuth settings in a central location avoids the need for users to enter OAuth connection properties manually each time they log in. It also enables credentials to be shared across connections or processes.

Data Type

string

Default Value

%APPDATA%\AzureSynapse Data Provider\OAuthSettings.txt

Remarks

You can store OAuth values in a central file for shared access to those values, in either of the following ways:

• Set InitiateOAuth to either GETANDREFRESH or REFRESH and specify a filepath to the OAuth settings file.
• Use memory storage to load the credentials into static memory.

The following sections provide more detail on each of these methods.

Specifying the OAuthSettingsLocation Filepath

The default OAuth setting location is %APPDATA%\AzureSynapse Data Provider\OAuthSettings.txt, with %APPDATA% set to the user's configuration directory.

Default values vary, depending on the user's operating system.

• Windows (ODBC and Power BI): registry://%DSN%
• Windows: %APPDATA%AzureSynapse Data Provider\OAuthSettings.txt
• Mac: %APPDATA%//AzureSynapse Data Provider/OAuthSettings.txt
• Linux: %APPDATA%//AzureSynapse Data Provider/OAuthSettings.txt

Loading Credentials Via Memory Storage

Memory locations are specified by using a value starting with memory://, followed by a unique identifier for that set of credentials (for example, memory://user1). The identifier can be anything you choose, but it should be unique to the user.

Unlike file-based storage, where credentials persist across connections, memory storage loads the credentials into static memory and the credentials are shared between connections using the same identifier for the life of the process. To persist credentials outside the current process, you must manually store the credentials prior to closing the connection. This enables you to set them in the connection when the process is started again.

To retrieve OAuth property values, query the sys_connection_props system table. If there are multiple connections using the same credentials, the properties are read from the previously closed connection.

Supported Storage Types

• **memory://**: Stores OAuth tokens in-memory (unique identifier, shared within same process, etc.)
• **registry://**: Only supported in the Windows ODBC and Power BI editions. Stores OAuth tokens in the registry under the DSN settings. Must end in a DSN name like registry://` Jitterbit Connector for Azure Synapse Data Source`, orregistry://%DSN%``.
• %DSN%: The name of the DSN you are connecting with.
• Default (no prefix): Stores OAuth tokens within files. The value can be either an absolute path, or a path starting with %APPDATA% or %PROGRAMFILES%.

CallbackURL

Identifies the URL users return to after authenticating to Azure Synapse via OAuth. (Custom OAuth applications only.).

Data Type

string

Default Value

""

Remarks

If you created a custom OAuth application, the OAuth authorization server redirects the user to this URL during the authentication process. This value must match the callback URL you specified when you Configured the custom OAuth application.

Scope

Specifies the scope of the authenticating user's access to the application. Generally specified at the time the custom OAuth application is created (if necessary), so that the authenticating user can obtain the the level of access appropriate to their credentials.

Data Type

string

Default Value

""

Remarks

Scopes are set to define what kind of access the authenticating user will have; for example, read, read and write, restricted access to sensitive information. System administrators can use scopes to selectively enable access by functionality or security clearance.

When InitiateOAuth is set to GETANDREFRESH, you must use this property if you want to change which scopes are requested. When InitiateOAuth is set to either REFRESH or OFF, you can use either this property or the Scope input to change which scopes are requested.

OAuthVerifier

Specifies a verifier code returned from the OAuthAuthorizationURL . Used when authenticating to OAuth on a headless server, where a browser can't be launched. Requires both OAuthSettingsLocation and OAuthVerifier to be set.

Data Type

string

Default Value

""

OAuthRefreshToken

Specifies the OAuth refresh token used to request a new access token after the original has expired.

Data Type

string

Default Value

""

Remarks

The refresh token is used to obtain a new access token when the current one expires. It enables seamless authentication for long-running or automated workflows without requiring the user to log in again. This property is especially important in headless, CI/CD, or server-based environments where interactive authentication is not possible.

The refresh token is typically obtained during the initial OAuth exchange by calling the GetOAuthAccessToken stored procedure. After that, it can be set using this property to enable automatic token refresh, or passed to the RefreshOAuthAccessToken stored procedure if you prefer to manage the refresh manually.

When InitiateOAuth is set to REFRESH, the driver uses this token to retrieve a new access token automatically. After the first refresh, the driver saves updated tokens in the location defined by OAuthSettingsLocation, and uses those values for subsequent connections.

The OAuthRefreshToken should be handled securely and stored in a trusted location. Like access tokens, refresh tokens can expire or be revoked depending on the identity provider’s policies.

OAuthExpiresIn

Specifies the duration in seconds, of an OAuth Access Token's lifetime. The token can be reissued to keep access alive as long as the user keeps working.

Data Type

string

Default Value

""

Remarks

The OAuth Access Token is assigned to an authenticated user, granting that user access to the network for a specified period of time. The access token is used in place of the user's login ID and password, which stay on the server.

An access token created by the server is only valid for a limited time. OAuthExpiresIn is the number of seconds the token is valid from when it was created. For example, a token generated at 2024-01-29 20:00:00 UTC that expires at 2024-01-29 21:00:00 UTC (an hour later) would have an OAuthExpiresIn value of 3600, no matter what the current time is.

To determine how long the user has before the Access Token will expire, use OAuthTokenTimestamp.

OAuthTokenTimestamp

Displays a Unix epoch timestamp in milliseconds that shows how long ago the current Access Token was created.

Data Type

string

Default Value

""

Remarks

The OAuth Access Token is assigned to an authenticated user, granting that user access to the network for a specified period of time. The access token is used in place of the user's login ID and password, which stay on the server.

An access token created by the server is only valid for a limited time. OAuthTokenTimestamp is the Unix timestamp when the server created the token. For example, OAuthTokenTimestamp=1706558400 indicates the OAuthAccessToken was generated by the server at 2024-01-29 20:00:00 UTC.

JWT OAuth

This section provides a complete list of JWT OAuth properties you can configure.

OAuthJWTCert

Supplies the name of the client certificate's JWT Certificate store.

Data Type

string

Default Value

""

Remarks

The OAuthJWTCertType field specifies the type of the certificate store specified in OAuthJWTCert. If the store is password-protected, use OAuthJWTCertPassword to supply the password..

OAuthJWTCert is used in conjunction with the OAuthJWTCertSubject field in order to specify client certificates.

If OAuthJWTCert has a value, and OAuthJWTCertSubject is set, the Jitterbit Connector for Azure Synapse initiates a search for a certificate. For further information, see OAuthJWTCertSubject.

Designations of certificate stores are platform-dependent.

Notes

• The most common User and Machine certificate stores in Windows include:

  • MY: A certificate store holding personal certificates with their

    associated private keys.

  • CA: Certifying authority certificates.

  • ROOT: Root certificates.

  • SPC: Software publisher certificates.

  • In Java, the certificate store normally is a file containing certificates and optional private keys.
  • When the certificate store type is PFXFile, this property must be set to the name of the file.
  • When the type is PFXBlob, the property must be set to the binary contents of a PFX file (i.e. PKCS12 certificate store).

OAuthJWTCertType

Identifies the type of key store containing the JWT Certificate.

Possible Values

USER, MACHINE, PFXFILE, PFXBLOB, JKSFILE, JKSBLOB, PEMKEY_FILE, PEMKEY_BLOB, PUBLIC_KEY_FILE, PUBLIC_KEY_BLOB, SSHPUBLIC_KEY_FILE, SSHPUBLIC_KEY_BLOB, P7BFILE, PPKFILE, XMLFILE, XMLBLOB, BCFKSFILE, BCFKSBLOB

Data Type

string

Default Value

USER

Remarks

OAuthJWTCertPassword

Provides the password for the OAuth JWT certificate used to access a password-protected certificate store. If the certificate store does not require a password, leave this property blank.

Data Type

string

Default Value

""

Remarks

This property specifies the password needed to open a password-protected certificate store. To determine if a password is necessary, refer to the documentation or configuration for your specific certificate store.

OAuthJWTCertSubject

Identifies the subject of the OAuth JWT certificate used to locate a matching certificate in the store. Supports partial matches and the wildcard '*' to select the first certificate.

Data Type

string

Default Value

*

Remarks

The value of this property is used to locate a matching certificate in the store. The search process works as follows:

• If an exact match for the subject is found, the corresponding certificate is selected.
• If no exact match is found, the store is searched for certificates whose subjects contain the property value.
• If no match is found, no certificate is selected.

You can set the value to '*' to automatically select the first certificate in the store. The certificate subject is a comma-separated list of distinguished name fields and values. For example: CN=www.server.com, OU=test, C=US, E=example@jbexample.com. Common fields include:

If a field value contains a comma, enclose it in quotes. For example: "O=ACME, Inc.".

SSL

This section provides a complete list of SSL properties you can configure.

SSLClientCert

Specifies the TLS/SSL client certificate store for SSL Client Authentication (2-way SSL). This property works in conjunction with other SSL-related properties to establish a secure connection.

Data Type

string

Default Value

""

Remarks

This property specifies the client certificate store for SSL Client Authentication. Use this property alongside SSLClientCertType, which defines the type of the certificate store, and SSLClientCertPassword, which specifies the password for password-protected stores. When SSLClientCert is set and SSLClientCertSubject is configured, the driver searches for a certificate matching the specified subject.

Certificate store designations vary by platform. On Windows, certificate stores are identified by names such as MY (personal certificates), while in Java, the certificate store is typically a file containing certificates and optional private keys.

The following are designations of the most common User and Machine certificate stores in Windows:

For PFXFile types, set this property to the filename. For PFXBlob types, set this property to the binary contents of the file in PKCS12 format.

SSLClientCertType

Specifies the type of key store containing the TLS/SSL client certificate for SSL Client Authentication. Choose from a variety of key store formats depending on your platform and certificate source.

Possible Values

USER, MACHINE, PFXFILE, PFXBLOB, JKSFILE, JKSBLOB, PEMKEY_FILE, PEMKEY_BLOB, PUBLIC_KEY_FILE, PUBLIC_KEY_BLOB, SSHPUBLIC_KEY_FILE, SSHPUBLIC_KEY_BLOB, P7BFILE, PPKFILE, XMLFILE, XMLBLOB, BCFKSFILE, BCFKSBLOB

Data Type

string

Default Value

USER

Remarks

This property determines the format and location of the key store used to provide the client certificate. Supported values include platform-specific and universal key store formats. The available values and their usage are:

SSLClientCertPassword

Specifes the password required to access the TLS/SSL client certificate store. Use this property if the selected certificate store type requires a password for access.

Data Type

string

Default Value

""

Remarks

This property provides the password needed to open a password-protected certificate store. This property is necessary when using certificate stores that require a password for decryption, as is often recommended for PFX or JKS type stores.

If the certificate store type does not require a password, for example USER or MACHINE on Windows, this property can be left blank. Ensure that the password matches the one associated with the specified certificate store to avoid authentication errors.

SSLClientCertSubject

Specifes the subject of the TLS/SSL client certificate to locate it in the certificate store. Use a comma-separated list of distinguished name fields, such as CN=www.server.com, C=US. The wildcard * selects the first certificate in the store.

Data Type

string

Default Value

*

Remarks

This property determines which client certificate to load based on its subject. The connector searches for a certificate that exactly matches the specified subject. If no exact match is found, the connector looks for certificates containing the value of the subject. If no match is found, no certificate is selected.

The subject should follow the standard format of a comma-separated list of distinguished name fields and values. For example, CN=www.server.com, OU=Test, C=US. Common fields include the following:

SSLServerCert

Specifies the certificate to be accepted from the server when connecting using TLS/SSL.

Data Type

string

Default Value

""

Remarks

If using a TLS/SSL connection, this property can be used to specify the TLS/SSL certificate to be accepted from the server. Any other certificate that is not trusted by the machine is rejected.

This property can take the following forms:

If not specified, any certificate trusted by the machine is accepted.

Certificates are validated as trusted by the machine based on the System's trust store. The trust store used is the 'javax.net.ssl.trustStore' value specified for the system. If no value is specified for this property, Java's default trust store is used (for example, JAVA_HOME\lib\security\cacerts).

Use '*' to signify to accept all certificates. Note that this is not recommended due to security concerns.

Schema

This section provides a complete list of schema properties you can configure.

Location

Specifies the location of a directory containing schema files that define tables, views, and stored procedures. Depending on your service's requirements, this may be expressed as either an absolute path or a relative path.

Data Type

string

Default Value

%APPDATA%\AzureSynapse Data Provider\Schema

Remarks

The Location property is only needed if you want to either customize definitions (for example, change a column name, ignore a column, etc.) or extend the data model with new tables, views, or stored procedures.

If left unspecified, the default location is %APPDATA%\AzureSynapse Data Provider\Schema, where %APPDATA% is set to the user's configuration directory:

BrowsableSchemas

Optional setting that restricts the schemas reported to a subset of all available schemas. For example, BrowsableSchemas=SchemaA,SchemaB,SchemaC.

Data Type

string

Default Value

""

Remarks

Listing all available database schemas can take extra time, thus degrading performance. Providing a list of schemas in the connection string saves time and improves performance.

Tables

Optional setting that restricts the tables reported to a subset of all available tables. For example, Tables=TableA,TableB,TableC.

Data Type

string

Default Value

""

Remarks

Listing all available tables from some databases can take extra time, thus degrading performance. Providing a list of tables in the connection string saves time and improves performance.

If there are lots of tables available and you already know which ones you want to work with, you can use this property to restrict your viewing to only those tables. To do this, specify the tables you want in a comma-separated list. Each table should be a valid SQL identifier with any special characters escaped using square brackets, double-quotes or backticks. For example, Tables=TableA,[TableB/WithSlash],WithCatalog.WithSchema.`TableC With Space`.

Views

Optional setting that restricts the views reported to a subset of the available tables. For example, Views=ViewA,ViewB,ViewC.

Data Type

string

Default Value

""

Remarks

Listing all available views from some databases can take extra time, thus degrading performance. Providing a list of views in the connection string saves time and improves performance.

If there are lots of views available and you already know which ones you want to work with, you can use this property to restrict your viewing to only those views. To do this, specify the views you want in a comma-separated list. Each view should be a valid SQL identifier with any special characters escaped using square brackets, double-quotes or backticks. For example, Views=ViewA,[ViewB/WithSlash],WithCatalog.WithSchema.`ViewC With Space`.

Miscellaneous

This section provides a complete list of miscellaneous properties you can configure.

CustomizeDateFormat

Specifies the text pattern the provider uses when it parses or writes DATE values.

Data Type

string

Default Value

""

Remarks

Most applications don't use this setting because DATE parameters are sent to Azure Synapse as native values, not strings. You need it only when the connector has to read or write dates as text. For example, CSV-based bulk loads, flat-file exports, or log files that downstream tools will ingest.

Common patterns include:

• yyyy-MM-dd
• MM/dd/yyyy
• dd-MMM-yyyy
• yyyyMMdd

Set a pattern that matches the files you must consume or produce. Otherwise the connector may fail to parse incoming dates or generate strings your target system rejects. This property is helpful when the data you share or receive is locked into a regional or legacy date layout and you want to avoid a separate conversion step.

ApplicationIntent

Specifies whether the connection requests a read-write or read-only session when connecting through an Availability Group listener.

Data Type

string

Default Value

ReadWrite

Remarks

Set ApplicationIntent to ReadOnly to enable read-only routing.

When the listener receives this value, it forwards the connection to a readable secondary replica, provided one is configured and online.

If you omit the property or leave it at the default value ReadWrite, the listener directs the connection to the primary replica and allows full read-write operations.

EnableTransaction

Specifies whether the provider wraps data-modification statements in SQL transactions.

Data Type

bool

Default Value

true

Remarks

When this property is set to true, the connector passes any BEGIN TRANSACTION, COMMIT, or ROLLBACK commands through to the database, giving you full atomic commit and rollback support. This setting is valid only on dedicated SQL pools, because they accept transactional commands.

When this property is set to false, every transaction call is treated as a no-op and each statement auto-commits. Serverless SQL pools require this setting, since they do not support transactions at all. Disabling transactions is also useful when a client tool always wraps statements in transactions, but your target pool cannot process them.

IncludeSystemSchemas

Specifies whether the provider returns objects that reside in system schemas including guest, sys, INFORMATION_SCHEMA, and any schema whose name begins with db_.

Data Type

bool

Default Value

true

Remarks

When this property is set to true, system-schema tables and views appear in metadata queries and can be selected or queried just like user tables.

When this property is set to false, the connector filters those objects out of metadata results. Applications that enumerate schemas or tables see only user-defined objects.

This property is helpful when you want to declutter design-time metadata lists. For example, in business intelligence tools that pull every schema or when you need to expose system objects for advanced diagnostics.

IncludeTableTypes

Specifies whether the provider retrieves the object type (table or view) for each entry it returns during metadata queries.

Data Type

bool

Default Value

true

Remarks

When this property is set to true, the connector issues an additional query so that metadata lists include a reliable "table" or "view" indicator for every object. This is useful for design tools, ORMs, or business intelligence platforms that need to distinguish tables from views automatically.

When this property is set to false, the connector skips the extra lookup, which can reduce metadata-fetch time on large schemas, but the object type field will be blank (or default) in metadata results.

This property is useful when you need to distinguish tables from views automatically. Enabling it prevents misclassification and saves manual filtering later.

MaxRows

Specifies the maximum rows returned for queries without aggregation or GROUP BY.

Data Type

int

Default Value

-1

Remarks

This property sets an upper limit on the number of rows the connector returns for queries that do not include aggregation or GROUP BY clauses. This limit ensures that queries do not return excessively large result sets by default.

When a query includes a LIMIT clause, the value specified in the query takes precedence over the MaxRows setting. If MaxRows is set to "-1", no row limit is enforced unless a LIMIT clause is explicitly included in the query.

This property is useful for optimizing performance and preventing excessive resource consumption when executing queries that could otherwise return very large datasets.

Other

Specifies additional hidden properties for specific use cases. These are not required for typical provider functionality. Use a semicolon-separated list to define multiple properties.

Data Type

string

Default Value

""

Remarks

This property allows advanced users to configure hidden properties for specialized scenarios. These settings are not required for normal use cases but can address unique requirements or provide additional functionality. Multiple properties can be defined in a semicolon-separated list.

Specify multiple properties in a semicolon-separated list.

Integration and Formatting

QueryPassthrough

This option passes the query to the Azure Synapse server as is.

Data Type

bool

Default Value

false

Remarks

When this is set, queries are passed through directly to Azure Synapse.

Timeout

Specifies the maximum time, in seconds, that the provider waits for a server response before throwing a timeout error. The default is 60 seconds. Set to 0 to disable the timeout.

Data Type

int

Default Value

60

Remarks

This property controls the maximum time, in seconds, that the connector waits for an operation to complete before canceling it. If the timeout period expires before the operation finishes, the connector cancels the operation and throws an exception.

The timeout applies to each individual communication with the server rather than the entire query or operation. For example, a query could continue running beyond the timeout value if each paging call completes within the timeout limit.

Setting this property to 0 disables the timeout, allowing operations to run indefinitely until they succeed or fail due to other conditions such as server-side timeouts, network interruptions, or resource limits on the server. Use this property cautiously to avoid long-running operations that could degrade performance or result in unresponsive behavior.