Add notes about AccessTokens and pooling considerations

David-Engel · web-flow · commit f5e0c812f6b2 · 2025-05-01T11:57:48.000-07:00
diff --git a/docs/connect/ado-net/sql/azure-active-directory-authentication.md b/docs/connect/ado-net/sql/azure-active-directory-authentication.md
@@ -4,7 +4,7 @@ description: Describes how to use supported Microsoft Entra authentication modes
 author: David-Engel
 ms.author: davidengel
 ms.reviewer: davidengel
-ms.date: 09/13/2024
+ms.date: 05/01/2025
 ms.service: sql
 ms.subservice: connectivity
 ms.topic: conceptual
@@ -363,6 +363,12 @@ The following example shows how to set an application client ID through a config
 
 Available in version 5.2 onwards, there's a new [AccessTokenCallback](/dotnet/api/microsoft.data.sqlclient.sqlconnection.accesstokencallback) property on [SqlConnection](/dotnet/api/microsoft.data.sqlclient.sqlconnection). Use the `AccessTokenCallback` property to define a custom function that returns an access token given the incoming parameters. Using the callback is better than using the [AccessToken](/dotnet/api/microsoft.data.sqlclient.sqlconnection.accesstoken) property because it allows the access token to be refreshed within a connection pool. When using the `AccessToken` property, the token can't be updated after opening the connection. There's also no associated expiration date provided through the property. Once the token expires, new connection requests fail with a server authentication error and pools using it must be manually cleared.
 
+> [!IMPORTANT]
+> An `AccessTokenCallback` must return access tokens of the same security context for the same input parameters. If this is not done, pooled connections may be returned with the wrong security context for a connection.
+
+> [!NOTE]
+> `AccessTokenCallback` is part of the key used to identify connection pools. Avoid creating a new function callback for every creation of a SqlConnection since that will result in a new pool every time. Reference the same instance of a function for connections you want to be considered for pooling. The connection pool key includes parameters passed to the callback and will partition connection pools appropriately.
+
 The following code snippet is an example of using the `AccessTokenCallback` property in **Microsoft.Data.SqlClient v5.2 onwards**.
 
 [!code-csharp [AADAuthenticationAccessTokenCallback#1](~/../sqlclient/doc/samples/SqlConnection_AccessTokenCallback.cs#1)]
@@ -371,6 +377,9 @@ The following code snippet is an example of using the `AccessTokenCallback` prop
 
 Given more flexibility, the client application can also use its own provider for Microsoft Entra authentication instead of using the `ActiveDirectoryAuthenticationProvider` class. The custom authentication provider needs to be a subclass of `SqlAuthenticationProvider` with overridden methods. It then must register the custom provider, overriding one or more of the existing `Active Directory*` authentication methods.
 
+> [!IMPORTANT]
+> An authentication provider must return access tokens of the same security context for the same input parameters. If this is not done, pooled connections may be returned with the wrong security context for a connection.
+
 The following example shows how to use a new authentication provider for `Active Directory Device Code Flow` authentication.
 
 [!code-csharp [CustomDeviceCodeFlowAzureAuthenticationProvider#1](~/../sqlclient/doc/samples/CustomDeviceCodeFlowAzureAuthenticationProvider.cs#1)]
