Preview Release v7.0.0-preview4

[mdaigle]

Hello Community!

We are pleased to announce that the 7.0.0 Preview 4 release is now available, and it (finally!) addresses this long-standing issue. Please give it a try, and open new Issues with any problems/roadblocks/etc you encounter. We're counting on your enthusiasm to help us work out any kinks before the 7.0.0 GA release planned in a couple of weeks.

Breaking Change

Apps that do not use the built-in Entra ID (a.k.a Azure Active Directory) authentication support should not require any project or code changes.

Apps using the built-in Entra ID authentication support will need to add the following package dependency to their project:

<PackageReference Include="Microsoft.Data.SqlClient.Extensions.Azure" Version="1.0.0-preview1.26064.3" />

That's it! If you encounter any issues related to the new package dependencies, or the Entra ID auth flows, please open new Issues so we can investigate.

New Package Structure

We have created 3 new packages to support the separation of the Entra ID authentication support from the main SqlClient package:

• Microsoft.Data.SqlClient.Extensions.Logging:
  • Our ETW EventSource implementation used by all other packages in the SqlClient family.
• Microsoft.Data.SqlClient.Extensions.Abstractions:
  • Abstract types shared by 2 or more packages, such as enums, abstract base classes, and interfaces.
  • Currently only contains types needed for the Entra ID separation.
• Microsoft.Data.SqlClient.Extensions.Azure:
  • Home for implementations that require Azure dependencies.
  • Currently contains the Entra ID authentication support.
  • Will be expanded to house other Azure-based implementations that still live within the core SqlClient package.

The SqlClient that Azure Key Vault Provider packages remain largely unchanged at this point, but future work may continue to separate out certain parts of the implementation to give apps more control over their dependency trees.

Release Details

Changed

Azure Dependencies Removed from Core Package

What Changed:

• The core Microsoft.Data.SqlClient package no longer depends on Azure.Core, Azure.Identity, or their transitive dependencies (e.g., Microsoft.Identity.Client, Microsoft.Web.WebView2). Azure Active Directory / Entra authentication functionality (ActiveDirectoryAuthenticationProvider and related types) has been extracted into a new Microsoft.Data.SqlClient.Extensions.Azure package that can be installed separately when needed. (#1108, #3680, #3902, #3904, #3908, #3917, #3982, #3978, #3986)
• To support this separation, two additional packages were introduced: Microsoft.Data.SqlClient.Extensions.Abstractions (shared types between the core driver and extensions) and Microsoft.Data.SqlClient.Extensions.Logging (shared ETW tracing infrastructure). (#3626, #3628, #3967)

Who Benefits:

• All users benefit from a significantly lighter core package. Previously, the Azure dependency chain pulled in numerous assemblies (including Azure.Core, Azure.Identity, Microsoft.Identity.Client, and Microsoft.Web.WebView2) even for applications that only needed basic SQL Server connectivity. This was the most upvoted open issue in the repository (#1108).
• Users who do not use Azure AD authentication no longer carry Azure-related assemblies in their build output, reducing deployment size and eliminating confusion about unexpected dependencies.
• Users who do use Azure AD authentication can now manage Azure dependency versions independently from the core driver.

Impact:

• Applications using Azure AD authentication (e.g., ActiveDirectoryPassword, ActiveDirectoryInteractive, ActiveDirectoryDefault, etc.) must now install the Microsoft.Data.SqlClient.Extensions.Azure NuGet package separately. No code changes are required beyond adding the package reference.

Added

Expose SSPI Context Provider as Public API

What Changed:

• Added the SspiContextProvider abstract class and a public SspiContextProvider property on SqlConnection, allowing applications to supply a custom SSPI context provider for integrated authentication. This enables custom Kerberos ticket negotiation and NTLM username/password authentication scenarios that the driver does not natively support. (#2253, #2494)

Who Benefits:

• Users authenticating across untrusted domains, non-domain-joined machines, or cross-platform environments where configuring integrated authentication on the client is difficult or impossible.
• Users running in containers who need manual Kerberos negotiation without deploying sidecars or external ticket-refresh mechanisms.
• Users who need NTLM username/password authentication to SQL Server, which the driver does not provide natively.

Impact:

• Applications can set a custom SspiContextProvider on SqlConnection before opening the connection. The provider handles the authentication token exchange during integrated authentication. This is an additive API — existing authentication behavior is unchanged when no custom provider is set. See SspiContextProvider_CustomProvider.cs for a sample implementation.
• Note: The SspiContextProvider is a part of the connection pool key. Care should be taken when using this property to ensure the implementation returns a stable identity per resource.

Expose Default Transient Error List

What Changed:

• Exposed the default transient error codes list via the new SqlConfigurableRetryFactory.BaselineTransientErrors static property (returns a ReadOnlyCollection<int>), making it easier to extend the set of transient errors without copy-pasting from the repository source. (#3903)

Who Benefits:

• Developers implementing custom retry logic who want to extend the built-in transient error list rather than replacing it.

Impact:

• Applications can now access the default transient error codes and append their own application-specific error codes for retry handling.

Introduce App Context Switch for MultiSubnetFailover Default

What Changed:

• Added a new app context switch Switch.Microsoft.Data.SqlClient.EnableMultiSubnetFailoverByDefault to set MultiSubnetFailover=true by default in connection strings. (#3841)

Who Benefits:

• Applications that need MultiSubnetFailover enabled globally without modifying individual connection strings.

Impact:

• Applications can enable MultiSubnetFailover globally using one of the following methods:

// In application code
AppContext.SetSwitch("Switch.Microsoft.Data.SqlClient.EnableMultiSubnetFailoverByDefault", true);

<!-- In App.Config -->
<runtime>
  <AppContextSwitchOverrides value="Switch.Microsoft.Data.SqlClient.EnableMultiSubnetFailoverByDefault=true" />
</runtime>

Enhanced Routing Support

What Changed:

• Added support for enhanced routing, a TDS feature that allows the server to redirect connections to a specific server and database. (#3641, #3969, #3970, #3973)

Who Benefits:

• Users connecting to Azure SQL Hyperscale environments that use named read replicas and gateway-based load balancing.

Impact:

• Enhanced routing is negotiated automatically during login when the server supports it. No application code changes are required. This feature is separate from ApplicationIntent=ReadOnly and does not require read-only intent to be set.

Fixed

• Fixed ExecuteScalar to propagate errors when the server sends data followed by an error token. (#3912)

• Fixed NullReferenceException in SqlDataAdapter when processing batch scenarios where certain SQL RPC calls may not include system parameters. (#3857)

• Fixed reading of multiple app context switches from a single AppContextSwitchOverrides configuration field. (#3960)

• Fixed a connection performance regression where SPN generation was triggered for non-integrated authentication modes (e.g., SQL authentication) on the native SNI path. (#3929)

• Fixed an edge case in TdsParserStateObject.TryReadPlpBytes where zero-length reads returned null instead of an empty array. (#3872)

Other changes

• Updated UserAgent feature to use a pipe-delimited format, replacing the previous JSON format. (#3826)

• Minor improvements to Managed SNI tracing to capture continuation events and errors. (#3859)

• Reverted public visibility of internal interop enums (IoControlCodeAccess and IoControlTransferType) that were accidentally made public during the project merge. (#3900)

• Performance improvements. (#3791, #3772)

Contributors

We thank the following public contributors. Their efforts toward this project are very much appreciated.

• edwardneal
• ErikEJ
• MatthiasHuygelen
• tetolv
• twsouthwick
• Wraith2

[SimonCropp]

why is the nuget referencing old dependencies

• Microsoft.Bcl.Cryptography 9.0.9 instead of 10.0.3
• Microsoft.Extensions.Caching.Memory 9.0.9 instead of 10.0.3
• Microsoft.IdentityModel.JsonWebTokens 8.14.0 instead of 8.16.0
• Microsoft.IdentityModel.Protocols.OpenIdConnect 8.14.0 instead of 8.16.0
• System.Configuration.ConfigurationManager 9.0.9 instead of 10.0.3
• System.Security.Cryptography.Pkcs 9.0.9 instead of 10.0.3

given this is a major, surely it should take the opportunity to target the current stable of all dependencies

[Frulfump]

.NET 9(and 8) also goes out of support in November of this year (2026) it that's relevant.

[cremor]

Maybe fixed by #4045?

Microsoft.IdentityModel.JsonWebTokens and Microsoft.IdentityModel.Protocols.OpenIdConnect shouldn't be referenced at all any more. See #3917 (comment) and #3579.
But it looks like this will only be fixed in v8 😞 See #4017