From e261e032e95c41ab5bdcccd5c15194f454e6b657 Mon Sep 17 00:00:00 2001 From: David Levy Date: Mon, 26 Jan 2026 10:59:42 -0600 Subject: [PATCH 01/10] docs: update README for documentation freshness - Fix discussion link typo (#293 -> #292) - Update 'Switches not available' section to reflect current state - Most switches now implemented (-e, -f, -g, -k, -t, -z, -Z, -r, -X) - Only -j and -p[1] remain unimplemented - Add missing authentication methods to :Connect documentation - ActiveDirectoryInteractive, ActiveDirectoryAzCli, ActiveDirectoryDeviceCode - Fix ActiveDirectoryIntegrated description (no longer falls back) - Document additional authentication methods: - ActiveDirectoryWorkloadIdentity - ActiveDirectoryClientAssertion - ActiveDirectoryAzurePipelines - ActiveDirectoryEnvironment - ActiveDirectoryAzureDeveloperCli - ActiveDirectoryServicePrincipalAccessToken - SqlPassword --- README.md | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 576439da..07111ecf 100644 --- a/README.md +++ b/README.md @@ -162,16 +162,19 @@ The following switches have different behavior in this version of `sqlcmd` compa ### Switches not available in the new sqlcmd (go-sqlcmd) yet -There are a few switches yet to be implemented in the new `sqlcmd` (go-sqlcmd) compared -to the original ODBC based `sqlcmd`, discussion [#293](https://github.com/microsoft/go-sqlcmd/discussions/292) -lists these switches. Please provide feedback in the discussion on which -switches are most important to you to have implemented next in the new sqlcmd. +Most switches from the original ODBC-based `sqlcmd` have been implemented. The following switches are not yet available: +| Switch | Description | +|--------|-------------| +| `-j` | Print raw error messages | +| `-p[1]` | Print statistics (optional colon format) | + +For historical context and to provide feedback, see [discussion #292](https://github.com/microsoft/go-sqlcmd/discussions/292). ### Miscellaneous enhancements - Console output coloring (see below) -- `:Connect` now has an optional `-G` parameter to select one of the authentication methods for Azure SQL Database - `SqlAuthentication`, `ActiveDirectoryDefault`, `ActiveDirectoryIntegrated`, `ActiveDirectoryServicePrincipal`, `ActiveDirectoryManagedIdentity`, `ActiveDirectoryPassword`. If `-G` is not provided, either Integrated security or SQL Authentication will be used, dependent on the presence of a `-U` username parameter. +- `:Connect` now has an optional `-G` parameter to select one of the authentication methods for Azure SQL Database - `SqlAuthentication`, `ActiveDirectoryDefault`, `ActiveDirectoryIntegrated`, `ActiveDirectoryServicePrincipal`, `ActiveDirectoryManagedIdentity`, `ActiveDirectoryPassword`, `ActiveDirectoryInteractive`, `ActiveDirectoryAzCli`, `ActiveDirectoryDeviceCode`. If `-G` is not provided, either Integrated security or SQL Authentication will be used, dependent on the presence of a `-U` username parameter. - The new `--driver-logging-level` command line parameter allows you to see traces from the `go-mssqldb` client driver. Use `64` to see all traces. - Sqlcmd can now print results using a vertical format. Use the new `--vertical` command line option to set it. It's also controlled by the `SQLCMDFORMAT` scripting variable. @@ -219,7 +222,7 @@ To use AAD auth, you can use one of two command line switches: `ActiveDirectoryIntegrated` -This method is currently not implemented and will fall back to `ActiveDirectoryDefault`. +This method uses integrated Windows authentication. On Windows, it uses the current user's credentials. On Linux and macOS, it uses Kerberos authentication (requires a properly configured Kerberos environment). `ActiveDirectoryPassword` @@ -239,6 +242,26 @@ Use this method when running sqlcmd on an Azure VM that has either a system-assi This method authenticates the provided username as a service principal id and the password as the client secret for the service principal. Provide a username in the form `@`. Set `SQLCMDPASSWORD` variable to the client secret. If using a certificate instead of a client secret, set `AZURE_CLIENT_CERTIFICATE_PATH` environment variable to the path of the certificate file. +`ActiveDirectoryAzCli` + +This method uses the Azure CLI to obtain an access token. You must be logged in to Azure CLI (`az login`) before using this method. + +`ActiveDirectoryDeviceCode` + +This method uses the device code flow for authentication. It displays a code that you enter at https://microsoft.com/devicelogin to authenticate. + +#### Additional authentication methods + +The following authentication methods are also supported via `--authentication-method`: + +- `ActiveDirectoryWorkloadIdentity` - For workload identity federation scenarios +- `ActiveDirectoryClientAssertion` - For client assertion authentication +- `ActiveDirectoryAzurePipelines` - For Azure Pipelines service connections +- `ActiveDirectoryEnvironment` - Uses environment variables for authentication +- `ActiveDirectoryAzureDeveloperCli` - Uses Azure Developer CLI credentials +- `ActiveDirectoryServicePrincipalAccessToken` - Uses a pre-obtained access token +- `SqlPassword` - SQL Server authentication (same as using `-U` and `-P` without `-G`) + #### Environment variables for AAD auth Some settings for AAD auth do not have command line inputs, and some environment variables are consumed directly by the `azidentity` package used by `sqlcmd`. From d9d1c98e4f3b34a8be9ed290d63bf78669d30f7c Mon Sep 17 00:00:00 2001 From: David Levy Date: Thu, 16 Apr 2026 14:17:26 -0500 Subject: [PATCH 02/10] docs: fix inaccurate ActiveDirectoryIntegrated description and improve auth docs - Revert ActiveDirectoryIntegrated to accurate fallback description (driver still falls back to DefaultAzureCredential per source comment) - Add -f (codepage) to unimplemented switches table - Replace generic auth method descriptions with driver-verified details including actual env var names and connection parameters --- README.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 07111ecf..4bb963be 100644 --- a/README.md +++ b/README.md @@ -166,6 +166,7 @@ Most switches from the original ODBC-based `sqlcmd` have been implemented. The f | Switch | Description | |--------|-------------| +| `-f` | Input/output code page | | `-j` | Print raw error messages | | `-p[1]` | Print statistics (optional colon format) | @@ -222,7 +223,7 @@ To use AAD auth, you can use one of two command line switches: `ActiveDirectoryIntegrated` -This method uses integrated Windows authentication. On Windows, it uses the current user's credentials. On Linux and macOS, it uses Kerberos authentication (requires a properly configured Kerberos environment). +This method is not fully implemented in the go-mssqldb driver and currently falls back to `ActiveDirectoryDefault`. `ActiveDirectoryPassword` @@ -254,13 +255,13 @@ This method uses the device code flow for authentication. It displays a code tha The following authentication methods are also supported via `--authentication-method`: -- `ActiveDirectoryWorkloadIdentity` - For workload identity federation scenarios -- `ActiveDirectoryClientAssertion` - For client assertion authentication -- `ActiveDirectoryAzurePipelines` - For Azure Pipelines service connections -- `ActiveDirectoryEnvironment` - Uses environment variables for authentication -- `ActiveDirectoryAzureDeveloperCli` - Uses Azure Developer CLI credentials -- `ActiveDirectoryServicePrincipalAccessToken` - Uses a pre-obtained access token -- `SqlPassword` - SQL Server authentication (same as using `-U` and `-P` without `-G`) +- `ActiveDirectoryWorkloadIdentity` - Uses federated token authentication for Kubernetes or GitHub Actions workloads; optionally provide `client_id@tenant_id` as username and `tokenfilepath` parameter (defaults to `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_FEDERATED_TOKEN_FILE` env vars) +- `ActiveDirectoryClientAssertion` - Authenticates with a signed JWT assertion instead of a client secret +- `ActiveDirectoryAzurePipelines` - Authenticates using an Azure Pipelines service connection; requires `client_id@tenant_id` as username, plus `serviceconnectionid` and `systemtoken` connection parameters (or `AZURESUBSCRIPTION_CLIENT_ID`, `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID`, `SYSTEM_ACCESSTOKEN` env vars) +- `ActiveDirectoryEnvironment` - Selects a credential type automatically based on which `AZURE_*` environment variables are set (client secret, certificate, or username/password) +- `ActiveDirectoryAzureDeveloperCli` - Uses credentials from `azd auth login` (Azure Developer CLI) +- `ActiveDirectoryServicePrincipalAccessToken` - Uses a pre-obtained bearer token; set `SQLCMDPASSWORD` to the access token value +- `SqlPassword` - SQL Server authentication (equivalent to `-U` and `-P` without `-G`) #### Environment variables for AAD auth From 48092353067bd2ad3c292be226c6683882a944f7 Mon Sep 17 00:00:00 2001 From: David Levy Date: Wed, 22 Apr 2026 16:41:14 -0500 Subject: [PATCH 03/10] docs: clarify -p[1], tokenfilepath, and ClientAssertion descriptions - Expand -p[1] from 'optional colon format' to explain what it does - Explain tokenfilepath is a path to the federated token file - Add ClientAssertion usage: client_id@tenant_id as user, JWT as password --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 4bb963be..7c6de272 100644 --- a/README.md +++ b/README.md @@ -168,7 +168,7 @@ Most switches from the original ODBC-based `sqlcmd` have been implemented. The f |--------|-------------| | `-f` | Input/output code page | | `-j` | Print raw error messages | -| `-p[1]` | Print statistics (optional colon format) | +| `-p[1]` | Print performance statistics after each result set. `-p1` uses colon-separated format for machine parsing | For historical context and to provide feedback, see [discussion #292](https://github.com/microsoft/go-sqlcmd/discussions/292). @@ -255,8 +255,8 @@ This method uses the device code flow for authentication. It displays a code tha The following authentication methods are also supported via `--authentication-method`: -- `ActiveDirectoryWorkloadIdentity` - Uses federated token authentication for Kubernetes or GitHub Actions workloads; optionally provide `client_id@tenant_id` as username and `tokenfilepath` parameter (defaults to `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_FEDERATED_TOKEN_FILE` env vars) -- `ActiveDirectoryClientAssertion` - Authenticates with a signed JWT assertion instead of a client secret +- `ActiveDirectoryWorkloadIdentity` - Uses federated token authentication for Kubernetes or GitHub Actions workloads; optionally provide `client_id@tenant_id` as username and set the `tokenfilepath` connection parameter to the path of the federated token file (defaults to `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_FEDERATED_TOKEN_FILE` env vars) +- `ActiveDirectoryClientAssertion` - Authenticates with a signed JWT assertion instead of a client secret; provide `client_id@tenant_id` as username and the signed JWT as the password (`-P` or `SQLCMDPASSWORD`) - `ActiveDirectoryAzurePipelines` - Authenticates using an Azure Pipelines service connection; requires `client_id@tenant_id` as username, plus `serviceconnectionid` and `systemtoken` connection parameters (or `AZURESUBSCRIPTION_CLIENT_ID`, `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID`, `SYSTEM_ACCESSTOKEN` env vars) - `ActiveDirectoryEnvironment` - Selects a credential type automatically based on which `AZURE_*` environment variables are set (client secret, certificate, or username/password) - `ActiveDirectoryAzureDeveloperCli` - Uses credentials from `azd auth login` (Azure Developer CLI) From e3c27b7e275da84f828fcc2aacdd166cb083ef3e Mon Sep 17 00:00:00 2001 From: David Levy Date: Tue, 19 May 2026 15:27:38 -0500 Subject: [PATCH 04/10] docs: address PR #639 review feedback - Replace SqlAuthentication with SqlPassword in :Connect -G list (SqlAuthentication is not a recognized value; -G routes unknown strings to the AAD path) - Note that ServicePrincipalAccessToken does not currently propagate SQLCMDPASSWORD into the connection string - Remove mention of tokenfilepath/serviceconnectionid/systemtoken as connection parameters; sqlcmd has no way to pass them, only env vars --- README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 7c6de272..a2a1d541 100644 --- a/README.md +++ b/README.md @@ -175,7 +175,7 @@ For historical context and to provide feedback, see [discussion #292](https://gi ### Miscellaneous enhancements - Console output coloring (see below) -- `:Connect` now has an optional `-G` parameter to select one of the authentication methods for Azure SQL Database - `SqlAuthentication`, `ActiveDirectoryDefault`, `ActiveDirectoryIntegrated`, `ActiveDirectoryServicePrincipal`, `ActiveDirectoryManagedIdentity`, `ActiveDirectoryPassword`, `ActiveDirectoryInteractive`, `ActiveDirectoryAzCli`, `ActiveDirectoryDeviceCode`. If `-G` is not provided, either Integrated security or SQL Authentication will be used, dependent on the presence of a `-U` username parameter. +- `:Connect` now has an optional `-G` parameter to select one of the authentication methods for Azure SQL Database - `SqlPassword`, `ActiveDirectoryDefault`, `ActiveDirectoryIntegrated`, `ActiveDirectoryServicePrincipal`, `ActiveDirectoryManagedIdentity`, `ActiveDirectoryPassword`, `ActiveDirectoryInteractive`, `ActiveDirectoryAzCli`, `ActiveDirectoryDeviceCode`. If `-G` is not provided, either Integrated security or SQL Authentication will be used, dependent on the presence of a `-U` username parameter. - The new `--driver-logging-level` command line parameter allows you to see traces from the `go-mssqldb` client driver. Use `64` to see all traces. - Sqlcmd can now print results using a vertical format. Use the new `--vertical` command line option to set it. It's also controlled by the `SQLCMDFORMAT` scripting variable. @@ -255,13 +255,13 @@ This method uses the device code flow for authentication. It displays a code tha The following authentication methods are also supported via `--authentication-method`: -- `ActiveDirectoryWorkloadIdentity` - Uses federated token authentication for Kubernetes or GitHub Actions workloads; optionally provide `client_id@tenant_id` as username and set the `tokenfilepath` connection parameter to the path of the federated token file (defaults to `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_FEDERATED_TOKEN_FILE` env vars) -- `ActiveDirectoryClientAssertion` - Authenticates with a signed JWT assertion instead of a client secret; provide `client_id@tenant_id` as username and the signed JWT as the password (`-P` or `SQLCMDPASSWORD`) -- `ActiveDirectoryAzurePipelines` - Authenticates using an Azure Pipelines service connection; requires `client_id@tenant_id` as username, plus `serviceconnectionid` and `systemtoken` connection parameters (or `AZURESUBSCRIPTION_CLIENT_ID`, `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID`, `SYSTEM_ACCESSTOKEN` env vars) -- `ActiveDirectoryEnvironment` - Selects a credential type automatically based on which `AZURE_*` environment variables are set (client secret, certificate, or username/password) -- `ActiveDirectoryAzureDeveloperCli` - Uses credentials from `azd auth login` (Azure Developer CLI) -- `ActiveDirectoryServicePrincipalAccessToken` - Uses a pre-obtained bearer token; set `SQLCMDPASSWORD` to the access token value -- `SqlPassword` - SQL Server authentication (equivalent to `-U` and `-P` without `-G`) +- `ActiveDirectoryWorkloadIdentity` - Uses federated token authentication for Kubernetes or GitHub Actions workloads. Optionally provide `client_id@tenant_id` as username. The token file path and tenant/client IDs are read from the `AZURE_FEDERATED_TOKEN_FILE`, `AZURE_TENANT_ID`, and `AZURE_CLIENT_ID` environment variables; sqlcmd does not expose a way to pass these as connection parameters. +- `ActiveDirectoryClientAssertion` - Authenticates with a signed JWT assertion instead of a client secret; provide `client_id@tenant_id` as username and the signed JWT as the password (`-P` or `SQLCMDPASSWORD`). +- `ActiveDirectoryAzurePipelines` - Authenticates using an Azure Pipelines service connection. Requires `client_id@tenant_id` as username. The service connection ID and system access token are read from the `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` and `SYSTEM_ACCESSTOKEN` environment variables (with `AZURESUBSCRIPTION_CLIENT_ID` as a fallback for the client ID); sqlcmd does not expose a way to pass these as connection parameters. +- `ActiveDirectoryEnvironment` - Selects a credential type automatically based on which `AZURE_*` environment variables are set (client secret, certificate, or username/password). +- `ActiveDirectoryAzureDeveloperCli` - Uses credentials from `azd auth login` (Azure Developer CLI). +- `ActiveDirectoryServicePrincipalAccessToken` - Intended to use a pre-obtained bearer token, but sqlcmd does not currently propagate `SQLCMDPASSWORD` (or `-P`) into the connection string for this method, so the token is not passed to the driver. Do not rely on this method until that gap is closed. +- `SqlPassword` - SQL Server authentication (equivalent to `-U` and `-P` without `-G`). #### Environment variables for AAD auth From 83aba89a91d150ae11954f30903ab1dd9a9a29e1 Mon Sep 17 00:00:00 2001 From: David Levy Date: Tue, 19 May 2026 15:42:04 -0500 Subject: [PATCH 05/10] docs: address PR #639 follow-up review - Fix double space in :Connect -G description (line 178) - Soften ActiveDirectoryServicePrincipalAccessToken wording and link tracking issue #758 --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a2a1d541..04062f1c 100644 --- a/README.md +++ b/README.md @@ -175,7 +175,7 @@ For historical context and to provide feedback, see [discussion #292](https://gi ### Miscellaneous enhancements - Console output coloring (see below) -- `:Connect` now has an optional `-G` parameter to select one of the authentication methods for Azure SQL Database - `SqlPassword`, `ActiveDirectoryDefault`, `ActiveDirectoryIntegrated`, `ActiveDirectoryServicePrincipal`, `ActiveDirectoryManagedIdentity`, `ActiveDirectoryPassword`, `ActiveDirectoryInteractive`, `ActiveDirectoryAzCli`, `ActiveDirectoryDeviceCode`. If `-G` is not provided, either Integrated security or SQL Authentication will be used, dependent on the presence of a `-U` username parameter. +- `:Connect` now has an optional `-G` parameter to select one of the authentication methods for Azure SQL Database: `SqlPassword`, `ActiveDirectoryDefault`, `ActiveDirectoryIntegrated`, `ActiveDirectoryServicePrincipal`, `ActiveDirectoryManagedIdentity`, `ActiveDirectoryPassword`, `ActiveDirectoryInteractive`, `ActiveDirectoryAzCli`, `ActiveDirectoryDeviceCode`. If `-G` is not provided, either Integrated security or SQL Authentication will be used, dependent on the presence of a `-U` username parameter. - The new `--driver-logging-level` command line parameter allows you to see traces from the `go-mssqldb` client driver. Use `64` to see all traces. - Sqlcmd can now print results using a vertical format. Use the new `--vertical` command line option to set it. It's also controlled by the `SQLCMDFORMAT` scripting variable. @@ -260,7 +260,7 @@ The following authentication methods are also supported via `--authentication-me - `ActiveDirectoryAzurePipelines` - Authenticates using an Azure Pipelines service connection. Requires `client_id@tenant_id` as username. The service connection ID and system access token are read from the `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` and `SYSTEM_ACCESSTOKEN` environment variables (with `AZURESUBSCRIPTION_CLIENT_ID` as a fallback for the client ID); sqlcmd does not expose a way to pass these as connection parameters. - `ActiveDirectoryEnvironment` - Selects a credential type automatically based on which `AZURE_*` environment variables are set (client secret, certificate, or username/password). - `ActiveDirectoryAzureDeveloperCli` - Uses credentials from `azd auth login` (Azure Developer CLI). -- `ActiveDirectoryServicePrincipalAccessToken` - Intended to use a pre-obtained bearer token, but sqlcmd does not currently propagate `SQLCMDPASSWORD` (or `-P`) into the connection string for this method, so the token is not passed to the driver. Do not rely on this method until that gap is closed. +- `ActiveDirectoryServicePrincipalAccessToken` - Intended to use a pre-obtained bearer token. sqlcmd does not currently propagate `SQLCMDPASSWORD` (or `-P`) into the connection string for this method, so the token is not reaching the driver; tracked in [#758](https://github.com/microsoft/go-sqlcmd/issues/758). - `SqlPassword` - SQL Server authentication (equivalent to `-U` and `-P` without `-G`). #### Environment variables for AAD auth From 3c8328e5b150264de36f40152727a3faace34b3e Mon Sep 17 00:00:00 2001 From: David Levy Date: Tue, 19 May 2026 15:46:59 -0500 Subject: [PATCH 06/10] docs: link PR #756 (the actual fix) instead of duplicate issue #758 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 04062f1c..66d80684 100644 --- a/README.md +++ b/README.md @@ -260,7 +260,7 @@ The following authentication methods are also supported via `--authentication-me - `ActiveDirectoryAzurePipelines` - Authenticates using an Azure Pipelines service connection. Requires `client_id@tenant_id` as username. The service connection ID and system access token are read from the `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` and `SYSTEM_ACCESSTOKEN` environment variables (with `AZURESUBSCRIPTION_CLIENT_ID` as a fallback for the client ID); sqlcmd does not expose a way to pass these as connection parameters. - `ActiveDirectoryEnvironment` - Selects a credential type automatically based on which `AZURE_*` environment variables are set (client secret, certificate, or username/password). - `ActiveDirectoryAzureDeveloperCli` - Uses credentials from `azd auth login` (Azure Developer CLI). -- `ActiveDirectoryServicePrincipalAccessToken` - Intended to use a pre-obtained bearer token. sqlcmd does not currently propagate `SQLCMDPASSWORD` (or `-P`) into the connection string for this method, so the token is not reaching the driver; tracked in [#758](https://github.com/microsoft/go-sqlcmd/issues/758). +- `ActiveDirectoryServicePrincipalAccessToken` - Intended to use a pre-obtained bearer token. sqlcmd does not currently propagate `SQLCMDPASSWORD` (or `-P`) into the connection string for this method, so the token is not reaching the driver; fix proposed in [#756](https://github.com/microsoft/go-sqlcmd/pull/756). - `SqlPassword` - SQL Server authentication (equivalent to `-U` and `-P` without `-G`). #### Environment variables for AAD auth From d924e78c7669e28afc2d5b1253a7c52010c1d77b Mon Sep 17 00:00:00 2001 From: David Levy Date: Tue, 19 May 2026 15:48:20 -0500 Subject: [PATCH 07/10] docs: document ActiveDirectoryServicePrincipalAccessToken normally Assumes #756 lands before this PR is merged. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 66d80684..d186e6b4 100644 --- a/README.md +++ b/README.md @@ -260,7 +260,7 @@ The following authentication methods are also supported via `--authentication-me - `ActiveDirectoryAzurePipelines` - Authenticates using an Azure Pipelines service connection. Requires `client_id@tenant_id` as username. The service connection ID and system access token are read from the `AZURESUBSCRIPTION_SERVICE_CONNECTION_ID` and `SYSTEM_ACCESSTOKEN` environment variables (with `AZURESUBSCRIPTION_CLIENT_ID` as a fallback for the client ID); sqlcmd does not expose a way to pass these as connection parameters. - `ActiveDirectoryEnvironment` - Selects a credential type automatically based on which `AZURE_*` environment variables are set (client secret, certificate, or username/password). - `ActiveDirectoryAzureDeveloperCli` - Uses credentials from `azd auth login` (Azure Developer CLI). -- `ActiveDirectoryServicePrincipalAccessToken` - Intended to use a pre-obtained bearer token. sqlcmd does not currently propagate `SQLCMDPASSWORD` (or `-P`) into the connection string for this method, so the token is not reaching the driver; fix proposed in [#756](https://github.com/microsoft/go-sqlcmd/pull/756). +- `ActiveDirectoryServicePrincipalAccessToken` - Authenticates with a pre-obtained AAD bearer token. Pass the token as the password (`-P` or `SQLCMDPASSWORD`); the username is ignored. - `SqlPassword` - SQL Server authentication (equivalent to `-U` and `-P` without `-G`). #### Environment variables for AAD auth From f5aa25ec41c02917bdc2a236e8b2317ed87c866f Mon Sep 17 00:00:00 2001 From: David Levy Date: Tue, 19 May 2026 15:56:11 -0500 Subject: [PATCH 08/10] docs: link tracking PRs/issues for unimplemented switches - -f tracked by #628 (and #111) - -j and -p[1] still only in discussion #292 --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index d186e6b4..e62f339f 100644 --- a/README.md +++ b/README.md @@ -164,11 +164,11 @@ The following switches have different behavior in this version of `sqlcmd` compa Most switches from the original ODBC-based `sqlcmd` have been implemented. The following switches are not yet available: -| Switch | Description | -|--------|-------------| -| `-f` | Input/output code page | -| `-j` | Print raw error messages | -| `-p[1]` | Print performance statistics after each result set. `-p1` uses colon-separated format for machine parsing | +| Switch | Description | Tracking | +|--------|-------------|----------| +| `-f` | Input/output code page | proposed in [#628](https://github.com/microsoft/go-sqlcmd/pull/628) (also see [#111](https://github.com/microsoft/go-sqlcmd/issues/111)) | +| `-j` | Print raw error messages | [discussion #292](https://github.com/microsoft/go-sqlcmd/discussions/292) | +| `-p[1]` | Print performance statistics after each result set. `-p1` uses colon-separated format for machine parsing | [discussion #292](https://github.com/microsoft/go-sqlcmd/discussions/292) | For historical context and to provide feedback, see [discussion #292](https://github.com/microsoft/go-sqlcmd/discussions/292). From 1656c0d9f7b78e1db0c8c91698feb4280503fe51 Mon Sep 17 00:00:00 2001 From: David Levy Date: Tue, 19 May 2026 15:57:36 -0500 Subject: [PATCH 09/10] docs: add tracking PRs for -j and -p[1] - -p[1] tracked by open PR #631 - -j: only a closed/unmerged attempt (#624); kept discussion #292 as primary ref --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e62f339f..59907506 100644 --- a/README.md +++ b/README.md @@ -167,8 +167,8 @@ Most switches from the original ODBC-based `sqlcmd` have been implemented. The f | Switch | Description | Tracking | |--------|-------------|----------| | `-f` | Input/output code page | proposed in [#628](https://github.com/microsoft/go-sqlcmd/pull/628) (also see [#111](https://github.com/microsoft/go-sqlcmd/issues/111)) | -| `-j` | Print raw error messages | [discussion #292](https://github.com/microsoft/go-sqlcmd/discussions/292) | -| `-p[1]` | Print performance statistics after each result set. `-p1` uses colon-separated format for machine parsing | [discussion #292](https://github.com/microsoft/go-sqlcmd/discussions/292) | +| `-j` | Print raw error messages | [discussion #292](https://github.com/microsoft/go-sqlcmd/discussions/292) (earlier attempt: [#624](https://github.com/microsoft/go-sqlcmd/pull/624), closed) | +| `-p[1]` | Print performance statistics after each result set. `-p1` uses colon-separated format for machine parsing | proposed in [#631](https://github.com/microsoft/go-sqlcmd/pull/631) | For historical context and to provide feedback, see [discussion #292](https://github.com/microsoft/go-sqlcmd/discussions/292). From 0169bec2a226a162044a0fc46660502a6b064dfb Mon Sep 17 00:00:00 2001 From: David Levy Date: Tue, 19 May 2026 16:03:18 -0500 Subject: [PATCH 10/10] docs: drop stale #624 reference from -j row --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 59907506..c05f6df3 100644 --- a/README.md +++ b/README.md @@ -167,7 +167,7 @@ Most switches from the original ODBC-based `sqlcmd` have been implemented. The f | Switch | Description | Tracking | |--------|-------------|----------| | `-f` | Input/output code page | proposed in [#628](https://github.com/microsoft/go-sqlcmd/pull/628) (also see [#111](https://github.com/microsoft/go-sqlcmd/issues/111)) | -| `-j` | Print raw error messages | [discussion #292](https://github.com/microsoft/go-sqlcmd/discussions/292) (earlier attempt: [#624](https://github.com/microsoft/go-sqlcmd/pull/624), closed) | +| `-j` | Print raw error messages | [discussion #292](https://github.com/microsoft/go-sqlcmd/discussions/292) | | `-p[1]` | Print performance statistics after each result set. `-p1` uses colon-separated format for machine parsing | proposed in [#631](https://github.com/microsoft/go-sqlcmd/pull/631) | For historical context and to provide feedback, see [discussion #292](https://github.com/microsoft/go-sqlcmd/discussions/292).