[OBO] Add CLI support for user-delegated authentication configuration

[Copilot]

Why make this change?

Implements CLI configuration for OBO (On-Behalf-Of) delegated identity as specified in #2898. The OBO core implementation was merged into main via PR #3151. This PR adds CLI commands to enable operators to configure per-user Entra ID authentication to Azure SQL and SQL Server via CLI instead of manual config file editing.

What is this change?

CLI Commands Added

• dab configure --data-source.user-delegated-auth.enabled true - Enable/disable OBO authentication for Azure SQL and SQL Server
• dab configure --data-source.user-delegated-auth.database-audience "https://database.windows.net" - Configure database resource identifier for token acquisition

Implementation Details

• Updated ConfigureOptions.cs with two new CLI option parameters (dataSourceUserDelegatedAuthEnabled, dataSourceUserDelegatedAuthDatabaseAudience)
• Updated ConfigGenerator.TryUpdateConfiguredDataSourceOptions() to create/update UserDelegatedAuthOptions configuration
• Added validation to ensure user-delegated-auth is only used with MSSQL database type
• Provider field automatically defaults to "EntraId" when user-delegated-auth is configured
• Preserves existing user-delegated-auth configuration when updating individual fields
• Help text clarifies support for both Azure SQL and on-premises SQL Server

Configuration Output

The CLI generates configuration that integrates with the UserDelegatedAuthOptions from the merged OBO implementation:

{
  "data-source": {
    "database-type": "mssql",
    "connection-string": "...",
    "user-delegated-auth": {
      "enabled": true,
      "provider": "EntraId",
      "database-audience": "https://database.windows.net"
    }
  }
}

Files Changed (5 CLI-specific files)

• src/Cli/Commands/ConfigureOptions.cs - CLI option definitions with SQL Server on-premises support
• src/Cli/ConfigGenerator.cs - Configuration update logic
• src/Cli.Tests/ConfigureOptionsTests.cs - Consolidated CLI configuration tests
• src/Cli.Tests/UserDelegatedAuthRuntimeParsingTests.cs - 2 runtime parsing tests
• src/Cli.Tests/TestHelper.cs - Added CONFIG_WITH_USER_DELEGATED_AUTH test constant

How was this tested?

• Unit Tests - 9 tests total:
  • 3 parameterized CLI configuration tests (enabled only, audience only, both together)
  • 1 update test with JSON structure validation (verifies proper nesting under data-source with correct property names)
  • 3 validation error tests (PostgreSQL, MySQL, CosmosDB rejection)
  • 2 runtime parsing tests (verify CLI-generated config loads correctly)
  • Tests verify default values for properties not explicitly set (Enabled defaults to false, DatabaseAudience defaults to null)
• Integration Tests - Verified MSSQL-only validation with PostgreSQL/MySQL/CosmosDB rejection scenarios

Sample Request(s)

Initialize and configure OBO in one workflow:

# Initialize MSSQL config
dab init --database-type mssql --connection-string "Server=myserver.database.windows.net;Database=mydb"

# Enable user-delegated auth with both options
dab configure --data-source.user-delegated-auth.enabled true \
              --data-source.user-delegated-auth.database-audience "https://database.windows.net"

Update audience for existing configuration:

dab configure --data-source.user-delegated-auth.database-audience "https://database.usgovcloudapi.net"

Update only the enabled flag:

dab configure --data-source.user-delegated-auth.enabled false

Validation - fails for non-MSSQL:

dab init --database-type postgresql --connection-string "..."
dab configure --data-source.user-delegated-auth.enabled true
# Error: user-delegated-auth is only supported for database-type 'mssql'.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[OBO] CLI Support for Enabling OBO Delegated Identity</issue_title>
<issue_description>Implement CLI support for enabling OBO exactly as defined in the design.

• These CLI Commands should be supported
  dab configure --data-source.user-delegated-auth.enabled true
dab configure --data-source.user-delegated-auth.database-audience "<audience>"

• Ensure CLI writes correct config structure

• Ensure runtime consumes CLI‑produced config

Testing:

1. CLI sets user-delegated-auth.enabled = true
2. CLI sets correct database-audience
3. runtime reads CLI output correctly
4. invalid CLI input fails deterministically</issue_description>

<agent_instructions>https://microsoft-my.sharepoint.com/:w:/p/anushakolan/IQDsb4patJ52Q65Cp0QHQ-b_Aazplc1go_6k2HccCOYLQNU?e=Bpuv1Z&wdOrigin=TEAMS-MAGLEV.null_ns.rwc&wdExp=TEAMS-TREATMENT&wdhostclicktime=1770765689642&web=1

Follow this design document for more context and questions, understand the requirement of the task, this is the main task, #2898, create the PR accordingly.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes [OBO] CLI Support for Enabling OBO Delegated Identity #3127

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[anushakolan]

@copilot this is the actual PR implementing OBO, #3151. Align the naming and implementation of the PR 3128 with the core implementation PR.

[Copilot]

@copilot this is the actual PR implementing OBO, #3151. Align the naming and implementation of the PR 3128 with the core implementation ...

Aligned CLI implementation with PR #3151 in commit b0f98fe. Changes:

• Renamed UserDelegatedAuthConfig → UserDelegatedAuthOptions
• Added provider field with default "EntraId"
• Updated constants to match (45min token cache, environment variable names)
• Removed config-only fields (DisableConnectionPooling, TokenCacheDurationMinutes)
• Added JsonPropertyName attributes for proper serialization

Generated config now matches the schema from PR #3151:

{
  "user-delegated-auth": {
    "enabled": true,
    "provider": "EntraId",
    "database-audience": "https://database.windows.net"
  }
}

[anushakolan]

@copilot make the target branch for this PR to be the branch in PR 3151, So that we won't have duplicate changes. After the PR 3151 is merged, we can merge this PR as well.

[Copilot]

@copilot make the target branch for this PR to be the branch in PR 3151, So that we won't have duplicate changes. After the PR 3151 is merged, we can merge this PR as well.

I've rebased the branch onto dev/anushakolan/obo-delegated-identity (commit f5173cf). The branch now contains only CLI-specific changes on top of the OBO implementation from PR #3151.

However, I cannot change the PR base branch through git commands - that must be done in the GitHub UI. Please update the base branch of this PR from main to dev/anushakolan/obo-delegated-identity in the GitHub PR settings.

Note: The current remote branch state is outdated. To update it with the rebased commits, you'll need to force push manually or I can create a new branch with a different name if preferred.

[anushakolan]

@copilot this branch should contain changes explicilty related to cli addition, the core implementation branch is https://github.com/Azure/data-api-builder/tree/dev/anushakolan/obo-delegated-identity. I changed the target branch of this PR to https://github.com/Azure/data-api-builder/tree/dev/anushakolan/obo-delegated-identity, so make sure there are no repeated or duplicate code as it will create conflicts.

[anushakolan]

/azp run

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• http://api.nuget.org:443/DigiCertCSRSA4096RootG5.crl
  • Triggering command: /usr/bin/dotnet dotnet test src/Cli.Tests/Cli.Tests.csproj --filter FullyQualifiedName~UserDelegatedAuth --verbosity minimal (http block)
• http://api.nuget.org:443/NETFoundationProjectsCodeSigningCA2.crl
  • Triggering command: /usr/bin/dotnet dotnet test src/Cli.Tests/Cli.Tests.csproj --filter FullyQualifiedName~UserDelegatedAuth --verbosity minimal (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[azure-pipelines]

Azure Pipelines successfully started running 6 pipeline(s).

[anushakolan]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 6 pipeline(s).

[anushakolan]

@copilot why are the comments not getting addressed by you?

[Copilot]

@copilot why are the comments not getting addressed by you?

Addressed the comment from @Aniruddh25 in commit 098fbcc. Removed redundant DataRows for different cloud audiences since they all test the same string assignment behavior.

[anushakolan]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 6 pipeline(s).