
[FEATURE REQUEST] Deprecate authentication.type = azure-active-directory-password #1684


Open
David-Engel opened this issue Mar 21, 2025 · 0 comments

Comments

@David-Engel
Member

Is your feature request related to a problem? If so, please give a short summary of the problem and how the feature would resolve it

From: Plan for mandatory Microsoft Entra multifactor authentication (MFA) - Microsoft Entra ID | Microsoft Learn

At Microsoft, we're committed to providing our customers with the highest level of security. One of the most effective security measures available to them is multifactor authentication (MFA). Research by Microsoft shows that MFA can block more than 99.2% of account compromise attacks.

That's why, starting in 2024, we'll enforce mandatory MFA for all Azure sign-in attempts. For more background about this requirement, see our blog post. This topic covers which applications and accounts are affected, how enforcement gets rolled out to tenants, and other common questions and answers.

There's no change for users if your organization already enforces MFA for them, or if they sign in with stronger methods like passwordless or passkey (FIDO2). To verify that MFA is enabled, see How to verify that users are set up for mandatory MFA.

UsernamePasswordCredential is deprecated in the Azure Identity libraries for .NET, Java, JavaScript, and Python and acquireTokenByUsernamePassword is deprecated in the MSAL libraries. See the details at Plan for mandatory Microsoft Entra multifactor authentication (MFA) - Microsoft Entra ID | Microsoft Learn.

Aligning with the above effort, we are planning to deprecate Microsoft Entra ID (formerly Azure Active Directory) Username + Password authentication methods in Microsoft Drivers for SQL Server in future releases. Ref: dotnet/SqlClient#3188 and microsoft/mssql-jdbc#2623

Describe the preferred solution

Deprecate authentication.type = azure-active-directory-password

I recommend that tedious follow suit to encourage users to move away from these authentication methods that are prime targets for attackers.

@arthurschreiber
CC: @scottaddie
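
A pre-flight check for applications that want to find uses of this authentication type ahead of any deprecation, added here as an example; it is not tedious code and not part of this issue. The helper names, the warning code and the sample configs are hypothetical, and `azure-active-directory-default` as the suggested replacement assumes the installed tedious version accepts it.

```javascript
// Added example: audit helper, not part of tedious or its API.
const DEPRECATED_AUTH_TYPE = 'azure-active-directory-password'; // value named in this issue
// Assumption: a non-password Entra ID type that the installed tedious version accepts.
const SUGGESTED_AUTH_TYPE = 'azure-active-directory-default';
// Hypothetical warning code, chosen for this example only.
const WARNING_CODE = 'EXAMPLE_TEDIOUS_AAD_PASSWORD';

// Constructed sample: named tedious connection configs as an app might hold them.
const SAMPLE_CONFIGS = {
  reporting: {
    server: 'sql-a.example.test',
    authentication: {
      type: 'azure-active-directory-password',
      options: { userName: 'svc-report@example.test', password: 'constructed-not-real' },
    },
  },
  api: {
    server: 'sql-b.example.test',
    authentication: { type: 'azure-active-directory-default', options: {} },
  },
  legacy: { server: 'sql-c.example.test' }, // no authentication block at all
};

// Return one finding per config that uses the deprecated type.
// Findings carry only name, server and type, never userName or password.
function findDeprecatedAuth(configs) {
  const findings = [];
  for (const [name, cfg] of Object.entries(configs || {})) {
    const type = cfg && cfg.authentication && cfg.authentication.type;
    if (type === DEPRECATED_AUTH_TYPE) {
      findings.push({ name, server: cfg.server || null, type, suggested: SUGGESTED_AUTH_TYPE });
    }
  }
  return findings;
}

// Surface each finding through Node's standard deprecation channel, so
// --trace-deprecation and --throw-deprecation work as for any other deprecation.
function warnDeprecatedAuth(configs) {
  const findings = findDeprecatedAuth(configs);
  for (const f of findings) {
    process.emitWarning(
      `config "${f.name}" (${f.server}) uses authentication.type = ${f.type}; ` +
        `move to a non-password type such as ${f.suggested}`,
      { type: 'DeprecationWarning', code: WARNING_CODE }
    );
  }
  return findings;
}
```

Calling `warnDeprecatedAuth(SAMPLE_CONFIGS)` at startup reports the `reporting` entry only, without echoing its credentials.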
