azsqlshell — an interactive Azure SQL shell with AAD bearer‑token authentication

⚙️ Tools | 2026-06-16, 07:34
azsqlshell is an SQL client designed for Azure SQL. It uses an Azure Active Directory bearer token instead of a traditional username/password authentication flow.
The tool is written in Python 3.9+ and can automatically perform a read‑only privilege audit on connection, highlighting the resulting access level with a color code:
⚪️ PUBLIC — nothing notable;
🟢 READ — the current permissions allow executing SELECT queries against tables and views;
🟡 WRITE — the current permissions allow INSERT, UPDATE and DELETE operations;
🔴 DDL — the current permissions allow executing data definition language commands such as CREATE, ALTER or DROP;
🔴 OWNER — the current permissions grant full database‑level control.
The tool is useful for red team engagements when an Azure token has been extracted from a Managed Identity (for example, through an SSRF attack against the Instance Metadata Service or after compromising a host).
The closest alternatives are sqlcmd and Azure Data Studio. Both rely primarily on traditional authentication methods and do not support using an already obtained bearer token, although they offer a richer UI and editor experience.
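The privilege audit described above can be reproduced when reviewing what a managed identity's database principal is actually granted. The following is an added example, not azsqlshell's own code: the two queries use standard Azure SQL catalog functions, while the mapping rules, the function names and the sample rows are assumptions made for illustration.

```python
# Added example: classify effective database permissions into the five
# levels named on this page. The mapping is an assumption, not the tool's.
from enum import IntEnum

# Read-only audit queries (standard SQL Server / Azure SQL catalog objects).
PERMISSIONS_QUERY = (
    "SELECT permission_name FROM sys.fn_my_permissions(NULL, 'DATABASE');")
ROLES_QUERY = ("SELECT name FROM sys.database_principals "
               "WHERE type = 'R' AND IS_ROLEMEMBER(name) = 1;")

class Level(IntEnum):
    """Ranked by severity; the highest level found is reported."""
    PUBLIC = 0
    READ = 1
    WRITE = 2
    DDL = 3
    OWNER = 4

# Fixed database roles and the level each one implies (assumed ranking).
ROLE_LEVELS = {"db_owner": Level.OWNER, "db_ddladmin": Level.DDL,
               "db_datawriter": Level.WRITE, "db_datareader": Level.READ}
WRITE_PERMS = {"INSERT", "UPDATE", "DELETE"}

def permission_level(name):
    """Map one permission_name value to a level."""
    p = name.strip().upper()
    if p == "CONTROL":
        return Level.OWNER
    if p == "ALTER" or p.startswith(("CREATE ", "ALTER ANY ")):
        return Level.DDL
    if p in WRITE_PERMS:
        return Level.WRITE
    if p == "SELECT":
        return Level.READ
    return Level.PUBLIC  # CONNECT, EXECUTE, VIEW DEFINITION, ...

def audit(permissions, roles=()):
    """Return the highest level implied by permissions and role names."""
    levels = [permission_level(p) for p in permissions]
    levels += [ROLE_LEVELS.get(r.lower(), Level.PUBLIC) for r in roles]
    return max(levels, default=Level.PUBLIC)

# Constructed sample rows, as the two queries above might return them.
SAMPLE_PERMISSIONS = ["CONNECT", "SELECT", "INSERT", "VIEW DEFINITION"]
SAMPLE_ROLES = ["public", "db_datareader"]

if __name__ == "__main__":
    print(audit(SAMPLE_PERMISSIONS, SAMPLE_ROLES).name)
```

A result above READ for an identity that only needs to query data is a sign that its database role assignments should be narrowed.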