AI agents are only as useful as the data they can access. And for most enterprises, that data lives in SQL databases — systems built for precision, security, and reliability. The problem has always been connecting those systems to AI without compromising what makes them valuable in the first place.

Microsoft has an answer. The company recently introduced SQL MCP Server, a new addition to its Data API builder (DAB) platform that gives AI agents secure, structured access to enterprise SQL data. It’s open source, free, and available now.

What is SQL MCP Server?

SQL MCP Server gives enterprises a secure, feature-rich way to enable agents to access data without exposing the schema, risking data consistency, or relying on fragile natural-language parsing.

It’s built on top of the Data API builder, which already handles REST and GraphQL endpoints. DAB 2.0 provides a production-ready surface for REST, GraphQL, and MCP, with automatic configuration, native integration with Microsoft Foundry, a first-class query builder, and developer tooling, including dedicated VS Code extensions, built-in REST and GraphQL tools, and a cross-platform CLI.

The practical upside: Developers don’t have to build new infrastructure. They configure it using a JSON file, run three CLI commands — init, add, and start — and it’s operational.

Why It Matters for Agentic Workflows

One of the persistent challenges with AI agents in enterprise settings is safely connecting them to production data. Most approaches either expose too much of the underlying schema or rely on the model to generate SQL queries on the fly — a method that introduces risk and unpredictability.

SQL MCP Server takes a different path. It intentionally doesn’t support NL2SQL. Models aren’t deterministic, and complex queries are the most likely to produce subtle errors. Instead, it uses what Microsoft calls an NL2DAB model — routing requests through the entity abstraction layer and DAB’s built-in query builder to produce accurate, deterministic T-SQL every time.

That design choice matters. In production environments, the difference between a query that works 95% of the time and one that works 100% of the time is often the difference between a tool people trust and one they don’t.

The context window is the agent’s thinking space. When too many tools are exposed, that space fills with tool definitions instead of reasoning. SQL MCP Server avoids this by using a fixed, small set of tools, regardless of database size.

Those tools cover the core operations agents need: describe entities, create records, read records, update records, delete records, execute stored procedures, and aggregate data. Enterprises can also promote stored procedures as custom tools to support more specialized workflows.

Security Built In, Not Bolted On

Security is where SQL MCP Server makes a strong case for enterprise adoption. The Data API builder is role-aware and exposes only the entities and operations that the current role is permitted to access. That same RBAC system extends automatically across REST, GraphQL, and MCP — no additional configuration required.
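The two design points above (structured requests routed through an entity layer instead of model-written SQL, and role-aware exposure of entities) can be illustrated with a short sketch. This is an added example, not Data API builder code or its API; the entity names, roles, table names, and the request shape are all hypothetical.

```python
# Illustrative sketch, not Data API builder code. Entities, roles, tables and
# the request shape below are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Entity:
    table: str         # real object name, never shown to the agent
    columns: dict      # exposed field name -> real column name
    permissions: dict  # role -> set of allowed actions

ENTITIES = {
    "Customer": Entity(
        table="[crm].[tbl_cust_v2]",
        columns={"id": "[cust_id]", "name": "[cust_nm]", "region": "[rgn_cd]"},
        permissions={"support-agent": {"read"}, "admin": {"read", "update"}},
    ),
    "Payroll": Entity(
        table="[hr].[payroll]",
        columns={"id": "[emp_id]", "salary": "[salary]"},
        permissions={"admin": {"read"}},
    ),
}

def describe_entities(role):
    """Return only the entities (and exposed field names) this role can act on."""
    return {name: sorted(e.columns) for name, e in ENTITIES.items()
            if e.permissions.get(role)}

def build_read(role, entity, fields, filters):
    """Turn a structured read request into parameterized T-SQL, or refuse."""
    e = ENTITIES.get(entity)
    # Unknown and forbidden entities fail identically, so nothing leaks.
    if e is None or "read" not in e.permissions.get(role, set()):
        raise PermissionError(f"role {role!r} cannot read {entity!r}")
    if not fields:
        raise ValueError("at least one field is required")
    unknown = [f for f in list(fields) + list(filters) if f not in e.columns]
    if unknown:
        raise ValueError(f"unknown fields: {unknown}")
    select = ", ".join(f"{e.columns[f]} AS [{f}]" for f in fields)
    params, clauses = {}, []
    for i, (field, value) in enumerate(sorted(filters.items())):
        clauses.append(f"{e.columns[field]} = @p{i}")
        params[f"@p{i}"] = value  # values travel as parameters, never as SQL text
    sql = f"SELECT {select} FROM {e.table}"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, params
```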

The server also supports Azure Key Vault integration, custom OAuth and Microsoft Entra, first-level and second-level caching through Redis and Azure Managed Redis, and complete instrumentation and telemetry through Azure Log Analytics, Application Insights, and OpenTelemetry.

For teams running sensitive data workloads, that’s not a nice-to-have. It’s a prerequisite.

According to Mitch Ashley, VP and practice lead for software lifecycle engineering at The Futurum Group, “Microsoft’s SQL MCP Server positions MCP as the enterprise-grade interface between AI agents and production data, replacing schema exposure with a governed, role-aware abstraction. The deliberate rejection of NL2SQL in favor of deterministic T-SQL through DAB’s entity model reflects how seriously Microsoft is treating production reliability in agentic workflows.”

“For enterprise teams, the signal is clear: Agent-to-data connectivity requires the same security and predictability disciplines as any production system. Role-based access, deterministic query execution, and minimal tool surface area are design requirements. Platforms that treat these as optional will not earn production trust.”

Broad Database Support

SQL MCP Server isn’t limited to Azure SQL. It supports hybrid queries and multiple data sources, including Microsoft SQL Server, PostgreSQL, Azure Cosmos DB, and MySQL. That flexibility matters for organizations with mixed environments or those managing data across both cloud and on-premises systems.

It runs in any cloud, and on-premises, as a simple MCR (Microsoft Container Registry) container that requires a JSON configuration file. It is a zero-code solution that reduces friction and dependencies and removes entire blocks of repetitive, error-prone CRUD code from line-of-business applications, custom websites, tailored mobile apps, and AI agents.

The MCP Standard Behind It

For those new to the protocol, the Model Context Protocol (MCP) is a standard that defines how AI agents discover and invoke external tools. Each tool describes its inputs, outputs, and behavior. MCP provides a predictable way for agents to discover and use capabilities.

SQL MCP Server implements MCP protocol version 2025-06-18 as a fixed default, supporting two transports: streamable HTTP for standard hosting scenarios and stdio for local or CLI scenarios.

MCP is gaining traction as the standard for agentic tool integration. Microsoft building SQL access around it signals that the company sees MCP as foundational infrastructure — not a passing trend.

The Bottom Line

SQL MCP Server closes a real gap. Enterprises want to use AI agents to automate workflows, answer business questions, and interact with data — but they need guardrails. They need to know agents won’t generate unpredictable queries or expose schema details they shouldn’t.

Microsoft’s approach is methodical. It leverages existing Data API builder infrastructure, enforces role-based access at every layer, avoids the unpredictability of NL2SQL, and keeps the agent’s context clean with a minimal tool set.

For teams already in the Azure ecosystem, it’s worth a close look. For teams evaluating how to safely connect AI agents to production data, it’s one of the more thoughtful implementations available today.

Get started at aka.ms/sql/mcp.
