https://thedotnetblog.com/tags/sql-server/Articles, tutorials and insights from the .NET community.Hugoen@thedotnetblog (The .NET Blog)@thedotnetblogSun, 26 Apr 2026 00:00:00 +0000https://thedotnetblog.com/posts/emiliano-montesdeoca/sql-server-2025-agent-ready-security-mcp/Sun, 26 Apr 2026 00:00:00 +0000Emiliano Montesdeocahttps://thedotnetblog.com/posts/emiliano-montesdeoca/sql-server-2025-agent-ready-security-mcp/The final part of the Polyglot Tax series tackles the hard production problems: unified Row-Level Security across relational, JSON, graph, and vector data — plus cryptographic audit trails and MCP integration that make SQL Server 2025 genuinely agent-ready.<p>I&rsquo;ve been following the Polyglot Tax series by Aditya Badramraju with a lot of interest. Parts 1-3 built a compelling case for SQL Server 2025 as a genuinely multi-model database — JSON, graph, vectors, and relational data all in one engine with a unified query planner. Part 4 closes the series with the parts that actually determine whether you&rsquo;d trust this architecture in production.</p> <p>Spoiler: the production story is solid.</p> <h2 id="one-security-model-to-rule-all-data-models">One Security Model to Rule All Data Models</h2> <p>Here&rsquo;s the thing with polyglot stacks: when an auditor asks &ldquo;prove that Tenant A cannot see Tenant B&rsquo;s data,&rdquo; you have to answer that question for each database independently. Five databases, five security models, five proofs.</p> <p>With SQL Server 2025, you define one Row-Level Security policy and it covers every data model:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">CREATE</span><span class="w"> </span><span class="k">FUNCTION</span><span class="w"> </span><span class="n">dbo</span><span class="p">.</span><span class="n">fn_TenantFilter</span><span class="p">(</span><span class="o">@</span><span class="n">TenantID</span><span class="w"> </span><span class="nb">INT</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">RETURNS</span><span class="w"> </span><span class="k">TABLE</span><span class="w"> </span><span class="k">WITH</span><span class="w"> </span><span class="n">SCHEMABINDING</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">AS</span><span class="w"> </span><span class="k">RETURN</span><span class="w"> </span><span class="k">SELECT</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="n">fn_result</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">WHERE</span><span class="w"> </span><span class="o">@</span><span class="n">TenantID</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">CAST</span><span class="p">(</span><span class="n">SESSION_CONTEXT</span><span class="p">(</span><span class="n">N</span><span class="s1">&#39;TenantID&#39;</span><span class="p">)</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="nb">INT</span><span class="p">);</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">CREATE</span><span class="w"> </span><span class="k">SECURITY</span><span class="w"> </span><span class="n">POLICY</span><span class="w"> </span><span class="n">TenantIsolation</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">ADD</span><span class="w"> </span><span class="n">FILTER</span><span class="w"> </span><span class="n">PREDICATE</span><span class="w"> </span><span class="n">dbo</span><span class="p">.</span><span class="n">fn_TenantFilter</span><span class="p">(</span><span class="n">TenantID</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">ON</span><span class="w"> </span><span class="n">dbo</span><span class="p">.</span><span class="n">Customers</span><span class="p">,</span><span class="w"> </span><span class="c1">-- Relational </span></span></span><span class="line"><span class="cl"><span class="k">ADD</span><span class="w"> </span><span class="n">FILTER</span><span class="w"> </span><span class="n">PREDICATE</span><span class="w"> </span><span class="n">dbo</span><span class="p">.</span><span class="n">fn_TenantFilter</span><span class="p">(</span><span class="n">TenantID</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">ON</span><span class="w"> </span><span class="n">dbo</span><span class="p">.</span><span class="n">Events</span><span class="p">,</span><span class="w"> </span><span class="c1">-- JSON data </span></span></span><span class="line"><span class="cl"><span class="k">ADD</span><span class="w"> </span><span class="n">FILTER</span><span class="w"> </span><span class="n">PREDICATE</span><span class="w"> </span><span class="n">dbo</span><span class="p">.</span><span class="n">fn_TenantFilter</span><span class="p">(</span><span class="n">TenantID</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">ON</span><span class="w"> </span><span class="n">dbo</span><span class="p">.</span><span class="n">Relationships</span><span class="p">,</span><span class="w"> </span><span class="c1">-- Graph edges </span></span></span><span class="line"><span class="cl"><span class="k">ADD</span><span class="w"> </span><span class="n">FILTER</span><span class="w"> </span><span class="n">PREDICATE</span><span class="w"> </span><span class="n">dbo</span><span class="p">.</span><span class="n">fn_TenantFilter</span><span class="p">(</span><span class="n">TenantID</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">ON</span><span class="w"> </span><span class="n">dbo</span><span class="p">.</span><span class="n">Embeddings</span><span class="w"> </span><span class="c1">-- Vector data </span></span></span><span class="line"><span class="cl"><span class="k">WITH</span><span class="w"> </span><span class="p">(</span><span class="k">STATE</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">ON</span><span class="p">);</span><span class="w"> </span></span></span></code></pre></div><p>From that point, every query — relational joins, JSON path queries, graph traversals, vector similarity searches — is automatically filtered by tenant. The engine injects the predicate into the execution plan before any data leaves storage. Your calling code doesn&rsquo;t need <code>WHERE TenantID = @id</code> everywhere. You test the policy once.</p> <p>The layers compose further: Dynamic Data Masking for columns that shouldn&rsquo;t show full values to certain roles, Always Encrypted for end-to-end encryption (even DBAs can&rsquo;t read it), and stored procedures as the permission boundary so agents only call what you explicitly exposed.</p> <p>This is the part of the architecture that matters most for compliance-heavy SaaS. One policy, one proof.</p> <h2 id="unified-backup--atomic-recovery">Unified Backup = Atomic Recovery</h2> <p>One statement, all data models, consistent point in time:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="n">BACKUP</span><span class="w"> </span><span class="k">DATABASE</span><span class="w"> </span><span class="n">MultiModelApp</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">TO</span><span class="w"> </span><span class="n">URL</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;https://storage.blob.core.windows.net/backups/MultiModelApp.bak&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">WITH</span><span class="w"> </span><span class="n">COMPRESSION</span><span class="p">,</span><span class="w"> </span><span class="n">ENCRYPTION</span><span class="w"> </span><span class="p">(</span><span class="n">ALGORITHM</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">AES_256</span><span class="p">,</span><span class="w"> </span><span class="n">SERVER</span><span class="w"> </span><span class="n">CERTIFICATE</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">BackupCert</span><span class="p">);</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="n">RESTORE</span><span class="w"> </span><span class="k">DATABASE</span><span class="w"> </span><span class="n">MultiModelApp</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="n">URL</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;https://storage.blob.core.windows.net/backups/MultiModelApp.bak&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">WITH</span><span class="w"> </span><span class="n">STOPAT</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">&#39;2026-02-01 10:30:00&#39;</span><span class="p">;</span><span class="w"> </span></span></span></code></pre></div><p>In a polyglot stack, point-in-time recovery across five databases means coordinating five restore operations and hoping the timestamps line up within a second or two. For financial data, that two-second inconsistency is unacceptable. With one database, one transaction log, one restore — recovery is atomic by definition.</p> <h2 id="ledger-tables-for-tamper-evident-audit-trails">Ledger Tables for Tamper-Evident Audit Trails</h2> <p>For regulated industries, you need more than &ldquo;we have logs.&rdquo; You need cryptographic proof that those logs weren&rsquo;t modified:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sql" data-lang="sql"><span class="line"><span class="cl"><span class="k">CREATE</span><span class="w"> </span><span class="k">TABLE</span><span class="w"> </span><span class="n">FinancialTransactions</span><span class="w"> </span><span class="p">(</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">TransactionID</span><span class="w"> </span><span class="nb">INT</span><span class="w"> </span><span class="k">PRIMARY</span><span class="w"> </span><span class="k">KEY</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">AccountID</span><span class="w"> </span><span class="nb">INT</span><span class="w"> </span><span class="k">NOT</span><span class="w"> </span><span class="k">NULL</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">Amount</span><span class="w"> </span><span class="n">MONEY</span><span class="w"> </span><span class="k">NOT</span><span class="w"> </span><span class="k">NULL</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">TransactionType</span><span class="w"> </span><span class="n">NVARCHAR</span><span class="p">(</span><span class="mi">20</span><span class="p">),</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">TransactionDate</span><span class="w"> </span><span class="n">DATETIME2</span><span class="w"> </span><span class="k">DEFAULT</span><span class="w"> </span><span class="n">SYSUTCDATETIME</span><span class="p">()</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="k">WITH</span><span class="w"> </span><span class="p">(</span><span class="n">SYSTEM_VERSIONING</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">ON</span><span class="p">,</span><span class="w"> </span><span class="n">LEDGER</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">ON</span><span class="p">);</span><span class="w"> </span></span></span></code></pre></div><p>Every insert, update, and delete gets cryptographically hashed into a blockchain-style structure. You can prove to an auditor — mathematically — that a row hasn&rsquo;t been tampered with since it was written. In a polyglot stack, this capability doesn&rsquo;t exist uniformly across all your databases.</p> <h2 id="mcp-integration-agents-without-hand-coded-middleware">MCP Integration: Agents Without Hand-Coded Middleware</h2> <p>The series built toward this: SQL Server 2025 supports the SQL MCP Server directly, which means your agents can call the database through natural language tool calls without you writing middleware for every operation.</p> <p>Combine that with stored procedures as the permission boundary and Row-Level Security enforced at the engine, and you have a model where:</p> <ol> <li>Agent calls a tool (e.g., &ldquo;get customer context for account 12345&rdquo;)</li> <li>MCP translates to the stored procedure you defined</li> <li>SQL engine enforces tenant isolation and column masking automatically</li> <li>Agent gets exactly the data it&rsquo;s allowed to see</li> </ol> <p>No middleware layer. No ad-hoc query injection risk. The engine handles authorization, not the agent.</p> <h2 id="why-this-matters-for-net-developers">Why This Matters for .NET Developers</h2> <p>If you&rsquo;re building .NET services with SQL Server as your primary store, the message from this series is: you don&rsquo;t need to add Redis for caching, a graph DB for relationships, or a vector store for embeddings. SQL Server 2025 handles all of that — with better operational consistency than a polyglot stack and unified security that&rsquo;s actually auditable.</p> <p>The MCP integration means your Semantic Kernel agents or Microsoft Agent Framework workflows can interact with your data tier through the same SQL MCP Server, with the same security guarantees you&rsquo;d enforce for human queries.</p> <h2 id="wrapping-up">Wrapping up</h2> <p>The Polyglot Tax series is worth reading end-to-end. Parts 1-3 prove the query planner story. Part 4 proves the production story. For .NET developers building agent-first or AI-augmented applications on Azure SQL, this architecture deserves serious consideration.</p> <p>Original post by Aditya Badramraju: <a href="https://devblogs.microsoft.com/azure-sql/the-polyglot-tax-part-4/">The Polyglot Tax – Part 4</a>.</p>