Accessing SQL Server over an SSH tunnel

Instead of connecting to localhost:3398 Use 127.0.0.1,3398

For Authentication type Azure Active Directory - Universal with MFA (Mutli-Factor Authentication), in addition to specifying the port correctly (127.0.0.1,3398), I also had to point the host to localhost.

On Windows, I had to edit my hosts file to include the server host:

127.0.0.1    server.example.com

Then, in SSMS, I could connect to server.example.com,3398, which would perform the MFA correctly.

I could have performed this redirection at a higher DNS level as well.