Adding Users to Azure SQL Databases

Problem

You know how to manage logins and users on traditional on-premises SQL Servers with SQL Server Management Studio (SSMS), but now you’ve created an Azure SQL Database and are now ready to add users.

It’s presumed you are not and will not have users and / or applications using the server level "sa" like server admin credentials chosen when the Azure SQL Database server was built. What is the best way to manage users in Azure SQL Databases?

Solution

Let’s do a quick review. With traditional on-premises SQL Server, you have a login to the SQL Server. The login can be an Active Directory account or created in the SQL Server using local SQL authentication. The login gets you access to the SQL Server only. Then you have a user mapped to the login in individual databases that give you access to a databases(s) with permissions typically granted by putting it in a specific security group(s).

Security at a server / database level with on-premises SQL Server and Azure SQL Database are very similar but you will find some definite differences.

The first difference is the concept of a contained user, which is a user not mapped to a login and authentication is done in Azure Active Directory or in the database itself. Traditional logins to the SQL Server with a user in a database mapped to it still exists, but this breaks from the concept of the required login that gets you access to the server and the user gets you access to the database. Contained users make the database more easily portable.

And the traditional database level roles like db_datareader, db_datawriter, db_ddladmin, etc. are the same, but the traditional server level roles like sysadmin, serveradmin, etc. don’t exist in Azure SQL Database. However, there are two server admin roles, dbmanager (similar to dbcreator) that can create and drop databases, and loginmanager (similar to securityadmin) that can create new logins.

Also, you will immediately notice in SSMS that when you right click on Logins or Users from the Object Explorer and choose New it will open a new query window with the command syntax instead of greeting you with a familiar GUI.

Now that we have reviewed the basics, have some background, know the differences and what to expect, here are our options:

Create a SQL authentication login and add a user(s) to a database(s) that is mapped to the login. This would be used when you want to manage one login and password for users in multiple databases. This is just like an on-premises SQL Server.
Create a contained SQL Authentication user in a database(s) not mapped to any login.
Create a contained Azure Active Directory user for a database(s).
Create a SQL authentication login, add a user mapped to it in master and add the user to a server level admin role.
Create a user mapped to an Azure Active Directory user and add the user to a server level admin role.

Examples

Following are examples of our options listed above:

Connect to your Azure SQL Database server with SSMS as an admin in master. Create a SQL authentication login called ‘test’ with a password of ‘SuperSecret!’, create a user mapped to the login called ‘test’ in a database, and then add it to the db_datareader and db_datawriter roles.

-- create SQL auth login from master 
CREATE LOGIN test 
WITH PASSWORD = 'SuperSecret!'

Open another query window and choose your user database in the dropdown.

-- select your db in the dropdown and create a user mapped to a login 
CREATE USER [test] 
FOR LOGIN [test] 
WITH DEFAULT_SCHEMA = dbo; 
  
-- add user to role(s) in db 
ALTER ROLE db_datareader ADD MEMBER [test]; 
ALTER ROLE db_datawriter ADD MEMBER [test];

Repeat second step for all databases you are adding ‘test’ to. Note, you will need to open a new connection(s).
Connect to your Azure SQL Database server with SSMS as an admin and choose the database you want to add the user(s) to in the dropdown. Create a SQL authentication contained user called ‘test’ with a password of ‘SuperSecret!’ then adding it to the db_datareader and db_datawriter roles.

-- select your db in dropdown and create a contained user 
CREATE USER [test] 
WITH PASSWORD = 'SuperSecret!', 
DEFAULT_SCHEMA = dbo; 
  
-- add user to role(s) in db 
ALTER ROLE db_datareader ADD MEMBER [test]; 
ALTER ROLE db_datawriter ADD MEMBER [test];

Connect to your Azure SQL Database server with SSMS as an admin and choose the database you want to add a user to in the dropdown. Add Azure Active Directory user ‘[email protected]’ then add it to the db_datareader and db_datawriter roles.

-- add contained Azure AD user 
CREATE USER [[email protected]] 
FROM EXTERNAL PROVIDER 
WITH DEFAULT_SCHEMA = dbo;  
  
-- add user to role(s) in db 
ALTER ROLE db_datareader ADD MEMBER [test]; 
ALTER ROLE db_datawriter ADD MEMBER [test];

Next, we'll create a login and user in master that can manage databases and logins. Connect to your Azure SQL Database server with SSMS as an admin in master. Add a SQL authentication login called ‘test2’ and a password of ‘SuperSecret!’, create a user mapped to it in master and add the user to the dbmanager and login manager roles.

-- add login  
CREATE LOGIN [test2] 
WITH PASSWORD='SuperSecret!';  
  
-- add user 
CREATE USER [test2] 
FROM LOGIN [test2] 
WITH DEFAULT_SCHEMA=dbo; 
  
-- add user to role(s) in db 
ALTER ROLE dbmanager ADD MEMBER [test2]; 
ALTER ROLE loginmanager ADD MEMBER [test2];

Lastly, we'll add an Azure Active Directory user that can also manage databases and logins. Connect to your Azure SQL Database server with SSMS as an admin in master. Add a contained user ‘[email protected]’ and add it to the dbmanager and login manager roles.

-- add contained Azure AD user 
CREATE USER [[email protected]] 
FROM EXTERNAL PROVIDER 
WITH DEFAULT_SCHEMA = dbo;  
  
-- add user to role(s) in db 
ALTER ROLE dbmanager ADD MEMBER [[email protected]]; 
ALTER ROLE loginmanager ADD MEMBER [[email protected]];

Next Steps

Hopefully this tip has given you everything you need to know to manage logins and users in SQL Azure Database but you can find further info here:

About the author

Joe Gavin is from the Greater Boston area. He started working with SQL Server and Sybase in 1998 in the financial services industry and has been a SQL Server Database Administrator for a dairy cooperative since 2011. He graduated from Northeastern University in Boston with a Bachelor of Science in Engineering Technology (BSET) degree in Computer Technology. Joe has spoken at the Boston and Providence SQL Saturday events.

This author pledges the content of this article is based on professional experience and not AI generated.

View all my tips

Article Last Updated: 2021-12-08

Tuesday, January 30, 2024 - 1:59:10 PM - Joe Gavin	Back To Top (91899)
Excellent Peter.

Tuesday, January 30, 2024 - 9:38:50 AM - Peter Farrer	Back To Top (91896)
Thanks Joe, Successfully connected to SQL Database with MFA.

Wednesday, January 20, 2021 - 10:08:18 AM - Hari	Back To Top (88072)
Thanks Joe . If I got it right , we can add an AD account/security group to Azure SQL database in two ways : 1) As an Active directory Admin from the portal 2) As a contained user in a database , with the CREATE statement using EXTERNAL PROVIDER And there is no concept of CREATE LOGIN [AD user/group] in Azure sql database .

Monday, January 18, 2021 - 1:39:10 PM - Joe Gavin	Back To Top (88065)
Hari, you really don't have the option of an Azure Active Directory login as you would with an on-premises server. However, you could have an Azure Active Directory account in a security group that has admin access to the server. FOR and FROM are interchangeable. Either can be used. Thanks for the questions.

Monday, January 18, 2021 - 10:12:02 AM - Hari	Back To Top (88064)
1) Is it possible to create Active Directory based logins in master database in Azure sql database? Like we created SQL logins. 2) What is the difference between FOR LOGIN and FROM LOGIN in CREATE statements

Friday, November 13, 2020 - 8:45:31 AM - Joe Gavin	Back To Top (87798)
Anne, you would need to be in as a server admin or in loginmanager to execute 'CREATE LOGIN' and a server admin, loginmanager or db_owner in the database you're executing a 'CREATE USER' in.

Thursday, November 12, 2020 - 2:47:51 PM - Anne Cao	Back To Top (87793)
Sorry I meant db_datareader and db_dataWriter in my above post. Also for these SQL statements, it has to be server admin role to do these, correct?

Thursday, November 12, 2020 - 2:45:02 PM - Joe Gavin	Back To Top (87792)
Thanks for catching that Anne. You are correct. Looks like I had a little copy/paste mishap when I was testing.

Thursday, October 29, 2020 - 7:29:46 AM - Joe Gavin	Back To Top (86713)
Hi Sandeep. You may want to look at restricting access via firewall.

Wednesday, October 28, 2020 - 3:23:10 PM - Sandeep	Back To Top (86709)
Hi, I created SQL account for application to connect to database and the connection string is placed in web.config file. Since, the user name and password is visible in config file is there a way for me to restrict that particular account not to connect using ssms or azure data studio. Note: I was able to do in onpremise but not in azure sql database ( paas cloud ) Thank You.

Tuesday, January 14, 2020 - 2:02:03 AM - Saumya Suhagiya	Back To Top (83759)
Thanks! Worked like a charm in Azure SQL DB

Monday, October 21, 2019 - 9:36:01 AM - René Imthorn	Back To Top (82844)
Thanks!

Monday, July 29, 2019 - 11:22:11 AM - Carsten Pedersen	Back To Top (81893)
Thanks very much! Very consicely written and exactly what I needed.

Thursday, March 29, 2018 - 3:48:34 PM - Joe Gavin	Back To Top (75555)
Marios, good question and I'm curious now as well. I'll see what I can find for you.