Microsoft Entra server principals
Applies to: Azure SQL Database Azure SQL Managed Instance Azure Synapse Analytics (dedicated SQL pools only)
You can now create and utilize server principals from Microsoft Entra ID (formerly Azure Active Directory), which are logins in the virtual master
database of Azure SQL Database (Preview) and Azure SQL Managed instance.
Note
Microsoft Entra server principals (logins) are currently in public preview for Azure SQL Database and Azure Synapse Analytics. Microsoft Entra logins are generally available for Azure SQL Managed Instance and SQL Server 2022.
There are several benefits of using Microsoft Entra server principals with your Azure SQL resource:
- Support Azure SQL Database server roles for permission management.
- Support multiple Microsoft Entra users with special roles for SQL Database, such as the
loginmanager
anddbmanager
roles. - Functional parity between SQL logins and Microsoft Entra logins.
- Increase functional improvement support, such as utilizing Microsoft Entra-only authentication. Microsoft Entra-only authentication allows SQL authentication to be disabled, which includes the SQL server admin, SQL logins and users.
- Allows Microsoft Entra principals to support geo-replicas. Microsoft Entra principals can connect to the geo-replica of a user database, with read-only and deny permissions to the primary server.
- Use Microsoft Entra service principal logins with special roles to fully automate user and database creation and maintenance with Microsoft Entra applications.
For more information on Microsoft Entra authentication in Azure SQL, see Use Microsoft Entra authentication.
Permissions
The following permissions are required to utilize or create Microsoft Entra logins in the virtual master
database.
- Microsoft Entra admin permission or membership in the
loginmanager
server role. The first Microsoft Entra login can only be created by the Microsoft Entra admin. - Must be a member of Microsoft Entra ID within the same directory used for Azure SQL Database.
By default, newly created Microsoft Entra logins in the master
database are granted the VIEW ANY DATABASE permission.
Microsoft Entra principals syntax
Use the following syntax to create and manage Microsoft Entra server and database principals.
Create login
This syntax creates a server-level login based on a Microsoft Entra identity. Only the Microsoft Entra admin can execute this command in the virtual master
database.
CREATE LOGIN login_name
{
FROM EXTERNAL PROVIDER [WITH OBJECT_ID = 'objectid']
| WITH <option_list> [,..]
}
<option_list> ::=
PASSWORD = { 'password' }
[ , SID = sid ]
The login_name specifies the Microsoft Entra principal, which is a Microsoft Entra user, group, or application.
For more information, see CREATE LOGIN (Transact-SQL).
Create user from login
The following T-SQL syntax creates a database-level Microsoft Entra principal mapped to a Microsoft Entra login in the virtual master
database. Similar to the syntax for creating a database contained Microsoft Entra user, the only difference is specifying FROM LOGIN [login_name]
rather than FROM EXTERNAL PROVIDER
.
To create a Microsoft Entra user from a Microsoft Entra login, use the following syntax.
CREATE USER [user_name] FROM LOGIN [login_name]
You can use the SID
column from sys.database_principals to distinguish between a Microsoft Entra contained database user and a Microsoft Entra user created from a login. For a contained database user, the SID
is a binary string of length 16. For a login-based user, the SID
is of length 18 with an AADE
suffix.
Note
Appending the AADE
suffix to the SID is how we identify a Microsoft Entra user as being created from a login. However, this also means that the SIDs for the login and its user(s) don't match between sys.server_principals
and sys.database_principals
. To correlate the user back to its login, the AADE
suffix must first be removed.
To understand the conceptual difference between login-based users and contained database users, see contained database users.
For more information on all create user syntax, see CREATE USER (Transact-SQL).
Disable or enable a login using ALTER LOGIN
The ALTER LOGIN (Transact-SQL) DDL syntax is used to enable or disable a Microsoft Entra login in Azure SQL Database.
ALTER LOGIN [login_name] DISABLE
When a login is disabled, connections are no longer allowed using that server principal. It also disables all database principals (users) created from that login from being able to connect to their respective databases.
Note
ALTER LOGIN login_name DISABLE
won't affect contained database users, since they aren't associated to logins.ALTER LOGIN login_name DISABLE
is not supported for Microsoft Entra groups.An individual disabled login cannot belong to a user who is part of a login group created in the
master
database (for example, a Microsoft Entra admin group).For the
DISABLE
orENABLE
changes to take immediate effect, the authentication cache and the TokenAndPermUserStore cache must be cleared using the T-SQL commands.DBCC FLUSHAUTHCACHE DBCC FREESYSTEMCACHE('TokenAndPermUserStore') WITH NO_INFOMSGS
Roles for Microsoft Entra principals
Special roles for SQL Database can be assigned to users in the virtual master
database for Microsoft Entra principals, including dbmanager and loginmanager.
Azure SQL Database server roles can be assigned to logins in the virtual master
database.
For a tutorial on how to grant these roles, see Tutorial: Create and utilize Microsoft Entra server logins.
Limitations and remarks
- The SQL server admin can't create Microsoft Entra logins or users in any databases.
- A SQL admin or SQL user can't execute the following Microsoft Entra operations:
CREATE LOGIN [bob@contoso.com] FROM EXTERNAL PROVIDER
CREATE USER [bob@contoso.com] FROM EXTERNAL PROVIDER
EXECUTE AS USER [bob@contoso.com]
ALTER AUTHORIZATION ON securable::name TO [bob@contoso.com]
- Impersonation of Microsoft Entra server principals (logins) isn't supported for Azure SQL Database and Azure Synapse Analytics. It is supported for SQL Managed Instance:
- EXECUTE AS Clause (Transact-SQL)
- EXECUTE AS (Transact-SQL)
- Impersonation of Microsoft Entra database principals (users) in a user database is supported on all Microsoft SQL products.
- Microsoft Entra logins can't overlap with the Microsoft Entra administrator. The Microsoft Entra admin takes precedence over any login. If a Microsoft Entra account already has access to the server as a Microsoft Entra admin, individually or as part of a group, any login created for this account won't have any effect. However, the login creation isn't blocked through T-SQL. After the account authenticates to the server, the login will have the effective permissions of a Microsoft Entra admin, and not of a newly created login.
- Changing permissions on specific Microsoft Entra login object isn't supported:
GRANT <PERMISSION> ON LOGIN :: <Microsoft Entra account> TO <Any other login>
- When you alter permissions for a Microsoft Entra login, by default the changes only take effect the next time the login connects to the Azure SQL Database. Any existing open connections with the login aren't affected. To force permissions changes to take immediate effect, you can manually clear the authentication and TokenAndPermUserStore, as described earlier in disable or enable a login using ALTER LOGIN. This behavior also applies when making server role membership changes with ALTER SERVER ROLE.
- In SQL Server Management Studio and Azure Data Studio, the scripting command to create a user doesn't check if there's already a Microsoft Entra login in
master
with the same name. It always generates the T-SQL for a contained database Microsoft Entra user. - An error might occur if you're trying to create a login or user from a service principal with a nonunique display name. For more information about mitigating this error, see Microsoft Entra logins and users with nonunique display names.
Microsoft Entra group server principal limitations
With Microsoft Entra logins in public preview for Azure SQL Database and Azure Synapse Analytics, the following are known limitations:
- Azure SQL Database server roles aren't supported for Microsoft Entra groups.
- If your SQL admin is a Microsoft Entra group, there are some limitations when users of that group connect. Each Microsoft Entra user individually isn't part of the
sys.server_principals
table. This has various consequences, including calls toSUSER_SID
returningNULL
. - Microsoft Entra user logins that are part of Microsoft Entra group logins are also not implicitly created, meaning they won't have a default schema, and not be able to perform operations like
CREATE SCHEMA
until a login for the Microsoft Entra user is created, or a default schema is assigned to the group. - Changing a database's ownership to a Microsoft Entra group as database owner isn't supported.
ALTER AUTHORIZATION ON database::<mydb> TO [my_aad_group]
fails with an error message:Msg 33181, Level 16, State 1, Line 4 The new owner cannot be Azure Active Directory group.