@Fernando Gutierrez Thank you for reaching out.
Specifies the Microsoft Entra principal for which the database user is being created. The Microsoft_Entra_principal can be a Microsoft Entra user, a Microsoft Entra group, or a Microsoft Entra application. (Microsoft Entra users can't have Windows Authentication logins in SQL Database; only database users.) The connection string must specify the contained database as the initial catalog.
For Microsoft Entra principals, the CREATE USER syntax requires:
UserPrincipalName of the Microsoft Entra object for Microsoft Entra Users.
-
CREATE USER [bob@contoso.com] FROM EXTERNAL PROVIDER;
-
CREATE USER [alice@fabrikam.onmicrosoft.com] FROM EXTERNAL PROVIDER;
CREATE USER [bob@contoso.com] FROM LOGIN [bob@contoso.com]
-
https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-azure-mfa
Use the syntax extension FROM EXTERNAL PROVIDER
to create server-level Microsoft Entra logins in Azure SQL Database and Azure SQL Managed Instance. Microsoft Entra logins allow database-level Microsoft Entra principals to be mapped to server-level Microsoft Entra logins. To create a Microsoft Entra user from a Microsoft Entra login use the following syntax:
CREATE USER [Microsoft_Entra_principal] FROM LOGIN [Microsoft Entra login]
When creating the user in the Azure SQL database, the login_name must correspond to an existing Microsoft Entra login, or else using the FROM EXTERNAL PROVIDER clause will only create a Microsoft Entra user without a login in the master database. For example, this command will create a contained user:
CREATE USER [bob@contoso.com] FROM EXTERNAL PROVIDER
Please let us know if you need more clarification
Regards,
Oury