First thing to remember is that Azure SQL Database are "contained" databases - so you don't normally define a login to access it but normally you create a USER directly in the database.
There can still be some cases where you need a LOGIN created in the master database and allow this to have access across many databases that are created on that logical server. However, when you look at the master database in Azure, it does not have the same security roles as SQL Server in a VM does - it only has loginmanager (similar to securityadmin role) and dbmanager (similar to dbcreator role). These exist only in the master database. Also, although the other fixed roles will appear in queries against the master database, since you cannot create any database objects in master in Azure SQL Database then these are effectively irrelevant and redundant.
In each user database, you will have the same internal fixed database roles as for a VM based instance.
Server Role Permissions
As this is effectively limited to the loginmanager and dbmanager roles and these are fixed and restricted and pretty much well defined, there isn't much you need to be able to query around these other than membership.
To see who is a member you first need to connect in the context of the master database (remember that each connection to Azure SQL Database is to a specific database, not just to an instance like a VM based SQL Server).
The system views
sys.server_role_members
and
sys.server_principals
are not valid for Azure SQL Database and so you will need to instead look at
sys.database_role_members
and
sys.database_principals
in the context of the master database.
Once connected to master then running
SELECT DP1.name AS DatabaseRoleName,
isnull (DP2.name, N'No members') AS DatabaseUserName
FROM sys.database_role_members AS DRM
RIGHT OUTER JOIN sys.database_principals AS DP1
ON DRM.role_principal_id = DP1.principal_id
LEFT OUTER JOIN sys.database_principals AS DP2
ON DRM.member_principal_id = DP2.principal_id
WHERE DP1.name IN (N'dbmanager', N'loginmanager')
ORDER BY DP1.name;
will show you if any LOGINS have been added to these Roles.
Database Role Permissions
This should essentially be exactly as you would do for a VM based SQL Server instance. As above however, note that you probably only need to be working from
sys.database_principals
and not need to link this back to LOGINS defined in master for most cases.
Once connected to each individual database you can use the same system views as a VM based SQL instance to check permissions:
SELECT * FROM sys.database_role_members
SELECT * FROM sys.database_principals
SELECT * FROM sys.database_permissions
Hope that makes it a bit clearer?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 79%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBP%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 44%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
