Database user password change in Azure SQL after Import bacpac

Question

Database user password change in Azure SQL after Import bacpac

Prakash M, Bhanu 211

On Prem:\

I have a db called db1
User test is having access to db1
Now I have exported bacpac

in Azure SQL Single DB:

Import bacpac file
Able to Connect with server admin and able to see db1 in Azure.

Issue: I wanted to connect with db user called Test and it is failed with login failure. I tried to reset the password and got below error. The parameter PASSWORD cannot be provided for users that cannot authenticate in a database.

Please help me, instead of dropping this db user and recreate any other way to make the connectivity with the test user? So that existing db objects will remain same in the database.

Please suggest

Accepted answer

1 additional answer

Your answer

Answer 1

Hi @Prakash M, Bhanu ,

Here are the steps you need to take once you import the DB using backpack file.

Once you import the backpack file from on-prem to Azure SQL, your login(serverlevel) and users(DBlevel) will be created.

The backpac holds the information of users. The passwords of these users are changed in the background due to security compliance.

You will need to reset the password once the backpack file is imported.

 on Master   
      
 CREATE USER testuser FROM LOGIN testuser ;  -- since the SQL account won't exist on the master DB   
  
once the user is created on the master DB, then change the password using the below command   
  
on master   
  
ALTER login testuser WITH PASSWORD = 'PasswordHere'

You no need to drop the users or re-map the permissions again. The only extra steps are 1) create user on the master 2) reset login password

Before you run the commands, you can check the DB users and roles using the below command on the user DB.

 SELECT p2.name AS UserName,  
 STRING_AGG(p1.name, ', ') AS DatabaseRoleName  
 FROM sys.database_role_members AS m  
 RIGHT OUTER JOIN sys.database_principals AS p1  
  ON m.role_principal_id = p1.principal_id  
 LEFT OUTER JOIN sys.database_principals AS p2  
  ON m.member_principal_id = p2.principal_id  
 WHERE p2.name IS NOT NULL  
  AND p2.name NOT IN ('dbo')  
 GROUP BY p2.name  
 ORDER BY p2.name

Hope this helps

------------------------------

Please don't forget to click on or upvote button whenever the information provided helps you. Original posters help the community find answers faster by identifying the correct answer. Here is how
Want a reminder to come back and check responses? Here is how to subscribe to a notification
If you are interested in joining the VM program and help shape the future of Q&A: Here is how you can be part of Q&A Volunteer Moderators

Prakash M, Bhanu 211 Reputation points

2022-08-05T02:45:53.027+00:00

Hi Bhargava
Thanks a lot for your efforts.

I have login manager role. But As per your inputs I am unable to create user in the Master database, where as I can create users on any other database.

So I have started again in the below order. It worked

1) Before Importing bacpac, create login on PAAS SQL Instance with the same password of Onprem (This will own AzureSID for login)

2) Exported bacpac from Source (This has its onpremSID)

3) Imported the bacpac to Azure (After that verified and confirmed the during Import the SID got changed from OnPremSID to AzureSID as what we created the login in step1)

4) After that able to connect with the db user.

So in this way, I haven't got requirement to reset the password.

It looks like the way you did and the way I did almost similar, you changed the password after login created.
I in advance created login before importing.

Thanks a lot for your inputs. Please do confirm if my steps are also valid or not.
Bhargava-MSFT 31,261 Reputation points Microsoft Employee Moderator

2022-08-05T03:56:43.053+00:00

Hi @Prakash M, Bhanu ,
Thank you so much for accepting the answer.

Yes, you are exactly right. It works in this method too. I just tried your approach and worked as expected.

Answer 2

Alberto Morillo 34,671 MVP Volunteer Moderator

Please run these while connected to the master database on the Azure Logical Server.

CREATE LOGIN YourLogin WITH PASSWORD = 'YourPassword'  
  
CREATE USER YourLogin FROM LOGIN YourLogin ;

After that run the following script on the imported database.

DROP USER YourLogin ;  
  
CREATE USER YourLogin FROM LOGIN YourLogin ;

Hope that helps;

Prakash M, Bhanu 211 Reputation points

2022-07-29T03:50:42.93+00:00

Hey Alberto thanks a lot for always guiding me. I have a few doubts on your answer as below.

CREATE USER YourLogin FROM LOGIN YourLogin ; --> Why do we need to create user to Master database. In fact I need it for my database called db1

DROP USER YourLogin ; --> If we drop the user which came along with the bacpac, then all the explicitly given permissions for this user on the database will be lost (At one prem it has db_datareader BUT also has some execute permissions explicitly at Source)

If we recreate with the user on db1 from login, then we can give db_datareader permission. But how come we will explicitly given permissions from Onprem.

Correct me if I am wrong.

Also, without dropping user from the Imported database, is there any way to fix it? All my Intention is need to retain db objects level permissions too on Azure DB.

Please suggest.
Bhargava-MSFT 31,261 Reputation points Microsoft Employee Moderator

2022-08-04T04:20:50.59+00:00
Hi @Prakash M, Bhanu ,

CREATE USER YourLogin FROM LOGIN YourLogin ; --> Why do we need to create user to Master database. In fact I need it for my database called db1

for this question, you will need the login first to authenticate the login to the Azure SQL server.

Once you create the login on the master(which will authenticate to SQL), you will need to create user and permissions to user DB(which will authenticate and provide the access to user DB)

--on master CREATE LOGIN test WITH PASSWORD = 'Password-here' GO --on user DB create user test from login test ALTER ROLE db_datareader ADD MEMBER test; SELECT p2.name AS UserName, STRING_AGG(p1.name, ', ') AS DatabaseRoleName FROM sys.database_role_members AS m RIGHT OUTER JOIN sys.database_principals AS p1 ON m.role_principal_id = p1.principal_id LEFT OUTER JOIN sys.database_principals AS p2 ON m.member_principal_id = p2.principal_id WHERE p2.name IS NOT NULL AND p2.name NOT IN ('dbo') GROUP BY p2.name ORDER BY p2.name

Run this above code on the user DB this will provide the existing users and DB role name from the DB.

I believe if your user already exists on the user db, then you don't need to drop and re-create. In your case, I believe you are missing the user on the master DB causing the issue. Let me test this scenario and get back to you with more details.
Prakash M, Bhanu 211 Reputation points

2022-08-04T07:36:53.437+00:00

Thaknks.

In my case, db user came along with the database. (.bacpac)

Now how to connect to the database on Azure (It is not allowing to connect with the same password and tried change password and ended with the above error.)

iBecause, if we drop user...then db object level permissions (Which has given explicitly on source side) will go along with if any db level permissions.

Regards,
Bhanu

Share via

Database user password change in Azure SQL after Import bacpac

1 additional answer

Your answer