Azure SQL Database authentication fails when accessed from Azure Function (Login failed for user '<token-identified principal>')

Question

Azure SQL Database authentication fails when accessed from Azure Function (Login failed for user '<token-identified principal>')

Roberto Patuelli 0

Azure SQL Database authentication fails when accessed from Azure Function (Flex Consumption) using Azure AD Managed Identity (User Assigned).

The issue started suddenly after a period of correct operation, without any application or configuration changes.

Environment:

Azure Function App (Flex Consumption)
.NET 8 isolated worker
Microsoft.Data.SqlClient 7.0.0
Authentication: Active Directory Managed Identity (User Assigned)

Identity details:

Token AppId matches SQL EXTERNAL_USER SID
SQL user exists and is mapped via FROM EXTERNAL PROVIDER
Entra admin is correctly configured on the SQL server

Observed behavior:

Access token is successfully acquired from DefaultAzureCredential
Token is valid and contains correct tenant, appid and oid
Connection attempt fails with:

Login failed for user '<token-identified principal>' (Error 18456, State 1)

The same issue occurs both when:

Using SqlConnection.AccessToken manually
Using Authentication=Active Directory Managed Identity

Expected behavior:

Azure SQL should authenticate the Managed Identity successfully

Impact:

Production Azure Function cannot access Azure SQL Database

Manoj Kumar Boyini 17,870 Punti di reputazione Personale Esterno Microsoft Moderatore

2026-06-30T15:33:05.98+00:00

Hi @Roberto Patuelli

The error Login failed for user '<token-identified principal>' (Error 18456, State 1) commonly indicates that Azure SQL was unable to map or authorize the Microsoft Entra identity in the target database. Even when the managed identity exists, Azure SQL requires that the identity be configured as a principal in the database being accessed and have the necessary permissions.

Please verify the following:

1.The Function App is connecting to the intended database and not inadvertently connecting to master or a different database.

2.The user-assigned managed identity exists as a database principal in the target database:

SELECT name, type_desc

FROM sys.database_principals

WHERE type IN ('E','X');

Show more lines

If needed, recreate the user:

CREATE USER [<managed-identity-name>] FROM EXTERNAL PROVIDER;

3.The managed identity has the required database permissions or role memberships. A Microsoft Entra principal must have at least CONNECT permission to access the database.

4.The Azure SQL logical server still has a valid Microsoft Entra administrator configured, as Microsoft Entra authentication depends on the server-level Entra admin configuration.

5.If using Authentication=Active Directory Managed Identity, ensure the connection string uses the Client ID of the user-assigned managed identity and that the application is using the current Microsoft.Data.SqlClient requirements for Entra authentication.

Given that the application reportedly worked previously without changes, I would pay particular attention to verifying the target database name, the managed identity mapping in that database, and the current permissions assigned to that principal.

**References
**https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure?view=azuresql&tabs=azure-powershell#create-contained-database-users-in-your-database-mapped-to-azure-ad-identities
https://techcommunity.microsoft.com/blog/azuredbsupport/aad-auth-error---login-failed-for-user-/1417535

Please let us know if you have any questions.

Condividi tramite

Azure SQL Database authentication fails when accessed from Azure Function (Login failed for user '<token-identified principal>')

Risposta