Here are my steps:
Step #1. Create a contained user in my SQL Server 2019 database
Step #2. Use this database-level user to connect to “Partially contained database” in my SQL Server. Yes, it works
Step #3. Export this SQL Server 2019 database to a .bacpac file, and import it into Azure database via Azure Portal
Step #4. Use this database-level user to connect to Azure database, no luck. But if I logged in as SA to Azure, I can see this user.
Step #5. Drop this user and recreate it in Azure database. All good. I could connect.
I was expecting that step #4 would work. Not sure why it failed. I googled some but could not find answers. Any suggestions?
Export and import the .bacpac file to create the new database in Azure SQL database, it's a database migration.
The limit is that We must create the login/user manually.
We can not database-level user to connect to Azure database directly, we must enable the login and user first.
To improve security, SQL Server Authentication logins are stored in a
DAC export file without a password. When the file is imported, the
login is created as a disabled login with a generated password. To
enable the logins, sign in using a login that has ALTER ANY LOGIN
permission and use ALTER LOGIN to enable the login and assign a new
password that can be communicated to the user. This is not needed for
Windows Authentication logins because their passwords are not managed
by SQL Server.
For more details, you could ref: Import a BACPAC File to Create a New User Database
HTH.
Adding on to the answer by #LeonYue, you can change the password for users that have no login (i.e. database-level SQL authentication) after import by connecting to the database as sysadmin and executing ALTER USER <user-name> WITH PASSWORD='<user-password>';.
Like on-prem contained database users, Azure SQL Database allows SQL authentication at the database level for users with a password (no associated login). However, the password is not exported/imported for security reasons.
Related
I have a Database server created in Azure [not a managed instance] and a Server Admin user was created, many SQL users were added and they were able to login without any issues. Now all of a sudden, SQL users I newly create can't login. It's giving Login failed message with Error# 18456
Here are the SQL commands I am using to create the user [after logging in as Server Admin]:
CREATE LOGIN reportslogin WITH password='' - this in "master" database
CREATE USER reportsuser from LOGIN reportslogin - this is in MyDatabase
ALTER ROLE db_datareader ADD MEMBER reportsuser - this again is in MyDatabase
Now I disconnect the server and when I try reconnecting to the server using the reportsuser, I get this:
What am I doing wrong?
Actually, the error is caused by you database login name.
You should using the Login reportslogin to login the database, not the username reportsuser !
We must using the login name to access the Azure SQL database, not the username.
A login is a simple credential for accessing SQL Server. For example,
SQL Login is for Authentication and SQL Server User is for Authorization. Authentication can decide if we have permissions to access the server or not and Authorization decides what are different operations we can do in a database. Login are created at the SQL Server instance level and User is created at SQL Server database level.
Please reference:
Login and SQL User
Difference between a User and a Login in SQL Server
Suggestions:
create the login and user with the same name:
USE master
CREATE LOGIN reportslogin WITH password='Xunmi110'
USE user_database
CREATE USER reportsuser FOR LOGIN reportslogin
ALTER ROLE db_datareader ADD MEMBER reportsuser
One login for one user.
Hope this helps.
I need to create a login on a server that will have access to all databases on this server.
I have two azure servers: production and stage. I make a copy of a database from prod server on stage server. Then I need to do insert some test data in this new copied database.
The copying process is made on runbooks in azure automation account so every time I want to execute SQL script on a database I need to provide a login&password to a server.
If I create a login TestLogin on stage server and then copy database from prod server to stage, then this login does not have access to a new db. Thus, I need to login as administrator and create a TestUser in this new database for TestLogin.
This does not work for Azure:
GRANT CONTROL SERVER TO TestLogin;
Is there any way I can grant a TestLogin all rights so that it can have access to all the databases on server?
When you create a login in one instance of SQL Server and assign any roles to this user on a specific database, and then copy the database to another SQL Server instance, you have this user in the database, but no login for that user in the second SQL Server. This is also called an "orphaned user". Here is an article that describes how to fix that.
This does not work on Azure. You have to use ALTER USER instead.
As you said in comment, you must login with admin, then you have the permission to alter the new user in master DB, set the user as DB manager or db_owner.
If you only create new login or user and don't give it more permission, this login/user only and login the Database but can't access no database.
Fore details, please see Controlling and granting database access to SQL Database and SQL Data Warehouse.
Hope this helps.
I have been trying to research this subject and have not been able to glean any solid information, but what is the default "guest" account used for and should I revoke connect privilege from this account in my Production databases?
Guest access to master database is not enabled by default on SQL Azure Database service. With on premise SQL Server you always have guest access to master database even if no user is created in it for some login you're using to connect to the server. With SQL Azure a database user should also be created on master to be able to have guest access to DMVs like sys.database_usage and sys.bandwidth_usage.
My suggestion is to create database users only since logins created on the master can be disconnected while scaling the tiers or while failovers are occurring. I don't see why a guest access should be needed for master database.
`Login is Server principle and User is database principle Means we need Login to connect Sql Server and User to access a particular Database , Tables etc
There is a features called Connect Any Database in Sql Server 2014 which allows to give rights of all Db's to a Login I created a New Login and using the Connect Any Database I was able to give Rights of All Db to Login
Now My question is if I can give Database Rights to a Login also why should I Created a User
Refer Below Steps
1) Use Below Script
Create Login Test With Password ='Avengers#012015'
Grant Connect Any DATABASE To Test
2) Create Database One
3)Now Login Using the nelwly created Login Test and type
Use One
and you will see that you are able to connect to the Database one without using Any User
Connect Any Database Just allow to connect to any DB it does not give any Write/Read access for which I have to create a User Only
I have an ASP.NET app that needs to connect to a SQL Server 2008 database. When I try add the user (specified in a connection string within the app) using Management Studio it doesn't ask for a password for that user - why is this?
(so all i keep getting when i run the app is "Login failed for user 'user'.")
Because users don't have passswords in SQL Server. Only logins have passwords. You need to create first a login (a server principal), see How to: Create a SQL Server Login and then create a corresponding user in the database (a database principal), see How to: Create a Database User.
To understand the difference between logins and users read Identity and Access Control (Database Engine).
Could either be using windows authentication so it doesn't need a password as they are authenticated by the OS/domain.
If it is using SQL Authentication (which requires a username and password). Add the user in the server > security > logins section then give that user access to the database required.
Does that help?