![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 84%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
Azure SQL Database
An Azure relational database service.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 16%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKK%3C/text%3E%3C/svg%3E)
Thank you for approaching on Microsoft Q&A!
Great that you have already done basic troubleshooting steps.
The error message you’re getting suggests that the principal you’re trying to use might not be recognized or properly configured.
Can you please carefully check below ones:
- Permissions: Ensure that the managed identity has been assigned the necessary permissions in Azure Active Directory. Specifically, the identity may need both "Managed Identity Operator" and "Directory Readers" roles to interact with the SQL database effectively.
- Correct Identity Reference: Double-check that the user-assigned managed identity exists in your Microsoft Entra ID (formerly Azure Active Directory) and ensure that its Client ID is correctly referenced in your SQL command.
- Database Context: Make sure you are executing the
CREATE USERcommand in the correct database context and that you’re following the correct syntax:CREATE USER [User_name] FROM EXTERNAL PROVIDER; - Server Admin: Confirm that the Azure AD admin is set for your SQL server, which is required for creating users based on Azure AD identities.(as you already mentioned but can you check again)
- User Limitations: Keep in mind that if you're using a user-assigned managed identity, it may have certain limitations or require specific configurations for Azure SQL Database.
- Switch to System-Assigned Managed Identity If you're using a resource like Azure Function or VM, consider switching to a system-assigned identity, which is better supported in Azure SQL Database.
- Use SSMS or Azure CLI Instead of Query Editor
Some users report that the Azure Portal Query Editor (preview) fails due to token propagation issues. Try running the same command from:
- SQL Server Management Studio (SSMS)
Please let us know after going through everything, if the same happening with SSMS tool also we need to carefully check deeper
- Could you share the exact SQL command you are using to create the user?
- What role has been assigned to the user-assigned managed identity in Microsoft Entra ID?
- Are you utilizing any specific firewall rules or network configurations that could potentially block access?
Please go through the related Microsoft documents if required:
https://free.blessedness.top/en-us/azure/azure-sql/database/logins-create-manage?view=azuresql
Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.do let us know for further queries happy to assist you.
Thanks!
Kalyani