Applies to: SQL Server, Azure SQL Database, Azure SQL Managed Instance
This topic describes how to create an application role in SQL Server by using SQL Server Management Studio or Transact-SQL. Application roles restrict user access to a database except through specific applications. Application roles have no users, so the Role Members list is not displayed when Application role is selected.
Important
Password complexity is checked when application role passwords are set. Applications that invoke application roles must store their passwords. Application role passwords should always be stored encrypted.
Before You Begin
Background
Beginning with SQL Server 2012 (11.x), SQL Server and Azure SQL DB used a SHA-512 hash combined with a 32-bit random and unique salt. This method made it statistically infeasible for attackers to deduce passwords.
SQL Server 2025 (17.x) Preview introduces an iterated hash algorithm, RFC2898, also known as a password-based key derivation function (PBKDF). This algorithm still uses SHA-512 but hashes the password multiple times (100,000 iterations), significantly slowing down brute-force attacks. This change enhances password protection in response to evolving security threats and helps customers comply with NIST SP 800-63b guidelines. This security enhancement uses a stronger hashing algorithm, which may slightly increase login time for SQL Authentication logins. The impact is generally lower in environments with connection pooling, but may be more noticeable in scenarios without pooling or where login latency is closely monitored.
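To make the effect of the iteration count concrete, the following added example (not Microsoft's code, and not SQL Server's internal storage format) compares one salted SHA-512 pass with RFC 2898 PBKDF2 using HMAC-SHA-512 at 100,000 iterations, via Python's hashlib. The UTF-16 encoding, the password-then-salt layout, and the 4-byte salt for the iterated case are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # iteration count stated on this page
SALT_BYTES = 4        # 32-bit salt; reused for the iterated case as an assumption


def single_hash(password: str, salt: bytes) -> bytes:
    """One salted SHA-512 pass (assumed layout: password bytes, then salt)."""
    return hashlib.sha512(password.encode("utf-16-le") + salt).digest()


def iterated_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """RFC 2898 PBKDF2 with HMAC-SHA-512 as the pseudorandom function."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-16-le"), salt, iterations)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the derived key and compare it in constant time."""
    return hmac.compare_digest(iterated_hash(password, salt), stored)


def seconds_per_hash(fn, salt: bytes, rounds: int) -> float:
    """Average wall-clock cost of hashing one candidate password."""
    start = time.perf_counter()
    for i in range(rounds):
        fn(f"candidate-{i}", salt)
    return (time.perf_counter() - start) / rounds


def cost_ratio(salt: bytes) -> float:
    """How many times more expensive one hash is under the iterated scheme."""
    fast = seconds_per_hash(single_hash, salt, 2000)
    slow = seconds_per_hash(iterated_hash, salt, 3)
    return slow / fast


if __name__ == "__main__":
    salt = os.urandom(SALT_BYTES)
    sample = "987G^bv876sPY)Y5m23"  # sample password used later on this page
    stored = iterated_hash(sample, salt)
    print("correct password verifies:", verify(sample, salt, stored))
    print("wrong password verifies:  ", verify("wrong-guess", salt, stored))
    print(f"cost per hash, iterated vs single: ~{cost_ratio(salt):,.0f}x")
```

The same per-hash cost is paid once on every SQL Authentication login, which is the login-time increase described above.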
Security
Permissions
Requires ALTER ANY APPLICATION ROLE permission on the database.
Using SQL Server Management Studio
To create an application role
- In Object Explorer, expand the database where you want to create an application role. 
- Expand the Security folder. 
- Expand the Roles folder. 
- Right-click the Application Roles folder and select New Application Role.... 
- In the Application Role - New dialog box, on the General Page, enter the name of the new application role in the Role name box. 
- In the Default Schema box, specify the schema that will own objects created by this role by entering the object names. Alternatively, click the ellipsis (...) to open the Locate Schema dialog box. 
- In the Password box, enter a password for the new role. Enter that password again into the Confirm Password box. 
- Under Schemas owned by this role, select or view schemas that will be owned by this role. A schema can be owned by only one schema or role. 
- Select OK. 
Additional Options
The Application Role - New dialog box also offers options on two additional pages: Securables and Extended Properties.
- The Securables page lists all possible securables and the permissions on those securables that can be granted to the login. 
- The Extended properties page allows you to add custom properties to database users. 
Using Transact-SQL
To create an application role
- In Object Explorer, connect to an instance of Database Engine. 
- On the Standard bar, click New Query. 
- Copy and paste the following example into the query window and click Execute.

    -- Creates an application role called "weekly_receipts" that has the password "987G^bv876sPY)Y5m23" and "Sales" as its default schema.
    CREATE APPLICATION ROLE weekly_receipts
        WITH PASSWORD = '987G^bv876sPY)Y5m23',
        DEFAULT_SCHEMA = Sales;
    GO

For more information, see CREATE APPLICATION ROLE (Transact-SQL).