94

I am trying to use the following template:

-- =================================================
-- Create User as DBO template for SQL Azure Database
-- =================================================
-- For login <login_name, sysname, login_name>, create a user in the database
CREATE USER <user_name, sysname, user_name>
    FOR LOGIN <login_name, sysname, login_name>
    WITH DEFAULT_SCHEMA = <default_schema, sysname, dbo>
GO

-- Add user to the database owner role
EXEC sp_addrolemember N'db_owner', N'<user_name, sysname, user_name>'
GO

I would like to create a user called user1 with a password of 'user1pass'. I connected with my default database 'authentication' and I have a query window open.

But the template does not make sense for me. For example what's sysname, where do I supply the password and what should I use as the default_schema?

The particular user needs to have the power to do everything. But how do I set it up so he can do everything, is that done if I make the user a database owner?

So far I have tried:

CREATE USER user1, sysname, user1
    FOR LOGIN user1, sysname, user1
    WITH DEFAULT_SCHEMA = dbo, sysname, dbo
GO

Giving:

Msg 102, Level 15, State 1, Line 1 Incorrect syntax near ','.

and:

CREATE USER user1
    FOR LOGIN user1
    WITH DEFAULT_SCHEMA = dbo
GO

Giving:

Msg 15007, Level 16, State 1, Line 1 'user1' i

s not a valid login or you do not have permission.

DineshDB
  • 5,998
  • 7
  • 33
  • 49
  • 1
    Possible duplicate of [Creating new user/login in sql azure](http://stackoverflow.com/questions/6058058/creating-new-user-login-in-sql-azure) – Michael Freidgeim Jul 27 '16 at 05:03

9 Answers9

146

Edit - Contained User (v12 and later)

As of Sql Azure 12, databases will be created as Contained Databases which will allow users to be created directly in your database, without the need for a server login via master.

Sql (standard) User

CREATE USER [MyUser] WITH PASSWORD = 'Secret';
ALTER ROLE [db_datareader] ADD MEMBER [MyUser]; -- or sp_addrolemember

AAD linked User

CREATE USER [SomeUser@mydomain.com] FROM EXTERNAL PROVIDER;
EXEC sp_addrolemember 'db_datareader' , N'SomeUser@mydomain.com'

AAD linked Group

CREATE USER [SomeGroup] FROM EXTERNAL PROVIDER;
EXEC sp_addrolemember 'db_datareader' , N'SomeGroup'

NB! when connecting to the database when using a contained user that you must always specify the database in the connection string.

Connecting via a contained User

Traditional Server Login - Database User (Pre v 12)

Just to add to @Igorek's answer, you can do the following in Sql Server Management Studio:

Create the new Login on the server
In master (via the Available databases drop down in SSMS - this is because USE master doesn't work in Azure):

enter image description here

create the login:

CREATE LOGIN username WITH password=N'password';

Create the new User in the database
Switch to the actual database (again via the available databases drop down, or a new connection)

CREATE USER username FROM LOGIN username;

(I've assumed that you want the user and logins to tie up as username, but change if this isn't the case.)

Now add the user to the relevant security roles

EXEC sp_addrolemember N'db_owner', N'username'
GO

(Obviously an app user should have less privileges than dbo.)

StuartLC
  • 104,537
  • 17
  • 209
  • 285
  • This answer seems out of date, the user can be created directly in the database instance itself, see: https://learn.microsoft.com/en-us/sql/t-sql/statements/create-user-transact-sql – tbone Sep 15 '17 at 05:02
  • You are right - Since 12 there's now Contained Users which don't need the `CREATE LOGIN` step. I've updated. – StuartLC Sep 15 '17 at 06:45
40

Check out this link for all of the information : https://azure.microsoft.com/en-us/blog/adding-users-to-your-sql-azure-database/

First you need to create a login for SQL Azure, its syntax is as follows:

CREATE LOGIN username WITH password='password';

This command needs to run in master db. Only afterwards can you run commands to create a user in the database. The way SQL Azure or SQL Server works is that there is a login created first at the server level and then it is mapped to a user in every database.

HTH

Luke Girvin
  • 13,221
  • 9
  • 64
  • 84
Igorek
  • 15,716
  • 3
  • 54
  • 92
  • So first time I should say "use master" then create the login, then say "use authentication" ? Also how can I connect as a different user when in the query window so I can try things out? –  Sep 30 '13 at 14:14
  • 2
    There is no way to switch databases after switching from master to another db in SQL Azure. Right-click on the query window and click on "Connection->Change Connection" - this will allow you to reconnect with different credentials, once you've created a user – Igorek Sep 30 '13 at 14:20
  • I'm having some difficulties to get this working on the latest SQL Azure server (V12). Any clues? – Geethanga Aug 18 '15 at 10:42
  • 3
    The post gives a really clear, and easy to follow example: http://kitsula.com/Article/How-to-create-custom-user-login-for-Azure-SQL-Database – uniquelau Dec 01 '16 at 13:52
  • 3
    This is misleading. A 'contained user' has no login in master so you can just create a user in the database itself. In fact this approach is recommended because `In a contained database, creating users helps separate the database from the instance of the Database Engine so that the database can easily be moved to another instance of SQL Server. ` https://learn.microsoft.com/en-us/sql/t-sql/statements/create-user-transact-sql – Simon_Weaver May 04 '17 at 19:19
37

I followed the answers here but when I tried to connect with my new user, I got an error message stating "The server principal 'newuser' is not able to access the database 'master' under the current security context".

I had to also create a new user in the master table to successfully log in with SSMS.

USE [master]
GO
CREATE LOGIN [newuser] WITH PASSWORD=N'blahpw'
GO
CREATE USER [newuser] FOR LOGIN [newuser] WITH DEFAULT_SCHEMA=[dbo]
GO

USE [MyDatabase]
CREATE USER newuser FOR LOGIN newuser WITH DEFAULT_SCHEMA = dbo
GO
EXEC sp_addrolemember N'db_owner', N'newuser'
GO
nthpixel
  • 3,041
  • 3
  • 30
  • 42
  • This appears to be the best answer that I could find. It appears to work without a flaw and it is a simple, direct answer. – pianocomposer Jul 06 '22 at 14:42
13

You can simply create a contained user in SQL DB V12. 

Create user containeduser with password = 'Password'

Contained user login is more efficient than login to the database using the login created by master. You can find more details @ http://www.sqlindepth.com/contained-users-in-sql-azure-db-v12/

Sirisha Chamarthi
  • 1,283
  • 12
  • 16
  • 1
    This requires a contained database which has some constraints – Shane Courtrille Nov 15 '16 at 15:14
  • On SQL Azure ALL databases support this feature. In fact it can't be disabled. – Simon_Weaver May 04 '17 at 19:16
  • 1
    This is the best answer IMO. Short and concise and it just works. – Philippe Jan 04 '18 at 17:18
  • best answer but anyway Azure SQL sucks – Toolkit Feb 17 '18 at 12:51
  • "As Microsoft evolves the SQL Database service and moves towards higher guaranteed SLAs you may be required to switch to the contained database user model and database-scoped firewall rules to attain the higher availability SLA and higher max login rates for a given database. Microsoft encourages you to consider such changes today." - https://learn.microsoft.com/en-us/sql/relational-databases/security/contained-database-users-making-your-database-portable – Alexander Aug 08 '19 at 15:51
9

I use the Azure Management console tool of CodePlex, with a very useful GUI, try it. You can save type some code.

Jorge
  • 1,178
  • 2
  • 13
  • 33
  • I would definitely recommend this utility. Since `CodePlex` is shutting down. Mirror download location - https://firebasestorage.googleapis.com/v0/b/amber-heat-4041.appspot.com/o/Files%20Publicly%20Shared%2F2017%2FApril%2FAUMC_Setup.msi?alt=media&token=facd5c90-777e-4f19-8f1e-382078c2de25 – Adarsh Madrecha Apr 05 '17 at 18:40
3

1 Create login while connecting to the master db (in your databaseclient open a connection to the master db)

CREATE LOGIN 'testUserLogin' WITH password='1231!#ASDF!a';

2 Create a user while connecting to your db (in your db client open a connection to your database)

CREATE USER testUserLoginFROM LOGIN testUserLogin; Please, note, user name is the same as login. It did not work for me when I had a different username and login.

3 Add required permissions

EXEC sp_addrolemember db_datawriter, 'testUser'; You may want to add 'db_datareader' as well.

list of the roles:

https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/database-level-roles?view=sql-server-ver15

I was inspired by @nthpixel answer, but it did not work for my db client DBeaver. It did not allow me to run USE [master] and use [my-db] statements.

https://azure.microsoft.com/en-us/blog/adding-users-to-your-sql-azure-database/

How to test your user?

Run the query bellow in the master database connection.

SELECT A.name as userName, B.name as login, B.Type_desc, default_database_name, B.*
FROM sys.sysusers A
    FULL OUTER JOIN sys.sql_logins B
       ON A.sid = B.sid
WHERE islogin = 1 and A.sid is not null

List of all users in Azure SQL

Yan Khonski
  • 12,225
  • 15
  • 76
  • 114
2

create a user and then add user to a specific role:

CREATE USER [test] WITH PASSWORD=N'<strong password>'
go
ALTER ROLE [db_datareader] ADD MEMBER [test]
go
Antonio Santise
  • 302
  • 3
  • 5
  • Welcome to SO. This question already has an accepted answer which is identical to yours. See https://stackoverflow.com/help/how-to-answer. – Nick Jul 13 '18 at 14:08
1

I found this link very helpful:
https://azure.microsoft.com/en-gb/documentation/articles/sql-database-manage-logins/

It details things like:
- Azure SQL Database subscriber account
- Using Azure Active Directory users to access the database
- Server-level principal accounts (unrestricted access)
- Adding users to the dbmanager database role

I used this and Stuart's answer to do the following:
On the master database (see link as to who has permissions on this):

CREATE LOGIN [MyAdmin] with password='ReallySecurePassword'

And then on the database in question:

CREATE USER [MyAdmin] FROM LOGIN [MyAdmin]
ALTER ROLE db_owner ADD MEMBER [MyAdmin]

You can also create users like this, according to the link:

CREATE USER [mike@contoso.com] FROM EXTERNAL PROVIDER;
noelicus
  • 14,468
  • 3
  • 92
  • 111
0

I think the templates use the following notation: variable name, variable type, default value.

Sysname is a built-in data type which can hold the names of system objects.

It is limited to 128 Unicode character.

-- same as sysname type
declare @my_sysname nvarchar(128);
CRAFTY DBA
  • 14,351
  • 4
  • 26
  • 30
  • Thanks but given what you say then how would I create the user and password. I don't see a way to set the password. –  Sep 30 '13 at 13:21