SQL Server Management Studio - Login errors <Token identified principal>

Question

1. I have an Azure SQL Server resource for which I'm the Azure AD admin. I have provided the resource access "Contributor" to another user who cannot access the database through SQL Server Management Studio as he is receiving the following error using the correct server and database name with Azure authentication using MFA option:

2. Then, we thought of switching to Azure Data Studio, somehow the database is getting connected there but in there, the issue is that the user cannot alter the table designs, as the following error pops up:

What can be done to possibly sort at least one of the issues?

1. For ADS and SSMS, User is created within database with db_datareader, db_datawriter and db_ddladmin rights. He has a contributor role to the Azure SQL Server instance.

2. In SSMS, sometimes while connecting to the database, it accesses the database which tries to connect to the master db. We have tried entering the database name manually still the same error.

3. Under the SQL Server -> Azure AD Admin -> I have even tried to set that user as the admin, even then the SSMS shows the same error.

Please help.

Answer 1

Contributor role does nothing for SQL database access. It only gives access to Azure resource management APIs; SQL endpoints are not under those APIs.

The user must be added in the database with something like:

CREATE USER [test.user@example.com] FROM EXTERNAL PROVIDER;

-- Grant permissions etc.

Then the user should select "Azure Active Directory - Universal with MFA support" as the authentication type. They also need to ensure the target database is selected, not master.

I think the user also needs to ensure the right Azure AD tenant is selected. In Azure Data Studio there is a selection for it.

Answer 2

For the SSMS Connection to Azure SQL Server with MFA :

If you are connecting from SSMS you may also need to change the default database option . By default, it will try to connect to master DB where this user may not exist there as AAD users are contained inside each user database.

1. In the SSMS Connect Explorer > Options - Connection properties - Give the Database Name and in the Login Tab > Authentication as Azure AD - Universal with MFA and username is your Azure Account username.

   

   

2. I have made my user as SQL Server Admin in the Azure Portal.

3. While creating the SQL Server, selected the sample database provided by Azure and I have changed the design of the table, it is working as expected.

For the Azure Data Studio connection to the Azure SQL Server :
I have given below details in Data Studio Explorer to connect and it connected Successfully:

Added a column to the existing Table:

Result :

Note :

1. To use the SQL Server Authentication as Azure AD with Universal MFA, the user account must be Azure AD Account.
2. Make that user as Azure SQL - AD Admin and following the steps as @ Junnas said here - Create the user with Grant Permissions for working on the database using either database roles or database permissions.
3. Also Give the Contributor role to that user on the Azure SQL Server Instance Level by going to Azure Portal > SQL Server > Access Control > Add Role Assignment either to SQL Server Contributor or SQL DB Contributor :