Lessons Learned #535: BACPAC Import Failures in Azure SQL Database Due to Incompatible Users

We recently worked on a support case where a customer was trying to import a BACPAC file, generated on a different server and subscription, into their Azure SQL Database. The process kept failing with the following errors: "Could not import package. Error SQL72014: Framework Microsoft SqlClient Data Provider: Msg 33159 - Only connections established with Active Directory accounts can create other Active Directory user"

At first glance, this looked like a permissions issue, but digging deeper we realized that the error was triggered when the import process tried to create Entra ID (Azure AD) users while the connection was being made with a SQL Login,

We checked several things in the BACPAC:

• The BACPAC contained references to external Active Directory users that were valid in the source environment but not in the target.
• Both the Azure portal and SQL Server Management Studio (SSMS) failed with the same error.
• Since BACPAC files include both schema and user objects, incompatible users were being carried over and breaking the import.

After thorough investigation, the following resolution path was established:

• We created a dummy copy of the source database.
• We removed the external AD/Entra users from that copy.
• We generated a new BACPAC from this cleaned database.
• We imported it into the target Azure SQL Database — and this time it worked.

We explained several details:

• BACPAC files included both schema and security objects, including users. If external Active Directory users are not present in the target environment can cause import failures.
• Before exporting, review and remove or adjust user objects to avoid this issue — particularly when migrating across subscriptions, servers, or organizations with different Azure AD tenants.