Blog Post

Azure Database Support Blog

3 MIN READ

AAD Auth Error - Login failed for user '<token-identified principal>'

FonsecaSergio

Microsoft

May 26, 2020

An error may appear when trying to login to Azure SQL DB using AAD authentication

===================================
Cannot connect to SERVENAME.database.windows.net.
===================================
Login failed for user '<token-identified principal>'. (.Net SqlClient Data Provider)
------------------------------
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft%20SQL%20Server&Evtsrc=MSSQLServer&EvtID=18456&LinkId=20476
------------------------------
Server Name: SERVENAME.database.windows.net
Error Number: 18456
Severity: 14
State: 1
Line Number: 65536
------------------------------
Program Location:
at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, DbConnectionPool pool, String accessToken, Boolean applyTransientFaultHandling, SqlAuthenticationProviderManager sqlAuthProviderManager)
at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions)
at System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection owningConnection, DbConnectionPoolGroup poolGroup, DbConnectionOptions userOptions)
at System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection)
at System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
at System.Data.ProviderBase.DbConnectionClosed.TryOpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
at System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource`1 retry)
at System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry)
at System.Data.SqlClient.SqlConnection.Open()
at Microsoft.SqlServer.Management.SqlStudio.Explorer.ObjectExplorerService.ValidateConnection(UIConnectionInfo ci, IServerType server)
at Microsoft.SqlServer.Management.UI.ConnectionDlg.Connector.ConnectionThreadUser()

This error mean the user is invalid in the database that you are trying to connect, usually related to a AAD user that does not have user created on SQL DB that you are trying to connect (User DB or Master DB) or that the user is not the AAD Server Admin

Just create the user in the DB - Create contained database users in your database mapped to Azure AD identities

CREATE USER <Azure_AD_principal_name> FROM EXTERNAL PROVIDER;
CREATE USER [bob@contoso.com] FROM EXTERNAL PROVIDER;
CREATE USER [alice@fabrikam.onmicrosoft.com] FROM EXTERNAL PROVIDER;
CREATE USER [ICU Nurses] FROM EXTERNAL PROVIDER;
CREATE USER [appName] FROM EXTERNAL PROVIDER;

*If you are connecting from SSMS you may also need to change the default database option (Image below). By default it will try to connect to master DB where this user may not exists there as AAD users are contained inside each user database.

Another sample where this issue can happen is when you typed incorrectly the DB name like sample below. Tks for my colleague Rui Cunha

Another scenario that happened on some customer is where a user / group does not match with SQL by ID. As sample when user was deleted and recreated on AAD with same name. Even though same name you need to make sure SQL User SID match the AAD Object ID or Application ID (In case of Service Principal or MSI).

To fix it you will need to recreate user and grant required permissions

To verify if this is the issue run query below in the database you are trying to connect

--SID to OBJECTID
SELECT
	DP.name
	,DP.principal_id
	,DP.type
	,DP.type_desc
	,DP.SID
	,OBJECTID = CONVERT(uniqueidentifier, DP.SID)
FROM SYS.database_principals DP
WHERE DP.type IN ('S','X','E')

And compare results with AAD object that you can check on Azure Portal

Just look for Azure Active Directory

You can look for users, groups or Enterprise applications (Service Principals / MSI)

Or just use search feature in overview page where you can look for the user found on SQL

In case of Service Principal and Managed Identities look for Application ID instead of Object ID

Updated Aug 11, 2023

Version 4.0

azuresqldb

Connectivity

FonsecaSergio

Microsoft

Joined February 21, 2019

View Profile

Azure Database Support Blog

Follow this blog board to get notified when there's new activity

18 Comments

FonsecaSergio
Microsoft
Aug 31, 2020
MrGalvan in this case as you said this is Server Admin this issue should not happen. Could be something else. I suggest you to open a case to further investigated it
MrGalvan
Copper Contributor
Aug 28, 2020
Hi all,
I'm having an issue when trying to connect an Active Directory user that is the Active Directory Admin over this sql server.

I have been connecting to this database in the past w/out any issues through Management Studio.

However, all of the sudden I am getting this error: login failed for user '<token-identified principal>'

Again, the user I'm using is the Active Directory Admin over this instance along w/ the databases within this instance in our Azure environment.

Also, I have tried just connecting to any other database other than the default (Master) db with no success.

Does anyone know why it's all the sudden doing this and what the fix is?
Steve Hollingshead
Copper Contributor
Aug 11, 2020
You are probably using a guest invite for someone who has access to multiple Azure tenants. If that's the case, they need to specify the tenant ID as well in the SSMS connection options at the bottom.

The tenant ID is xxxx.onmicrosoft.com (the tenant containing the SQL DB)
DianaLittle
Copper Contributor
Jul 23, 2020
I'm running into a similar issue with being able to deploy a NEW database onto an Azure SQL Server using token-based authentication from an Azure VM. I've added the Azure VM to the database server's firewall, I've ensured that the Azure VM has a system-assigned identity. When I publish the DACPAC to an existing Azure SQL database, there is no problem. When I try to use the same DACPAC to create a NEW database by simply changing the database name, I get the error message

Login failed foruser '<token-identified principal>'

I can't create the contained user before the database is created, obviously.

FonsecaSergio

Microsoft

Jul 23, 2020

EdvardGundersen this is not an issue. This is an expected behavior... When you create contained users, in this case was AAD user, but could be SQL login (contained user). You are only able to connect to the specified DB, if you want to connect to master db or to list the available dbs (master metadata) you need to have this user created also on master.

- If user is application user, its not needed any permission on master. And application connection should specify database name

- If user is a SSMS user and if you do not want to always specify the database name you can create user on master DB to have a more simple navigation on SSMS. You do not need any special permission on master, just create user on master should be enough

Traditional model	Contained database user model
When connected to the master database: `CREATE LOGIN login_name WITH PASSWORD = 'strong_password';` Then when connected to a user database: `CREATE USER 'user_name' FOR LOGIN 'login_name';`	When connected to a user database: `CREATE USER user_name WITH PASSWORD = 'strong_password';`

EdvardGundersen
Copper Contributor
Jul 16, 2020
Any progress on this issue?
FonsecaSergio
Microsoft
Jun 18, 2020
JuanParodi in this case (AAD Server Admin) yes, you should be able to login to ANY database. If getting error being AAD Server Admin we would need to investigate further and you can open a case on that
JuanParodi
Copper Contributor
Jun 17, 2020
What about when you're the server's "Active Directory Admin". i don't have a user created on each database, but i should be able to log in regardless in order to be able to grant access to other AAD Principals...