Summary
When creating a new Azure SQL Data Sync group, customers may encounter the following error during setup—even when no active sync groups exist:
“Failed to perform data sync operation: Cannot find the user 'DataSync_executor', because it does not exist or you do not have permission.”
This failure typically occurs during certificate and symmetric key creation as Azure attempts to grant permissions to the DataSync_executor role. In this post, we’ll walk through:
- The common scenario where this issue appears
- Why cleanup scripts alone may not fix it
- A supported, reliable resolution approach to restore Data Sync successfully
The Problem Scenario
A customer attempts to create a brand-new Azure SQL Data Sync group (hub + members), but the operation fails with an error similar to:
Cannot find the user 'DataSync_executor', because it does not exist or you do not have permission.
Creating certificate
Creating symmetric key
Granting permission to [DataSync_executor] on certificate
Key observations from affected cases:
- No active sync group exists
- Cleanup scripts (including Data Sync complete cleanup.sql) were already executed
- The failure persists even after retrying the setup
Why This Happens
Azure SQL Data Sync depends on system-managed database roles that must be created and configured only by the Azure Data Sync service itself.
If these roles (or related permissions) are:
- Missing
- Partially deleted
- Left in an inconsistent state
then Data Sync may fail while attempting to create certificates or grant required permissions.
Important:
Manually creating or partially restoring these roles is not supported and often leads to repeated failures.
How to Detect the Issue
Before troubleshooting further, confirm whether the required Data Sync roles are missing.
1. Run the Data Sync Health Checker
Ask the customer to run the Data Sync Health Checker, then review SyncDB_Log.
Common warnings include:
- DataSync_reader IS MISSING
- DataSync_executor IS MISSING
- Missing EXECUTE/SELECT permissions on dss and TaskHosting schemas
This confirms the root cause is role and permission inconsistency.
Supported and Effective Resolution
Step 1: Verify Roles Are Missing
Run the following query on each affected database (hub and members):
SELECT name
FROM sys.database_principals
WHERE name IN ('DataSync_executor', 'DataSync_reader');
If no rows are returned, the roles are missing and must be recovered by Azure Data Sync itself - not manually.
Step 2: Fully Clean Up Leftover Data Sync Objects
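Do this only if the database is not actively syncing.
-- Remove roles if partially present
-- (DROP ROLE fails while a role still has members or owns objects)
DROP ROLE IF EXISTS DataSync_executor;
DROP ROLE IF EXISTS DataSync_reader;
-- Drop DataSync schema
-- (DROP SCHEMA succeeds only once the schema no longer contains any objects)
IF EXISTS (SELECT 1 FROM sys.schemas WHERE name = 'DataSync')
BEGIN
    DROP SCHEMA DataSync;
END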
This ensures there are no partial or orphaned Data Sync objects left behind that could interfere with setup.
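A read-only inventory to run before the Step 2 cleanup, added here as an example and not part of the original post or of Microsoft's cleanup scripts: it lists the two roles, their members, what they are currently granted, and what still lives in the Data Sync schemas. The role and schema names are the ones mentioned on this page; it assumes a principal that can view database metadata (for example a db_owner member).

```sql
-- Added example: read-only pre-cleanup inventory; nothing here modifies the database.
-- Role and schema names are the ones named on this page.

-- 1. Do the service-managed roles exist, and when were they created or changed?
SELECT name, type_desc, create_date, modify_date
FROM sys.database_principals
WHERE name IN (N'DataSync_executor', N'DataSync_reader');

-- 2. Role members (a role that still has members cannot be dropped).
SELECT r.name AS role_name, m.name AS member_name, m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'DataSync_executor', N'DataSync_reader');

-- 3. Permissions held by the roles, with the securable resolved to a name
--    (class 1 = object, 3 = schema, 24 = symmetric key, 25 = certificate).
SELECT pr.name AS grantee, pe.state_desc, pe.permission_name, pe.class_desc,
       CASE pe.class
            WHEN 1  THEN OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id)
            WHEN 3  THEN SCHEMA_NAME(pe.major_id)
            WHEN 24 THEN (SELECT k.name FROM sys.symmetric_keys AS k
                          WHERE k.symmetric_key_id = pe.major_id)
            WHEN 25 THEN (SELECT c.name FROM sys.certificates AS c
                          WHERE c.certificate_id = pe.major_id)
       END AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN (N'DataSync_executor', N'DataSync_reader')
ORDER BY grantee, pe.class_desc;

-- 4. Objects and user-defined types still present in the Data Sync schemas
--    (a schema that is not empty cannot be dropped).
SELECT s.name AS schema_name, o.type_desc AS object_type, COUNT(*) AS object_count
FROM sys.schemas AS s
JOIN sys.objects AS o ON o.schema_id = s.schema_id
WHERE s.name IN (N'DataSync', N'dss', N'TaskHosting')
GROUP BY s.name, o.type_desc
UNION ALL
SELECT s.name, N'USER_DEFINED_TYPE', COUNT(*)
FROM sys.schemas AS s
JOIN sys.types AS t ON t.schema_id = s.schema_id
WHERE s.name IN (N'DataSync', N'dss', N'TaskHosting')
GROUP BY s.name
ORDER BY schema_name, object_type;
```

Empty results from queries 1 to 3 together with rows from query 4 indicate the partially deleted state described above. Saving the output also gives a before-and-after record once the Sync Group has been recreated.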
Step 3: Recreate the Sync Group (Critical Step)
Do not manually recreate roles or permissions.
Instead:
- Delete the existing (failed) Sync Group from the Azure Portal
- Recreate the Sync Group from scratch
- Re-add the hub and member databases
During this process, Azure will automatically:
- Recreate DataSync_executor and DataSync_reader
- Assign all required permissions
- Deploy the correct schemas, certificates, and procedures
Key Takeaways
- DataSync_executor and DataSync_reader are service-managed roles
- Cleanup scripts alone may not fully reset a broken state
- Manual role creation is not supported
- Deleting and recreating the Sync Group is the only reliable recovery method once roles are missing
Final Recommendation
If you encounter Data Sync setup failures referencing DataSync_executor, always:
- Validate role existence
- Fully clean up broken artifacts
- Let Azure Data Sync recreate everything by rebuilding the Sync Group
This approach consistently resolves the issue and restores a healthy Data Sync deployment.