Blog Post

Azure Database Support Blog
2 MIN READ

SQLDBControlPlaneFirstPartyApp explained

akiohose's avatar
akiohose
Icon for Microsoft rankMicrosoft
Feb 09, 2026

You might have noticed an event initiated by SQLDBControlPlaneFirstPartyApp showing up in the Activity log.

 

You noticed an event showing up while reviewing activity logs.

Sample from Activity log

SQLDBControlPlaneFirstPartyApp explained

The SQLDBControlPlaneFirstPartyApp is an internal Azure application used by the Azure SQL Database control plane to synchronize resource state between the SQL engine and Azure Resource Manager (ARM). Its main purpose is to ensure that any changes made directly in the SQL engine (such as creating, updating, or deleting databases using T-SQL or other direct methods) are reflected and kept in sync with the ARM resource model, which is what the Azure Portal and management APIs use to represent resources.

When you see events initiated by SQLDBControlPlaneFirstPartyApp, it typically means that the control plane is performing a “hydration” or synchronization operation to update ARM with the latest state of the database resource. This is especially important for resources created or modified outside of the ARM/Portal path, as ARM needs to be aware of these changes for management, billing, and compliance purposes.

If the user has disabled the ability for this app to sign in at the tenant level, synchronization will be blocked, and you may see errors or failed events related to ARM resource hydration. In such cases, the user needs to enable sign-in for the SQLDBControlPlaneFirstPartyApp in the Azure Portal to allow these synchronization operations to proceed successfully.

In summary, the SQLDBControlPlaneFirstPartyApp is essential for keeping the SQL engine and ARM resource states consistent, especially for resources managed outside of the standard ARM/Portal workflows. Its actions are a normal part of Azure SQL Database’s internal management and are required for correct resource representation and operation in Azure.

First Party App

First Party Apps are Microsoft-owned applications and services that are integrated with your Azure environment to provide core platform functionality, security, and management features. These apps are developed, managed, and maintained by Microsoft, and are essential for enabling various Azure services and features to work seamlessly within your tenant.

The presence of these apps in your Enterprise Applications list is expected and necessary for the operation of Microsoft services such as Azure SQL Database, Microsoft Teams, Azure Active Directory, and others. For example, the “Azure SQL Database” application is a First Party App that enables Azure AD authentication and other identity-related features for Azure SQL Database. These apps are not third-party or external; they are part of the Microsoft cloud ecosystem and are required for secure and integrated service delivery.

Users cannot delete these applications, as they are protected and managed by Microsoft to ensure the stability and security of the platform. You can verify that an application is a Microsoft First Party App by checking its properties in the Azure portal, where you will see a message stating, “You can’t delete this application because it’s a Microsoft first party application.”

Disable sign-in to the SQLDBControlPlaneFirstPartyApp app

Although disabling sign‑in through an Enterprise Application is not recommended, it is technically possible. Doing so may prevent users from viewing their resources in the Azure portal or may cause resource information to appear incorrect.

 

 

Updated Feb 05, 2026
Version 1.0

2 Comments

  • wattr's avatar
    wattr
    Occasional Reader
    Mar 03, 2026

    This new behavior obscures the actual user identity behind SQLDBControlPlaneFirstPartyApp within the Activity Log for database and SQL actions.

    Accurate attribution of user-initiated operations is a requirement for auditing, governance, and security review. Until Activity Log entries consistently reflect the originating user identity, rather than a first-party application account.  We consider this unacceptable.

    TrackingID#2601060040004845

    • akiohose's avatar
      akiohose
      Icon for Microsoft rankMicrosoft
      Mar 03, 2026

      Thank you for sharing your feedback. We understand your concerns, especially from a compliance standpoint, and we’ve passed your comments along to the product group for further review.

      At present, preventing these events from being written to the Activity Log is challenging. All control‑plane requests to ARM are automatically logged (*1), and changing this behavior would likely require architectural updates within ARM itself.

      Your feedback is well noted, and we agree that this is an important area for improvement. Please be aware that any enhancement in this space may take time, as it will require coordination across multiple product teams.

      (*1): https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/control-plane-and-data-plane#control-plane