Blog Post

Modernization Best Practices and Reusable Assets Blog
5 MIN READ

Azure SQL Managed Instance – Sync Agent Jobs and Logins in Failover Groups

narenan's avatar
narenan
Icon for Microsoft rankMicrosoft
Oct 21, 2021
Introduction In an Azure SQL Managed Instance setup with Failover Group, the schema, data, and database-level users will always be synced between primary and secondary instance. As of October 2021,...
Updated Jan 05, 2024
Version 4.0
database platform cse
database platform cse – sql
Tim-Butters's avatar
Tim-Butters
Copper Contributor
Jan 07, 2025

Fantastic process and code - used it many times when I've had to sync.

Recently seen an issue when syncronizing Entra ID User accounts - the job runs without an error (returns code 0) but the generated SQL statement has syntax error and fails to run.

Here is my corrected code for the Creating DDL Statements for New Logins within the CreateLoginsInSecondary SP

 

        -- Insert DDL for new logins
        PRINT 'Creating DDL Statements for New Logins';
        INSERT INTO @DDLStmts 
        SELECT 
            CASE 
                WHEN l.[type] = 'S' THEN 
                    N' CREATE LOGIN [' + l.[name] + '] WITH PASSWORD=0x' 
                    + CONVERT(NVARCHAR(MAX), l.password_hash, 2) + N' HASHED'
                    + N', CHECK_POLICY = ' + CASE WHEN l.is_policy_checked = 1 THEN N'ON' ELSE N'OFF' END
                    + N', CHECK_EXPIRATION = ' + CASE WHEN l.is_expiration_checked = 1 THEN N'ON' ELSE N'OFF' END
                    + N', SID=0x' + CONVERT(NVARCHAR(MAX), l.[sid], 2)
					+ N', DEFAULT_DATABASE = [' + l.default_database_name + N']'
					+ ISNULL(N', DEFAULT_LANGUAGE = [' + l.default_language_name + N']', N'')
					+ N';'
                WHEN l.[type] IN ('E', 'X') THEN 
                    + N' CREATE LOGIN [' + l.[name] + '] FROM EXTERNAL PROVIDER'
					+ N' WITH DEFAULT_DATABASE = [' + l.default_database_name + N']'
					+ ISNULL(N', DEFAULT_LANGUAGE = [' + l.default_language_name + N']', N'')
					+ N';'
                WHEN l.[type] = 'R' THEN 
                    N' CREATE SERVER ROLE [' + l.[name] + ']'
					+ N', DEFAULT_DATABASE = [' + l.default_database_name + N']'
					+ ISNULL(N', DEFAULT_LANGUAGE = [' + l.default_language_name + N']', N'')
					+ N';'
            END 
        FROM @Logins l
        WHERE l.[name] NOT IN (SELECT [name] FROM master.sys.server_principals) 
        AND l.[type] IN ('S', 'E', 'X');

The problem was that FROM EXTERNAL PROVIDER requires the WITH clause for Default Database and Language instead of a comma.

ColinBlair's avatar
ColinBlair
Copper Contributor
Mar 26, 2025

The current scripts are version 2.0 with a modification date of 7/15/2024 and I think already had that fixed? It looks like there were other changes, so I am not 100% sure. If you read this and could check, I would like to know if the current scripts still have something that needs to be fixed or not.

  • ColinBlair's avatar
    ColinBlair
    Copper Contributor
    Jul 31, 2025

    Replying to myself: No, it isn't fixed in the newer modification date.