Lesson Learned #35: How to transfer the login and user from OnPremise to Azure SQL Database

Published Mar 13 2019 06:59 PM 3,926 Views
First published on MSDN on Mar 29, 2018
In some situations, we need to transfer the logins/user or contained user from our OnPremise Server to Azure SQL Database.

In previous version of SQL Server, running the script included in this URL the process will be successfully, but trying to execute into Azure SQL Database you will face the following errors at the step 2:

  • Msg 262, Level 14, State 18, Procedure sp_hexadecimal, Line 1 [Batch Start Line 5] CREATE PROCEDURE permission denied in database 'master'.

  • Msg 262, Level 14, State 18, Procedure sp_help_revlogin, Line 1 [Batch Start Line 37] CREATE PROCEDURE permission denied in database 'master'.


Unfortunately, this script is not supported to use in Azure SQL Database, due to several differentials in the engine. Even the Windows users will be not supported in Azure SQL Database, just only SQL Logins and Azure Active Directory. Also, some other properties of the users like DEFAULT_LANGUAGE or DEFAULT_DATABASE is not supported.

Also, there is very important to know that Azure SQL Database currently, doesn't support Windows Logins, so, if you need to export your database to Azure SQL Database, please, follow these steps:

  • Create a new database from a backup of your database

  • Remove the Windows Logins

  • Create the export

  • And import the database.


As we cannot use a native format backup, you need to generate a bacpac that will have the login, password and user.

  • If you are not using a contained database, if you try to create the user directly, for example, using Generate script/Export Data from SQL Server Management Studio, you are going to have the following scenario, when the user will be created.


CREATE USER [User1] FOR LOGIN [User1] WITH DEFAULT_SCHEMA=[dbo]
GO
ALTER ROLE [db_owner] ADD MEMBER [User1]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE TABLE [dbo].[Table_1](
[Id] [int] NOT NULL,
[Name] [varchar](20) NOT NULL,
CONSTRAINT [PK_Table_1] PRIMARY KEY CLUSTERED
(
[Id] ASC
)WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON) ON [PRIMARY]
) ON [PRIMARY]




  • So, you just only to create the login before executing the script: CREATE LOGIN [User1] WITH PASSWORD=’<PASSWORD123>’

  • The SID is not possible to transfer between OnPremise environment to Azure SQL Database. For example, if I try to execute the following I will have the following error:


CREATE LOGIN [User1]
WITH PASSWORD=N'8AHisc8cRB5dBpDaOuA7irbHP4CD',
SID = 0x54E338B637F93B4BAF54855EE70



In another hand, if you are transfering logins from Azure SQL Database to Azure SQL Database. In this case we have 4 different scenarios:

  • If you have created the login, review this link Geo-Replication

  • If you have contained users, there is not needed to do anything.

  • If you have the login and transferred the data using bacpac, there is not needed to do anything.

  • If you have the login and the transferred of the data has been used using CREATE DATABASE .. AS COPY OF from different servers, you need to do the following the same page that geo-replication

%3CLINGO-SUB%20id%3D%22lingo-sub-369031%22%20slang%3D%22en-US%22%3ELesson%20Learned%20%2335%3A%20How%20to%20transfer%20the%20login%20and%20user%20from%20OnPremise%20to%20Azure%20SQL%20Database%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-369031%22%20slang%3D%22en-US%22%3E%0A%20%26lt%3Bmeta%20http-equiv%3D%22Content-Type%22%20content%3D%22text%2Fhtml%3B%20charset%3DUTF-8%22%20%2F%26gt%3B%3CSTRONG%3EFirst%20published%20on%20MSDN%20on%20Mar%2029%2C%202018%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3E%20In%20some%20situations%2C%20we%20need%20to%20transfer%20the%20logins%2Fuser%20or%20contained%20user%20from%20our%20OnPremise%20Server%20to%20Azure%20SQL%20Database.%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20In%20previous%20version%20of%20SQL%20Server%2C%20running%20the%20script%20included%20in%20this%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F918992%2Fhow-to-transfer-logins-and-passwords-between-instances-of-sql-server%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%20URL%20%3C%2FA%3E%20the%20process%20will%20be%20successfully%2C%20but%20trying%20to%20execute%20into%20Azure%20SQL%20Database%20you%20will%20face%20the%20following%20errors%20at%20the%20step%202%3A%20%3CBR%20%2F%3E%3CUL%3E%3CBR%20%2F%3E%3CLI%3EMsg%20262%2C%20Level%2014%2C%20State%2018%2C%20Procedure%20sp_hexadecimal%2C%20Line%201%20%5BBatch%20Start%20Line%205%5D%20CREATE%20PROCEDURE%20permission%20denied%20in%20database%20'master'.%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3EMsg%20262%2C%20Level%2014%2C%20State%2018%2C%20Procedure%20sp_help_revlogin%2C%20Line%201%20%5BBatch%20Start%20Line%2037%5D%20CREATE%20PROCEDURE%20permission%20denied%20in%20database%20'master'.%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FUL%3E%3CBR%20%2F%3E%20Unfortunately%2C%20this%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F918992%2Fhow-to-transfer-logins-and-passwords-between-instances-of-sql-server%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%20script%20%3C%2FA%3E%20is%20not%20supported%20to%20use%20in%20Azure%20SQL%20Database%2C%20due%20to%20several%20differentials%20in%20the%20engine.%20Even%20the%20Windows%20users%20will%20be%20not%20supported%20in%20Azure%20SQL%20Database%2C%20just%20only%20SQL%20Logins%20and%20Azure%20Active%20Directory.%20Also%2C%20some%20other%20properties%20of%20the%20users%20like%20DEFAULT_LANGUAGE%20or%20DEFAULT_DATABASE%20is%20not%20supported.%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20Also%2C%20there%20is%20very%20important%20to%20know%20that%20Azure%20SQL%20Database%20currently%2C%20doesn't%20support%20Windows%20Logins%2C%20so%2C%20if%20you%20need%20to%20export%20your%20database%20to%20Azure%20SQL%20Database%2C%20please%2C%20follow%20these%20steps%3A%20%3CBR%20%2F%3E%3CUL%3E%3CBR%20%2F%3E%3CLI%3ECreate%20a%20new%20database%20from%20a%20backup%20of%20your%20database%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3ERemove%20the%20Windows%20Logins%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3ECreate%20the%20export%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3EAnd%20import%20the%20database.%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FUL%3E%3CBR%20%2F%3E%20As%20we%20cannot%26nbsp%3Buse%20a%20native%20format%20backup%2C%26nbsp%3Byou%20need%20to%20generate%20a%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsql-database%2Fsql-database-cloud-migrate%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%20bacpac%20%3C%2FA%3E%20that%20will%20have%26nbsp%3Bthe%20login%2C%20password%20and%20user.%20%3CBR%20%2F%3E%3CUL%3E%3CBR%20%2F%3E%3CLI%3EIf%20you%20are%20not%20using%20a%20contained%20database%2C%20if%20you%20try%20to%20create%20the%20user%20directly%2C%20for%20example%2C%20using%20Generate%20script%2FExport%20Data%20from%20SQL%20Server%20Management%20Studio%2C%20you%20are%20going%20to%20have%20the%20following%20scenario%2C%20when%20the%20user%20will%20be%20created.%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FUL%3E%3CBR%20%2F%3E%3CP%3ECREATE%20USER%20%5BUser1%5D%20FOR%20LOGIN%20%5BUser1%5D%20WITH%20DEFAULT_SCHEMA%3D%5Bdbo%5D%20%3CBR%20%2F%3E%20GO%20%3CBR%20%2F%3E%20ALTER%20ROLE%20%5Bdb_owner%5D%20ADD%20MEMBER%20%5BUser1%5D%20%3CBR%20%2F%3E%20GO%20%3CBR%20%2F%3E%20SET%20ANSI_NULLS%20ON%20%3CBR%20%2F%3E%20GO%20%3CBR%20%2F%3E%20SET%20QUOTED_IDENTIFIER%20ON%20%3CBR%20%2F%3E%20GO%20%3CBR%20%2F%3E%20CREATE%20TABLE%20%5Bdbo%5D.%5BTable_1%5D(%20%3CBR%20%2F%3E%20%5BId%5D%20%5Bint%5D%20NOT%20NULL%2C%20%3CBR%20%2F%3E%20%5BName%5D%20%5Bvarchar%5D(20)%20NOT%20NULL%2C%20%3CBR%20%2F%3E%20CONSTRAINT%20%5BPK_Table_1%5D%20PRIMARY%20KEY%20CLUSTERED%20%3CBR%20%2F%3E%20(%20%3CBR%20%2F%3E%20%5BId%5D%20ASC%20%3CBR%20%2F%3E%20)WITH%20(PAD_INDEX%20%3D%20OFF%2C%20STATISTICS_NORECOMPUTE%20%3D%20OFF%2C%20IGNORE_DUP_KEY%20%3D%20OFF%2C%20ALLOW_ROW_LOCKS%20%3D%20ON%2C%20ALLOW_PAGE_LOCKS%20%3D%20ON)%20ON%20%5BPRIMARY%5D%20%3CBR%20%2F%3E%20)%20ON%20%5BPRIMARY%5D%3C%2FP%3E%3CBR%20%2F%3E%20%3CBR%20%2F%3E%3CUL%3E%3CBR%20%2F%3E%3CLI%3ESo%2C%20you%20just%20only%20to%20create%20the%20login%20before%20executing%20the%20script%3A%20CREATE%20LOGIN%20%5BUser1%5D%20WITH%20PASSWORD%3D%E2%80%99%3CPASSWORD123%3E%E2%80%99%3C%2FPASSWORD123%3E%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3EThe%20SID%20is%20not%20possible%20to%20transfer%20between%20OnPremise%20environment%20to%20Azure%20SQL%20Database.%20For%20example%2C%20if%20I%20try%20to%20execute%20the%20following%20I%20will%20have%20the%20following%20error%3A%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FUL%3E%3CBR%20%2F%3E%3CP%3ECREATE%20LOGIN%20%5BUser1%5D%20%3CBR%20%2F%3E%20WITH%20PASSWORD%3DN'8AHisc8cRB5dBpDaOuA7irbHP4CD'%2C%20%3CBR%20%2F%3E%20SID%20%3D%200x54E338B637F93B4BAF54855EE70%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F89022i4FAEA3B2EF27E71F%22%20%2F%3E%3C%2FP%3E%3CBR%20%2F%3E%20In%20another%20hand%2C%20if%20you%20are%20transfering%20logins%20from%20Azure%20SQL%20Database%26nbsp%3Bto%20Azure%20SQL%20Database.%20In%20this%20case%20we%20have%204%20different%20scenarios%3A%20%3CBR%20%2F%3E%3CUL%3E%3CBR%20%2F%3E%3CLI%3EIf%20you%20have%20created%20the%20login%2C%26nbsp%3Breview%20this%26nbsp%3Blink%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsql-database%2Fsql-database-geo-replication-security-config%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%20Geo-Replication%3C%2FA%3E%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3EIf%20you%20have%20contained%20users%2C%20there%20is%20not%20needed%20to%20do%20anything.%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3EIf%20you%20have%20the%20login%20and%20transferred%20the%20data%20using%20bacpac%2C%20there%20is%20not%20needed%20to%20do%20anything.%3C%2FLI%3E%3CBR%20%2F%3E%3CLI%3EIf%20you%20have%20the%20login%20and%20the%20transferred%20of%20the%20data%20has%20been%20used%20using%20CREATE%20DATABASE%20..%20AS%20COPY%20OF%20from%20different%20servers%2C%20you%20need%20to%20do%20the%20following%20the%20same%20page%20that%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsql-database%2Fsql-database-geo-replication-security-config%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%20geo-replication%3C%2FA%3E%3C%2FLI%3E%3CBR%20%2F%3E%3C%2FUL%3E%0A%20%0A%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-369031%22%20slang%3D%22en-US%22%3EFirst%20published%20on%20MSDN%20on%20Mar%2029%2C%202018%20In%20some%20situations%2C%20we%20need%20to%20transfer%20the%20logins%2Fuser%20or%20contained%20user%20from%20our%20OnPremise%20Server%20to%20Azure%20SQL%20Database.%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-369031%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20SQL%20Database%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ecreate%20login%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ecreate%20user%20for%20login%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Efor%20login%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ELogin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOnPremise%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Esid%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESQL%20Server%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ETransfer%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Euser%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ewith%20password%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Ewith%20sid%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Version history
Last update:
‎Mar 13 2019 06:59 PM
Updated by: