Changing the password of SQL Logins in Azure SQL Database while connected as an Azure Active Directory (AAD) user can lead to encountering an error "Msg 15151, Level 16, State 1, Line 1 - Cannot alter the login 'UserName', because it does not exist or you do not have permission".
When attempting to change the password of a SQL Login in Azure SQL Database while connected as an Azure Active Directory (AAD) user, you may encounter the error message "Msg 15151, Level 16, State 1, Line 1 - Cannot alter the login 'UserName', because it does not exist or you do not have permission." This error occurs when the user connected as an AAD login lacks the necessary permissions to modify SQL Logins or when the targeted SQL Login does not exist.
Azure Active Directory admins do not have the permission to change the password of the SQL admin account directly.
To resolve this error, you have a couple of options:
1. Switch the connection to a SQL Login user: If you have access to a SQL Login user with the necessary permissions, you can switch your connection to that user and then proceed to change the password of the SQL Login. SQL Login users are managed separately from AAD logins and have the appropriate permissions to modify SQL Logins.
2. Use the portal to change the administrator password: Another option is to use the Azure portal or Azure PowerShell to change the password of the SQL administrator account.
Example
we have received a service request where a customer was trying to allow AAD group users to create a schema on Azure SQL database while having the minimum roles needed.
Sample script for the assigned roles to the AAD group:
CREATE USER [AADGroupName] FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA = [dbo];
ALTER ROLE [db_datareader] ADD MEMBER [AADGroupName]
ALTER ROLE [db_datawriter] ADD MEMBER [AADGroupName]
ALTER ROLE [db_ddladmin] ADD MEMBER [AADGroupName]
GO
The AAD group had db_datareader, db_datawriter and db_ddladmin roles only, and while an AAD user was trying to create a schema they were receiving the below error:
Msg 15151, Level 16, State 1, Line 1
Cannot find the user '', because it does not exist or you do not have permission.
Msg 2759, Level 16, State 0, Line 1
CREATE SCHEMA failed due to previous errors.
As mentioned in our public document for create schema, “An Azure AD user does not have an individual database user account (a database principal in the database), but accesses a database as a member of an Azure AD group which has a database user account (a database principal for the Azure AD group).
By database-level roles structure, the CREATE_SCHEMA permission is granted for db_accessadmin and db_secuirtyadmin, while db_ddladmin does not have this permission as below:
For more information: Database-Level Roles - SQL Server | Microsoft Learn.
Therefore, to grant this permission with the minimum database roles we granted the db_accessadmin but we have denied the ALTE ANY USER permissions as below:
Create USER [AADGroupName] FROM EXTERNAL PROVIDER WITH DEFAULT_SCHEMA=[dbo]
GO
ALTER ROLE [db_datareader] ADD MEMBER [AADGroupName]
ALTER ROLE [db_datawriter] ADD MEMBER [AADGroupName]
ALTER ROLE [db_ddladmin] ADD MEMBER [AADGroupName]
ALTER ROLE [db_accessadmin] ADD MEMBER [AADGroupName]
DENY alter any user to [AADGroupName];
Disclaimer
Please note that the products and options presented in this article are subject to change. This article reflects the options in October 2023.
I hope this article was helpful to you, please feel free to share your feedback in the comments section.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.