Azure SQL Database
An Azure relational database service.
Login failed for user '<token-identified principal>' (I have spent many hours exhausting options)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 35%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJC%3C/text%3E%3C/svg%3E)
Jonathon Childs
0
Reputation points
Multiple App Service managed identities receive valid Entra tokens that are rejected by Azure SQL with "Login failed for user '<token-identified principal>'" even though:
- The DB user mapping exists with type EXTERNAL_USER
- The user's SID exactly matches the MI's Object ID
- The token's
oidandsubclaims match the SID - The token's
tidmatches the SQL server's Entra admin tenant
I have reproduced with sqlcmd/Invoke-Sqlcmd presenting the token directly.
Production database on the same server accepts MI tokens from the parent App Services with identical setup. Only test slot identities against CDS_Azure_Test fail.
Started ~March 27, 2026.
Azure SQL Database
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 49%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESJ%3C/text%3E%3C/svg%3E)
SAI JAGADEESH KUDIPUDI 2,635 Reputation points Microsoft External Staff Moderator2026-05-05T17:31:08.2166667+00:00 Hi **Jonathon Childs,
Could you please share the error message?
**Could you please share requested details in private message? -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 2%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
Manoj Kumar Boyini 13,930 Reputation points Microsoft External Staff Moderator2026-05-06T16:44:59.5666667+00:00 Based on your scenario, please validate the following:
- Correct database context Ensure the connection is targeting the intended database (not
master), as contained users must exist in the specific database. - User exists and SID matches
SELECT name, type_desc, CONVERT(uniqueidentifier, sid) AS ObjectId FROM sys.database_principals WHERE name = '<identity_name>';Confirm the ObjectId matches the Managed Identity Object ID.
- Important: App Service slot identities Each deployment slot has a separate Managed Identity (different Object ID). If the test slot is being used, ensure the database user was created for that specific identity — not just the parent app.
- Recreate user if needed If there is any mismatch or uncertainty:
DROP USER [<identity_name>]; CREATE USER [<identity_name>] FROM EXTERNAL PROVIDER;Given that production works and only the test slot fails, a mismatch in the identity (especially slot-specific) or stale user mapping is the most likely cause.
- Correct database context Ensure the connection is targeting the intended database (not
Sign in to comment
Sign in to answer