Administrator Permissions
Log in using administrator credentials and create a new user on the managed system using the following command:
CREATE LOGIN <USER> WITH PASSWORD = '<PASSWORD>'
The following minimum permissions are required for Microsoft Azure SQL Database service accounts (user) based on the operations:
Test Connection
Create the respective database user in the master database for the service login account using the following command:
CREATE USER <USERNAME> FOR LOGIN <LOGIN_NAME>
Aggregation
Note
To access databases other than master, the service account must have a database user mapping on those databases with the public role defined.
Connect to the master database and run the following commands:
ALTER ROLE loginmanager ADD MEMBER <USERNAME>
ALTER SERVER ROLE ##MS_DefinitionReader## ADD MEMBER <LOGIN_NAME>
Provisioning
The following permissions are required for adding and removing entitlements:
- To add or remove fixed server roles to or from login accounts, complete the following:
  - Connect to the master database and run the following command:
ALTER SERVER ROLE <SERVER_ROLE_NAME> ADD MEMBER <LOGIN>
Note
Each member of a server role can add or remove other logins to that same role. Only the server admin account or the Azure Active Directory admin account (which can be an Azure Active Directory Group) can add or remove other logins to or from any of the server roles. The user must have the proper server role assignments to assign the same role to another user. For example, if an administrator has granted ROLE1, ROLE2, and ROLE3 roles to user A, then user A can only grant ROLE1, ROLE2, and ROLE3 to other users. User A cannot assign roles other than those assigned to them.
- To add or remove database roles other than fixed database roles to or from a user on the master database, complete the following:
  - Connect to the master database and run the following command:
ALTER SERVER ROLE ##MS_DatabaseManager## ADD MEMBER <LOGIN_NAME>
Note
Adding or removing to or from fixed database roles from master is not applicable in accordance with Microsoft Azure SQL Database.
- To add or remove custom roles to or from a user on a database other than master, complete the following:
  - Connect to the respective database and run the following command:
GRANT ALTER ANY ROLE TO <USERNAME>
- To add or remove fixed database roles to or from a user on a database other than master, complete the following:
  - Connect to the respective database and run the following command:
ALTER ROLE db_owner ADD MEMBER <USERNAME>
Use the following commands to manage other permissions:
Create, Enable, Disable, Change Password, or Delete Login
- Connect to the master database and run the following command:
ALTER ROLE loginmanager ADD MEMBER <USERNAME>
Create Role on Databases Other Than Master
- Connect to the respective database and run the following command:
GRANT CREATE ROLE TO <USERNAME>
Create Role on Master Database
- Connect to the master database and run the following command:
ALTER SERVER ROLE ##MS_DatabaseManager## ADD MEMBER <LOGIN_NAME>
Delete Role on Databases Other Than Master
- Connect to the respective database and run the following command:
GRANT ALTER ANY ROLE TO <USERNAME>
Delete Role on Master Database
- Connect to the master database and run the following command:
ALTER SERVER ROLE ##MS_DatabaseManager## ADD MEMBER <LOGIN_MEMBER>
Revoke Permissions on Databases Other Than Master
- Connect to the respective database and run the following command:
GRANT CONTROL TO <USERNAME>
Note
Granting or revoking permissions to or from accounts and groups is not applicable on the master database in accordance with Microsoft Azure SQL Database.
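Verifying the service account's grants
The following read-only queries are an added example, not part of the original documentation. They list which of the roles and permissions above a service account actually holds, so that it can be reviewed against the operations it needs. The names svc_login and svc_user are constructed placeholders for the login and its database user.

```sql
-- Added example: read-only audit of the grants described on this page.
-- svc_login and svc_user are constructed placeholder names; substitute your own.
-- Run each part in the connection named in its comment.

-- Part 1: connected to the master database.
-- Server roles held by the login, for example ##MS_DefinitionReader##
-- or ##MS_DatabaseManager##.
SELECT roles.name  AS server_role,
       logins.name AS login_name
FROM sys.server_role_members AS srm
JOIN sys.server_principals AS roles
  ON srm.role_principal_id = roles.principal_id
JOIN sys.sql_logins AS logins
  ON srm.member_principal_id = logins.principal_id
WHERE logins.name = N'svc_login';

-- Part 2: connected to master (shows loginmanager) or to any other
-- database (shows db_owner and custom roles).
-- Database roles held by the user in the current database.
SELECT roles.name   AS database_role,
       members.name AS user_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS roles
  ON drm.role_principal_id = roles.principal_id
JOIN sys.database_principals AS members
  ON drm.member_principal_id = members.principal_id
WHERE members.name = N'svc_user';

-- Part 3: same connection as Part 2.
-- Explicit permissions from this page granted to the user in the current database.
SELECT perms.class_desc,
       perms.permission_name,
       perms.state_desc
FROM sys.database_permissions AS perms
JOIN sys.database_principals AS grantee
  ON perms.grantee_principal_id = grantee.principal_id
WHERE grantee.name = N'svc_user'
  AND perms.permission_name IN (N'ALTER ANY ROLE', N'CREATE ROLE', N'CONTROL');
```

Rows for db_owner or CONTROL indicate the broadest grants on this page; they are needed only for the fixed database role and revoke-permission operations respectively.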