Azure SQL Database – contained users password

All we need is an easy explanation of the problem, so here it is.

Where is the password saved when creating a contained user for the Azure SQL database (PaaS)?

For example:

CREATE USER taiobtest WITH password='PVHz3U4A$LNytQF^';

For server logins I can get it from sys.sql_logins:password_hash column.

My use case is refreshing non-production from production backup. I need to script out the database contained users and all relevant permission before the restoration. Once restored clean up production database users/permission and reinstate non-production users and permissions.

How to solve :

I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you.

Method 1

As Tibor points out, the practical answer here is "in the database", so it follows the database through backup/restore or an AG failover. That is the reason database users with passwords were added to partially contained databases and Azure SQL Database.

If you examine the object_definition of sys.database_principals you can discover that it’s actually in a system table called sys.sysowners, stored as a hash, which can only be queried from the Dedicated Administrator Connection.

Note: Use and implement method 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply