Azure SQL Database
An Azure relational database service.
Troubleshooting azure sql connection through token w/ sqlclient.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 41%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWR%3C/text%3E%3C/svg%3E)
Whit Rooke
0
Reputation points Microsoft Employee
I'm trying to set up an inter-tenant connection from an azure hosted .NET application to an azure Sql database. Let's say the application is in tenant A, and the sql database in tenant B.
I would like to do this through token authorization, utilizing an enterprise application in tenant A with the application, that has a provisioned service principal in tenant B. In tenant B, I have given the service principal contributor and reader access to the sql server, as well as created a user in the database and given it reader and writer permissions. I've confirmed that the user exists and that its sid maps to the Application Id of the service principal. The sql server also has an Entra administrator assigned, and "allow azure services and resources to access the server" is set to true.
Yet when I try to connect by creating a sqlConnection object and assigning it an AccessToken, I receive and error saying Login failed for User ''. I've taken a look at the token utilized when generating the error, and the "aud" is "https://database.windows.net", the tenant id is that of tenant B with the sql server/database, the appid and oid correclty match to that of the service principal in tenant B, yet the connection still won't go through.
What else could I look into to troubleshoot this? Thanks.
Azure SQL Database
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 8%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EST%3C/text%3E%3C/svg%3E)
Smaran Thoomu 28,225 Reputation points Microsoft External Staff Moderator2025-08-05T21:40:58.86+00:00 Hi Whit Rooke
Thanks for laying out the setup clearly.Since you're using a token with a service principal across tenants and getting
Login failed for user '', even though the token appears to be valid (correctaud,appid,oid), here are a few things worth checking:- SQL user creation: In the target database (tenant B), the user should be created using
CREATE USER [appId] FROM EXTERNAL PROVIDER;– make sure it maps directly to the service principal’sappId, not display name or object ID. - Connection string: With token auth, you don’t need to pass a username in the connection string. Just set the
AccessTokenproperty onSqlConnection. - Permissions: Double-check that the created SQL user in the DB actually has required roles (e.g.,
db_datareader,db_datawriter). Contributor/Reader roles on the SQL Server resource in Azure don’t grant access inside the database itself. - Allow Azure services: You mentioned it’s enabled - that’s good. But for inter-tenant access, firewall rules and the presence of an Entra admin still matter. Consider adding the service principal explicitly as a SQL AAD user.
If all of that checks out and it’s still failing, you can test the token by decoding it (via jwt.ms) and confirming claims like
oid,appid, andtidmatch what you expect. Also, worth verifying the token is forhttps://database.windows.netand hasn’t expired.
Useful references:- Use Microsoft Entra service principals to connect to Azure SQL
- Grant permissions to managed identities in Azure SQL
For a similar discussion and resolution steps, you might also find this helpful: https://learn.microsoft.com/en-us/answers/questions/1665815/error-attempting-to-create-user-from-external-prov
I hope this information helps. Please do let us know if you have any further queries.
Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.
- SQL user creation: In the target database (tenant B), the user should be created using
-
Whit Rooke 0 Reputation points Microsoft Employee
2025-08-06T15:59:59.2633333+00:00 Hey there Smaran, thanks for your input, as well as all the resources provided.
I was creating the user through the display name, and on your suggestion tried to create with a statement saying CREATE USER [app id] FROM EXTERNAL PROVIDER; This, however, resulted in an error stating "Principal 'app id' (with the actual app id present) could not be found or this principal type is not supported."
This seems like it might be related, due to the inability to map the token to the service principal's user. I also looked into trying to add the service principal explicitly as a SQL AAD user, but believe that that is the case, with the display name generated service principal database user created, though if I'm misunderstanding, I wouldn't be suprised!
Could this be an issue with the sql server needing directory reader access? Could that be why it can't match the appID to any service principal when trying to generate a database user that way?
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 95%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
Saraswathi Devadula 10,855 Reputation points Microsoft External Staff Moderator2025-08-06T19:08:50.3466667+00:00 Hi Whit Rooke
Upon our discussion via remote session, you're initially attempting to connect using this service principal, but it results in a "login failed for user" error, followed by an empty response.
Even though the service principal has both Contributor and Data Reader roles assigned at the SQL Server and database levels, the connection still fails.
Interestingly, when accessed via Azure Data Factory, the connection works perfectly. There's another connection configured through Azure Data Factory that can successfully insert data and create tables in the same SQL Server—no issues there. The problem seems to arise specifically when connecting using token-based authentication through the SQL client.
The service principal exists in both tenants via resource sharing, since cross-tenant service principals aren't supported. Please capture the tokens used in both the successful and failed connection scenarios to assist with further investigation.
-
Whit Rooke 0 Reputation points Microsoft Employee
2025-08-08T21:54:52.3333333+00:00 The solution was not anything to do with the token. All was fine there, though after opening the sqlConnection, when generating the sqlCommand, a new sqlConnection was used to generate it, one without the token parameter. Thus the command couldn't authenticate, and was giving the '' user because it had nothing to base it's authentication on.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 4%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
SSingh-MSFT 16,381 Reputation points Moderator2025-08-12T06:47:19.95+00:00
Sign in to comment
Sign in to answer