Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Applies to: 
Azure SQL Database
This article describes the procedure to grant access to an Azure SQL Database Hyperscale named replica without granting access to the primary replica or other named replicas. This scenario allows resource and security isolation of a named replica - as the named replica will be running using its own compute node - and it's useful whenever isolated read-only access to an Azure SQL Hyperscale database is needed. Isolated, in this context, means that CPU and memory aren't shared between the primary and the named replica, queries running on the named replica don't use compute resources of the primary or of any other replicas, and principals accessing the named replica can't access other replicas, including the primary.
Note
Microsoft Entra ID was previously known as Azure Active Directory (Azure AD).
Create a login on the primary server
In the master database on the logical server hosting the primary database, execute the following to create a new login.
Replace <password> with a strong password.
CREATE LOGIN [third-party-login]
WITH PASSWORD = '<password>';
Retrieve the SID hexadecimal value for the created login from the sys.sql_logins system view:
SELECT SID
FROM sys.sql_logins
WHERE name = 'third-party-login';
Disable the login. This prevents this login from accessing any database on the server hosting the primary replica.
ALTER LOGIN [third-party-login] DISABLE;
Create a user in the primary read-write database
Once the login has been created, connect to the primary read-write replica of your database. For example, restore WideWorldImporters with the details available in Installation and configuration. Then, create a database user for that login:
CREATE USER [third-party-user] FOR LOGIN [third-party-login];
As an optional step, once the database user has been created, you can drop the server login created in the previous step if there are concerns about the login getting re-enabled in any way. Connect to the master database on the logical server hosting the primary database, and execute the following sample scripts:
DROP LOGIN [third-party-login];
Create a named replica on a different logical server
Create a new Azure SQL logical server that to be used to isolate access to the named replica. Follow the instructions available at Create and manage servers and single databases in Azure SQL Database. To create a named replica, this server must be in the same Azure region as the server hosting the primary replica.
Replace <password> with a strong password. For example, using Azure CLI:
az sql server create -g MyResourceGroup -n MyNamedReplicaServer -l MyLocation --admin-user MyAdminUser --admin-password <password>
Then, create a named replica for the primary database on this server. For example, using Azure CLI:
az sql db replica create -g MyResourceGroup -n WideWorldImporters -s MyPrimaryServer --secondary-type Named --partner-database WideWorldImporters_NR --partner-server MyNamedReplicaServer
Create a login on the named replica server
Connect to the master database on the logical server hosting the named replica, created in the previous step. Replace <password> with a strong password. Add the login using the SID retrieved from the primary replica:
CREATE LOGIN [third-party-login] WITH PASSWORD = '<password>', sid = 0x0...1234;
At this point, users and applications using third-party-login or bob@contoso.com can connect to the named replica, but not to the primary replica.
Grant object-level permissions within the database
Once you have set up login authentication as described, you can use regular GRANT, DENY and REVOKE statements to manage authorization, or object-level permissions within the database. In these statements, reference the name of the user you created in the database, or a database role that includes this user as a member. Remember to execute these commands on the primary replica. The changes propagate to all secondary replicas, but they will only be effective on the named replica where the server-level login was created.
Remember that by default a newly created user has a minimal set of permissions granted (for example, it can't access any user tables). If you want to allow third-party-user or bob@contoso.com to read data in a table, you need to explicitly grant the SELECT permission:
GRANT SELECT
ON [Application].[Cities] TO [third-party-user];
As an alternative to granting permissions individually on every table, you can add the user to the db_datareaders database role to allow read access to all tables, or you can use schemas to allow access to all existing and new tables in a schema.
Test access
You can test this configuration by using any client tool and attempt to connect to the primary and the named replica. For example, using sqlcmd, you can try to connect to the primary replica using the third-party-login user. Replace <password> with a strong password.
sqlcmd -S MyPrimaryServer.database.windows.net -U third-party-login -P <password> -d WideWorldImporters
This will result in an error as the user isn't allowed to connect to the server:
Sqlcmd: Error: Microsoft ODBC Driver 13 for SQL Server : Login failed for user 'third-party-login'. Reason: The account is disabled.
The attempt to connect to the named replica succeeds. Replace <password> with a strong password.
sqlcmd -S MyNamedReplicaServer.database.windows.net -U third-party-login -P <password> -d WideWorldImporters_NR
No errors are returned, and queries can be executed on the named replica as allowed by granted object-level permissions.