The question:
Where is the password saved when creating a contained user for the Azure SQL database (PaaS)?
For example:
CREATE USER taiobtest WITH password='PVHz3U4A$LNytQF^';
GO
For server logins I can get it from sys.sql_logins:password_hash column.
My use case is refreshing non-production from production backup. I need to script out the database contained users and all relevant permission before the restoration. Once restored clean up production database users/permission and reinstate non-production users and permissions.
The Solutions:
Below are the methods you can try. The first solution is probably the best. Try others if the first one doesn’t work. Senior developers aren’t just copying/pasting – they read the methods carefully & apply them wisely to each case.
Method 1
As Tibor points out, the practical answer here is “in the database”, so it follows the database through backup/restore or an AG failover. That is the reason database users with passwords were added to partially contained databases and Azure SQL Database.
If you examine the object_definition of sys.database_principals you can discover that it’s actually in a system table called sys.sysowners, stored as a hash, which can only be queried from the Dedicated Administrator Connection.
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0