Azure SQL Database – contained users password

The question:

Where is the password saved when creating a contained user for the Azure SQL database (PaaS)?

For example:

CREATE USER taiobtest WITH password='PVHz3U4A$LNytQF^';

For server logins I can get it from sys.sql_logins:password_hash column.

My use case is refreshing non-production from production backup. I need to script out the database contained users and all relevant permission before the restoration. Once restored clean up production database users/permission and reinstate non-production users and permissions.

The Solutions:

Below are the methods you can try. The first solution is probably the best. Try others if the first one doesn’t work. Senior developers aren’t just copying/pasting – they read the methods carefully & apply them wisely to each case.

Method 1

As Tibor points out, the practical answer here is “in the database”, so it follows the database through backup/restore or an AG failover. That is the reason database users with passwords were added to partially contained databases and Azure SQL Database.

If you examine the object_definition of sys.database_principals you can discover that it’s actually in a system table called sys.sysowners, stored as a hash, which can only be queried from the Dedicated Administrator Connection.

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Comment