Azure

How to fix Login failed for user errors in Azure SQL Database

Understanding “Login Failed for User” in Azure SQL

The error “Login failed for user” (Error 18456) in Azure SQL Database is one of the most common connection failures. This error occurs during the authentication phase — before any query execution — and can be caused by incorrect credentials, firewall blocking, AD authentication issues, or the database being unavailable. This guide covers every state and sub-error for Error 18456 and how to resolve each one.

Diagnostic Context

When encountering Login failed for user errors in Azure SQL Database, the first step is understanding what changed. In most production environments, errors do not appear spontaneously. They are triggered by a change in configuration, code, traffic patterns, or the platform itself. Review your deployment history, recent configuration changes, and Azure Service Health notifications to identify potential triggers.

Azure maintains detailed activity logs for every resource operation. These logs capture who made a change, what was changed, when it happened, and from which IP address. Cross-reference the timeline of your error reports with the activity log entries to establish a causal relationship. Often, the fix is simply reverting the most recent change that correlates with the error onset.

If no recent changes are apparent, consider external factors. Azure platform updates, regional capacity changes, and dependent service modifications can all affect your resources. Check the Azure Status page and your subscription’s Service Health blade for any ongoing incidents or planned maintenance that coincides with your issue timeline.

Common Pitfalls to Avoid

When fixing Azure service errors under pressure, engineers sometimes make the situation worse by applying changes too broadly or too quickly. Here are critical pitfalls to avoid during your remediation process.

First, avoid making multiple changes simultaneously. If you change the firewall rules, the connection string, and the service tier all at once, you cannot determine which change actually resolved the issue. Apply one change at a time, verify the result, and document what worked. This disciplined approach builds reliable operational knowledge for your team.

Second, do not disable security controls to bypass errors. Opening all firewall rules, granting overly broad RBAC permissions, or disabling SSL enforcement might eliminate the error message, but it creates security vulnerabilities that are far more dangerous than the original issue. Always find the targeted fix that resolves the error while maintaining your security posture.

Third, test your fix in a non-production environment first when possible. Azure resource configurations can be exported as ARM or Bicep templates and deployed to a test resource group for validation. This extra step takes minutes but can prevent a failed fix from escalating the production incident.

Fourth, document the error message exactly as it appears, including correlation IDs, timestamps, and request IDs. If you need to open a support case with Microsoft, this information dramatically speeds up the investigation. Azure support engineers can use correlation IDs to trace the exact request through Microsoft’s internal logging systems.

Error 18456 States

SQL Server returns different state codes with Error 18456 to indicate the specific cause. The state is logged in the server’s error log but not always shown to the client (for security).

State Description Fix
1 Error information not available Check server logs for details
2, 5 Invalid user ID User doesn’t exist in the database
6 Windows login attempted on SQL-auth-only server Use SQL authentication
7 Login disabled Re-enable the login
8 Incorrect password Verify password
9 Invalid password (old format) Reset password
11, 12 Valid login but server access failure Check server-level permissions
13 SQL Server service paused Resume the service
16 Target database not found Verify database name
18 Password must be changed at first login Change password
27 Initial database not found Check default database setting
38 Database not found for login Verify database exists and user has access
40 Explicit connection to master failed Check master database access
46 Firewall rule blocking Add client IP to firewall rules
58 Windows auth attempted on non-Windows login Use correct authentication mode

Most Common Fixes

1. Wrong Username or Password

# Verify the admin login
az sql server show \
  --name myserver \
  --resource-group myRG \
  --query "administratorLogin"

# Reset admin password
az sql server update \
  --name myserver \
  --resource-group myRG \
  --admin-password "NewP@ssword123!"

# Test connection
sqlcmd -S myserver.database.windows.net -U myadmin -P "NewP@ssword123!" -d mydb

2. User Doesn’t Exist in the Database

-- Check if user exists (run in target database)
SELECT name, type_desc, authentication_type_desc 
FROM sys.database_principals
WHERE type IN ('S', 'E', 'X')  -- SQL user, External user, External group
ORDER BY name;

-- Create SQL user
CREATE USER [myappuser] WITH PASSWORD = 'SecureP@ssword!';
ALTER ROLE db_datareader ADD MEMBER [myappuser];
ALTER ROLE db_datawriter ADD MEMBER [myappuser];

-- Create user from server login
CREATE USER [myappuser] FROM LOGIN [myappuser];

-- Create Azure AD user
CREATE USER [myapp@contoso.com] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [myapp@contoso.com];

3. Connecting to Wrong Database

Error: Login failed for user 'myappuser'. (State 38/27)
Reason: User exists on server but not in the target database
# List databases on the server
az sql db list \
  --server myserver \
  --resource-group myRG \
  --query "[].name" -o tsv

# Verify user exists in the specific database
sqlcmd -S myserver.database.windows.net -U myadmin -P "..." \
  -d mydb -Q "SELECT name FROM sys.database_principals WHERE name = 'myappuser'"

4. Firewall Blocking (State 46)

# Add your IP to firewall rules
az sql server firewall-rule create \
  --server myserver \
  --resource-group myRG \
  --name AllowMyIP \
  --start-ip-address $(curl -s https://api.ipify.org) \
  --end-ip-address $(curl -s https://api.ipify.org)

# Allow Azure services
az sql server firewall-rule create \
  --server myserver \
  --resource-group myRG \
  --name AllowAzureServices \
  --start-ip-address 0.0.0.0 \
  --end-ip-address 0.0.0.0

Azure AD Authentication Issues

# Set Azure AD admin
az sql server ad-admin create \
  --server myserver \
  --resource-group myRG \
  --display-name "SQL Admin" \
  --object-id "azure-ad-user-object-id"

# Check current AD admin
az sql server ad-admin list \
  --server myserver \
  --resource-group myRG
// C#: Connect with Azure AD authentication
// Using DefaultAzureCredential (managed identity in Azure, Azure CLI locally)
var credential = new DefaultAzureCredential();
var token = await credential.GetTokenAsync(
    new TokenRequestContext(new[] { "https://database.windows.net/.default" }));

var connectionString = "Server=myserver.database.windows.net;Database=mydb;";
using var connection = new SqlConnection(connectionString)
{
    AccessToken = token.Token
};
await connection.OpenAsync();
# Python: Azure AD token-based authentication
from azure.identity import DefaultAzureCredential
import pyodbc
import struct

credential = DefaultAzureCredential()
token = credential.get_token("https://database.windows.net/.default")

# Convert token to SQL Server format
token_bytes = token.token.encode("UTF-16-LE")
token_struct = struct.pack(f'

Root Cause Analysis Framework

After applying the immediate fix, invest time in a structured root cause analysis. The Five Whys technique is a simple but effective method: start with the error symptom and ask "why" five times to drill down from the surface-level cause to the fundamental issue.

For example, considering Login failed for user errors in Azure SQL Database: Why did the service fail? Because the connection timed out. Why did the connection timeout? Because the DNS lookup returned a stale record. Why was the DNS record stale? Because the TTL was set to 24 hours during a migration and never reduced. Why was it not reduced? Because there was no checklist for post-migration cleanup. Why was there no checklist? Because the migration process was ad hoc rather than documented.

This analysis reveals that the root cause is not a technical configuration issue but a process gap that allowed undocumented changes. The preventive action is creating a migration checklist and review process, not just fixing the DNS TTL. Without this depth of analysis, the team will continue to encounter similar issues from different undocumented changes.

Categorize your root causes into buckets: configuration errors, capacity limits, code defects, external dependencies, and process gaps. Track the distribution over time. If most of your incidents fall into the configuration error bucket, invest in infrastructure-as-code validation and policy enforcement. If they fall into capacity limits, improve your monitoring and forecasting. This data-driven approach focuses your improvement efforts where they will have the most impact.

Contained Database Users

-- Azure SQL Database primarily uses contained database users
-- These users exist only in the specific database, not at server level

-- Create contained user with password
CREATE USER [appuser] WITH PASSWORD = 'StrongP@ssword!23';
ALTER ROLE db_datareader ADD MEMBER [appuser];
ALTER ROLE db_datawriter ADD MEMBER [appuser];
ALTER ROLE db_ddladmin ADD MEMBER [appuser];

-- Connection string for contained user
-- Server=myserver.database.windows.net;Database=mydb;User Id=appuser;Password=StrongP@ssword!23;Encrypt=True;

Transient Connection Errors

Azure SQL Database may return transient login failures during maintenance, failover, or resource governance:

Error Description Action
40613 Database not currently available Retry after a few seconds
40501 Service is busy Retry with backoff
40197 Service error processing request Retry
10928 Resource limit reached Reduce connections or scale up
10929 Server too busy Retry later
49918 Cannot process request (insufficient resources) Wait and retry 
// C#: Retry logic for transient errors
var retryPolicy = Policy
    .Handle<SqlException>(ex => new[] { 40613, 40501, 40197, 10928, 10929, 49918 }
        .Contains(ex.Number))
    .WaitAndRetryAsync(
        retryCount: 5,
        sleepDurationProvider: attempt => TimeSpan.FromSeconds(Math.Pow(2, attempt)),
        onRetry: (exception, timeSpan, retryCount, context) =>
        {
            logger.LogWarning($"Retry {retryCount} after {timeSpan.TotalSeconds}s: {exception.Message}");
        });

await retryPolicy.ExecuteAsync(async () =>
{
    using var connection = new SqlConnection(connectionString);
    await connection.OpenAsync();
    // Execute query
});

Error Classification and Severity Assessment

Not all errors require the same response urgency. Classify errors into severity levels based on their impact on users and business operations. A severity 1 error causes complete service unavailability for all users. A severity 2 error degrades functionality for a subset of users. A severity 3 error causes intermittent issues that affect individual operations. A severity 4 error is a cosmetic or minor issue with a known workaround.

For Login failed for user errors in Azure SQL Database, map the specific error codes and messages to these severity levels. Create a classification matrix that your on-call team can reference when triaging incoming alerts. This prevents over-escalation of minor issues and under-escalation of critical ones. Include the expected resolution time for each severity level and the communication protocol (who to notify, how frequently to update stakeholders).

Track your error rates over time using Azure Monitor metrics and Log Analytics queries. Establish baseline error rates for healthy operation so you can distinguish between normal background error levels and genuine incidents. A service that normally experiences 0.1 percent error rate might not need investigation when errors spike to 0.2 percent, but a jump to 5 percent warrants immediate attention. Without this baseline context, every alert becomes equally urgent, leading to alert fatigue.

Implement error budgets as part of your SLO framework. An error budget defines the maximum amount of unreliability your service can tolerate over a measurement window (typically monthly or quarterly). When the error budget is exhausted, the team shifts focus from feature development to reliability improvements. This mechanism creates a structured trade-off between innovation velocity and operational stability.

Dependency Management and Service Health

Azure services depend on other Azure services internally, and your application adds additional dependency chains on top. When diagnosing Login failed for user errors in Azure SQL Database, map out the complete dependency tree including network dependencies (DNS, load balancers, firewalls), identity dependencies (Azure AD, managed identity endpoints), and data dependencies (storage accounts, databases, key vaults).

Check Azure Service Health for any ongoing incidents or planned maintenance affecting the services in your dependency tree. Azure Service Health provides personalized notifications specific to the services and regions you use. Subscribe to Service Health alerts so your team is notified proactively when Microsoft identifies an issue that might affect your workload.

For each critical dependency, implement a health check endpoint that verifies connectivity and basic functionality. Your application's readiness probe should verify not just that the application process is running, but that it can successfully reach all of its dependencies. When a dependency health check fails, the application should stop accepting new requests and return a 503 status until the dependency recovers. This prevents requests from queuing up and timing out, which would waste resources and degrade the user experience.

Connection String Formats

# SQL Authentication
Server=tcp:myserver.database.windows.net,1433;Initial Catalog=mydb;Persist Security Info=False;User ID=myuser;Password=mypassword;MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;

# Azure AD Password
Server=tcp:myserver.database.windows.net,1433;Initial Catalog=mydb;Authentication=Active Directory Password;User ID=user@contoso.com;Password=mypassword;Encrypt=True;

# Azure AD Managed Identity  
Server=tcp:myserver.database.windows.net,1433;Initial Catalog=mydb;Authentication=Active Directory Managed Identity;Encrypt=True;

# Azure AD Interactive (for tools)
Server=tcp:myserver.database.windows.net,1433;Initial Catalog=mydb;Authentication=Active Directory Interactive;User ID=user@contoso.com;Encrypt=True;

Diagnostic Steps

# 1. Test network connectivity
Test-NetConnection -ComputerName myserver.database.windows.net -Port 1433

# 2. Check your public IP
curl -s https://api.ipify.org

# 3. Verify firewall rules include your IP
az sql server firewall-rule list --server myserver --resource-group myRG -o table

# 4. Test with sqlcmd
sqlcmd -S myserver.database.windows.net -U myadmin -P "password" -d mydb -Q "SELECT 1"

# 5. Check server audit logs
az sql server audit-policy show --server myserver --resource-group myRG

Post-Resolution Validation and Hardening

After applying the fix, perform a structured validation to confirm the issue is fully resolved. Do not rely solely on the absence of error messages. Actively verify that the service is functioning correctly by running health checks, executing test transactions, and monitoring key metrics for at least 30 minutes after the change.

Validate from multiple perspectives. Check the Azure resource health status, run your application's integration tests, verify that dependent services are receiving data correctly, and confirm that end users can complete their workflows. A fix that resolves the immediate error but breaks a downstream integration is not a complete resolution.

Implement defensive monitoring to detect if the issue recurs. Create an Azure Monitor alert rule that triggers on the specific error condition you just fixed. Set the alert to fire within minutes of recurrence so you can respond before the issue impacts users. Include the remediation steps in the alert's action group notification so that any on-call engineer can apply the fix quickly.

Finally, conduct a brief post-incident review. Document the root cause, the fix applied, the time to detect, diagnose, and resolve the issue, and any preventive measures that should be implemented. Share this documentation with the broader engineering team through a blameless post-mortem process. This transparency transforms individual incidents into organizational learning that raises the entire team's operational capability.

Consider adding the error scenario to your integration test suite. Automated tests that verify the service behaves correctly under the conditions that triggered the original error provide a safety net against regression. If a future change inadvertently reintroduces the problem, the test will catch it before it reaches production.

Summary

"Login failed for user" (Error 18456) in Azure SQL is caused by incorrect credentials (states 2, 5, 8), the user not existing in the target database (states 16, 27, 38), firewall blocking the connection (state 46), or Azure AD configuration issues. Start by verifying the admin login and password, then check firewall rules include your client IP, confirm the user exists in the specific database (not just at the server level), and implement retry logic for transient errors (40613, 40501) that occur during platform maintenance.

For more details, refer to the official documentation: What is Azure SQL Database?, Troubleshoot connectivity issues and other errors.

Leave a Reply