SQL vs Azure Permissions

Rebecca Lewis continues a series on how Azure permissions and SQL Server (or Azure SQL Database) permissions are not the same thing:

Welcome to cloud permissions, where ‘Contributor’ doesn’t mean you can contribute and ‘Reader’ doesn’t mean you can read.

In my last post, I explained the management plane vs data plane split. This post is the promised follow-up for the minimum permission combinations for common DBA tasks. aka, what you need, how to verify it, and how to fix it when it fails.

I’m the guy pushing up my no-longer-existent glasses and saying “Well, actually…” to the first sentence, though stylistically, it’s a good one. But getting past the first sentence, there are some nice breakdowns of what it takes to do what you need to do on a cloud-hosted database.

2 Comments

  1. Rebecca 2026-02-04

    Fair! But ‘Welcome to cloud permissions, where role names describe abstract API scopes rather than user expectations’ didn’t fit. 🙂 Thank you for the repost, Kevin. I need to think on the best revision. Until then…

    Contributor does let you contribute — to the management plane (creating, configuring, deleting Azure resources)
    Reader does let you read — the management plane metadata

    • Kevin Feasel 2026-02-04

      Oh, for sure, the names can be confusing to people who don’t know what they mean because so many of these terms are overloaded. I mean, overloading terms in a Microsoft product? Never!
