User gets "Login failed for user '<token-identified principal>'" when creating a DB in Synapse serverless SQL pool, despite having admin roles

Priyesh Shrestha 0 Reputation points
2025-10-23T10:49:18.9866667+00:00

Hi everyone,

I have an Azure Synapse Analytics workspace, and I’m trying to give another user access to create a database in the Built-in serverless SQL pool.

Here’s what I’ve done so far:

In the Synapse workspace, under Manage → Security → Access Control (IAM), I’ve assigned the user the following roles:

  • Synapse SQL Administrator
  • Synapse Administrator

I’ve also tried giving the user Owner permissions at the subscription level in the Azure portal, but the issue persists.

When the user tries to create a database in the Built-in (serverless) SQL pool, they get the following error:

Login failed for user '<token-identified principal>'.
You don’t have access to the serverless SQL pool, Built-in.
To be granted access, contact a Synapse Admin for this workspace.

I’ve verified that the user can access the workspace itself but cannot run SQL commands or create a database in the built-in pool.

Could anyone help me understand what might be missing or what additional configuration is required to allow the user to access and create databases in the serverless SQL pool?

Thanks in advance!

Azure Synapse Analytics
An Azure analytics service that brings together data integration, enterprise data warehousing, and big data analytics. Previously known as Azure SQL Data Warehouse.

2 answers

  1. Vinodh247 40,141 Reputation points MVP Volunteer Moderator
    2025-10-23T13:48:59.1033333+00:00

    Hi,

    Thanks for reaching out to Microsoft Q&A.

    In synapse serverless SQL, Azure RBAC roles (like synapse administrator/owner) do not automatically grant db level access to the built in SQL pool. Access must be explicitly granted inside the SQL pool itself using AAD authentication.

    To fix this, try the below:

    1. Log in to the built-in SQL pool using an account that already has access (for example, the workspace creator).
    2. Run these commands in the built-in pool:

      CREATE LOGIN [@domain.com] FROM EXTERNAL PROVIDER;
      CREATE USER [@domain.com] FROM LOGIN [@domain.com];
      EXEC sp_addrolemember 'db_owner', [@domain.com];

    3. If the user still gets the <token-identified principal> error, ensure they connect via AAD (Integrated) authentication from Synapse Studio or Azure Data Studio; SQL auth is not supported for serverless.

    Please 'Upvote' (Thumbs-up) and 'Accept' as answer if the reply was helpful. This will benefit other community members who face the same issue.


  2. Abhisek Mishra 1,020 Reputation points Microsoft External Staff Moderator
    2025-11-05T17:55:12.8633333+00:00

    Hi Priyesh Shrestha,

    The main reason for this error is that even though the user has workspace-level roles, they still need specific permission setup inside the serverless SQL pool itself.

    Workspace Managed Identity Permission: The Synapse workspace uses a special identity to access user info in Azure Active Directory. This identity must have Directory Readers permission in Azure AD. Without this, the serverless SQL pool won’t recognize users properly, causing the login error.

    Login Conflicts in SQL Pool: Sometimes, a login for the user exists but not correctly linked to their email. This can prevent the system from creating or recognizing them. You need to check and, if necessary, delete any conflicting login and then recreate it with the commands you tried.

    Correct Authentication Method: Ensure the user “Maja” is connecting using Azure Active Directory authentication (not SQL authentication). This is essential for serverless pools.

    Could you please check the below and confirm:

    • Ask your Azure AD admin to give Directory Readers permission to the Synapse workspace managed identity.
    • Run a check in the serverless pool to find and remove any conflicting logins for Maja.
    • Re-run the login and role assignment commands.
    • Confirm with User that they are connecting via Azure AD authentication.
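The following is an added example, not code from the question or either answer. It combines the login/user/role commands from the first answer with the "conflicting login" check from the second answer into an idempotent script. It assumes a serverless SQL pool, a client that honours the GO batch separator (SSMS or Azure Data Studio), a placeholder principal name user@contoso.example, and that Azure AD logins appear in sys.server_principals with type 'E'.

```sql
-- STEP 1: run while connected to the master database of the Built-in pool,
-- as an account that already has access (for example, the workspace creator).
DECLARE @principal sysname = N'user@contoso.example';  -- constructed placeholder
DECLARE @sql nvarchar(max);

-- Assumption: Azure AD logins surface here with type 'E' (external user).
-- A same-named row with any other type is the "conflicting login" case.
SELECT name, type_desc, sid, create_date
FROM sys.server_principals
WHERE name = @principal;

IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = @principal AND type = 'E')
BEGIN
    -- QUOTENAME keeps the principal name inside the bracketed identifier.
    SET @sql = N'CREATE LOGIN ' + QUOTENAME(@principal) + N' FROM EXTERNAL PROVIDER;';
    EXEC (@sql);
END;
GO

-- STEP 2: reconnect to the database the user needs rights in and run this part.
DECLARE @principal sysname = N'user@contoso.example';  -- same placeholder
DECLARE @sql nvarchar(max);

-- A stale user with the same name that is not an Azure AD user (type <> 'E')
-- blocks CREATE USER; drop it so it can be recreated from the AAD login.
IF EXISTS (SELECT 1 FROM sys.database_principals
           WHERE name = @principal AND type <> 'E')
BEGIN
    SET @sql = N'DROP USER ' + QUOTENAME(@principal) + N';';
    EXEC (@sql);
END;

IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @principal)
BEGIN
    SET @sql = N'CREATE USER ' + QUOTENAME(@principal)
             + N' FROM LOGIN ' + QUOTENAME(@principal) + N';';
    EXEC (@sql);
END;

-- db_owner is what the answers above prescribe; it grants everything in this
-- database, so prefer a narrower fixed role if the user only needs a subset.
-- ALTER ROLE is the current equivalent of sp_addrolemember.
SET @sql = N'ALTER ROLE db_owner ADD MEMBER ' + QUOTENAME(@principal) + N';';
EXEC (@sql);
```

Re-running the script is safe: each step only creates what is missing, and the SELECT in step 1 shows any pre-existing principal so a mismatch can be reviewed before anything is dropped.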
