Restoring a database backup (.bak) to a new server or Azure SQL — the database user exists in the backup but the server login SID does not match, creating an orphaned user that blocks new CREATE USER calls for the same name. Running a deployment or CI/CD script a second time without idempotent guards — the CREATE USER statement succeeds on first run and fails on every subsequent run. A migration script (Flyway, Liquibase, dbt pre-hook) tries to create a user that was already provisioned manually by a DBA or via the Azure portal. Cloning an Azure SQL database with CREATE DATABASE ... AS COPY OF — the copy inherits all database users, but a subsequent setup script assumes they do not exist yet. Contained database users in Azure SQL — a user with PASSWORD was created in database scope, and a later script attempts to re-create the same principal with FOR LOGIN syntax, hitting the duplicate name check

Step 1: Identify orphaned users — run: SELECT dp.name AS orphaned_user, dp.sid FROM sys.database_principals dp LEFT JOIN sys.server_principals sp ON dp.sid = sp.sid WHERE dp.type IN ('S','U') AND sp.sid IS NULL AND dp.name NOT IN ('dbo','guest','INFORMATION_SCHEMA','sys'); — any rows returned are orphaned.. Step 2: Re-map each orphaned user to its server login: ALTER USER [username] WITH LOGIN = [loginname]; — this updates the SID in the database to match the server login.. Step 3: If no matching server login exists, create one first: CREATE LOGIN [loginname] WITH PASSWORD = 'StrongP@ss1'; then run the ALTER USER from Step 2.. Step 4: For contained databases on Azure SQL (no server logins), drop and recreate the user: DROP USER [username]; CREATE USER [username] WITH PASSWORD = 'StrongP@ss1'; — verify the app connection string uses the database-scoped credential.. Step 5: Make deployment scripts idempotent to prevent recurrence: IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'username') CREATE USER [username] FOR LOGIN [loginname]; — add this guard to every CREATE USER in your migration files.. Step 6: For bulk fixes after a large restore, use Auto_Fix: EXEC sp_change_users_login 'Auto_Fix', 'username', NULL, 'TempP@ss1'; — this creates a matching login if none exists and remaps the user in one call. Repeat per orphaned user from Step 1.. Step 7: Verify the fix — reconnect from ADF or your pipeline tool using the affected credential and re-run the failed activity. Check sys.database_principals to confirm the SID now matches sys.server_principals.

Medium severityauthentication

SQL Server Error:
15023

Impact

Any ADF pipeline or dbt run that provisions database users as part of deployment will fail and block all downstream activities. If the affected user is also the service account used for data movement, all subsequent Copy Activities and Stored Procedure calls fail too — downstream tables go stale until the orphaned user is remapped.

Error 15023 halts the specific pipeline activity that runs the CREATE USER statement — typically a post-deploy provisioning step or a Stored Procedure activity. ADF does not retry DDL failures by default, so the activity stays in Failed state. All downstream activities in the same pipeline are skipped. If the affected user is also the service account used for data movement, subsequent pipelines that depend on that credential will fail at connection time, causing stale tables and missed SLA windows until the orphaned user is remapped.

What does this error mean?

SQL Server raises error 15023 when a CREATE USER, sp_adduser, or sp_grantdbaccess statement tries to add a database principal that already exists in sys.database_principals. In a data-pipeline context you typically hit this after restoring a .bak file to a different server: the database carries its own user list, but the server-level logins have different SIDs — creating an orphaned user. ADF, dbt, or Synapse pipelines that run post-deploy provisioning scripts will fail at the exact CREATE USER step, and the pipeline activity shows status Failed with message 'User, group, or role already exists in the current database'. The connection itself works; it is the user-creation DDL inside the pipeline that breaks.

Common causes

1Restoring a database backup (.bak) to a new server or Azure SQL — the database user exists in the backup but the server login SID does not match, creating an orphaned user that blocks new CREATE USER calls for the same name
2Running a deployment or CI/CD script a second time without idempotent guards — the CREATE USER statement succeeds on first run and fails on every subsequent run
3A migration script (Flyway, Liquibase, dbt pre-hook) tries to create a user that was already provisioned manually by a DBA or via the Azure portal
4Cloning an Azure SQL database with CREATE DATABASE ... AS COPY OF — the copy inherits all database users, but a subsequent setup script assumes they do not exist yet
5Contained database users in Azure SQL — a user with PASSWORD was created in database scope, and a later script attempts to re-create the same principal with FOR LOGIN syntax, hitting the duplicate name check

How to fix it

1Step 1: Identify orphaned users — run: SELECT dp.name AS orphaned_user, dp.sid FROM sys.database_principals dp LEFT JOIN sys.server_principals sp ON dp.sid = sp.sid WHERE dp.type IN ('S','U') AND sp.sid IS NULL AND dp.name NOT IN ('dbo','guest','INFORMATION_SCHEMA','sys'); — any rows returned are orphaned.
2Step 2: Re-map each orphaned user to its server login: ALTER USER [username] WITH LOGIN = [loginname]; — this updates the SID in the database to match the server login.
3Step 3: If no matching server login exists, create one first: CREATE LOGIN [loginname] WITH PASSWORD = 'StrongP@ss1'; then run the ALTER USER from Step 2.
4Step 4: For contained databases on Azure SQL (no server logins), drop and recreate the user: DROP USER [username]; CREATE USER [username] WITH PASSWORD = 'StrongP@ss1'; — verify the app connection string uses the database-scoped credential.
5Step 5: Make deployment scripts idempotent to prevent recurrence: IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'username') CREATE USER [username] FOR LOGIN [loginname]; — add this guard to every CREATE USER in your migration files.
6Step 6: For bulk fixes after a large restore, use Auto_Fix: EXEC sp_change_users_login 'Auto_Fix', 'username', NULL, 'TempP@ss1'; — this creates a matching login if none exists and remaps the user in one call. Repeat per orphaned user from Step 1.
7Step 7: Verify the fix — reconnect from ADF or your pipeline tool using the affected credential and re-run the failed activity. Check sys.database_principals to confirm the SID now matches sys.server_principals.

Example log output

Msg 15023, Level 16, State 1, Line 12
User, group, or role 'etl_service' already exists in the current database.
2026-05-11 08:22:14.003 [ERROR] ADF activity 'Provision_DB_Users' failed: SqlFailedError, Message='User, group, or role 'etl_service' already exists in the current database.' (ErrorCode: 15023, SqlState: S0001)

Frequently asked questions

What is an orphaned user in SQL Server?

An orphaned user is a database-level principal whose SID does not match any login in sys.server_principals. This happens when you restore a .bak to a different server, or copy an Azure SQL database. The user record travels with the database, but the server login does not. Detect orphaned users with: SELECT dp.name, dp.sid FROM sys.database_principals dp LEFT JOIN sys.server_principals sp ON dp.sid = sp.sid WHERE sp.sid IS NULL AND dp.type IN ('S','U'); Fix each one with ALTER USER [name] WITH LOGIN = [login].

How do I fix all orphaned users at once after a restore?

Query the orphaned users list from sys.database_principals (see above), then loop through them with sp_change_users_login: EXEC sp_change_users_login 'Auto_Fix', 'username', NULL, 'TempPassword1!'; for each row. Auto_Fix creates a matching server login if one does not exist and remaps the SID. For Azure SQL contained databases, Auto_Fix is not available — use DROP USER + CREATE USER WITH PASSWORD instead.

How do I prevent error 15023 in deployment scripts?

Wrap every CREATE USER in an existence check: IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'username' AND type IN ('S','U')) CREATE USER [username] FOR LOGIN [loginname]; This makes the script idempotent — safe to run on first deploy and every redeploy after. In Flyway or Liquibase, put this in a versioned migration so it runs exactly once.

Why do I get error 15023 on Azure SQL after cloning a database?

CREATE DATABASE ... AS COPY OF copies all database users and their SIDs into the new database. If you then run a setup script that issues CREATE USER for the same names, SQL Server rejects them because they already exist. The fix: skip CREATE USER if the principal is already present, or use ALTER USER to update the password or login mapping instead of creating from scratch.

Source · learn.microsoft.com/en-us/sql/relational-databases/errors-events/mssqlserver-15023-database-engine-error