AJAJ
Regular Visitor

Azure SQL Firewall

Hi there,

I have 2 environments - Dev and Prod (both have the same issue). I'm more of an admin on the Azure environment (recently made subscription admin),

after which I'm having difficulty removing IPs from the Azure SQL Firewall. (Those IPs are my own IPs, added via SSMS before I became Azure subscription admin.) (Earlier I was able to delete IPs.) Today my manager granted me subscription admin and SQL Security Manager, and I am still not able to remove the grayed-out IPs.

 

AJAJ_1-1754572070938.png



The Prod resource group has a lock. Looks like permissions are messed up. What permission do I need to have control over RGroups?

AJAJ_2-1754572169826.png

 

Thanks


2 ACCEPTED SOLUTIONS
v-sdhruv
Community Support

Hi @AJAJ ,

Grayed-out IPs in Azure SQL Firewall typically indicate server-level firewall rules that were created by the server-level principal login. According to Microsoft documentation, only the server-level principal login—the account created during the initial provisioning of the SQL server—can delete these rules using sp_delete_firewall_rule.
Refer:

https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-delete-firewa...

 

Even with Subscription Admin and SQL Security Manager roles, you won’t have access to delete these rules unless:

  • You are logged in as the server-level principal login, or
  • You are assigned as a Microsoft Entra admin for the SQL server

Therefore, you can follow these steps:

  1. Confirm whether you are the server-level principal login or request access from whoever is.
  2. If you’re not, ask your Azure admin to assign you as a Microsoft Entra admin for the SQL server.
  3. Remove the resource group lock if you have the necessary permissions or request it from someone who does.

Hope this helps!


v-sdhruv
Community Support

Hi @AJAJ ,

(To get full of Azure SQL but don't want my ID to be as admin unnecessarily to avoid any unknown breaches)
You will need either the Owner or Contributor role at server-level.

To regain the ability to manage those grayed-out IPs:

Try connecting to the master database in SSMS and run:

EXEC sp_delete_firewall_rule @name = N'YourRuleName';

If you get an error like “User must be in the master database,” you're not the principal login.
Your current role change may have revoked or overridden that access.
To answer:

What do I need to do for full control of resource group. Azure SQL DB is within that RG?

If the RG is locked, only users with delete or write permissions can remove or modify the lock.

You can assign yourself the necessary roles using Azure RBAC:

  1. Go to the RG in Azure Portal
  2. Navigate to Access Control (IAM)
  3. Click Add Role Assignment
  4. Select either Owner or Contributor

Refer: https://learn.microsoft.com/en-us/azure/role-based-access-control/

Hope this helps!
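
An added example, not part of the original thread or taken from Microsoft's documentation: a read-only review query for the cleanup discussed in the two answers above. It lists the server-level firewall rules from sys.firewall_rules and generates, without executing, the sp_delete_firewall_rule statement for each one. The 90-day cutoff and the review_note wording are assumptions.

```sql
-- Added example (not from the thread). Run in SSMS while connected to the
-- master database of the logical server. Read-only: it generates the delete
-- statements for review and does not execute them.

IF DB_NAME() <> N'master'
BEGIN
    RAISERROR(N'Connect to the master database before running this review.', 16, 1);
    RETURN;
END;

DECLARE @max_age_days int = 90;  -- assumed cutoff; adjust to your own policy

SELECT
    fr.name,
    fr.start_ip_address,
    fr.end_ip_address,
    fr.create_date,
    fr.modify_date,              -- stored in UTC
    CASE
        -- 0.0.0.0 to 0.0.0.0 is the "allow Azure services" rule
        WHEN fr.start_ip_address = '0.0.0.0' AND fr.end_ip_address = '0.0.0.0'
            THEN 'allow-Azure-services rule; remove only if intended'
        WHEN fr.start_ip_address = '0.0.0.0' AND fr.end_ip_address = '255.255.255.255'
            THEN 'open to every address; review first'
        WHEN fr.start_ip_address <> fr.end_ip_address
            THEN 'address range; confirm the owner'
        WHEN fr.modify_date < DATEADD(DAY, -@max_age_days, SYSUTCDATETIME())
            THEN 'single IP, older than cutoff'
        ELSE 'single IP, recent'
    END AS review_note,
    -- Quote-escape the rule name so the generated statement is safe to paste
    N'EXEC sp_delete_firewall_rule @name = N'''
        + REPLACE(fr.name, N'''', N'''''') + N''';' AS delete_statement
FROM sys.firewall_rules AS fr
ORDER BY fr.modify_date;
```

Copy only the reviewed delete_statement values into a new query window on master and run them under a login that is permitted to delete server-level rules.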


6 REPLIES 6

AJAJ
Regular Visitor

What do I need to do for full control of resource group. Azure SQL DB is within that RG.

Thanks. 

For anyone referring to this in the future:

I got myself made Owner of the resource group and navigated to the Azure SQL DB. Of course, as recommended above, you need to be a contributor (I guess it may not matter since your ID is admin). On the other hand, you could ask whoever is the admin to do the below to remove / clean up greyed-out IPs on Azure SQL.

AJAJ_0-1755029642491.png

 

v-sdhruv
Community Support
Community Support

Thank you @AJAJ for sharing your inputs.
This would definitely help the community members who are facing such an issue.

Thanks. Those grey IPs are my own IPs, created when I logged into SSMS. I was able to delete them myself for many months earlier. Once I got subscription-level admin, I later got to know my IPs are greyed out, and now I want to clean up. Does it mean that once I became S-Admin I lost the server-level principal login? I'm still able to log in and continue DB development activities with no issues. Anyway, what should be done so I become the server-level principal login again?

I remember I was SQL contributor. I never had much of any admin access till the last 2 weeks (except PBI admin), and for many months I was still able to add/remove SQL IPs under the firewall. I'm not sure seeking S-Admin or AAD admin is all necessary to delete the SQL firewall rules. I don't want unnecessary admin access when I was able to delete IPs without admin access earlier. All I need is full control of Azure SQL. Not SAdmin, not AAD admin, etc. Can you please guide me to get full of Azure SQL but don't want my ID to be as admin unnecessarily to avoid any unknown breaches.

AJAJ_0-1754686249234.png

 
