AJAJ
New Contributor III

Azure SQL Firewall

Hi there,

I have 2 environments - Dev and Prod (both have the same issue). I'm more of an admin on the Azure environment (recently made subscription admin),

after which I'm having difficulty removing IPs from the Azure SQL Firewall. (Those IPs are my own IPs, added via SSMS before I became Azure Subscription admin.) (Earlier I was able to delete IPs.) Today my manager granted me subscription admin and SQL Security Manager, and I'm still not able to remove the grayed-out IPs.

 

AJAJ_1-1754572070938.png



Prod Resource group has a lock. Looks like permissions are messed up. What permission do I need to have control over RGroups?

AJAJ_2-1754572169826.png

 

Thanks


v-sdhruv
Honored Contributor

Hi @AJAJ ,

Grayed-out IPs in Azure SQL Firewall typically indicate server-level firewall rules that were created by the server-level principal login. According to Microsoft documentation, only the server-level principal login, the account created during the initial provisioning of the SQL server, can delete these rules using sp_delete_firewall_rule
Refer-

https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-delete-firewa...

 

Even with Subscription Admin and SQL Security Manager roles, you won't have access to delete these rules unless:

  • You are logged in as the server-level principal login, or
  • You are assigned as a Microsoft Entra admin for the SQL server

Therefore you can follow these steps-

  1. Confirm whether you are the server-level principal login or request access from whoever is.
  2. If you're not, ask your Azure admin to assign you as a Microsoft Entra admin for the SQL server.
  3. Remove the resource group lock if you have the necessary permissions or request it from someone who does.

Hope this helps!

AJAJ
New Contributor III

Thanks. Those grey IPs are my own IPs created when I logged into SSMS. I was able to delete them myself for many months earlier. Once I got subscription-level admin, I later got to know my IPs are greyed out, and now I want to clean up. Does it mean once I became S-Admin I lost the server-level principal login? I'm still able to log in and continue DB development activities with no issues. Anyway, what should be done so I become the server-level principal login again?

I remember I was SQL contributor. I never had much of any admin access till the last 2 weeks (except PBI admin), and for many months I was still able to add/remove SQL IPs under the firewall. I'm not sure seeking S-Admin, AAD admin is all necessary to delete the SQL firewall. I don't want unnecessary admin access when I was able to delete IPs without admin access earlier. All I need is full control of Azure SQL. Not SAdmin, not AAD admin, etc. Can you please guide me to get full of Azure SQL but don't want my ID to be as admin unnecessarily to avoid any unknown breaches.

AJAJ_0-1754686249234.png

 

AJAJ
New Contributor III

Thanks. 

For someone referring this in future. 

I got myself as Owner of the resource group and navigated to Azure SQL DB. Of course, as recommended above, you need to be a contributor (I guess it may not matter since your ID is admin). On the other hand, you could ask whoever is the admin to do the below to remove / clean up greyed-out IPs on Azure SQL.

AJAJ_0-1755029642491.png

 

v-sdhruv
Honored Contributor

Thank you @AJAJ  for sharing your inputs.
This would definitely help the community members who are facing such issue.

Please use the Azure CLI command

az sql server firewall-rule delete --resource-group [yourResourceGroupName] --server [yourServerNamewithout.database.windows.net] --name "ClientIPAddress_2025-08-28_08:02:45"

Note: As client IP address is string case sensitive, please add string format ""

Cli Command>az sql server firewall-rule list --resource-group resourceGroupName  --server serverName  --output table
Cli Command>az sql server firewall-rule delete --resource-group resourceGroupName --server serverName  --name "ClientIPAddress_2025-08-28_08:02:45"
Cli Command>az sql server firewall-rule list --resource-group resourceGroupName  --server serverName  --output table

AJAJ
New Contributor III

What do I need to do for full control of resource group. Azure SQL DB is within that RG.

v-sdhruv
Honored Contributor

Hi @AJAJ ,

( To get full of Azure SQL but don't want my ID to be as admin unnecessarily to avoid any unknown breaches )
You will need either the Owner or Contributor role at server-level.

To regain the ability to manage those grayed-out IPs:

Try connecting to the master database in SSMS and run:

EXEC sp_delete_firewall_rule @name = N'YourRuleName';

If you get an error like "User must be in the master database," you're not the principal login.
Your current role change may have revoked or overridden that access.
To answer-

What do I need to do for full control of resource group. Azure SQL DB is within that RG?

If the RG is locked, only users with delete or write permissions can remove or modify the lock.

You can assign yourself the necessary roles using Azure RBAC:

Go to the RG in Azure Portal

Navigate to Access Control (IAM)

Click Add Role Assignment

Select either Owner or Contributor

Refer - https://learn.microsoft.com/en-us/azure/role-based-access-control/

Hope this helps!

maruthi_P
New Contributor

You can use the Azure CLI command because the 'sp_delete_firewall_rule' procedure may not be available in all the Azure SQL Servers

First step:

CliCommand>az sql server firewall-rule list --resource-group [resourceGroupName] --server [serverNamewithout.database.windows.net] --output table

You can see all the network IPs
CliCommand>az sql server firewall-rule delete --resource-group resourceGroupName --server serverName --name "ClientIPAddress_2025-08-28_08:02:45"

CliCommand>az sql server firewall-rule list --resource-group [resourceGroupName] --server [serverNamewithout.database.windows.net] --output table
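Added example, not part of any reply in this thread: a Python sketch of the list, delete, list cleanup above that reads the JSON form of the firewall-rule listing (`--output json`), picks out ad-hoc `ClientIPAddress_<timestamp>` rules older than a cutoff, and builds the matching delete commands. The sample JSON is constructed, and the 30-day cutoff and the resource group and server names are placeholder assumptions.

```python
import json
import shlex
from datetime import datetime, timedelta

# Constructed sample of `az sql server firewall-rule list --output json`;
# rule names follow the ClientIPAddress_<timestamp> pattern quoted in the thread.
SAMPLE_RULES_JSON = """[
 {"name": "ClientIPAddress_2025-08-28_08:02:45", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.10"},
 {"name": "ClientIPAddress_2025-01-15_10:30:00", "startIpAddress": "198.51.100.7", "endIpAddress": "198.51.100.7"},
 {"name": "office-vpn", "startIpAddress": "192.0.2.0", "endIpAddress": "192.0.2.255"}
]"""

PREFIX = "ClientIPAddress_"
STAMP_FORMAT = "%Y-%m-%d_%H:%M:%S"


def rule_created(name):
    """Return the timestamp embedded in a client-IP rule name, else None."""
    if not name.startswith(PREFIX):
        return None
    try:
        return datetime.strptime(name[len(PREFIX):], STAMP_FORMAT)
    except ValueError:
        return None  # unrecognised name format: leave the rule for manual review


def stale_client_rules(rules, now, max_age_days=30):
    """Names of ad-hoc client-IP rules created more than max_age_days ago."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for rule in rules:
        created = rule_created(rule["name"])
        if created is not None and created < cutoff:
            stale.append(rule["name"])
    return sorted(stale)


def delete_commands(names, resource_group, server):
    """Build one shell-quoted delete command per rule name."""
    base = "az sql server firewall-rule delete --resource-group {} --server {} --name {}"
    return [base.format(shlex.quote(resource_group), shlex.quote(server),
                        shlex.quote(name)) for name in names]


if __name__ == "__main__":
    rules = json.loads(SAMPLE_RULES_JSON)
    stale = stale_client_rules(rules, now=datetime(2025, 9, 1))
    # rg-placeholder / sqlserver-placeholder are hypothetical names.
    for line in delete_commands(stale, "rg-placeholder", "sqlserver-placeholder"):
        print(line)
```

The script only prints the commands; named rules such as `office-vpn` and any rule whose name does not parse are left for manual review.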






