Azure SQL Database - contained users password

Question

Where is the password saved when creating a contained user for the Azure SQL database (PaaS)?

For example:

CREATE USER taiobtest WITH password='PVHz3U4A$LNytQF^';
GO

For server logins I can get it from sys.sql_logins:password_hash column.

My use case is refreshing non-production from production backup. I need to script out the database contained users and all relevant permission before the restoration. Once restored clean up production database users/permission and reinstate non-production users and permissions.

Answer 1

As Tibor points out, the practical answer here is "in the database", so it follows the database through backup/restore or an AG failover. That is the reason database users with passwords were added to partially contained databases and Azure SQL Database.

If you examine the object_definition of sys.database_principals you can discover that it's actually in a system table called sys.sysowners, stored as a hash, which can only be queried from the Dedicated Administrator Connection.