RBAC vs Data permissions

I have always seen people confuse the permissions granted through RBAC with the permissions to the data inside the resource. I am using the term "data" loosely here; being a DBA, I am generally more concerned about the data, but what I actually mean is this: having permission on a resource in the Azure portal and having real permission to get into that resource are two completely different things. RBAC assignments made through IAM act on the control plane (the resource as an Azure object); access to what lives inside the resource is a data-plane concern and is granted separately.

Giving someone the Contributor role on an Azure SQL Server or on a VM does not mean they can log in to the SQL Server or to the VM. The Contributor role grants permission on the resource (create, configure, delete it) only, not into the resource.

I have many times seen clients grant Contributor permission on the SQL Server resource through IAM in the portal and then wonder why they are getting login failures. (Yes, they do whitelist their IPs in the server firewall.)

To grant permission to the SQL Server and its databases you need a login or user created inside SQL Server; nothing assigned through IAM can get you into the SQL Server. This holds for Azure AD identities too: an Azure AD user only gets in once a contained database user has been created for it inside the database.
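The data-plane side of this, as an added T-SQL example (not a script from the original post), for an Azure SQL logical server with a user database that I am assuming is called SalesDb. The names app_reader and alice@contoso.com are placeholders. Each batch must be run while connected to the database named in its comment, because Azure SQL Database does not support switching databases with USE.

```sql
-- Connect to the master database of the logical server as the server admin
-- (or the Azure AD admin) and create a server-level SQL login.
-- Placeholder password: replace before use.
CREATE LOGIN app_reader WITH PASSWORD = 'ReplaceWithAStrongPassword1!';
GO

-- Now connect to the user database (assumed name: SalesDb).
-- Map the login to a database user and grant it read-only access.
CREATE USER app_reader FOR LOGIN app_reader;
ALTER ROLE db_datareader ADD MEMBER app_reader;
GO

-- Still connected to SalesDb, as an Azure AD principal (the server must have
-- an Azure AD admin configured for this to work): a contained database user
-- for an Azure AD identity. No IAM role assignment on the server is involved.
CREATE USER [alice@contoso.com] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [alice@contoso.com];
GO

-- Check: who can actually get into this database, and how they authenticate.
-- authentication_type_desc shows INSTANCE for a login-backed user and
-- EXTERNAL for the Azure AD contained user.
SELECT name, type_desc, authentication_type_desc, create_date
FROM sys.database_principals
WHERE name IN ('app_reader', 'alice@contoso.com');
GO
```

Someone holding Contributor on the server in IAM but absent from sys.database_principals (and not the server admin) will still get "Login failed" no matter how the firewall is configured, which is exactly the situation described above.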

If someone asks you to grant permission to a resource that has to be logged into, make sure you are either creating a login inside that resource or assigning an IAM role that actually carries data-plane rights. Some IAM roles that do grant access "into" the resource are listed below:

1. Virtual Machine User Login: grants login to the VM as a standard user. Contributor or Owner alone cannot log in to the VM. (These login roles only take effect on VMs where Azure AD login has been enabled.)

2. Virtual Machine Administrator Login: grants login to the VM as an administrator.

3. Data Factory Contributor: grants the ability to create and manage data factories and the pipelines inside them.

There are many more, which can be checked from this link, but the above are the ones I use the most.
