Applies to:
SQL Server
Azure SQL Database
Azure SQL Managed Instance
Adds an application role to the current database.
Transact-SQL syntax conventions
Syntax
CREATE APPLICATION ROLE application_role_name
WITH PASSWORD = 'password' [ , DEFAULT_SCHEMA = schema_name ]
Arguments
application_role_name
Specifies the name of the application role. This name must not already be used to refer to any principal in the database.
PASSWORD = 'password'
Specifies the password that database users will use to activate the application role. You should always use strong passwords. password must meet the Windows password policy requirements of the computer that is running the instance of SQL Server.
DEFAULT_SCHEMA = schema_name
Specifies the first schema that will be searched by the server when it resolves the names of objects for this role. If DEFAULT_SCHEMA is left undefined, the application role will use dbo as its default schema. schema_name can be a schema that doesn't exist in the database.
Remarks
Important
Password complexity is checked when application role passwords are set. Applications that invoke application roles must store their passwords. Application role passwords should always be stored encrypted.
Application roles are visible in the sys.database_principals catalog view.
For information about how to use application roles, see Application Roles.
Note
Schemas aren't equivalent to database users. Use System catalog views to identify any differences between database users and schemas.
Beginning with SQL Server 2012 (11.x), SQL Server and Azure SQL DB used a SHA-512 hash combined with a 32-bit random and unique salt. This method made it statistically infeasible for attackers to deduce passwords.
SQL Server 2025 (17.x) Preview introduces an iterated hash algorithm, RFC2898, also known as a password-based key derivation function (PBKDF). This algorithm still uses SHA-512 but hashes the password multiple times (100,000 iterations), significantly slowing down brute-force attacks. This change enhances password protection in response to evolving security threats and helps customers comply with NIST SP 800-63b guidelines.
Permissions
Requires ALTER ANY APPLICATION ROLE permission on the database.
Examples
The following example creates an application role called weekly_receipts that has the password 987G^bv876sPY)Y5m23 and Sales as its default schema.
CREATE APPLICATION ROLE weekly_receipts
WITH PASSWORD = '987G^bv876sPY)Y5m23'
, DEFAULT_SCHEMA = Sales;
GO
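The following script is an added example, not part of the original reference page. It creates an application role, lists application roles through sys.database_principals, then activates and reverts the role in one session. The role name receipts_reader_demo and the password are constructed placeholders, and the script assumes that a Sales schema exists and that the caller holds ALTER ANY APPLICATION ROLE.

```sql
-- Added example. Role name and password are constructed placeholders.
-- Assumes the Sales schema exists in the current database.
CREATE APPLICATION ROLE receipts_reader_demo
    WITH PASSWORD = 'Constructed-Placeholder-0nly!'
    , DEFAULT_SCHEMA = Sales;
GO

-- Grant only what the application needs (least privilege).
GRANT SELECT ON SCHEMA::Sales TO receipts_reader_demo;
GO

-- Audit: application roles appear in sys.database_principals with type 'A'.
SELECT name, principal_id, type_desc, default_schema_name,
       create_date, modify_date
FROM sys.database_principals
WHERE type = 'A';
GO

-- Activate the role for this session. Requesting a cookie lets the
-- session return to its original security context afterwards.
DECLARE @cookie varbinary(8000);
EXEC sys.sp_setapprole
     @rolename = 'receipts_reader_demo',
     @password = 'Constructed-Placeholder-0nly!',
     @fCreateCookie = true,
     @cookie = @cookie OUTPUT;

-- The session now runs as the application role, not the connecting user.
SELECT USER_NAME() AS active_principal, SCHEMA_NAME() AS default_schema;

-- Revert to the original context using the cookie.
EXEC sys.sp_unsetapprole @cookie;
SELECT USER_NAME() AS active_principal;
GO

-- Remove the demo role.
DROP APPLICATION ROLE receipts_reader_demo;
GO
```

In a real application the password passed to sp_setapprole comes from the application's protected secret store rather than from a literal in a script.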