How to Handle NT AUTHORITY\SYSTEM in Azure SQL Managed Instance After an On-Premises Restore
You restored an on-prem SQL Server database to Azure SQL Managed Instance. Now NT AUTHORITY\SYSTEM appears as a database user with a non-blank login name — yet no such login exists under server-level logins. Is it a display glitch? A hidden login? Is it safe to delete? Here is the complete explanation and what to do about it.
What You Actually Have: Three Distinct Categories of Users
When you restore an on-premises SQL Server database to Azure SQL Managed Instance, the database carries all its existing database-level users with it — the backup and restore process preserves the entire sys.database_principals catalog. What it cannot carry is the server-level login mapping, because Azure SQL MI has a completely different set of server-level logins. The result is three distinct categories of users in the restored database, and each needs to be handled differently.
Why NT AUTHORITY\SYSTEM Shows a Non-Blank Login — The Well-Known SID Mechanism
SQL Server has two fundamentally different ways to resolve a principal's name from its stored SID. Most principals use a lookup: SQL Server takes the SID from sys.database_principals, queries sys.server_principals at the server level, and returns the login name it finds there. If no matching row exists in sys.server_principals, the login name field is blank — which is why your regular Windows users (DOMAIN\JohnSmith, DOMAIN\SvcAccount) show blank login names.
But a small set of Windows identities are well-known SIDs — identifiers that are universal, fixed constants in the Windows security model. They are the same on every computer, in every domain, in every cloud. NT AUTHORITY\SYSTEM has the well-known SID S-1-5-18. NT AUTHORITY\NETWORK SERVICE is S-1-5-20. NT AUTHORITY\LOCAL SERVICE is S-1-5-19. SQL Server's security subsystem knows these SIDs and can resolve their names without querying any login table — the name is embedded in SQL Server's own code.
When SSMS asks SQL Server to display the login name for the NT AUTHORITY\SYSTEM database user, SQL Server sees the SID 0x01 (the binary representation of S-1-5-18 in SQL Server's internal format), recognises it as a well-known SID, and returns the name NT AUTHORITY\SYSTEM directly — without needing a row in sys.server_principals. This is not a display glitch. It is correct, intentional behaviour. The login "exists" as an implicit, always-present identity, not as a stored row.
Querying the Database to Confirm What You Have
Run these T-SQL queries against the restored database to understand exactly what is present and what each user actually is. These queries work on Azure SQL Managed Instance and standard SQL Server.
GO
SELECT
dp.name AS UserName,
dp.type AS PrincipalType, -- S=SQL user, U=Windows user, W=Windows group
dp.type_desc AS PrincipalTypeDesc,
dp.sid AS StoredSID,
SUSER_SNAME(dp.sid) AS ResolvedLoginName, -- This is what SSMS shows in the Login Name field
sp.name AS ActualServerLogin, -- NULL = no matching server-level login
CASE
WHEN dp.sid = 0x01 THEN 'Well-known SID: NT AUTHORITY\SYSTEM'
WHEN dp.sid = 0x02 THEN 'Well-known SID: NT AUTHORITY\NETWORK SERVICE'
WHEN dp.sid IS NULL THEN 'No SID (contained user or special)'
WHEN sp.sid IS NULL AND dp.type IN ('U','S') THEN 'ORPHANED — no server login'
ELSE 'Mapped to server login'
END AS Status
FROM sys.database_principals dp
LEFT JOIN sys.server_principals sp ON dp.sid = sp.sid
WHERE dp.type NOT IN ('R') -- Exclude roles
AND dp.name NOT IN ('dbo','guest','INFORMATION_SCHEMA','sys')
ORDER BY Status, dp.name;
GO
The output will clearly show the distinction. NT AUTHORITY\SYSTEM will show:
- type = W (Windows Group — SQL Server classifies all NT AUTHORITY principals as group type)
- StoredSID = 0x01
- ResolvedLoginName = NT AUTHORITY\SYSTEM (resolved from well-known SID)
- ActualServerLogin = NULL (no row in sys.server_principals)
- Status = Well-known SID: NT AUTHORITY\SYSTEM
All other Windows users (DOMAIN\name) will show ActualServerLogin = NULL and Status = ORPHANED — these are the truly pointless users that can be removed.
name,
type,
type_desc,
sid,
SUSER_SNAME(sid) AS resolves_to,
create_date,
modify_date
FROM sys.database_principals
WHERE name = 'NT AUTHORITY\SYSTEM';
-- Expected output: -- name: NT AUTHORITY\SYSTEM -- type: W -- type_desc: WINDOWS_GROUP -- sid: 0x01 ← the universal well-known SID for NT AUTHORITY\SYSTEM -- resolves_to: NT AUTHORITY\SYSTEM (SQL Server knows this SID without a login row)
-- Also check: is there actually a server-level login for this name? SELECT name, type_desc, sid, is_disabled
FROM sys.server_principals
WHERE name = 'NT AUTHORITY\SYSTEM';
-- Expected: 0 rows — there is NO server-level login stored for this principal in Azure SQL MI
Why NT AUTHORITY\SYSTEM Was Added to Your Database on On-Premises
This user was added to the on-premises database by one or more Windows services or SQL Server features that ran as NT AUTHORITY\SYSTEM — the Local System account. The most common causes, in order of likelihood:
- Azure Backup for SQL Server on Azure VMs: Azure Backup explicitly uses NT AUTHORITY\SYSTEM for database discovery and queries. Microsoft's own documentation states: "Databricks uses the NT AUTHORITY\SYSTEM account for database discovery/inquiry, so this account needs to be a public login on SQL." When Azure Backup is configured against an on-premises SQL instance (or a SQL instance on an Azure VM), it creates or requires this user.
- SQL Server service running as Local System: On many on-premises SQL Server installations, the SQL Server Database Engine service or SQL Server Agent runs as Local System (NT AUTHORITY\SYSTEM). Any database-level operation performed by the service itself — maintenance plans, auto-statistics updates, internal queries — runs under this identity. SQL Server tracks this as a database principal.
- SQL Server maintenance plans or scheduled jobs: Maintenance plans that run as the SQL Server service account create this user in any database they touch.
- SCOM (System Center Operations Manager): Microsoft's SCOM agent requires NT AUTHORITY\SYSTEM as a SQL Server login with VIEW SERVER STATE permission for monitoring. The agent may also create this as a database user in monitored databases.
- Mirroring, replication, or log shipping: Some high-availability and data distribution features use the SQL Server service account, which may be Local System, for internal communications.
All of these are legitimate reasons for the user to exist. None of them indicate a security problem on the original on-premises server.
What to Do with NT AUTHORITY\SYSTEM in Azure SQL MI — Three Scenarios
Whether to remove, keep, or recreate this user depends on what your Azure SQL Managed Instance uses it for. In pure Azure deployments, there is rarely a need for NT AUTHORITY\SYSTEM as a database user — but there are exceptions.
Scenario A — Your MI has no Azure Backup for SQL on VM and no SCOM (most common)
If you are using Azure SQL MI managed backups (not Azure Backup for SQL on VM), and you do not run SCOM or any on-prem Windows service that connects to the MI, then NT AUTHORITY\SYSTEM as a database user has no purpose and can be safely removed. It cannot log in to Azure SQL MI anyway — there is no NT AUTHORITY\SYSTEM Windows session in an Azure PaaS environment. The user is inert.
Check what permissions NT AUTHORITY\SYSTEM holds before removing it
Before dropping the user, check its permissions. You do not want to silently remove a database owner or a user with permissions that some process expects.
FROM sys.database_role_members drm
JOIN sys.database_principals dp_role ON drm.role_principal_id = dp_role.principal_id
JOIN sys.database_principals dp_user ON drm.member_principal_id = dp_user.principal_id
WHERE dp_user.name = 'NT AUTHORITY\SYSTEM';
-- Check explicit permissions SELECT permission_name, state_desc, class_desc, OBJECT_NAME(major_id) AS ObjectName
FROM sys.database_permissions dp
JOIN sys.database_principals pr ON dp.grantee_principal_id = pr.principal_id
WHERE pr.name = 'NT AUTHORITY\SYSTEM';
-- Check if NT AUTHORITY\SYSTEM is the database owner (dbo mapping) SELECT SUSER_SNAME(owner_sid) AS DatabaseOwner
FROM sys.databases
WHERE name = DB_NAME();
-- If this returns 'NT AUTHORITY\SYSTEM', change the owner before dropping the user
If NT AUTHORITY\SYSTEM is the database owner, change the owner first
If the previous query revealed that NT AUTHORITY\SYSTEM is the database owner (dbo), you must reassign ownership before dropping the user. Use ALTER AUTHORIZATION to assign ownership to a valid MI login.
ALTER AUTHORIZATION ON DATABASE::[YourRestoredDatabase] TO [sa];
GO
-- Verify the change SELECT SUSER_SNAME(owner_sid) AS NewDatabaseOwner FROM sys.databases WHERE name = DB_NAME();
-- Expected: sa (or your chosen login name)
Drop the user from the database — it is safe to do so
Once any ownership dependency is resolved and you have confirmed no permissions are needed, drop the user. This only removes the database-level principal — there is no server-level login to remove because no stored server-level login exists for this principal.
GO
-- Drop NT AUTHORITY\SYSTEM (only if permissions check above shows it is safe) IF EXISTS (SELECT 1 FROM sys.database_principals WHERE name = 'NT AUTHORITY\SYSTEM')
BEGIN
DROP USER [NT AUTHORITY\SYSTEM];
PRINT 'NT AUTHORITY\SYSTEM database user removed.';
END
GO
-- Also clean up other orphaned Windows users (login name = NULL in SSMS) -- Use sp_change_users_login to identify SQL auth orphaned users EXEC sp_change_users_login 'Report';
-- Returns list of SQL auth orphaned database users (Windows orphans won't appear here)
-- For each orphaned Windows user you want to drop: -- DROP USER [DOMAIN\UserName];
Scenario B — Your MI uses Azure Backup for SQL on VM or SQL Server on Azure VM
If you have SQL Server running on an Azure VM (not Azure SQL MI, but SQL Server installed on a Windows VM) and you are using Azure Backup for it, the Azure Backup service requires NT AUTHORITY\SYSTEM as a database user. Microsoft's documentation explicitly states that "NT AUTHORITY\SYSTEM account for database discovery/inquiry needs to be a public login on SQL." In this case, do not remove it — ensure it exists and has the correct permissions.
Note: this specific scenario only applies to SQL Server on Azure VMs, not to Azure SQL Managed Instance managed backups. If you are using Azure SQL MI's built-in automated backups, you do not need this user.
Scenario C — You want to understand it but leave it alone
The user is harmless in Azure SQL MI. NT AUTHORITY\SYSTEM cannot actually authenticate to Azure SQL Managed Instance — there is no Windows session context in a PaaS environment that could authenticate as the local system account. The user is inert. It holds whatever permissions it had on-premises, but cannot be used by any live process. Leaving it in place causes no harm, no security risk, and no functional impact. This is a perfectly valid choice if you want to minimise changes to the restored database.
| User | Login name in SSMS | Server login exists? | Action in Azure SQL MI |
|---|---|---|---|
| DOMAIN\JohnSmith | (blank) | No — orphaned | Drop or remap to Entra ID login |
| DOMAIN\SvcAccount | (blank) | No — orphaned | Drop or remap to Entra ID login |
| NT AUTHORITY\SYSTEM | NT AUTHORITY\SYSTEM ← the mystery | No — well-known SID | Safe to drop; inert in MI PaaS |
| AppUser | AppUser | Yes — SQL auth login | Keep — login exists and is mapped |
| dbo | (database owner) | Yes — owner mapping | Keep — always present |