Server identity does not have the Microsoft Entra Directory Readers permission.

Daniel Martinez 40 Reputation points
2026-06-18T08:41:48.62+00:00

I'm using a Service Principal that creates an SQL Server with an SMI (System-assigned managed identity) in an Azure DevOps pipeline, and then runs an .sql file with the SQL Server's SMI.

I made sure that the SMI has the following permissions in Azure: [screenshot of the assigned permissions, not reproduced here]

I granted most permissions and will start removing unnecessary permissions once my pipeline works.

However, when I want to run an .sql file containing some "CREATE USER" statements, it fails with the following error:

IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = N'my-app-api')
BEGIN
    CREATE USER [my-app-api] FROM EXTERNAL PROVIDER
END

Server identity does not have the Microsoft Entra Directory Readers permission. For more information, see https://go.microsoft.com/fwlink/?linkid=2323204.

I'm confused since the article "Directory Readers role in Microsoft Entra ID for Azure SQL" suggests looking for "Managed identities in Microsoft Entra for Azure SQL" and assigning discrete Graph permissions like I did, instead of assigning the Entra ID role Directory Readers.

This external blog uses discrete permissions (e.g. "User.Read.All", "Group.Read.All", etc.) so that the SQL SMI can create users in the database, and it works for them!

https://blog.rufer.be/2025/02/27/howto-fix-server-identity-does-not-have-azure-active-directory-readers-permission-error-when-using-terraform-local-exec-provisioner-to-create-sql-database-users-from-external-provider-in-a-az-de/

However, in this Microsoft Learn question, the accepted answer suggests using the Directory Readers Entra ID role since nothing else works!
https://learn.microsoft.com/en-us/answers/questions/5551692/server-identity-does-not-have-the-required-permiss

Can I achieve what I want without the Entra ID role?

Azure SQL Database

2 answers

  1. Pilladi Padma Sai Manisha 10,770 Reputation points Microsoft External Staff Moderator
    2026-06-22T09:00:18.06+00:00

    Hi @Daniel Martinez
    Yes, this can be achieved without assigning the Microsoft Entra Directory Readers role, but the key detail is that the required permissions must be granted to the Azure SQL logical server's managed identity (server identity), not to the Azure DevOps Service Principal or another managed identity used by the deployment pipeline.

    When CREATE USER ... FROM EXTERNAL PROVIDER is executed, Azure SQL uses the server identity to query Microsoft Entra ID and resolve the external principal. If that identity cannot read Entra objects, you'll receive the error:

    Server identity does not have the Microsoft Entra Directory Readers permission.

    Microsoft supports two approaches:

    • Assign the Directory Readers directory role to the Azure SQL server identity.
    • Grant the equivalent Microsoft Graph application permissions (least-privilege approach) to the Azure SQL server identity instead.

    If you're using Microsoft Graph permissions, ensure they are assigned as Application permissions, admin consent has been granted, and they are assigned to the Azure SQL server's managed identity. Depending on the scenario, commonly required permissions include User.Read.All, GroupMember.Read.All, Application.Read.All, and sometimes Group.Read.All.

    If you've already assigned these permissions and the error persists, verify that they were assigned to the correct identity (the SQL server identity) and allow some time for permission propagation.

    While Directory Readers is not mandatory, it remains the simplest and most reliable supported option if the Graph permission approach doesn't work in your environment.


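    The procedure in the answer above (grant Graph Application permissions to the SQL logical server's own managed identity, then verify they landed on that identity and not on the pipeline's service principal) as a script. This is an added example and not code from the original post or from Microsoft; it assumes the Az.Sql and Microsoft.Graph PowerShell modules, and the resource group and server names are placeholders. The permission list is the one named in the answer; the Microsoft Graph application ID 00000003-0000-0000-c000-000000000000 is the well-known value. The server identity is resolved from the SQL resource's PrincipalId rather than by display name, so a similarly named service principal cannot be picked up by mistake.

```powershell
# Added example: grant Microsoft Graph application permissions to the Azure SQL
# logical server's system-assigned managed identity and verify where they landed.
# Requires the Az.Sql and Microsoft.Graph modules. Names below are assumptions.
$ResourceGroup = "rg-my-app"      # assumption: resource group of the logical server
$ServerName    = "sql-my-app"     # assumption: the logical server name, not the database

# Graph permissions listed in the answer above. These are Application permissions
# (app roles), not Delegated ones, because the server identity acts without a user.
$RequiredRoles = @("User.Read.All", "GroupMember.Read.All", "Application.Read.All")

Connect-AzAccount | Out-Null
Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All" | Out-Null

# 1. Resolve the *server* identity from the SQL resource itself, so the grant never
#    lands on the pipeline's service principal or on another SPN with the same name.
$server = Get-AzSqlServer -ResourceGroupName $ResourceGroup -ServerName $ServerName
if (-not $server.Identity -or -not $server.Identity.PrincipalId) {
    throw "Server '$ServerName' has no managed identity assigned."
}
$serverSp = Get-MgServicePrincipal -ServicePrincipalId $server.Identity.PrincipalId

# 2. Look up the Microsoft Graph service principal by its well-known application ID
#    and select the app roles we intend to grant.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$rolesToGrant = @($graphSp.AppRoles | Where-Object {
    $_.Value -in $RequiredRoles -and $_.AllowedMemberTypes -contains "Application"
})
if ($rolesToGrant.Count -ne $RequiredRoles.Count) {
    throw "Could not resolve all requested Graph app roles: $($RequiredRoles -join ', ')"
}

# 3. Assign each role to the server identity, skipping ones already present. For a
#    managed identity the app role assignment itself is the grant; there is no
#    separate consent button to click afterwards.
$existing = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $serverSp.Id -All)
foreach ($role in $rolesToGrant) {
    $already = $existing | Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graphSp.Id }
    if ($already) {
        Write-Host "Already assigned: $($role.Value)"
        continue
    }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $serverSp.Id `
        -PrincipalId $serverSp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned: $($role.Value)"
}

# 4. Verify: print the identity that actually holds the grants, and map each
#    assignment's role ID back to a permission name so the output is readable.
$roleNames = @{}
foreach ($r in $graphSp.AppRoles) { $roleNames[$r.Id] = $r.Value }
Write-Host "Server identity object ID: $($serverSp.Id) ($($serverSp.DisplayName))"
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $serverSp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { Write-Host ("  " + $roleNames[$_.AppRoleId]) }
```

    Run it once with an account that can write app role assignments, then rerun the CREATE USER statement; if the printed object ID is not the one shown on the SQL server's Identity blade in the portal, the permissions were granted to the wrong principal, which is exactly the failure the answer describes. The step-4 listing is also what to compare against if the error persists after a few minutes of propagation.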

  2. Erland Sommarskog 135.1K Reputation points MVP Volunteer Moderator
    2026-06-18T15:06:10.56+00:00

    The topic for CREATE USER, the Azure SQL version, says:

    If the principal issuing the CREATE USER statement is a Microsoft Entra user principal, the principal (or principal's group) must be in the Directory Readers role in Microsoft Entra.

    So the answer to your question is: No, it can't be done.

