Hi @Daniel Martinez
Yes, this can be achieved without assigning the Microsoft Entra Directory Readers role, but the key detail is that the required permissions must be granted to the Azure SQL logical server's managed identity (server identity), not to the Azure DevOps Service Principal or another managed identity used by the deployment pipeline.
When CREATE USER ... FROM EXTERNAL PROVIDER is executed, Azure SQL uses the server identity to query Microsoft Entra ID and resolve the external principal. If that identity cannot read Entra objects, you'll receive the error:
Server identity does not have the Microsoft Entra Directory Readers permission.
Microsoft supports two approaches:
- Assign the Directory Readers directory role to the Azure SQL server identity.
- Grant the equivalent Microsoft Graph application permissions (least-privilege approach) to the Azure SQL server identity instead.
If you're using Microsoft Graph permissions, ensure they are assigned as Application permissions, admin consent has been granted, and they are assigned to the Azure SQL server's managed identity. Depending on the scenario, commonly required permissions include User.Read.All, GroupMember.Read.All, Application.Read.All, and sometimes Group.Read.All.
If you've already assigned these permissions and the error persists, verify that they were assigned to the correct identity (the SQL server identity) and allow some time for permission propagation.
While Directory Readers is not mandatory, it remains the simplest and most reliable supported option if the Graph permission approach doesn't work in your environment.
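The following script is an added example, not part of the answer above, showing how the least-privilege option described there is put into practice: the Microsoft Graph application permissions are assigned as app roles to the Azure SQL logical server's own managed identity, and the result is verified. It assumes the Az and Microsoft.Graph PowerShell modules, a server with a system-assigned identity, and a caller permitted to grant app role assignments; the resource group and server names are placeholders.

```powershell
# Added example: grant the Azure SQL server identity the Microsoft Graph application
# permissions that replace the Directory Readers role, then verify the assignment.
# Placeholders: replace with your own resource group and logical server name.
$ResourceGroup = '<resource-group>'
$ServerName    = '<sql-server-name>'

# Permissions named in the answer; add 'Group.Read.All' only if your scenario needs it.
$RequiredPermissions = @('User.Read.All', 'GroupMember.Read.All', 'Application.Read.All')

Connect-AzAccount | Out-Null
Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All', 'Application.Read.All' | Out-Null

# 1. Resolve the SQL server's managed identity (the server identity, not the
#    pipeline's service principal). Fail early if no identity is enabled.
$server = Get-AzSqlServer -ResourceGroupName $ResourceGroup -ServerName $ServerName
if (-not $server.Identity -or -not $server.Identity.PrincipalId) {
    throw "Server '$ServerName' has no managed identity; enable one before assigning permissions."
}
$serverSp = Get-MgServicePrincipal -ServicePrincipalId $server.Identity.PrincipalId

# 2. Resolve the Microsoft Graph service principal in this tenant (well-known app id).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# 3. Assign each missing permission as an *application* role (not a delegated scope).
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $serverSp.Id
foreach ($perm in $RequiredPermissions) {
    $role = $graphSp.AppRoles |
        Where-Object { $_.Value -eq $perm -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "Microsoft Graph application role '$perm' not found." }

    $already = $existing | Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graphSp.Id }
    if ($already) {
        Write-Host "Already assigned: $perm"
        continue
    }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $serverSp.Id `
        -PrincipalId $serverSp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Assigned: $perm"
}

# 4. Verify what the server identity now holds against Microsoft Graph. This is the
#    check to run when CREATE USER ... FROM EXTERNAL PROVIDER still fails: the roles
#    must appear here, on the server identity, and may take some time to propagate.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $serverSp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object { ($graphSp.AppRoles | Where-Object Id -eq $_.AppRoleId).Value }
```

Assigning an app role to a managed identity through this API is itself the administrative grant, which is why the script runs under an account that holds AppRoleAssignment.ReadWrite.All; a permission that shows up in step 4 but was granted to the pipeline's service principal instead will not resolve the error, because Azure SQL performs the lookup with the server identity.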