Create the contained database user for the Entra ID group in the primary database. Users and their permissions are stored inside the database, so the user is replicated to the read-only replica automatically; it cannot, and need not, be created on the replica itself.
CREATE USER [sqlreader_usergroup] FROM EXTERNAL PROVIDER;
Grant the group read-only access by adding it to the db_datareader role. Run this in the primary database as well: the read-only replica does not accept DDL, and the role membership replicates together with the user.
ALTER ROLE db_datareader ADD MEMBER [sqlreader_usergroup];
To block the group from working on the primary, deny it the CONNECT permission on the database. Members of the group are then refused when they open a session against the primary. Caveat: the read-only replica is a copy of the same database, so this DENY is replicated to it as well; database-level permissions cannot differ between the primary and its replica. Verify the effect from a connection that uses ApplicationIntent=ReadOnly in its connection string before relying on this.
DENY CONNECT TO [sqlreader_usergroup];
No per-member scripting is needed: the contained user represents the Entra ID group, so anyone added to sqlreader_usergroup later inherits the role membership and the DENY automatically. Automation (for example an Azure Automation runbook) is only worth adding when you manage several databases and want the same user, role membership and DENY applied consistently across all of them.
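The whole procedure as one T-SQL script, added here as a worked example; it is not taken from the original page. [sqlreader_usergroup] is a placeholder and must equal the display name of the Entra ID group. Run it in the primary database with a login that can create users and change role membership (for example the server's Entra ID admin); the queries at the end show what was recorded and, when executed over a connection opened with ApplicationIntent=ReadOnly, which copy of the database you are actually talking to.

```sql
-- Example script (not from the page). Run in the PRIMARY database.
-- [sqlreader_usergroup] is a placeholder for the Entra ID group's display name.

-- 1. Contained user for the Entra ID group; replicates to the read-only replica.
--    In sys.database_principals an Entra ID group has type 'X' (external group).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'sqlreader_usergroup' AND type = 'X')
    CREATE USER [sqlreader_usergroup] FROM EXTERNAL PROVIDER;

-- 2. Read-only rights through the fixed database role.
ALTER ROLE db_datareader ADD MEMBER [sqlreader_usergroup];

-- 3. Refuse sessions against this database.
DENY CONNECT TO [sqlreader_usergroup];

-- 4. Check what is recorded for the group: role membership ...
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'sqlreader_usergroup';

-- ... and the database-level permissions, where the DENY on CONNECT appears.
SELECT p.name AS principal_name, dp.permission_name, dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS p ON p.principal_id = dp.grantee_principal_id
WHERE p.name = N'sqlreader_usergroup';

-- 5. Which copy of the database is this session on? Run over a connection
--    whose connection string carries ApplicationIntent=ReadOnly.
--    READ_WRITE means the primary, READ_ONLY means the read-only replica.
SELECT DATABASEPROPERTYEX(DB_NAME(), 'Updateability') AS updateability;
```

Step 4 is the check to keep: sys.database_permissions is part of the database, so whatever it shows on the primary is also what the replica enforces. Because the user is the group, members added to sqlreader_usergroup in Entra ID afterwards need no further statements.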