Login creation failed while using Service Principal

Francesco AMENTA 5 Reputation points
2023-01-17T09:10:03.89+00:00

We are trying to create login from AAD using a Service Principal.
We tried both of the following entries:

CREATE LOGIN [login] FROM EXTERNAL PROVIDER;
CREATE USER [login] FROM EXTERNAL PROVIDER;

but each time we face the following error:

[ERROR]: ('42000', '[42000] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Server identity does not have Azure Active Directory Readers permission. Please follow the steps here : https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-service-principal (37353) (SQLExecDirectW)')

The Service Principal we are using has been granted access to Graph (as explained here: https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity?view=azuresql):
User's image

The same SQL entries will work if executed from the portal using a standard user account.

Any suggestions on how to solve this issue?

Thanks


2 answers

  1. CarlZhao-MSFT 42,031 Reputation points
    2023-01-17T10:33:43.55+00:00

    Hi @Francesco AMENTA

    Your server identity has not been granted the Azure AD Directory Reader role.

    User's image


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    2 people found this answer helpful.

  2. Roderick Bant 2,051 Reputation points
    2023-01-17T10:04:51.1566667+00:00

    Hi, thank you for your question at Q&A.

    As this documentation indicates, you will need some more permissions on the Graph API for a managed identity assigned to the Azure SQL Database instance to be able to look up users, groups and applications.

    The managed identity needs at least the User.Read.All, GroupMember.Read.All and Application.Read.All API permissions.

    1 person found this answer helpful.
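Both answers point at the same root cause: the error in the question is raised by the SQL server's own identity, not by the account running CREATE LOGIN, because the server identity is what queries Azure AD to resolve the principal named in the statement. The script below is an added example, not code from the question, the answers or Microsoft's documentation. It grants that server identity either the Directory Readers role (answer 1) or the three Graph application permissions (answer 2) using the Microsoft Graph PowerShell module, then reads the assignments back so the grant can be confirmed before the CREATE LOGIN / CREATE USER statements are retried. It assumes the Microsoft.Graph module is installed, that the account running it is allowed to consent to application permissions and assign directory roles, and that $ServerIdentityName (a hypothetical parameter) holds the display name of the server's managed identity (for a system-assigned identity this is the server name).

```powershell
# Added example: grant the Azure SQL server identity the directory read access
# that CREATE LOGIN / CREATE USER ... FROM EXTERNAL PROVIDER requires.
param(
    [Parameter(Mandatory = $true)]
    [string]$ServerIdentityName,   # hypothetical: display name of the server's managed identity
    [switch]$UseDirectoryReaders   # answer 1's route; default is answer 2's Graph app roles
)

# Scopes needed to read service principals and write app-role / directory-role assignments.
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'

# The managed identity shows up in the tenant as a service principal.
$msi = Get-MgServicePrincipal -Filter "displayName eq '$ServerIdentityName'"
if (-not $msi) { throw "No service principal named '$ServerIdentityName' was found in this tenant." }

if ($UseDirectoryReaders) {
    # Answer 1: tenant-wide Directory Readers role. Broader than the Graph route below,
    # so prefer the app-role route unless the organisation already standardises on this.
    $role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Directory Readers'"
    New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $msi.Id -RoleDefinitionId $role.Id -DirectoryScopeId '/' | Out-Null
    Write-Host "Assigned Directory Readers to $($msi.DisplayName)"
}
else {
    # Answer 2: least-privilege application permissions on Microsoft Graph.
    # 00000003-0000-0000-c000-000000000000 is the well-known appId of Microsoft Graph.
    $graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    $current = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id

    foreach ($perm in 'User.Read.All', 'GroupMember.Read.All', 'Application.Read.All') {
        # Pick the *application* (not delegated) role with this value.
        $appRole = $graph.AppRoles | Where-Object { $_.Value -eq $perm -and $_.AllowedMemberTypes -contains 'Application' }
        if (-not $appRole) { throw "Graph exposes no application role named $perm" }

        if ($current | Where-Object AppRoleId -eq $appRole.Id) {
            Write-Host "$perm already granted, skipping"
            continue
        }
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id `
            -PrincipalId $msi.Id -ResourceId $graph.Id -AppRoleId $appRole.Id | Out-Null
        Write-Host "Granted $perm to $($msi.DisplayName)"
    }
}

# Read back what the identity now holds. An empty list here (and no Directory Readers
# assignment) means the SQL error in the question will keep recurring.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $msi.Id |
    Select-Object ResourceDisplayName, AppRoleId, CreatedDateTime
```

Run it once per server identity; app-role grants made this way are idempotent because the script checks the existing assignments first. Propagation to the SQL side is not instantaneous, so retry the CREATE LOGIN statement after a short wait rather than immediately.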
