Hi James Kew,
Thanks for your patience.
We got reply internally:
The Global Administrator and Privileged Role Administrator roles are used to assign the Directory Readers role to the identity representing your SQL instance.
The Directory Readers role should be the one to contain the permissions to list users / groups in Microsoft Entra ID.
The MS Graph permissions which directly map to those actions are:
- list users: Users.Read.All
- list groups/memberships: GroupMember.Read.All
If you could share more specific details about what operations you're seeing these failures in, that would be helpful. We can also engage the Microsoft Graph team which may have more details specific to roles.
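A way to verify the two things this reply describes from an administrator's workstation, as an added example that is not part of the original thread or any Microsoft script: first, whether the service principal representing the SQL instance is actually a member of the Directory Readers role, and second, which Microsoft Graph application permissions that service principal has been granted, so a missing Users.Read.All or GroupMember.Read.All shows up by name. The display name of the SQL identity (`$SqlIdentityName`) is an assumed placeholder; the Microsoft Graph appId `00000003-0000-0000-c000-000000000000` is the well-known value. The script only reads directory data and needs the Microsoft.Graph PowerShell module.

```powershell
# Added example: verify Directory Readers membership and Graph app permissions
# for the identity representing an Azure SQL instance. Not Microsoft's code.
# Assumes Microsoft.Graph module is installed (Install-Module Microsoft.Graph).

param(
    # Placeholder: replace with the display name of your SQL server's identity.
    [string]$SqlIdentityName = "my-sql-server-identity"
)

# Read-only scopes are enough for both checks.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Application.Read.All" | Out-Null

# 1. Locate the service principal that represents the SQL instance.
$sqlSp = Get-MgServicePrincipal -Filter "displayName eq '$SqlIdentityName'"
if (-not $sqlSp) {
    Write-Error "No service principal named '$SqlIdentityName' found."
    return
}

# 2. Check membership of the Directory Readers role (the role the reply says
#    should carry the permission to list users and groups).
$role = Get-MgDirectoryRole -Filter "displayName eq 'Directory Readers'"
if (-not $role) {
    # The role object only exists once it has been activated in the tenant.
    Write-Warning "Directory Readers role is not activated in this tenant."
} else {
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id
    $isMember = $members.Id -contains $sqlSp.Id
    Write-Output ("Directory Readers membership for {0}: {1}" -f $sqlSp.DisplayName, $isMember)
}

# 3. Resolve the Graph application permissions granted to the SQL identity.
#    App role assignments reference role IDs; map them back to names via the
#    Microsoft Graph service principal's AppRoles collection.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sqlSp.Id |
    Where-Object { $_.ResourceId -eq $graphSp.Id }

$grantedNames = foreach ($a in $assignments) {
    ($graphSp.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }).Value
}

# The two permissions named in the reply as mapping to "list users" and
# "list groups/memberships".
foreach ($needed in @("User.Read.All", "GroupMember.Read.All")) {
    $has = $grantedNames -contains $needed
    Write-Output ("Graph permission {0}: {1}" -f $needed, $(if ($has) { "granted" } else { "MISSING" }))
}
```

Note that the Graph application permission for reading users is published as `User.Read.All` (singular), which is what the check above looks for; the reply's `Users.Read.All` spelling is the same permission. Both checks are reads, so the script can be run with a low-privilege reader account rather than Global Administrator.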