Permission Issues with Application Registration for Creating External Users in Azure Synapse Databases

NavasMiguel-4566 0 Reputation points
2024-11-06T08:14:30.0266667+00:00

Hello everyone,

I’m encountering an issue with an Application Registration in Azure AD that needs to create external users in several on-demand Azure Synapse databases across multiple environments. Despite configuring the necessary permissions in Azure Active Directory and Microsoft Graph, the application is unable to complete this task.

Current Configuration:

  • Permissions in Azure Active Directory Graph:
    • Directory.Read.All (Delegated) – Admin Consent: required and granted
    • Directory.Read.All (Application) – Admin Consent: required and granted
  • Permissions in Microsoft Graph:
    • User.Read (Delegated) – Admin Consent: not required
    • User.ReadBasic.All (Delegated) – Admin Consent: not required

Error Received:

Exception calling 

I’ve tried several configurations without success but we haven’t been able to solve the issue. It seems the error might be due to insufficient permissions or a role limitation in Azure AD, but I haven’t found a clear solution.

Has anyone experienced a similar issue or can suggest an alternative configuration for the Application Registration that would enable the creation of external users in Azure Synapse?

Any guidance or shared experiences would be greatly appreciated.

Azure SQL Database
Microsoft Entra
Microsoft Entra ID

1 answer

  1. Raja Pothuraju 9,285 Reputation points Microsoft Vendor
    2024-11-06T13:16:13.4933333+00:00

    Hello @NavasMiguel-4566,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, I understand that you’re trying to add external users to your directory so you can grant them access to Azure Synapse databases.

    From your current setup, I see that only Directory.Read.All, User.Read, and User.ReadBasic.All permissions have been granted for the application API. However, I’d like to highlight that permissions from the Azure AD Graph API are no longer applicable in Entra ID, as Azure AD Graph has been fully deprecated.

    [Screenshot: End of Support for Azure AD Graph]

    Microsoft now recommends removing Azure AD Graph permissions and exclusively using Microsoft Graph permissions. To create external users in your directory, your application should have the Directory.ReadWrite.All permission in Microsoft Graph. This permission allows the application to both read and write data in the directory.

    If your process involves creating external users through a user context, assign the Delegated Directory.ReadWrite.All permission. If creating users through an application, add the Application permission for Directory.ReadWrite.All in Microsoft Graph. Here’s how to do it:

    1. Sign in to the Azure Portal.
    2. Go to Microsoft Entra ID > App Registrations.
    3. Select your application, then navigate to API Permissions.
    4. Click on Add a Permission, select Microsoft Graph.
    5. Choose either Delegated or Application permissions, search for Directory.ReadWrite.All, and add it.
    6. After adding, click Grant admin consent.


    Once you’ve completed these steps, please perform a test to verify if the changes allow for the expected behavior. If the issue persists, please provide additional details on the exact steps you’re following. This will help in diagnosing any potential misconfigurations or permissions issues and in offering more targeted guidance.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.
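A command-line check of the outcome of those portal steps, added here as an example (it is not part of the thread or Microsoft's own guidance). It assumes the Microsoft.Graph PowerShell module is installed and that $AppId is a placeholder for the client ID of the app registration from the question. It lists the Microsoft Graph application permissions actually granted to the app's service principal, flags leftover Azure AD Graph grants, and reports whether Directory.ReadWrite.All (or User.Invite.All, the narrower permission the invitation API accepts) is present.

```powershell
# Added example, not from the original thread. Assumes the Microsoft.Graph
# PowerShell module is installed and $AppId is the (placeholder) client ID of
# the app registration from the question.
param(
    [Parameter(Mandatory)] [string] $AppId   # placeholder: client ID of the app registration
)

$graphAppId    = '00000003-0000-0000-c000-000000000000'  # Microsoft Graph resource app
$aadGraphAppId = '00000002-0000-0000-c000-000000000000'  # Azure AD Graph (deprecated)

# The signed-in admin needs Application.Read.All to read app role assignments.
Connect-MgGraph -Scopes 'Application.Read.All'

$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal for appId $AppId in this tenant" }

# Resolve app role GUIDs to permission names for both resource APIs.
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$aadGraphSp = Get-MgServicePrincipal -Filter "appId eq '$aadGraphAppId'"
$roleNames  = @{}
foreach ($resource in @($graphSp, $aadGraphSp)) {
    if ($resource) { foreach ($r in $resource.AppRoles) { $roleNames[$r.Id] = $r.Value } }
}

# App role assignments are the *application* permissions that have admin consent;
# delegated grants live in Get-MgOauth2PermissionGrant and are not checked here.
$granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    ForEach-Object {
        [pscustomobject]@{
            Resource   = $_.ResourceDisplayName
            Permission = $roleNames[$_.AppRoleId]
            Deprecated = [bool]($aadGraphSp -and $_.ResourceId -eq $aadGraphSp.Id)
        }
    }
$granted | Format-Table -AutoSize

$deprecated = @($granted | Where-Object Deprecated)
if ($deprecated.Count -gt 0) {
    Write-Warning "Remove $($deprecated.Count) Azure AD Graph grant(s); they no longer apply in Entra ID."
}

$graphPerms = @($granted | Where-Object { -not $_.Deprecated } | ForEach-Object Permission)
if ($graphPerms -contains 'Directory.ReadWrite.All' -or $graphPerms -contains 'User.Invite.All') {
    Write-Host 'OK: Microsoft Graph grants cover creating guest users via POST /invitations.'
} else {
    Write-Host 'Missing: grant Directory.ReadWrite.All (or least-privilege User.Invite.All) in Microsoft Graph and consent to it.'
}
```

If the app creates guests in a user context instead, the relevant grants are delegated ones and appear in Get-MgOauth2PermissionGrant rather than in the app role assignments this script inspects.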

