Hello,
I would like to automate the AAD user creation at a Azure SQL Database at infrastructure creation time using bicep.
I currently create an SQL server (Microsoft.Sql/servers), assign a UMI as administrator and use the same UMI to run a powershell deployment script (Microsoft.Resources/deploymentScripts) which is passed a custom user object from bicep to run "Invoke-Sqlcmd" to create AAD users by running "CREATE USER [$($_.name)] FROM EXTERNAL PROVIDER;". The Invoke-Sqlcmd is passed an access token from "(Get-AzAccessToken -ResourceUrl https://database.windows.net).Token"
The user is not created, instead an error is shown that the server's identity must have the "Directory Readers" role in AAD which makes sense.
My solution which I am not comfortable with is:
- Create a group "DirectoryReaders" in AAD, give it the role "Directory Readers" (requires a P1 license)
- Create a resource group "SQL-Deploymentmanager" untouched by the bicep deployment, create a UMI "SQL-Deploymentmanager" in the portal.
- Make the UMI "SQL-Deploymentmanager" owner and member of the "DirectoryReaders" group
- Create a bicep deploymentscript running "az ad group add" with the identity of UMI "SQL-Deploymentmanager" and add the identity of the SQL server to the group "DirectoryReaders"
- After that the user provisioning script can run without problems.
I dislike this approach as it requires Azure resources and AAD configuration before a bicep deployment can take place.
I would very much appreciate any help.