From c12037c6e031bc4772bc4e76ee9d7cc23b7088c2 Mon Sep 17 00:00:00 2001 From: Mark Carrington <31017244+MarkMpn@users.noreply.github.com> Date: Mon, 14 Jul 2025 13:24:21 +0100 Subject: [PATCH] Update authentication-aad-service-principal.md --- azure-sql/database/authentication-aad-service-principal.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/azure-sql/database/authentication-aad-service-principal.md b/azure-sql/database/authentication-aad-service-principal.md index f1f280d6317..ddd9f7eb7b6 100644 --- a/azure-sql/database/authentication-aad-service-principal.md +++ b/azure-sql/database/authentication-aad-service-principal.md 
@@ -67,16 +67,12 @@ The following steps explain how to assign a managed identity to the server and a > [!NOTE] > The server identity can be assigned using REST API and CLI commands as well. For more information, see [az sql server create](/cli/azure/sql/server#az-sql-server-create), [az sql server update](/cli/azure/sql/server#az-sql-server-update), and [Servers - REST API](/rest/api/sql/servers). -1. Grant the server identity permissions to query Microsoft Graph. This can be done multiple ways: by adding the identity to the Microsoft Entra [**Directory Readers**](/entra/identity/role-based-access-control/permissions-reference#directory-readers) role, by assigning the identity the individual Microsoft Graph permissions, or by adding the identity to a role-assignable group that has the **Directory Readers** role: +1. Grant the server identity permissions to query Microsoft Graph. This can be done multiple ways: by adding the identity to the Microsoft Entra [**Directory Readers**](/entra/identity/role-based-access-control/permissions-reference#directory-readers) role, or by adding the identity to a role-assignable group that has the **Directory Readers** role: - Add server identity to a role-assignable group In production environments, it's recommended that a tenant administrator creates a [role-assignable group](/entra/identity/role-based-access-control/groups-concept) and assigns the **Directory Readers** role to it. Group owners can then add server identities to the group, inheriting those permissions. This removes the requirement for a **Privileged Roles Administrator** to grant permissions to each individual server identity, allowing administrators to delegate permission assignment to owners of the group for this scenario. For more information, see [Directory Readers role in Microsoft Entra ID for Azure SQL](authentication-aad-directory-readers-role.md). 
- - Assign Microsoft Graph permissions to server identity - - To assign the individual Microsoft Graph permissions to the server identity, you must have the Microsoft Entra **Privileged Roles Administrator** role. This is recommended over assigning the **Directory Readers** role, because there are permissions included in the role that the server identity doesn't need. Assigning only the individual Microsoft Graph read permissions limits the server identity's permissions within your tenant and maintains the principle of least privilege. For instructions, see [Managed identities in Microsoft Entra for Azure SQL](authentication-azure-ad-user-assigned-managed-identity.md). - - Add server identity to Directory Readers role To add the server identity to the **Directory Readers** role, you must be a member of the Microsoft Entra **Privileged Roles Administrator** role. In production environments this option isn't recommended for two reasons: the Directory Reader role gives more permissions than the server identity requires, and the role assignment process still requires administrator approvals for each server identity (unlike using groups). Follow the SQL Managed Instance instructions available in the article [Set Microsoft Entra admin (SQL Managed Instance)](authentication-aad-configure.md?tabs=azure-powershell#provision-azure-ad-admin-sql-managed-instance).
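Review bot: Dropping the "Assign Microsoft Graph permissions to server identity" bullet removes the only least-privilege option from the list, and the commit message ("Update authentication-aad-service-principal.md") gives no reason for doing so, so the PR description should say why (for example, that the individual Graph permission path is no longer supported for the server identity) and the remaining text should be adjusted to match. As left by this hunk, the surviving "Add server identity to Directory Readers role" bullet still says the option isn't recommended because "the Directory Reader role gives more permissions than the server identity requires", but after this change both remaining options grant **Directory Readers** (directly or via a role-assignable group), so that reason no longer points the reader at any narrower alternative; either restate it as a caveat that applies to both options or drop it and keep only the "still requires administrator approvals for each server identity" reason. Also check the target article linked from the removed bullet, authentication-azure-ad-user-assigned-managed-identity.md, since if it still documents assigning individual Microsoft Graph read permissions to the server identity, this page and that one will now disagree. Minor: the unchanged context uses both "Directory Reader role" and "Directory Readers role"; since this hunk is already touching the list, normalising to **Directory Readers** would be cheap.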