
Removed guidance suggesting assigning Microsoft Graph permissions to SQL managed identity #10139


Closed
wants to merge 1 commit into from

Conversation

MarkMpn (Contributor) commented Jul 14, 2025

As noted in https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-directory-readers-role?view=azuresql#assign-the-directory-readers-role, assigning individual Graph permissions to the managed identity is not sufficient to allow an application user to create another user - the managed identity must have the Directory Readers role instead.

The current wording suggests this is the best way to apply the permissions because the Directory Readers role includes other permissions that are not required, which leads to wasted time trying to get this set up when actually the Directory Readers role is required.

Contributor (automated comment)
@MarkMpn : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.

Contributor (automated comment)
Learn Build status updates of commit c12037c:

✅ Validation status: passed

File: azure-sql/database/authentication-aad-service-principal.md
Status: ✅ Succeeded

For more details, please refer to the build report.

ttorble (Contributor) commented Jul 14, 2025

@VanMSFT

Can you review the proposed changes?

IMPORTANT: When the changes are ready for publication, adding a #sign-off comment is the best way to signal that the PR is ready for the review team to merge.

#label:"aq-pr-triaged"
@MicrosoftDocs/public-repo-pr-review-team

@prmerger-automator prmerger-automator bot added the aq-pr-triaged tracking label for the PR review team label Jul 14, 2025
VanMSFT (Member) commented Jul 14, 2025

@PratimDasgupta - Hey Pratim, can you please verify this? Thanks.

#assign:PratimDasgupta

seesharprun (Contributor) commented:

@VanMSFT

VanMSFT (Member) commented Jul 17, 2025

Hi @MarkMpn - Thanks for the PR. I've confirmed with the Product Team that this is incorrect. The doc https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-directory-readers-role?view=azuresql#assign-the-directory-readers-role is a little outdated and Directory Readers can be replaced with the permissions mentioned in https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity?view=azuresql#permissions.

I'll make the updates to the Directory Readers doc.

For now, I'll close this PR, but please feel free to provide further feedback. Thanks!
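The thread above turns on two different ways a SQL managed identity can end up with directory read access: membership in the Directory Readers directory role (the PR author's position) versus individual Microsoft Graph application permissions assigned as app roles (the product team's position). When a troubleshooter is unsure which one a tenant actually applied, the practical first step is to audit what the service principal holds. The following added example is not code from the PR, the MicrosoftDocs repo, or the linked docs; it is a stand-alone Python audit that works offline on constructed JSON shaped like the Microsoft Graph responses for a service principal's appRoleAssignments and memberOf collections, and reports both kinds of grant side by side. The `REQUIRED_APP_ROLES` list is illustrative (fill it from the permissions doc linked in the thread), and every object ID and app-role ID in the sample data is a constructed placeholder; the Directory Readers role template ID is an assumed well-known value that should be confirmed against the tenant's directoryRoleTemplates.

```python
"""Audit which directory-read grants a service principal (e.g. a SQL managed
identity) holds: Directory Readers role membership vs. Graph app roles.

Added example, not part of the PR or the Microsoft docs it discusses.
Input shapes mirror Microsoft Graph's
  GET /servicePrincipals/{id}/memberOf           -> directory objects
  GET /servicePrincipals/{id}/appRoleAssignments -> appRoleAssignment objects
  GET /servicePrincipals/{graphSpId}             -> appRoles[] (id, value)
All IDs below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed well-known role template id for "Directory Readers"; confirm it
# against your tenant's /directoryRoleTemplates before relying on it.
DIRECTORY_READERS_TEMPLATE_ID = "88d8e3e3-8f55-4a1e-953a-9b9898b8876b"

# Illustrative: the Graph application permissions your reference doc requires.
REQUIRED_APP_ROLES = ["User.Read.All", "GroupMember.Read.All", "Application.Read.All"]


@dataclass
class GrantReport:
    directory_readers: bool        # member of the Directory Readers role?
    graph_app_roles: list[str]     # Graph app roles actually assigned
    missing_app_roles: list[str]   # required app roles not assigned


def has_directory_readers(member_of: list[dict]) -> bool:
    """True if any memberOf entry is the Directory Readers directory role."""
    for obj in member_of:
        if obj.get("@odata.type") != "#microsoft.graph.directoryRole":
            continue  # groups, admin units etc. are not directory roles
        if (obj.get("roleTemplateId") == DIRECTORY_READERS_TEMPLATE_ID
                or obj.get("displayName") == "Directory Readers"):
            return True
    return False


def resolve_graph_app_roles(assignments: list[dict], graph_sp: dict) -> list[str]:
    """Map each appRoleAssignment on the Microsoft Graph resource to its
    permission value (e.g. 'User.Read.All'); assignments on other APIs are skipped."""
    names_by_id = {role["id"]: role["value"] for role in graph_sp["appRoles"]}
    granted = []
    for a in assignments:
        if a.get("resourceId") != graph_sp["id"]:
            continue
        granted.append(names_by_id.get(a["appRoleId"], f"<unknown {a['appRoleId']}>"))
    return sorted(granted)


def audit(member_of: list[dict], assignments: list[dict], graph_sp: dict,
          required: list[str]) -> GrantReport:
    roles = resolve_graph_app_roles(assignments, graph_sp)
    return GrantReport(
        directory_readers=has_directory_readers(member_of),
        graph_app_roles=roles,
        missing_app_roles=sorted(set(required) - set(roles)),
    )


def summarize(report: GrantReport) -> str:
    return (f"Directory Readers: {'yes' if report.directory_readers else 'no'}; "
            f"Graph app roles: {', '.join(report.graph_app_roles) or 'none'}; "
            f"missing required app roles: {', '.join(report.missing_app_roles) or 'none'}")


# --- constructed sample data (placeholder IDs) -------------------------------
SAMPLE_GRAPH_SP = {
    "id": "sp-graph-0001", "displayName": "Microsoft Graph",
    "appRoles": [{"id": "role-0001", "value": "User.Read.All"},
                 {"id": "role-0002", "value": "GroupMember.Read.All"},
                 {"id": "role-0003", "value": "Application.Read.All"}],
}
# Identity A: individual Graph permissions only, one of them missing.
SAMPLE_MEMBER_OF_A = [{"@odata.type": "#microsoft.graph.group", "displayName": "sql-admins"}]
SAMPLE_ASSIGNMENTS_A = [
    {"appRoleId": "role-0001", "resourceId": "sp-graph-0001", "principalId": "mi-0001"},
    {"appRoleId": "role-0002", "resourceId": "sp-graph-0001", "principalId": "mi-0001"},
]
# Identity B: Directory Readers role only, no Graph app roles.
SAMPLE_MEMBER_OF_B = [{"@odata.type": "#microsoft.graph.directoryRole",
                       "displayName": "Directory Readers",
                       "roleTemplateId": DIRECTORY_READERS_TEMPLATE_ID}]
SAMPLE_ASSIGNMENTS_B: list[dict] = []


def main() -> None:
    for label, mo, asg in (("identity A", SAMPLE_MEMBER_OF_A, SAMPLE_ASSIGNMENTS_A),
                           ("identity B", SAMPLE_MEMBER_OF_B, SAMPLE_ASSIGNMENTS_B)):
        print(f"{label}: {summarize(audit(mo, asg, SAMPLE_GRAPH_SP, REQUIRED_APP_ROLES))}")


if __name__ == "__main__":
    main()
```

Running the script reports identity A as having no Directory Readers membership and a missing `Application.Read.All` app role, and identity B as a Directory Readers member with no Graph app roles at all; a reviewer comparing either against whichever model the current doc prescribes can see in one line which grant is actually in place rather than guessing from error messages.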

@VanMSFT VanMSFT closed this Jul 17, 2025

5 participants