You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: azure-sql/database/authentication-aad-directory-readers-role.md
+4-4Lines changed: 4 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@ description: Learn about the directory reader's role in Microsoft Entra for Azur
5
5
author: VanMSFT
6
6
ms.author: vanto
7
7
ms.reviewer: wiassaf, vanto, mathoma
8
-
ms.date: 06/10/2025
8
+
ms.date: 07/17/2025
9
9
ms.service: azure-sql
10
10
ms.subservice: security
11
11
ms.topic: conceptual
@@ -41,17 +41,17 @@ The **Directory Readers** role can be used as the server or instance identity to
41
41
42
42
In order to assign the [**Directory Readers**](/azure/active-directory/roles/permissions-reference#directory-readers) role to an identity, a user with [Privileged Role Administrator](/azure/active-directory/roles/permissions-reference#privileged-role-administrator) or higher permissions are needed. Users who often manage or deploy SQL Database, SQL Managed Instance, or Azure Synapse might not have access to these highly privileged roles. This can often cause complications for users that create unplanned Azure SQL resources, or need help from highly privileged role members that are often inaccessible in large organizations.
43
43
44
-
For SQL Managed Instance, the **Directory Readers** role must be assigned to the managed instance identity before you can [set up a Microsoft Entra admin for the managed instance](authentication-aad-configure.md#provision-azure-ad-admin-sql-managed-instance).
44
+
For SQL Managed Instance, the **Directory Readers** role or lower level permissions discussed in [Managed identities in Microsoft Entra for Azure SQL](authentication-azure-ad-user-assigned-managed-identity.md)must be assigned to the managed instance identity before you can [set up a Microsoft Entra admin for the managed instance](authentication-aad-configure.md#provision-azure-ad-admin-sql-managed-instance).
45
45
46
-
Assigning the **Directory Readers** role to the server identity isn't required for SQL Database or Azure Synapse when setting up a Microsoft Entra admin for the logical server. However, to enable Microsoft Entra object creation in SQL Database or Azure Synapse on behalf of a Microsoft Entra application, the **Directory Readers** role is required. If the role isn't assigned to the logical server identity, creating Microsoft Entra users in Azure SQL will fail. For more information, see [Microsoft Entra service principals with Azure SQL](authentication-aad-service-principal.md).
46
+
Assigning the **Directory Readers** role to the server identity isn't required for SQL Database or Azure Synapse when setting up a Microsoft Entra admin for the logical server. However, to enable Microsoft Entra object creation in SQL Database or Azure Synapse on behalf of a Microsoft Entra application, the **Directory Readers** role or lower level permissions discussed in [Managed identities in Microsoft Entra for Azure SQL](authentication-azure-ad-user-assigned-managed-identity.md)is required. If the role or permissions aren't assigned to the logical server identity, creating Microsoft Entra users in Azure SQL will fail. For more information, see [Microsoft Entra service principals with Azure SQL](authentication-aad-service-principal.md).
## Grant the Directory Readers role to a Microsoft Entra group
53
53
54
-
You can now have a [Privileged Role Administrator](/azure/active-directory/roles/permissions-reference#privileged-role-administrator) create a Microsoft Entra group and assign the [**Directory Readers**](/azure/active-directory/roles/permissions-reference#directory-readers) permission to the group. This will allow access to the Microsoft Graph API for members of this group. In addition, Microsoft Entra users who are owners of this group are allowed to assign new members for this group, including identities of the logical servers.
54
+
You can have a [Privileged Role Administrator](/azure/active-directory/roles/permissions-reference#privileged-role-administrator) create a Microsoft Entra group and assign the [**Directory Readers**](/azure/active-directory/roles/permissions-reference#directory-readers) permission to the group. This will allow access to the Microsoft Graph API for members of this group. In addition, Microsoft Entra users who are owners of this group are allowed to assign new members for this group, including identities of the logical servers.
55
55
56
56
This solution still requires a high privilege user (Privileged Role Administrator or higher permissions) to create a group and assign users as a one time activity, but the Microsoft Entra group owners will be able to assign additional members going forward. This eliminates the need to involve a high privilege user in the future to configure all SQL Databases, SQL Managed Instances, or Azure Synapse servers in their Microsoft Entra tenant.
![prmerger-automator[bot]](https://avatars.githubusercontent.com/u/22479449?v=4&size=40){kind=avatar}
0 commit comments