I'm trying to use AAD identities to access Azure SQL Server instead of SQL Server users. I was following this article: https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-configure. What I need to do, based on the Microsoft docs, is create contained users in the database. So I'm executing this from an Azure Function app.
CREATE USER [existing group in AAD] FROM EXTERNAL PROVIDER
ALTER ROLE db_datareader ADD MEMBER [existing group in AAD]
The function app is able to log into SQL Server because its service principal is set as the Azure Active Directory admin for the SQL server.
I got the exception:
Principal 'existing group in AAD' could not be resolved. Error message: 'AADSTS700016: Application with identifier '168d4e19-6718-4e50-8f96-c280e821ad6c' was not found in the directory 'my directory'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.'
So I assigned a system-assigned managed identity to the SQL server. Then I got:
Server identity does not have Azure Active Directory Readers permission. Please follow the steps here : https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-service-principal
I assigned the Directory Readers permission to that identity as required, and it started to work.
My problem is that I need to use a user-assigned managed identity, so I did the same, but I'm getting the first exception, as if there were no identity assigned to the SQL server.
Any ideas why the system-assigned identity works but not the user-assigned one?
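The contained-user setup the question describes, written out as an added example (this is not code from the question or from Microsoft's docs). It assumes a placeholder AAD group display name `sql-readers`, that the batch runs against the user database (not `master`), and that the connection is the server's Azure AD admin or another AAD principal holding `ALTER ANY USER` and `ALTER ANY ROLE`. The `CREATE USER ... FROM EXTERNAL PROVIDER` step is the one that requires the server's identity (whichever kind is assigned) to hold Directory Readers, because the server resolves the name against the directory; the verification query at the end confirms the principal was created as an external group and what roles it ended up in.

```sql
-- Added example, not from the original post. Placeholder group name: 'sql-readers'
-- (must match the AAD group's display name exactly).
DECLARE @principal sysname = N'sql-readers';
DECLARE @sql nvarchar(max);

-- 1. Create the contained user from Azure AD only if it does not already exist.
--    QUOTENAME() guards against names containing ']' or other metacharacters.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @principal)
BEGIN
    SET @sql = N'CREATE USER ' + QUOTENAME(@principal) + N' FROM EXTERNAL PROVIDER;';
    EXEC sys.sp_executesql @sql;
END;

-- 2. Least privilege: grant read-only access through db_datareader, idempotently.
IF NOT EXISTS (
    SELECT 1
    FROM sys.database_role_members rm
    JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
    JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
    WHERE r.name = N'db_datareader' AND m.name = @principal)
BEGIN
    SET @sql = N'ALTER ROLE db_datareader ADD MEMBER ' + QUOTENAME(@principal) + N';';
    EXEC sys.sp_executesql @sql;
END;

-- 3. Verify. For an AAD group, type_desc should be EXTERNAL_GROUP (EXTERNAL_USER for
--    a single AAD user or service principal) and authentication_type_desc EXTERNAL;
--    the roles column lists every database role the principal belongs to.
SELECT p.name,
       p.type_desc,
       p.authentication_type_desc,
       STRING_AGG(r.name, N', ') AS roles
FROM sys.database_principals p
LEFT JOIN sys.database_role_members rm ON rm.member_principal_id = p.principal_id
LEFT JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
WHERE p.name = @principal
GROUP BY p.name, p.type_desc, p.authentication_type_desc;
```

If the `CREATE USER` step fails with the `AADSTS700016` / "could not be resolved" error shown in the question, the statement itself is not at fault: the server has no usable directory identity, or that identity lacks Directory Readers, and the verification query will return no row.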