Change - razmipatel/Random GitHub Wiki

Temporary Assignment of Graph API Permissions to AIB-SP-Deployment-Root

Summary: To address issues assigning Entra ID groups as SQL Admins on SQL Managed Instances (MI) in the EDB Dev and TST subscriptions, we need to temporarily assign Microsoft Graph API permissions to the AIB-SP-Deployment-Root service principal.

Details: The AIB-SP-Deployment-Root service principal currently lacks the necessary Microsoft Graph API permissions (GroupMember.Read.All and Application.Read.All), which is causing failures when assigning Entra ID groups as SQL Admins during Terraform-based SQL MI deployments. The same operations succeed when assigning individual users, which points to the missing permissions as the likely root cause.

This issue is not present in the Lab environment. We are actively working with Microsoft under support case 2506100050002951. As part of this troubleshooting effort, we will temporarily assign the required Graph API permissions to the service principal.

Important Notes:

A follow-up task is scheduled for the following day to remove the permissions after testing is completed and findings are reported back to Microsoft.

The change will be tracked as two tasks:

Task 1: Add permissions (GroupMember.Read.All and Application.Read.All)

Task 2: Remove permissions (scheduled for the next day)

Service Principal Details:

Name: AIB-SP-Deployment-Root

Client ID: 3b7b1636-4957-44f0-9c81-4f7f4bcc1f90

Temporary Permissions to Assign:

GroupMember.Read.All

Application.Read.All
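The two tasks above (grant the permissions, verify them, and remove them again the next day) can be scripted so that the add and the remove are symmetric and leave an auditable list of what was assigned. The script below is an added example, not part of this change record or of the deployment tooling. It uses the Microsoft Graph PowerShell SDK and assumes that the permissions to grant are Graph *application* permissions (app roles, the kind a non-interactive Terraform service principal uses), that the operator is signed in with an account allowed to create app role assignments, and that the Microsoft Graph first-party application ID is the well-known 00000003-0000-0000-c000-000000000000. The client ID and permission names are taken from the change record; everything else is an assumption.

```powershell
# Added example (not from the original change record): grant, list and revoke the
# temporary Microsoft Graph application permissions for AIB-SP-Deployment-Root.
# Assumes the Microsoft.Graph PowerShell SDK is installed and that the signed-in
# account may consent to application permissions.
param(
    [ValidateSet('Add', 'Show', 'Remove')]
    [string]$Task = 'Show'
)

$ClientId    = '3b7b1636-4957-44f0-9c81-4f7f4bcc1f90'   # from the change record
$GraphAppId  = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph app ID (assumption)
$Permissions = @('GroupMember.Read.All', 'Application.Read.All')

# Delegated scopes needed by the operator running this script (assumption)
Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All', 'Application.Read.All' | Out-Null

$sp    = Get-MgServicePrincipal -Filter "appId eq '$ClientId'"
$graph = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
if (-not $sp)    { throw "Service principal with appId $ClientId not found in this tenant" }
if (-not $graph) { throw "Microsoft Graph service principal not found in this tenant" }

# Resolve a permission name to the matching *application* app role on Microsoft Graph.
function Get-GraphAppRole([string]$PermissionName) {
    $role = $graph.AppRoles | Where-Object {
        $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'
    }
    if (-not $role) { throw "Application permission '$PermissionName' not found on Microsoft Graph" }
    return $role
}

# All app role assignments the SP currently holds on Microsoft Graph (-All avoids paging truncation).
function Get-CurrentGraphAssignment {
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        Where-Object { $_.ResourceId -eq $graph.Id }
}

# Task 1: add the two permissions, skipping any that are already present (idempotent).
function Grant-TemporaryGraphPermission {
    $current = Get-CurrentGraphAssignment
    foreach ($perm in $Permissions) {
        $role = Get-GraphAppRole $perm
        if ($current | Where-Object { $_.AppRoleId -eq $role.Id }) {
            Write-Host "$perm already assigned, skipping"
            continue
        }
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
            -PrincipalId $sp.Id -ResourceId $graph.Id -AppRoleId $role.Id | Out-Null
        Write-Host "Granted $perm to $($sp.DisplayName)"
    }
}

# Task 2: remove exactly the two permissions this change added, and nothing else.
function Revoke-TemporaryGraphPermission {
    $current = Get-CurrentGraphAssignment
    foreach ($perm in $Permissions) {
        $role = Get-GraphAppRole $perm
        $current | Where-Object { $_.AppRoleId -eq $role.Id } | ForEach-Object {
            Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $_.Id
            Write-Host "Removed $perm from $($sp.DisplayName)"
        }
    }
}

# Evidence for the change record: which Graph application permissions the SP holds right now.
function Show-GraphPermission {
    Get-CurrentGraphAssignment | ForEach-Object {
        $assignment = $_
        $role = $graph.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        [pscustomobject]@{
            Permission   = $role.Value
            AssignmentId = $assignment.Id
            Created      = $assignment.CreatedDateTime
        }
    } | Format-Table -AutoSize
}

switch ($Task) {
    'Add'    { Grant-TemporaryGraphPermission;  Show-GraphPermission }
    'Remove' { Revoke-TemporaryGraphPermission; Show-GraphPermission }
    'Show'   { Show-GraphPermission }
}
```

Run it with `-Task Add` for Task 1 and `-Task Remove` for the next-day Task 2; the `Show` output after each run is the before/after state worth attaching to the change and to the Microsoft support case. Granting by looking up the app role on the Graph service principal, rather than hard-coding role IDs, keeps the script tied to the permission names listed in this change, and the revoke step only touches assignments whose role ID matches those two names, so any Graph permission the service principal held before this change is left alone.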