From 701f1cf26636c8b21226ef0e37b75d38f8cc8dd4 Mon Sep 17 00:00:00 2001 From: Shailesh Panday Date: Tue, 7 Apr 2026 14:24:58 +0530 Subject: [PATCH 1/2] Update permissions guidance for managed identities The description is to make a clear statement to end users that System Assigned Managed identities require graph permissions even if they are added to the group. The current statement is confusing, hence the same was confirmed with Microsoft Support and proposing this statement. --- .../microsoft-entra-authentication-with-managed-identity.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/sql-server/azure-arc/microsoft-entra-authentication-with-managed-identity.md b/docs/sql-server/azure-arc/microsoft-entra-authentication-with-managed-identity.md index 556053c54ea..50c8cb38ae0 100644 --- a/docs/sql-server/azure-arc/microsoft-entra-authentication-with-managed-identity.md +++ b/docs/sql-server/azure-arc/microsoft-entra-authentication-with-managed-identity.md 
@@ -183,6 +183,9 @@ The system-assigned managed identity, which uses the Arc-enabled machine name, m You can use PowerShell to grant required permissions to the managed identity. Alternatively, you can [create a role-assignable group](/entra/identity/role-based-access-control/groups-create-eligible). After the group is created, assign the **Directory Readers** role or the `User.Read.All`, `GroupMember.Read.All`, and `Application.Read.All` permissions to the group, and add all system-assigned managed identities for your Azure Arc-enabled machines to the group. We don't recommend using the **Directory Readers** role in your production environment. +> [!Note] +> Even when the System-Assigned Managed Identity is a member of a group, the above three required Microsoft Graph application permissions must still be explicitly assigned to the managed identity itself. + The following PowerShell script grants the required permissions to the managed identity. Make sure this script is run on PowerShell 7.5 or a later version, and has the `Microsoft.Graph` module 2.28 or later installed. ```powershell From bef9c41585df89a9b6a1fec9faefe3cb429ddf31 Mon Sep 17 00:00:00 2001 From: Shailesh Panday Date: Wed, 8 Apr 2026 10:20:31 +0530 Subject: [PATCH 2/2] Update docs/sql-server/azure-arc/microsoft-entra-authentication-with-managed-identity.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- .../microsoft-entra-authentication-with-managed-identity.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/sql-server/azure-arc/microsoft-entra-authentication-with-managed-identity.md b/docs/sql-server/azure-arc/microsoft-entra-authentication-with-managed-identity.md index 50c8cb38ae0..91fcd39d3a4 100644 --- a/docs/sql-server/azure-arc/microsoft-entra-authentication-with-managed-identity.md +++ b/docs/sql-server/azure-arc/microsoft-entra-authentication-with-managed-identity.md 
@@ -183,8 +183,8 @@ The system-assigned managed identity, which uses the Arc-enabled machine name, m You can use PowerShell to grant required permissions to the managed identity. Alternatively, you can [create a role-assignable group](/entra/identity/role-based-access-control/groups-create-eligible). After the group is created, assign the **Directory Readers** role or the `User.Read.All`, `GroupMember.Read.All`, and `Application.Read.All` permissions to the group, and add all system-assigned managed identities for your Azure Arc-enabled machines to the group. We don't recommend using the **Directory Readers** role in your production environment. -> [!Note] -> Even when the System-Assigned Managed Identity is a member of a group, the above three required Microsoft Graph application permissions must still be explicitly assigned to the managed identity itself. +> [!NOTE] +> Even when the system-assigned managed identity is a member of a group, the preceding three required Microsoft Graph application permissions must still be explicitly assigned to the managed identity itself. The following PowerShell script grants the required permissions to the managed identity. Make sure this script is run on PowerShell 7.5 or a later version, and has the `Microsoft.Graph` module 2.28 or later installed.
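Review bot: In the first hunk, the added note contradicts the unchanged paragraph directly above it. That paragraph tells the reader they can assign the `User.Read.All`, `GroupMember.Read.All`, and `Application.Read.All` permissions "to the group" and add the managed identities to the group, while the new note says those same three permissions "must still be explicitly assigned to the managed identity itself." A reader following the group alternative will end up with identities that the note says are under-permissioned. Either revise the preceding sentence so it no longer presents assigning the three Graph permissions to the group as a working alternative, or have the note state plainly which part of the group approach still applies (the **Directory Readers** role assignment) and which does not. Minor: `[!Note]` should be `[!NOTE]` and "above three" should be "preceding three" to match the rest of the docs set.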
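Review bot: In the second hunk, the casing and wording corrections (`[!NOTE]`, "system-assigned managed identity", "preceding three") are fine, but the underlying conflict is still present: the context line above the note still instructs the reader to assign the three permissions "to the group", and the note still says they must be assigned to the identity itself. Suggest one more pass on the paragraph itself, and consider ending the note with a pointer to the script that follows, for example: "Use the PowerShell script that follows to assign them directly." That ties the note to the procedure the page already documents and gives the reader a concrete next step rather than a bare requirement.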