Create login from Entra ID Security Group rather than individual

Question

This article says I can create a Login in Azure SQL Server from a Microsoft EntraID Security Group. I can, and it works, and it appears in sys.server_principals as type_desc 'EXTERNAL_GROUP' and type 'X'. (I note that non-group EntraID logins appear as type_desc 'EXTERNAL_LOGIN' and type 'E'.)

But when I try the next step in the article, which is to create a User from the Login, I get the error '<EntraIDGroupName> is not a valid login or you do not have permission'.

I have successfully created Users from non-group Logins, so I don't think it's a permission problem.

Is it the case that, despite the article, you can't actually create a group user this way - I have to create individual logins and users for each potential EntraID user I want to have access the database? Or am I missing a trick somewhere?

babatundedallas · Accepted Answer

JonathanGibbs&nbsp;You can create a login in Azure SQL Server from a Microsoft EntraID Security Group.&nbsp;However, creating a user from the login might not be possible.You might get an error message &lt;EntraIDGroupName&gt; is not a valid login or you do not have permission’.&nbsp;This error message is because the login is a group login, not an individual one.&nbsp;You can try creating individual logins and users for each potential EntraID user you want access to the database.&nbsp;You can read more at Microsoft Learn.https://learn.microsoft.com/en-us/entra/architecture/4-secure-access-groupshttps://learn.microsoft.com/en-us/entra/fundamentals/concept-learn-about-groups&nbsp;Let me know if this works for you.&nbsp;@ me in replies, or I'll lose your thread!!!&nbsp;&nbsp;Note:If this post is helpful, please mark it as the&nbsp;solution&nbsp;to help others find it easily. Also, if my answers contribute to a solution, show your appreciation by giving it a&nbsp;thumbs up!&nbsp;

Forum Discussion

Create login from Entra ID Security Group rather than individual

Share

Resources