I’ve been trying to use a user-assigned identity with a SQL managed instance and I was getting the following error:
Msg 37353, Level 16, State 1, Line 1
Server identity does not have Azure Active Directory Readers permission. Please follow the steps here : https://docs.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-service-principal
After spending hours researching, I’ve found a quick and easy way to get this done with a PowerShell script:
# Sign in with an account that can manage directory role assignments
Connect-AzureAD
# Look up the service principal of the user-assigned managed identity
# (-SearchString is a prefix match, so check that only one principal is returned)
$umi = Get-AzureADServicePrincipal -SearchString "UserAssignedIdentityName"
# Find the Directory Readers role (must already be activated in the tenant)
$role = Get-AzureADDirectoryRole | Where-Object {$_.DisplayName -eq "Directory Readers"}
# Add the managed identity as a member of the role
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $umi.ObjectId
You can now check the Directory Readers role assignments and you should see the managed identity.
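A more defensive version of the same assignment, added here as an example rather than the post's own script: it matches the identity name exactly instead of by prefix, activates the Directory Readers role from its template if the tenant has never used it, and skips the add when the identity is already a member. The identity name and the AzureAD module are assumptions.

```powershell
# Added example (not the original post's script): assigns the Directory Readers
# role to a user-assigned managed identity with the checks the one-liner skips.
# Assumes the AzureAD module and the identity name "UserAssignedIdentityName".
param(
    [string]$IdentityName = "UserAssignedIdentityName"
)

Connect-AzureAD | Out-Null

# Exact match on displayName; -SearchString is a prefix search and can return
# several principals when similar names exist (e.g. "umi-sql" and "umi-sql-test").
$umi = Get-AzureADServicePrincipal -Filter "displayName eq '$IdentityName'"
if (-not $umi -or @($umi).Count -ne 1) {
    throw "Expected exactly one service principal named '$IdentityName', found $(@($umi).Count)."
}

# Get-AzureADDirectoryRole only lists roles already activated in the tenant.
# If Directory Readers has never been used, activate it from its template first.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Directory Readers" }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq "Directory Readers" }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Idempotent: skip the add when the identity is already a member
# (Add-AzureADDirectoryRoleMember errors on a duplicate assignment).
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
if ($members.ObjectId -contains $umi.ObjectId) {
    Write-Output "'$IdentityName' is already a Directory Readers member."
} else {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $umi.ObjectId
    Write-Output "Added '$IdentityName' to Directory Readers."
}

# Verify the assignment is visible before retrying the SQL managed instance operation.
$verified = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $umi.ObjectId }
if (-not $verified) { throw "Role assignment not visible yet; re-check before retrying." }
```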