Update permission references and add a note about additional required permissions

[rufer7]

This pull request includes changes to the azure-sql/database/authentication-azure-ad-user-assigned-managed-identity.md file to update permission references and add a note about additional required permissions for creating a contained database user for a Microsoft Entra group.

Permission reference updates:

• Updated the URLs for User.Read.All, GroupMember.Read.All, and Application.Read.All to correct paths.

Additional permissions note:

• Added a note indicating that the Group.Read.All permission is also required for the creation of a contained database user for a Microsoft Entra group.

[prmerger-automator]

@rufer7 : Thanks for your contribution! The author(s) have been notified to review your proposed change.

[learn-build-service-prod]

Learn Build status updates of commit e1c2b07:

✅ Validation status: passed

File	Status	Preview URL	Details
azure-sql/database/authentication-azure-ad-user-assigned-managed-identity.md	✅Succeeded

For more details, please refer to the build report.

For any questions, please:

• Try searching the learn.microsoft.com contributor guides
• Post your question in the Learn support channel

[v-dirichards]

@VanMSFT

Can you review the proposed changes?

Important: When the changes are ready for publication, adding a #sign-off comment is the best way to signal that the PR is ready for the review team to merge.

#label:"aq-pr-triaged"
@MicrosoftDocs/public-repo-pr-review-team

[learn-build-service-prod]

Learn Build status updates of commit ee91508:

✅ Validation status: passed

File	Status	Preview URL	Details
azure-sql/database/authentication-azure-ad-user-assigned-managed-identity.md	✅Succeeded

For more details, please refer to the build report.

For any questions, please:

• Try searching the learn.microsoft.com contributor guides
• Post your question in the Learn support channel

[VanMSFT]

Thanks, @rufer7 - I'm checking on this.

[PratimDasgupta]

Remove this line.

[PratimDasgupta]

Suggested change

	- [GroupMember.Read.All](/graph/permissions-reference#groupmemberreadall): Allows access to Microsoft Entra group information.
	- [Group.Read.All](/graph/permissions-reference#groupreadall): Allows access to contents of Microsoft Entra group.

[rufer7]

@PratimDasgupta thanks for the review. Are you sure about the replacement? At least I didn't test without GroupMember.Read.All permission. In case the replacement is intended, I will also adjust the PoeerShell script in this file

[PratimDasgupta]

I am still working on this, but the idea is to use Group.read.all until GroupMember.Read.All or any other least privilaged api that can support all scenarios. Note: GroupMember.Read.All is a least privilaged api, & thus is a subset of Group.read.all .

[rufer7]

@PratimDasgupta thx for the fast reply. Ah ok, I see. Will GroupMember.Read.All ever support the scenario outlined in the sentence I added in my PR? Because at least from the name itself it doesn't make sense to allow reading groups by GroupMember.Read.All

[rufer7]

@PratimDasgupta you can find more context on my use case here

[PratimDasgupta]

It's difficult to say that. Overall, I was trying to consolidate the api(s).

[rufer7]

@PratimDasgupta I would say least privilege depends on the use case. In the use case I described in the blog post linked in my last comment, assigning Group.Read.All only would be the least privilege way.

[PratimDasgupta]

@rufer7 , just read the blog. Thanks for that, it seems you are using a SMI(Sytem managed identity) & not a UMI(User Managed Identity). Did you try using a UMI & GroupMember.Read.All?

[rufer7]

@PratimDasgupta yes, exactly I'm using SMI. I prefer SMI over UMI but SMI case is not described in the docs. However the graph permission should not vary from SMI to UMI from my point of view. Otherwise it gets weird as both need to look up the Entra group when creating a user from external identity for a Entra group.

But no, I didn't test it with UMI