Error on Create User - Server identity does not have Azure Active Directory Readers permission.

Saish Paradkar 25 Reputation points
2025-04-17T13:57:53.3933333+00:00

I do not have an entry for my user in sys.database_principals, but I do have one in sys.server_principals.
As per this, I can add the user to sys.database_principals using the CREATE USER command.
I am getting the error below but am not able to figure out how I can fix it or how I can grant the Directory Readers permission.
[error screenshot attachment]

Azure Database for MySQL

1 answer

  1. KGY Udayanga 0 Reputation points
    2025-10-17T16:30:32.0433333+00:00

    An orphaned user is a database user whose corresponding server login is missing or mismatched. You can't create a new user for the login because, as far as the database is concerned, a user for that login already exists; it's just broken.

    The solution is not to CREATE a new user, but to re-link the existing user to the server login.

    1. Find the Existing User Name

    First, run this query on the specific database to see if a user already exists that should be linked to your login.

    SQL

    SELECT
        name AS DatabaseUserName,
        sid AS UserSID
    FROM sys.database_principals
    WHERE type_desc IN ('SQL_USER', 'WINDOWS_USER', 'WINDOWS_GROUP')
      AND authentication_type_desc != 'NONE'; -- Exclude roles and schema-only users
    

    Look for a user name in the results that should correspond to your server login.

    2. Re-link the User to the Login

    Once you've identified the existing database user name (e.g., SomeUser), run the following command to fix the mapping. This is the modern and preferred method.

    SQL

    -- Syntax: ALTER USER [database_user_name] WITH LOGIN = [server_login_name];
    ALTER USER [SomeUser] WITH LOGIN = [YourLoginName];
    

    This command updates the security identifier (SID) of the database user to match the SID of the server login, fixing the broken link. After running this, your login should work correctly without needing to create a new user.

    If the above doesn't work, here are other things to check:

    Incorrect Syntax: Double-check that your command is correct. The FROM LOGIN clause is required to link the new user to an existing server login.

    SQL

    CREATE USER [SomeUser] FROM LOGIN [YourLoginName];
    

    Insufficient Permissions: To create or alter a user, you need the ALTER ANY USER permission or membership in the db_owner or db_accessadmin database roles.

    To get to the right solution, the best next step is for you to share the exact error message you're seeing.

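The query in the answer lists every login-style user in the database and leaves it to the reader to spot the orphan by eye. The script below is an added example (not part of the original question or answer) that does the comparison itself: it joins sys.database_principals to sys.server_principals on the SID, keeps only users that are supposed to map to a login (authentication type INSTANCE or WINDOWS, so contained database users and Microsoft Entra users are not flagged), and generates the ALTER USER statement the answer recommends. It assumes SQL Server or Azure SQL Managed Instance, where sys.server_principals is fully visible from the user database, and it assumes the login has the same name as the orphaned user; change the generated login name if yours differs. Note that the error in the question title is raised by CREATE USER ... FROM EXTERNAL PROVIDER when the server's identity lacks the Directory Readers role in Microsoft Entra ID; that is a different condition from an orphaned SQL user, and this script only addresses the latter.

```sql
-- Added example (not from the original post): detect orphaned database users
-- and generate the ALTER USER fix for each one.
-- Assumptions: SQL Server / Azure SQL Managed Instance (sys.server_principals
-- fully visible from this database); login name equals the user name.

-- 1. Orphan report: database users whose SID matches no server login.
SELECT
    dp.name                      AS DatabaseUserName,
    dp.type_desc                 AS UserType,
    dp.authentication_type_desc  AS AuthType,
    -- Suggested repair; assumes the login shares the user's name.
    'ALTER USER ' + QUOTENAME(dp.name)
        + ' WITH LOGIN = ' + QUOTENAME(dp.name) + ';' AS SuggestedFix
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
       ON sp.sid = dp.sid
WHERE dp.type IN ('S', 'U', 'G')                          -- SQL user, Windows user, Windows group
  AND dp.authentication_type_desc IN ('INSTANCE', 'WINDOWS') -- users that must map to a login;
                                                            -- excludes contained (DATABASE) and
                                                            -- Entra (EXTERNAL) users, and roles (NONE)
  AND dp.sid IS NOT NULL
  AND sp.sid IS NULL                                        -- no login with this SID: orphaned
ORDER BY dp.name;

-- 2. Sanity check for the CREATE USER path: an existing user with this name
--    explains "already exists"; an existing login is needed for FROM LOGIN.
DECLARE @name sysname = N'SomeUser';  -- assumption: replace with your user/login name

SELECT
    CASE WHEN EXISTS (SELECT 1 FROM sys.database_principals WHERE name = @name)
         THEN 'user exists in this database (use ALTER USER ... WITH LOGIN)'
         ELSE 'no such user here (CREATE USER ... FROM LOGIN is the right path)'
    END AS UserState,
    CASE WHEN EXISTS (SELECT 1 FROM sys.server_principals WHERE name = @name)
         THEN 'login exists on the server'
         ELSE 'no login of that name on the server'
    END AS LoginState;

-- 3. Apply the repair only after reviewing the report above, e.g.:
-- ALTER USER [SomeUser] WITH LOGIN = [SomeUser];
```

Run the report as a member of db_owner (or with ALTER ANY USER and VIEW DEFINITION) and review the SuggestedFix column before executing anything; re-mapping a user to the wrong login silently grants that login every permission the database user holds.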
