I have an active directory user LDomain\LUser and I want that user to be able to connect to Azure-Sql-DB. The syntax MS uses is throwing an error.
CREATE USER [LDomain\LUser] FROM EXTERNAL PROVIDER
Principal 'LDomain\LUser' could not be found or this principal type is not supported.
I'm only looking for the script to add an AD user - no interface. I know that the AD user exists in Azure and have confirmed, but the Azure-Sql-DB isn't recognizing it, or this T-SQL is invalid - though this is from their documentation.
Try force starting the Active Directory sync: Start-ADSyncSyncCycle -PolicyType Initial. Users created in your AD have to be synced with the Azure AD.
When provisioning users from external Azure Active Directory instances that are federated with your Azure subscription, you need to use the underlying "guest" email address created for the Azure subscription, not the "actual" email address.
i.e. the Microsoft scenario referred to here as "Imported members from other Azure AD's who are native or federated domain members".
So, instead of:
CREATE USER [your.user@example.com] FROM EXTERNAL PROVIDER
One needs to use the following convention. This is Microsoft's way of storing a guest / federated user from another Azure Active Directory.
CREATE USER [your.user_example.com#EXT#@<yourAzureSubscriptionPrefix>.onmicrosoft.com] FROM EXTERNAL PROVIDER
Alternatively, using groups makes this far more intuitive and manageable.
Create a group (e.g. SqlUsersFromExternalDirectory) in the Azure subscription's default Azure Active Directory.
CREATE USER [SqlUsersFromExternalDirectory] FROM EXTERNAL PROVIDER
This works fine, the external users can then sign in, admins can GRANT permissions etc, etc.
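As an added worked example (not code from the original question or either answer), the T-SQL below puts the two approaches above side by side and adds the checks a practitioner would run afterwards: it creates a guest/federated user with the tenant-side #EXT# UPN, creates the group from the default directory, grants the group a least-privilege role, and then reads back what the database actually registered. The tenant name contoso.onmicrosoft.com and the guest UPN are placeholders; the group name is the one used in the answer. Run it while connected to the Azure SQL database as an Azure AD principal (for example the server's Azure AD admin), not as a SQL-authenticated login, because CREATE USER ... FROM EXTERNAL PROVIDER resolves the principal through the caller's Azure AD context.

```sql
-- Added example, not from the original post. Placeholder names:
--   contoso.onmicrosoft.com            -> your tenant's default domain
--   your.user_example.com#EXT#@...     -> the guest UPN as shown in your Azure AD
--   SqlUsersFromExternalDirectory      -> the group name used in the answer above

-- 1. Guest / federated user. Use the UPN Azure AD stores for the guest object,
--    not the on-prem DOMAIN\user name and not the user's home e-mail address.
CREATE USER [your.user_example.com#EXT#@contoso.onmicrosoft.com] FROM EXTERNAL PROVIDER;

-- 2. Group from the tenant's default directory. One principal in the database;
--    members inherit whatever is granted to it.
CREATE USER [SqlUsersFromExternalDirectory] FROM EXTERNAL PROVIDER;

-- 3. Grant least privilege to the group rather than to individual users,
--    so access is managed by group membership in Azure AD.
ALTER ROLE db_datareader ADD MEMBER [SqlUsersFromExternalDirectory];

-- 4. Verify what the database registered. Azure AD users are type 'E'
--    (EXTERNAL_USER); Azure AD groups are type 'X' (EXTERNAL_GROUPS).
SELECT name, type_desc, authentication_type_desc, create_date
FROM sys.database_principals
WHERE type IN ('E', 'X');

-- 5. Review role membership held by external principals.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.type IN ('E', 'X');
```

If step 1 still fails with "Principal ... could not be found or this principal type is not supported", check the name in step 4's output against the object shown in the Azure portal: the bracketed name must match the Azure AD UPN (or the group's display name) exactly, and an on-prem account that has not yet been synced will not resolve at all.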