I’m deploying a Bicep template using a service principal with Contributor
role on the subscription.
The template creates a user-assigned identity that needs to access the database from an Azure Function app to create tables and perform CRUD operations.
The service principal (SP) doesn’t have permission to create or modify Entra ID groups.
I want both members of my team and the user-assigned identity to be able to access the database, with this setup performed as part of the CI/CD pipeline. Currently, I don’t see how this is possible, as the only way of assigning multiple admins is through an Entra ID group (and the SP can’t include the user-assigned identity in it).
Is there any way to grant both team members and the user-assigned identity access to the database via Entra ID authentication, without being able to modify groups?
// Parameters referenced by the resources below
param userAssignedIdentityName string
param databaseServerName string
param resourceNameSuffix string
param location string = resourceGroup().location
@secure()
param sqlAdministratorPassword string

// Existing user-assigned identity (the Function app's identity)
resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = {
  name: userAssignedIdentityName
}

resource databaseServer 'Microsoft.Sql/servers@2023-05-01-preview' = {
  name: '${toLower(databaseServerName)}-${resourceNameSuffix}'
  location: location
  properties: {
    // SQL-authentication admin. With azureADOnlyAuthentication set to true
    // below, this login is disabled; if it is kept, administratorLogin must
    // be set together with the password.
    // administratorLogin: sqlAdministratorLogin
    administratorLoginPassword: sqlAdministratorPassword
    version: '12.0'
    minimalTlsVersion: '1.2'
    publicNetworkAccess: 'Enabled'
    // Entra ID server administrator: the user-assigned identity itself
    administrators: {
      administratorType: 'ActiveDirectory'
      principalType: 'Application'
      login: userAssignedIdentity.name
      sid: userAssignedIdentity.properties.principalId
      tenantId: tenant().tenantId
      azureADOnlyAuthentication: true
    }
    restrictOutboundNetworkAccess: 'Disabled'
  }
}
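As an added example (not part of the question above, and not something the poster wrote): once the user-assigned identity is the server's Entra ID administrator, a session authenticated as that identity can create contained database users for individual Entra principals, which is how access can be granted per user or per identity without touching any Entra group. The user principal name, the identity display name and the database roles below are placeholders chosen for illustration; the identity that is already the server administrator has full access and would not need to be added this way.

```sql
-- Added example, not from the question. Run against the target database
-- while connected as the server's Entra ID administrator (the user-assigned
-- identity from the Bicep template). All names are placeholders.

-- A team member, referenced by their Entra ID user principal name
CREATE USER [alice@contoso.example] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [alice@contoso.example];
ALTER ROLE db_datawriter ADD MEMBER [alice@contoso.example];

-- A second managed identity (assumed: one that should not be server admin),
-- referenced by its display name. Table creation needs db_ddladmin; CRUD
-- needs the reader and writer roles.
CREATE USER [func-app-identity] FROM EXTERNAL PROVIDER;
ALTER ROLE db_ddladmin ADD MEMBER [func-app-identity];
ALTER ROLE db_datareader ADD MEMBER [func-app-identity];
ALTER ROLE db_datawriter ADD MEMBER [func-app-identity];

-- Check which external (Entra ID) principals now exist in the database
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals
WHERE type IN ('E', 'X');
```

The statements are T-SQL and must be executed while authenticated to the database as an Entra ID principal with rights to create users (the server administrator qualifies); they cannot be issued through the ARM control plane that deploys the Bicep template, so a pipeline would run them in a separate step using the identity's own token.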