Logged in as a member of an Azure AD Group Error while Deploying DACPAC

Quite a long title for a short blog post 🙂
While deploying a DACPAC (from a SQL Server Data Tools Database Project) through Azure Devops, I got the following error message:

The user attempting to perform this operation does not have permission as it is currently logged in as a member of an Azure Active Directory (AAD) group but does not have an associated database user account. A user account is necessary when creating an object to assign ownership of that object. To resolve this error, either create an Azure AD user from external provider, or alter the AAD group to assign the DEFAULT_SCHEMA as dbo, then rerun the statement.

Guess the SQL Server team didn’t get the memo that Azure AD has been renamed to Entra ID. Anyway, the Azure Devops pipeline uses a service connection defined in Devops, and in that service connection a user-defined managed identity is configured that has contributor access on the resource group that contains the Azure SQL DB. Furthermore, that managed identity is an actual user in the database, so the error message is completely misleading. The error was thrown when the following SQL script was executed:

CREATE SCHEMA myschema AUTHORIZATION dbo;

Turns out, the managed identity didn’t have the CREATE SCHEMA permissions, and it’s not part of the dbo role, so the CREATE SCHEMA script fails with the error above. I created the necessary schemas with a more privileged user and then the deployment pipeline ran without issues.