# azure
s
This message was deleted.
c
I have never found a good way to do this. So we built a separate pipeline which does this:
```yaml
# Run only for changes to the SQL scripts on master
trigger:
  branches:
    include:
    - master
  paths:
    include:
      - infrastructure/sql/*
stages:
- stage: Alpha
  jobs:
  - job: CreateSqlUsersAlpha
    pool:
      vmImage: 'windows-2019'
    variables:
    # Variable group supplying aadSqlUserName and aadSqlPassword
    - group: sqlvariables
    steps:
    - task: SqlAzureDacpacDeployment@1
      displayName: Create SQL users AUE Primary
      env:
        aadSqlPassword: $(aadSqlPassword)
      inputs:
        azureSubscription: 'prod'
        # Authenticate to the server as an Azure AD user with username/password
        AuthenticationType: aadAuthenticationPassword
        aadSqlUsername: $(aadSqlUserName)
        aadSqlPassword: $(aadSqlPassword)
        ServerName: sqlsvrprimary.database.windows.net
        DatabaseName: 'dbname'
        # Execute a SQL script rather than deploying a dacpac
        deployType: SqlTask
        SqlFile: ./infrastructure/sql/sqlusers.sql
        IpDetectionMethod: 'AutoDetect'
```
This is an Azure DevOps pipeline.
f
I thought I'd have to revert back to an outside-of-Pulumi solution, which is frustrating. Given that it is only an AD SQL login that can create the other users, do you have a dedicated administrator "user" in your AD that is either a) set directly as the Azure AD Administrator, or b) part of a group set as the AD administrator? I may actually still be able to use this method within the Pulumi script if I could just log in using AD username/password to execute the commands, mimicking the SqlAzureDacpacDeployment@1 task.
c
Yeah, we have an AAD user (without MFA obviously) that is a member of that group, which we use to execute those tasks.
It's not ideal. Would love to see your solution inside Pulumi. A custom provider for this would be awesome.
f
It's a little rough but I've put the provider for creating the users in SQL Azure @ https://gist.github.com/barclayadam/4b0eaca1c292584efe30e63b0c1cc0bb
I cannot get config working in the provider though; Pulumi just crashes with "undefined" as the error message. At the moment that means I have hardcoded the username and password (nothing committed to git :)). You'll want to decide what to do there, but otherwise hopefully this could serve as a base for you.