
Create Azure SQL DB with ONLY AD Administrator

I'm in the process of converting my Azure SQL DB to use Active Directory authentication.

I've added this snippet to my ARM template which correctly sets up the Administrator as the AD Group. So far, so good!

{
  "type": "administrators",
  "name": "activeDirectory",
  "apiVersion": "2014-04-01-preview",
  "location": "[resourceGroup().location]",
  "properties": {
    "administratorType": "ActiveDirectory",
    "login": "[parameters('sql_ad_admin_username')]",
    "sid": "[parameters('sql_ad_admin_objectid')]",
    "tenantId": "[parameters('azure_ad_directory_id')]"
  },
  "dependsOn": [
    "[parameters('sql_db_name')]"
  ]
},

Now that I've got it working, I want to get rid of the old SQL Server Auth Administrator details from the ARM Template (and I want to store the template in source control, so obviously no credentials should be in it).

So, I tried deleting these administratorLogin and administratorLoginPassword entries from the file (after all they're not needed any more, I have an AD Administrator instead):

  "properties": {
    "administratorLogin": "admin",
    "administratorLoginPassword": "XXXXXX",
    "version": "12.0"
  },

However, after deleting those, I get the following error running the template:

Invalid value given for parameter Login. Specify a valid parameter value.

Now I'm a bit confused. Why can't I get rid of these? I am now using AD Authentication which is more secure than SQL Authentication, yet it seems to be forcing me to have a less secure username/password administrator login set up? How can I disable this?

Asked by gallivantor, Nov 30 '25 03:11


1 Answer

Ivan's suggestion seems to work now.
ARM template reference: https://learn.microsoft.com/en-us/azure/templates/microsoft.sql/servers?tabs=json

I've tested it with this basic template and the deployment succeeded.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.1",
    "resources": [
        {
            "type": "Microsoft.Sql/servers",
            "apiVersion": "2020-11-01-preview",
            "name": "<insertResourceGroupName>",
            "location": "<insertLocation>",
            "properties": {
                "administrators": {
                    "login": "<insertLogin>",
                    "sid": "<insertSID>",
                    "tenantId": "[subscription().tenantId]",
                    "principalType": "<Group/User/Application>",
                    "azureADOnlyAuthentication": true
                }
            }
        }
    ]
}
Answered by joergensen, Dec 02 '25 20:12
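A pre-commit check for the goal stated in the question (no SQL-auth credentials in the source-controlled template, Azure AD-only administrator enabled), as an added example that is not part of the original question or answer. The function names and the sample template are constructed for illustration; only the property names come from the templates above.

```python
import json

# Constructed sample: one server still carrying SQL-auth credentials, one AD-only.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {"type": "Microsoft.Sql/servers", "name": "legacy-sql",
     "properties": {"administratorLogin": "admin",
                    "administratorLoginPassword": "XXXXXX",
                    "version": "12.0"}},
    {"type": "Microsoft.Sql/servers", "name": "aad-only-sql",
     "properties": {"administrators": {
         "login": "sql-admins", "sid": "00000000-0000-0000-0000-000000000000",
         "tenantId": "[subscription().tenantId]", "principalType": "Group",
         "azureADOnlyAuthentication": true}}}
  ]
}
""")

def is_expression(value):
    """ARM template expressions are strings wrapped in [ ]; [[ is a literal escape."""
    return (isinstance(value, str) and value.startswith("[")
            and value.endswith("]") and not value.startswith("[["))

def audit_sql_servers(template):
    """Return {server name: [findings]} for top-level Microsoft.Sql/servers resources."""
    report = {}
    for res in template.get("resources", []):
        if res.get("type", "").lower() != "microsoft.sql/servers":
            continue
        props = res.get("properties", {})
        findings = []
        if "administratorLogin" in props:
            findings.append("SQL-auth administratorLogin still defined")
        pwd = props.get("administratorLoginPassword")
        if pwd is not None and not is_expression(pwd):
            findings.append("literal administratorLoginPassword in template")
        admins = props.get("administrators")
        if not isinstance(admins, dict):
            findings.append("no inline Azure AD administrators block")
        elif admins.get("azureADOnlyAuthentication") is not True:
            findings.append("azureADOnlyAuthentication is not true")
        report[res.get("name", "<unnamed>")] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit_sql_servers(SAMPLE_TEMPLATE).items():
        print(name, "->", findings or "OK")
```
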


