Support AD Logins for Azure SQL Servers, not just Databases. Logins to the servers only support SQL Authentication.
Result from a recent support ticket: "Currently there is no direct procedure to set up an AD Group as an Azure SQL User that only has rights on a geo-replicated read-only secondary but not the primary." On-prem, this is relatively simple. A Login is needed so the role granted to it does not replicate to the secondary.
To do what we need would involve managing SQL Auth for about two users in each of 150 countries, each with its own geo-replicated Azure SQL Database. A problem with SQL Auth is that any user given the User name and password that we would set up for their database (or for them individually in that database) could give it out to anyone else they want. And then there are the inevitable password reset issue requests that will have to be handled by our service desk, as well as our having to remember to delete those database Users when someone changes jobs or leaves the company. We already use AD for everything else and want to be able to use it here also.