Azure SQL Database copy operations shouldn't require write access to the source database
When performing a database copy operation between two different servers it appears that write access is required to both the destination server and the source database.
See the following error from the Az CLI:
$ az sql db copy \
--resource-group source --server source --name source \
--dest-resource-group dest --dest-server dest --elastic-pool dest --dest-name dest
ERROR: The client '<client>' with object id '<object id>' has permission to perform action 'Microsoft.Sql/servers/databases/write' on scope '/subscriptions/<subscription>/resourceGroups/dest/providers/Microsoft.Sql/servers/dest/databases/dest'; however, it does not have permission to perform action 'Microsoft.Sql/servers/databases/write' on the linked scope(s) '/subscriptions/<subscription>/resourceGroups/source/providers/Microsoft.Sql/servers/source/databases/source'.
This isn't ideal in use cases where you're automating the copy of a database from a production environment to a UAT environment and want to follow the principle of least privilege when assigning permissions.
See SR 119052826003464 for further details about our use case.