Can't add Azure AD Admins to Azure Database for PostgreSQL flexible server with Private access (VNet Integration)
I have created in my Azure subscription two instances of Azure Database for PostgreSQL flexible server.Let me call them server01-psql and server02-psql They both
- are in the same Resource group, let me call it app-rg
- run POstgreSQL version 14
- are created with Authentication method: PostgreSQL and Azure Active Directory authentication
The difference is only
- server01-psql | Networking > Connectivity method: Private access (VNet Integration) to a VNet and Subnet from the same Azure subscription
- server02-psql | Networking > Connectivity method: Public access (allowed IP addresses)
I want to add chosen Azure AD group, let me call it all-app-dbadm, as Azure Active Directory Administrators (Azure AD Admins) for both instances of Azure Database for PostgreSQL flexible server.
My account is Owner of the subscription and my account is also Global Administrator of the related Azure Active Directory.
I can successfully add group from related Tenant to server02-psql in section Authentication > Azure Active Directory Administrators (Azure AD Admins)
However if I try to use
- portal.azure.com
- or az-cli
az postgres flexible-server ad-admin create -g app-rg -s server01-psql -u mysupergroup -i mysupergroupguid -t GroupI allways get an error.Deployment to resource group 'app-rg' failed. Additional details from the underlying API that might be helpful: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details. The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'. (Code: ResourceDeploymentFailure, Target: /subscriptions/mysupersubscriptionid/resourceGroups/app-rg/providers/Microsoft.Resources/deployments/addAdmins-0-XXXXXX)
Could you recommend what needs to be changed on any of the related resources, or perhaps at the subscription level, or in the process of the change to add successfully Azure Active Directory Administrators (Azure AD Admins) to server01-psql?
I encountered the same error while setting the AD group as the AD admin in the Azure database for PostgreSQL flexible server, as mentioned below:
To resolve the issue, I added an outbound network security group (NSG) rule to allow virtual network traffic to only reach the AzureActiveDirectory service tag, as mentioned below:
I attempted to set the admin using the following command in Azure CLI:
az postgres flexible-server ad-admin create -g <resourceGroupName> -s <serverName> -u <AD Group> -i <AD groupId> -t Group
It executed successfully without any errors, as mentioned below:
The admin was added successfully to the server, as mentioned below:
For more information, you can refer to this.
- How to check Debug.Writeline() output in VS code?
- C# API - Provide download of files from Azure Blobstorage
- localhost:300/api is not working : "This page isn’t working"
- Creating an Azure Linux VM with Ubuntu 20.04 with Terraform
- Failed to deploy path that does not exist
- Using Azure WAF for my server(not in Azure)
- How and where to define an environment variable on Azure
- Azure Data Factory - Unable to preview data
- Azure yaml trigger pipeline every 14 days on a Saturday
- Diagnostic setting not included in Azure Portal ARM template export
- How do I read the original pdf file in set indexer datasource in a custom WebApiSkill after enabling "Allow Skillset to read file data"
- How do I store vectors generated by AzureOpenAIEmbeddingSkill in indexer given my current setup
- Authenticating using the Azure CLI is only supported as a User (not a Service Principal)
- Azure Function App - frequent hang and deadlocks
- Sign Tool for Azure Trusted Service Account Error information: "Error: SignerSign() failed." (-2147467259/0x80004005)
- How to convert the premium file share to premium block blob storage account or standard general purpose v2 storage account?
- How to generate an azure blob url with SAS signature in nodejs sdk v12?
- How to Assign Role to New User with Graph API
- Directory disappears from azure cloud shell (home)
- Application Insights Logging Exceptions as Trace
- Issue with Azure key vault and Azure storage account deployment
- AddDataProtection().PersistKeysToAzureBlobStorage().ProtectKeysWithAzureKeyVault() getting httpVerb Error while accessing the blob storage
- temporary_name_for_rotation must be specified when changing any of the following properties: pod_subnet_id
- Native Node.js Metrics in Application Insights
- Azure Key Vault Disabled public access, how to access it through the portal via internet
- Using Google.Cloud.BigQuery.V2 API in Azure Functions
- Azure Functions no job found (python)
- Azure Machine Learning - Online Endpoint Schedule/Cost management
- Is it possible to read File from same folder where Azure function exists
- Make WAF policy to only allow Azure Load Testing or Azure Services