pgaadauth.enable_group_sync parameter cannot be enabled on one Flexible Server (France Central)

Question

Hello,

I am experiencing an issue with the parameter pgaadauth.enable_group_sync on one Azure Database for PostgreSQL Flexible Server.

I have three Flexible Servers in the France Central region. On two of them, the following Azure CLI command works as expected and the parameter value is correctly set to on:

az postgres flexible-server parameter set \

--subscription b3a1c1c0-7b0c-48be-83c8-xxxxxxxx \

--resource-group <RG_NAME> \

--server-name <SERVER_NAME> \

--name pgaadauth.enable_group_sync \

--value on

On those two servers:

az postgres flexible-server parameter show --name pgaadauth.enable_group_sync returns source: "user-override" and the server‑side SHOW pgaadauth.enable_group_sync; in PostgreSQL returns on

However, on server parameters show returns

{

"name": "pgaadauth.enable_group_sync",

"dataType": "Boolean",

"allowedValues": "on,off",

"defaultValue": "off",

"source": "user-override",

"isDynamicConfig": true,

"isConfigPendingRestart": false,

"value": "false"

}

Answer 1

Hi Soviene KHAMAR

Thank you for reaching out and providing details about the challenges you're facing with Entra ID group synchronization in your Azure PostgreSQL Flexible Server. I appreciate your patience as we've investigated this, and I wanted to provide a clear update based on our findings.

We had recently some limitations in the public preview version of this feature, and we've seen similar reports from other customers. A fix is under development, and we still have no ETA for that, which may resolve some of the sync and login issues. That said, since this is still in preview and under active development, we recommend not relying on it as a core part of your production workflow for now.

In the meantime, here is a workaround to help you move forward:

Alternative for User Information: Instead of depending on group sync, we suggest querying user details from audit logs. This is a more stable approach—for example, you can enable pgaudit logging . If helpful, you can refer to this blog Audit Logging and Azure Active Directory in Azure Database for PostgreSQL Flexible servers .

Answer 2

It seems you are encountering an issue with the pgaadauth.enable_group_sync parameter on one of your Azure Database for PostgreSQL Flexible Servers in the France Central region. Since the command works on two of your servers but not on the third, there could be a few potential reasons for this behavior:

1. Parameter Restrictions: The pgaadauth.enable_group_sync parameter may have specific restrictions or dependencies that are not met on the problematic server. Check if there are any other parameters that need to be configured or if there are limitations specific to that server.
2. Server Configuration: Ensure that the server configuration is consistent across all three servers. Differences in versions, configurations, or resource allocations could affect the ability to set certain parameters.
3. Pending Changes: Sometimes, changes to parameters may require a server restart to take effect. Verify if there are any pending changes that need to be applied on the server where the parameter is not being set correctly.
4. Azure Support: If the issue persists, consider reaching out to Azure Support for assistance. They can provide insights specific to your server's configuration and help troubleshoot the issue further.

Make sure to review the server logs for any errors or warnings that might give more context about the failure to set the parameter.

---

References:

• az postgres flexible-server parameter set
• az postgres flexible-server parameter show