Automating Session Termination for Expired Access Tokens in Azure PostgreSQL Flexible Server

Question

Automating Session Termination for Expired Access Tokens in Azure PostgreSQL Flexible Server

Sai Praneeth Eranti 190

Managing an Azure PostgreSQL Flexible Server, an issue has arisen where user sessions in tools like Azure Data Studio (ADS) and pgAdmin are not automatically terminated upon access token expiration. The goal is to find a way to automate the termination of these sessions for enhanced security and compliance, rather than creating a custom script and utilizing Automation Accounts.

Are there any default server parameters available that can be configured to achieve this?

Errors in the logs include:

FATAL | The access token has expired. Please acquire a new token and retry

FATAL | no pg_hba.conf entry for host "<IP>", user "<AAD Group>", database "postgres", no encryption | <ServerName>

Vijayalaxmi Kattimani 2,220 Reputation points Microsoft External Staff

2025-03-31T14:25:50.5466667+00:00
Hi Sai Praneeth Eranti,

Greetings!

As we understand that, you are looking for a way to automatically terminate user sessions in Azure PostgreSQL Flexible Server when their access tokens expire, without relying on custom scripts or Automation Accounts. Unfortunately, Azure PostgreSQL Flexible Server does not currently offer a built-in server parameter specifically for this purpose.

While there are several server parameters you can configure in PostgreSQL, none of them directly address the automatic termination of sessions based on access token expiration. Here are some relevant parameters that you might consider adjusting for session management:

idle_in_transaction_session_timeout: This parameter can be set to automatically terminate sessions that are idle in a transaction for a specified duration. However, this does not directly relate to access token expiration.

statement_timeout: This parameter can be set to limit the duration of any statement execution. Again, this does not directly address token expiration.

tcp_keepalives_idle, tcp_keepalives_interval, tcp_keepalives_count: These parameters can help manage TCP connections but do not directly terminate sessions based on token expiration.

Please refer to the below mentioned link for more information.

https://www.postgresql.org/docs/current/runtime-config-client.html

https://www.postgresql.org/docs/17/runtime-config-connection.html#RUNTIME-CONFIG-TCP-SETTINGS

Since there are no default server parameters to automatically terminate sessions upon access token expiration, here are some alternative approaches you might consider:

Token Lifetime Policies: You can configure Azure AD token lifetime policies to control the duration of access tokens. While this doesn't directly terminate sessions, it can help manage token expiration more effectively.

Connection Pooling: Use a connection pooler like PgBouncer. It can manage connections more effectively and can be configured to close idle connections after a certain timeout.

Session Management: Implementing session management at the application level can help. For instance, you can periodically check the validity of the access token and terminate the session if the token has expired.

User Education: Educate users about the importance of logging out of their sessions when they are done, especially in environments where security is a concern.

Configuring pg_terminate_backend for Stale Sessions: You could use a database cron job (pg_cron extension) to periodically check for expired sessions and terminate them. While you mentioned avoiding Automation Accounts, this method stays within PostgreSQL itself and the interval should be adjusted to match your token expiration policy.

SELECT pg_terminate_backend(pid) FROM pg_stat_activity WHERE backend_start < NOW() - INTERVAL '1 hour';

Here are links to several parallel threads that may be helpful to you:

https://stackoverflow.com/questions/76109854/azure-postgresql-flexible-server-enabled-with-azure-ad-how-to-give-application

I hope this information helps. Please do let us know if you have any further queries.
Vijayalaxmi Kattimani 2,220 Reputation points Microsoft External Staff

2025-04-01T08:25:10.2166667+00:00

Hi @Sai Praneeth Eranti,

We haven’t heard from you on the last response and wanted to follow up to check if your issue has been resolved.

If you have found a solution, we would appreciate it if you could share it with the community, as it may be helpful to others. Otherwise, please provide more details, and we will do our best to assist you further.
Sai Praneeth Eranti 190 Reputation points

2025-04-01T08:29:27.41+00:00
Hi @Vijayalaxmi Kattimani ,

Thanks for the quick response . I would like to try below options if it helps in our envi. but could see there is no direct solution . Also , is there way that I could exclude to log this info in the server logs for specific AD group ?

idle_in_transaction_session_timeout: This parameter can be set to automatically terminate sessions that are idle in a transaction for a specified duration. However, this does not directly relate to access token expiration.

statement_timeout: This parameter can be set to limit the duration of any statement execution. Again, this does not directly address token expiration.

tcp_keepalives_idle, tcp_keepalives_interval, tcp_keepalives_count: These parameters can help manage TCP connections but do not directly terminate sessions based on token expiration.
Vijayalaxmi Kattimani 2,220 Reputation points Microsoft External Staff

2025-04-01T09:31:53.2566667+00:00
Hi Sai Praneeth Eranti,

Greetings!

As we understand that, you are looking for ways to manage session timeouts and logging in a PostgreSQL environment, particularly in relation to Active Directory (AD) groups.

To exclude logging information for a specific Active Directory (AD) group, you can use Group Policy Objects (GPO) security filtering. Here's a general approach:

Create a Security Group: In Active Directory, create a security group and add the users or computers you want to exclude from logging.

Modify GPO Settings: Open the Group Policy Management Console (GPMC) and select the GPO you want to modify.

Security Filtering: In the GPO, go to the "Scope" tab and use the "Security Filtering" section to add the security group you created. Then, set the "Deny" permission for "Apply Group Policy" for this group.

This method ensures that the GPO settings, including logging configurations, do not apply to the specified AD group.

Please refer to the below mentioned links for more information.

https://woshub.com/exclude-user-computer-from-group-policy/

https://community.spiceworks.com/t/how-do-i-exclude-servers-from-a-gpo/440385/2

I hope this information helps. Please do let us know if you have any further queries.
Sai Praneeth Eranti 190 Reputation points

2025-04-01T09:55:09.0566667+00:00
Hi @Vijayalaxmi Kattimani ,

Think , My ask was redirected. Let me clarify. I have an AAD group named "Microsoft Admins" that I added as an Entra Admin to a Postgres Flexible Server. Now , I connect to the Postgres Flexible Server using PgAdmin\ADS with AAD authentication, where the token expires in 1 hour. After the token expires, the server logs of the Postgres Flexible Server start showing errors due to the expired token. I want to exclude these specific errors from being logged in the server logs of the Postgres Flexible Server without excluding all FATAL messages.

Does above answer still valid to exclude from server logs ?

FATAL | The access token has expired. Please acquire a new token and retry

FATAL | no pg_hba.conf entry for host "<IP>", user "<AAD Group>", database "postgres", no encrypti
PratikLad 720 Reputation points Microsoft External Staff

2025-04-01T12:12:23.2566667+00:00

Hi Sai Praneeth Eranti,

Are there any default server parameters available that can be configured to terminate the session once access token expiration.

Currently, Azure Database for PostgreSQL Flexible Server does not offer a built-in server parameter to automatically terminate user sessions upon access token expiration.

Does above answer still valid to exclude from server logs ?

AFAIK Currently, Azure Database for PostgreSQL Flexible Server does not provide a built-in mechanism to exclude specific Azure Active Directory (AD) groups from server logs. However, you can manage and filter logs after they have been collected.

It's important to note that while this method enables you to filter logs during analysis, it doesn't prevent the initial logging of events related to specific AD groups. As of now, there isn't a feature within Azure Database for PostgreSQL Flexible Server to exclude logging for specific AD groups at the source.
Sai Praneeth Eranti 190 Reputation points

2025-04-01T12:40:23.1166667+00:00

Hi @PratikLad ,

Thankyou . The reason I asked was, we are monitoring the logs and our mechanism sends an alert if there are any such errors but wanted to avoid alerts for expired token messages.
PratikLad 720 Reputation points Microsoft External Staff

2025-04-01T13:19:53.0033333+00:00

Hi Sai Praneeth Eranti, For that case you can filter the logs during analysis and avoid logs created for such errors and then createalert on it
Sai Praneeth Eranti 190 Reputation points

2025-04-02T04:54:47.7933333+00:00

Hi @PratikLad ,

There will be no manual intervention to filter logs and ask monitoring to check only filtered logs . Its like , it reads all the logs and trigger as soon as it sees any error .
PratikLad 720 Reputation points Microsoft External Staff

2025-04-03T04:17:03.19+00:00

Hi @Sai Praneeth Eranti,

We haven’t heard from you on the last response and wanted to follow up to check if your issue has been resolved.

If you have found a solution, we would appreciate it if you could share it with the community, as it may be helpful to others. Otherwise, please provide more details, and we will do our best to assist you further.
Sai Praneeth Eranti 190 Reputation points

2025-04-03T05:31:58.12+00:00

Hi @PratikLad ,

Currently , We are using 3rd party tool to monitor where we don't have this option to exclude but yeah question was answered . Thankyou for the quick response .

Accepted answer

0 additional answers

Your answer

Vijayalaxmi Kattimani 2,220 Reputation points Microsoft External Staff

2025-04-01T08:25:10.2166667+00:00

Hi @Sai Praneeth Eranti,

We haven’t heard from you on the last response and wanted to follow up to check if your issue has been resolved.

If you have found a solution, we would appreciate it if you could share it with the community, as it may be helpful to others. Otherwise, please provide more details, and we will do our best to assist you further.
Sai Praneeth Eranti 190 Reputation points

2025-04-01T08:29:27.41+00:00

Hi @Vijayalaxmi Kattimani ,

Thanks for the quick response . I would like to try below options if it helps in our envi. but could see there is no direct solution . Also , is there way that I could exclude to log this info in the server logs for specific AD group ?

idle_in_transaction_session_timeout: This parameter can be set to automatically terminate sessions that are idle in a transaction for a specified duration. However, this does not directly relate to access token expiration.

statement_timeout: This parameter can be set to limit the duration of any statement execution. Again, this does not directly address token expiration.

tcp_keepalives_idle, tcp_keepalives_interval, tcp_keepalives_count: These parameters can help manage TCP connections but do not directly terminate sessions based on token expiration.
Vijayalaxmi Kattimani 2,220 Reputation points Microsoft External Staff

2025-04-01T09:31:53.2566667+00:00

Hi Sai Praneeth Eranti,

Greetings!

As we understand that, you are looking for ways to manage session timeouts and logging in a PostgreSQL environment, particularly in relation to Active Directory (AD) groups.

To exclude logging information for a specific Active Directory (AD) group, you can use Group Policy Objects (GPO) security filtering. Here's a general approach:

Create a Security Group: In Active Directory, create a security group and add the users or computers you want to exclude from logging.

Modify GPO Settings: Open the Group Policy Management Console (GPMC) and select the GPO you want to modify.

Security Filtering: In the GPO, go to the "Scope" tab and use the "Security Filtering" section to add the security group you created. Then, set the "Deny" permission for "Apply Group Policy" for this group.

This method ensures that the GPO settings, including logging configurations, do not apply to the specified AD group.

Please refer to the below mentioned links for more information.

https://woshub.com/exclude-user-computer-from-group-policy/

https://community.spiceworks.com/t/how-do-i-exclude-servers-from-a-gpo/440385/2

I hope this information helps. Please do let us know if you have any further queries.
Sai Praneeth Eranti 190 Reputation points

2025-04-01T09:55:09.0566667+00:00

Hi @Vijayalaxmi Kattimani ,

Think , My ask was redirected. Let me clarify. I have an AAD group named "Microsoft Admins" that I added as an Entra Admin to a Postgres Flexible Server. Now , I connect to the Postgres Flexible Server using PgAdmin\ADS with AAD authentication, where the token expires in 1 hour. After the token expires, the server logs of the Postgres Flexible Server start showing errors due to the expired token. I want to exclude these specific errors from being logged in the server logs of the Postgres Flexible Server without excluding all FATAL messages.

Does above answer still valid to exclude from server logs ?

FATAL | The access token has expired. Please acquire a new token and retry

FATAL | no pg_hba.conf entry for host "<IP>", user "<AAD Group>", database "postgres", no encrypti
PratikLad 720 Reputation points Microsoft External Staff

2025-04-01T12:12:23.2566667+00:00

Hi Sai Praneeth Eranti,

Are there any default server parameters available that can be configured to terminate the session once access token expiration.

Currently, Azure Database for PostgreSQL Flexible Server does not offer a built-in server parameter to automatically terminate user sessions upon access token expiration.

Does above answer still valid to exclude from server logs ?

AFAIK Currently, Azure Database for PostgreSQL Flexible Server does not provide a built-in mechanism to exclude specific Azure Active Directory (AD) groups from server logs. However, you can manage and filter logs after they have been collected.

It's important to note that while this method enables you to filter logs during analysis, it doesn't prevent the initial logging of events related to specific AD groups. As of now, there isn't a feature within Azure Database for PostgreSQL Flexible Server to exclude logging for specific AD groups at the source.
Sai Praneeth Eranti 190 Reputation points

2025-04-01T12:40:23.1166667+00:00

Hi @PratikLad ,

Thankyou . The reason I asked was, we are monitoring the logs and our mechanism sends an alert if there are any such errors but wanted to avoid alerts for expired token messages.
PratikLad 720 Reputation points Microsoft External Staff

2025-04-01T13:19:53.0033333+00:00

Hi Sai Praneeth Eranti, For that case you can filter the logs during analysis and avoid logs created for such errors and then createalert on it
Sai Praneeth Eranti 190 Reputation points

2025-04-02T04:54:47.7933333+00:00

Hi @PratikLad ,

There will be no manual intervention to filter logs and ask monitoring to check only filtered logs . Its like , it reads all the logs and trigger as soon as it sees any error .
PratikLad 720 Reputation points Microsoft External Staff

2025-04-03T04:17:03.19+00:00

Hi @Sai Praneeth Eranti,

We haven’t heard from you on the last response and wanted to follow up to check if your issue has been resolved.

If you have found a solution, we would appreciate it if you could share it with the community, as it may be helpful to others. Otherwise, please provide more details, and we will do our best to assist you further.
Sai Praneeth Eranti 190 Reputation points

2025-04-03T05:31:58.12+00:00

Hi @PratikLad ,

Currently , We are using 3rd party tool to monitor where we don't have this option to exclude but yeah question was answered . Thankyou for the quick response .

Answer 1

Hi Sai Praneeth Eranti

Are there any default server parameters available that can be configured to terminate the session once access token expiration.

Currently, Azure Database for PostgreSQL Flexible Server does not offer a built-in server parameter to automatically terminate user sessions upon access token expiration.

Does above answer still valid to exclude from server logs ?

AFAIK Currently, Azure Database for PostgreSQL Flexible Server does not provide a built-in mechanism to exclude specific Azure Active Directory (AD) groups from server logs. However, you can manage and filter logs after they have been collected.

It's important to note that while this method enables you to filter logs during analysis, it doesn't prevent the initial logging of events related to specific AD groups. As of now, there isn't a feature within Azure Database for PostgreSQL Flexible Server to exclude logging for specific AD groups at the source.

In Azure Postgres SQL you can create alert based on custom log queries as below, and use it for your requirement to avoid getting alerts for particular error message

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And,

if you have any further query do let us know.

Share via

Automating Session Termination for Expired Access Tokens in Azure PostgreSQL Flexible Server

0 additional answers

Your answer