PostgreSQL Flexible Server - Recover from deleted Managed Identity (followed documented steps, need validation)

Question

PostgreSQL Flexible Server - Recover from deleted Managed Identity (followed documented steps, need validation)

Aizha Akmat 0

Hello ,

We are facing an issue related to managed identity deletion for our Azure Database for PostgreSQL Flexible Server.

As per the documentation:
https://learn.microsoft.com/en-gb/azure/postgresql/flexible-server/security-data-encryption?WT.mc_id=Portal-Microsoft_Azure_OSSDatabases#recovering-from-managed-identity-deletion

We have recreated the managed identity with the same name and reassigned access to the Customer Managed Key in Key Vault.

Because all other configuration options were blocked due to inaccessible state, the only update we could apply to the server was changing the “Locks” setting (as recommended by Azure docs to trigger revalidation).

Please confirm:

Whether the lock update is sufficient to revalidate the new identity.
If any additional action is required to rebind the new managed identity to the CMK key.
How long we should expect the revalidation to take.

Flexible Server: [server name, e.g. ds-stage-postgres-eastus2]

Thank you,

Aizha

Sina Salam 26,661 Reputation points Volunteer Moderator

2025-10-31T22:35:59.99+00:00

Hello Aizha Akmat,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you would like to recover your Azure PostgreSQL Flexible Server from deleted Managed Identity.

To resolve the issue, begin by verifying whether the identity still exists using az identity show or az identity list https://learn.microsoft.com/en-us/cli/azure/identity?view=azure-cli-latest. If the identity is missing, recreate it with the exact original name using az identity create, and retrieve its new principal ID.

Next, restore access to the Key Vault by assigning the necessary permissions using get, wrapKey, and optionally unwrapKey via az keyvault set-policy https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-cli. Ensure the PostgreSQL server is correctly bound to the new identity and CMK using az postgres flexible-server update, and confirm encryption status with az postgres flexible-server show https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/how-to-data-encryption-portal.

Critically, you have to update the server’s resource lock (e.g., applying a CanNotDelete lock) triggers revalidation of the managed identity Lock Revalidation Confirmation. Access policies typically propagate within 10–60 seconds, while CMK revalidation by the server occurs every 5–10 minutes. If revalidation does not occur automatically, restart the server using az postgres flexible-server restart and monitor the identity and encryption status again. For full recovery assurance, validate identity existence, Key Vault access policies, CMK bindings, and database connectivity using psql and pg_stat_ssl.

In case of persistent issues such as identity not found, access denied, or CMK validation failure recreate the identity, reassign it to the server, and reapply Key Vault policies. Prevent future disruptions by locking the identity resource with az lock create and enabling Key Vault soft delete and purge protection via az keyvault update - https://learn.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview. Finally, implement monitoring alerts for identity deletion using az monitor activity-log alert create to proactively detect and respond to administrative changes.

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
Swapnesh Panchal 1,380 Reputation points Microsoft External Staff Moderator

2025-11-03T18:24:45.1333333+00:00

Hi Aizha Akmat,
I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.
Aizha Akmat 0 Reputation points

2025-11-05T17:43:09.2666667+00:00

Hi, Swapnesh Panchal,
Thank you so much, we deleted this test stack so I can not provide details in a private messages.
Swapnesh Panchal 1,380 Reputation points Microsoft External Staff Moderator

2025-11-06T00:04:10.8633333+00:00

Do you need any additional assistance or have any questions? We’ll be happy to help.

1 answer

Your answer

Swapnesh Panchal 1,380 Reputation points Microsoft External Staff Moderator

2025-11-03T18:24:45.1333333+00:00

Hi Aizha Akmat,
I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.
Aizha Akmat 0 Reputation points

2025-11-05T17:43:09.2666667+00:00

Hi, Swapnesh Panchal,
Thank you so much, we deleted this test stack so I can not provide details in a private messages.
Swapnesh Panchal 1,380 Reputation points Microsoft External Staff Moderator

2025-11-06T00:04:10.8633333+00:00

Do you need any additional assistance or have any questions? We’ll be happy to help.

Answer 1

Hi Aizha Akmat,
Welcome to the Microsoft Q&A and thank you for posting your query here.
When a managed identity used by your PostgreSQL Flexible Server to access the Customer Managed Key (CMK) gets deleted, just recreating the identity with the same name isn’t enough to fix everything.

You need to update the PostgreSQL server itself to use the new or recovered managed identity explicitly. This means going to the server’s data encryption settings in the Azure portal and selecting the new identity there, then saving the changes.

Also, make sure the new managed identity has the right permissions on the Key Vault where the CMK is stored. It should at least have the “Key Vault Crypto Service Encryption User” role, which allows it to access the key securely.

You mentioned updating the server locks, which is one way to trigger the system to re-check and revalidate the identity and key connections. This step is useful and part of the process, but it won’t work unless the new identity is properly linked to the server as mentioned.

After making those updates, it might take up to an hour for the server to finish validating everything and return to a healthy state where your database is accessible again.

To be precise:

Recreate or recover the managed identity
Update the PostgreSQL server configuration to use this new identity
Assign correct key permissions in Key Vault to that identity
Use the lock update or a server update to trigger revalidation
Wait up to 60 minutes for revalidation to complete

If all these steps are done, the server should come back to a ready state, and your access through the CMK should be restored.

If still you issue has persisted, please share required details in private message

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

References:

Share via

PostgreSQL Flexible Server - Recover from deleted Managed Identity (followed documented steps, need validation)

1 answer

Your answer