Connection failed: FATAL: cannot read pg_class without having selected a database

Question

Connection failed: FATAL: cannot read pg_class without having selected a database

Application Admin 0

I cannot connect to my postgres db with my Entra authentication and receive the below error:

connection to server at <server_name> <ip address>, port 5432 failed: FATAL: cannot read pg_class without having selected a database

I have confirmed that I am added as a Entra administrator for the database and confirmed the server name is correct private endpoint that I have set up. Also note I am able to connect via PostgresQl Authenication but not via Entra authenication.

I have confirmed that the database does exist and is being requested properly.

Any assistance would be much appreciated.

Swapnesh Panchal 1,540 Reputation points Microsoft External Staff Moderator

2025-11-10T19:41:39.87+00:00
Hi Application Admin
Welcome to Microsoft Q&A and thank you for posting your question.

The error FATAL: cannot read pg_class without having selected a database occurs when the session starts without a valid database name. With Microsoft Entra (Azure AD) authentication, this usually happens because:

The client doesn’t send a dbname.

The token audience is incorrect.

The Entra principal doesn’t exist in the target database.

Follow this checklist:

Confirm host and token audience

Flexible Server → FQDN ends with .postgres.database.azure.com

Cosmos DB for PostgreSQL → FQDN ends with .postgres.cosmos.azure.com (use the coordinator endpoint from the portal)

Token audience must be https://ossrdbms-aad.database.windows.net
Generate token:

export PGPASSWORD=$(az account get-access-token --resource-type oss-rdbms --query accessToken -o tsv)

Ensure a non-empty database name is sent

Leaving the “Database” field blank triggers this error.

Examples:

psql:

psql "host=<FQDN> port=5432 dbname=<your_db> user=<UPN>@<tenant> sslmode=require"

Npgsql:

Host=<FQDN>;Database=<your_db>;Username=<UPN>;Password=<token>;SSL Mode=Require; * **JDBC**:

jdbc:postgresql://<FQDN>:5432/<your_db>?sslmode=require * **pgAdmin / ADS**: Fill the “Database” box and paste the token as the password.

Use FQDN, not IP (especially with Private Endpoints)

Do not use hostaddr= or raw IP. Verify DNS:

bash nslookup <FQDN>

Ensure outbound connectivity to Azure AD endpoints for token validation.

Create the Entra principal inside the target database

Being “Entra admin” at the server level does not auto-create DB roles. Connect as Entra Admin and run:

SELECT * FROM pg_catalog.pgaadauth_create_principal('<UPN or Group Display Name>', false, false); GRANT CONNECT ON DATABASE "<your_db>" TO "<UPN or Group Display Name>"; GRANT USAGE ON SCHEMA public TO "<UPN or Group Display Name>"; SELECT * FROM pg_catalog.pgaadauth_list_principals(false);

If using a group, the display name is case-sensitive.

Validate the token

Decode and confirm:

aud = https://ossrdbms-aad.database.windows.net

upn or oid matches the identity created in step 4

exp is valid (tokens expire quickly)

Cosmos DB for PostgreSQL specifics

Use the coordinator endpoint from the portal.

Create the Entra principal in the coordinator database.

Flush DNS caches after PE/DNS changes.

If psql works but your GUI/driver fails, the issue is almost always a missing dbname.
If psql also fails, check the token audience and DNS first.

References

Use Microsoft Entra ID Authentication
(How to enable Entra authentication during or after provisioning.)

Microsoft Entra Authentication Concepts
(Network requirements for token validation.)

Manage Microsoft Entra Users
(Creating Entra principals and managing roles via SQL)

Introduction to Azure Cosmos DB for PostgreSQL
(Service overview and architecture ,Citus-based distributed PostgreSQL)

Full Cosmos DB for PostgreSQL Documentation
(Networking, security, and scaling guidance)
Swapnesh Panchal 1,540 Reputation points Microsoft External Staff Moderator

2025-11-11T18:06:44.48+00:00

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.
Application Admin 0 Reputation points

2025-11-12T19:29:10.7766667+00:00
I confirmed the below:

FQDN ends with .postgres.database.azure.com

Token Audience

Database none empty name

I'm using FQDN not IP

Validated Token

But I'm having issues with Step 4. as the pgaadauth is not available to me to add as a azure.extension.

Note that it seems that I may have been able to assign as a principal as rolcanlogin is set to true but am I'm getting the same error when trying to connect using Entra. "connection to server at <server_name> <ip address>, port 5432 failed: FATAL: cannot read pg_class without having selected a database"

Any further assistance would be much appreciated Swapnesh.
Swapnesh Panchal 1,540 Reputation points Microsoft External Staff Moderator

2025-11-12T19:52:50.8766667+00:00
The core problem is the error FATAL: cannot read pg_class without having selected a database when connecting to Azure Database for PostgreSQL using Entra (formerly Azure AD) authentication, even though:

The same database is reachable with standard PostgreSQL (username/password) auth, and

The database itself definitely exists.

This error usually means the Entra-based connection never successfully “lands” on a specific database before PostgreSQL tries to read system catalogs (pg_class). In the context of Azure PostgreSQL with Entra auth, this can happen if the database name isn’t sent, the mapped database user doesn’t exist, or the Entra integration isn’t fully set up.

Key points to verify:

Confirm that the connection string explicitly includes the database name and that the client is not connecting only to the server (host) without a database parameter.

Make sure the Entra identity (user/service principal/managed identity) has been created as a user inside the target database and granted the required privileges.

Check that the correct Entra/PG integration components are in place for your server version (for example, pgaadauth or the currently recommended extension/mechanism) and that roles are correctly mapped.

Ensure the Entra login and token are valid for this database:

Token audience is correct for Azure PostgreSQL.

Token claims (UPN/object ID) match the database user you created.

If the issue persists after these checks, please share your feedback in the comments.
Application Admin 0 Reputation points

2025-11-13T21:09:22.34+00:00
I confirmed the connection string please see the commands I executed in the cloud shell.

az account get-access-token --resource-type oss-rdbms

export PGPASSWORD=<TOKEN generated from previous command>

psql "host=<my_host> user=<my_user> dbname=<confirmed_dbname> sslmode=require"

I confirmed My Entra identity has privileges for rolcreatedb, rolcreaterole and rolcanlogin

I don’t see pgaadauth as an azure.extension being listed as an option. in my server parameters. How can I get this added or what would be the recommended extension? Also note my using version 18.

Token audience confirmed: https://ossrdbms-aad.database.windows.net and I confirmed my token claim UPN matches my database user. I Still get the same error psql: error: connection to server at <host> (IP), port 5432 failed: FATAL: cannot read pg_class without having selected a database

Any other suggestions would be greatly appreciated. Thank you
Swapnesh Panchal 1,540 Reputation points Microsoft External Staff Moderator

2025-11-17T20:52:19.7866667+00:00
Thanks a lot for the extra details and for confirming the host, dbname, token audience, and role flags – that rules out most of the usual connection-string issues.

At this point the error usually means that the Entra auth extension (pgaadauth) isn’t fully enabled or created on the server, so the auth hook fails before PostgreSQL has actually “landed” on a specific database, which gives the cannot read pg_class without having selected a database message.

Below is a step-by-step path to check and fix that.

#1. Double-check that Entra authentication is actually enabled on the server

In the Azure portal for your Flexible Server:

Go to Authentication.

Make sure one of these modes is selected:

PostgreSQL and Microsoft Entra authentication, or

Microsoft Entra authentication only

Confirm that your Entra account (or group) is listed as a Microsoft Entra administrator and click Save if you changed anything.

When you enable Entra auth at the server level, the platform enables the PGAadAuth / pgaadauth extension and restarts the server behind the scenes.

If this blade still shows “PostgreSQL authentication only”, Entra auth isn’t active and the extension won’t be wired up.

#2. Check whether pgaadauth is available and allow-listed

Connect using your local PostgreSQL admin / azure_pg_admin with normal password auth (not Entra) and run:

SELECT name, default_version, installed_version FROM pg_available_extensions WHERE name = 'pgaadauth';

If you get a row back, the extension is supported on this server.

If no row is returned, the extension isn’t available on this build/region yet – for PostgreSQL 12–18 it should be available on Flexible Server, so in that case I’d recommend opening an Azure support ticket so the product team can check your instance.

If pgaadauth is available but not allow-listed:

In the portal, go to Server parameters.

Search for azure.extensions.

Add pgaadauth to the comma-separated list of extensions (for example: pg_stat_statements,pgaudit,pgaadauth).

Save the change (the server may need a restart).

This is the standard way to allow extensions such as pgaadauth on Flexible Server.

#3. Create the pgaadauth extension (once allow-listed)

Still connected as azure_pg_admin (or equivalent), usually in the postgres database:

CREATE EXTENSION IF NOT EXISTS pgaadauth;

If this fails, note the exact error text – that will tell us whether it is a permissions problem or an allow-listing problem.
#4. Create the Entra principal inside the database

Once the extension exists, you can use the helper function to create the database role that matches your Entra identity or group:

-- Replace with your UPN or group display name SELECT * FROM pg_catalog.pgaadauth_create_principal( '<UPN or Group Display Name>', false, -- is_group false -- create_if_not_exists_only ); GRANT CONNECT ON DATABASE "<confirmed_dbname>" TO "<UPN or Group Display Name>"; GRANT USAGE ON SCHEMA public TO "<UPN or Group Display Name>";

You can verify the principal with:

SELECT * FROM pg_catalog.pgaadauth_list_principals(false); :contentReference[oaicite:3]{index=3}

This step is required because being an Entra administrator at the server level doesn’t automatically create per-database roles.

#5. Re-test the psql connection with the token

From Cloud Shell (your commands look correct, but just to have the full pattern in one place):

# 1. Get token az account get-access-token --resource-type oss-rdbms --query accessToken -o tsv > token.txt # 2. Use that token as PGPASSWORD export PGPASSWORD=$(cat token.txt) # 3. Connect using FQDN, exact UPN, and database name psql "host=<your_server>.postgres.database.azure.com \ port=5432 \ user=<your_upn_or_group_name> \ dbname=<confirmed_dbname> \ sslmode=require"

Key points:

The user value must exactly match the UPN (or group display name) you passed to pgaadauth_create_principal.

The token’s aud should remain https://ossrdbms-aad.database.windows.net and upn/oid should map to that principal, which you’ve already confirmed.

If it still fails If after:

Enabling Entra auth on the server,

Allow-listing and creating pgaadauth,

Creating the principal via pgaadauth_create_principal, and

Connecting with the exact UPN + dbname,

If you still encounter FATAL: cannot read pg_class without having selected a database, it’s very likely a platform-side issue related to the Entra authentication hook on this specific server build—especially since you’re on the PostgreSQL 18 preview. We’ll escalate this to the next level of support.
Swapnesh Panchal 1,540 Reputation points Microsoft External Staff Moderator

2025-11-18T15:52:50.99+00:00

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

2 answers

Your answer

Swapnesh Panchal 1,540 Reputation points Microsoft External Staff Moderator

2025-11-11T18:06:44.48+00:00

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.
Application Admin 0 Reputation points

2025-11-12T19:29:10.7766667+00:00

I confirmed the below:

FQDN ends with .postgres.database.azure.com

Token Audience

Database none empty name

I'm using FQDN not IP

Validated Token

But I'm having issues with Step 4. as the pgaadauth is not available to me to add as a azure.extension.

Note that it seems that I may have been able to assign as a principal as rolcanlogin is set to true but am I'm getting the same error when trying to connect using Entra. "connection to server at <server_name> <ip address>, port 5432 failed: FATAL: cannot read pg_class without having selected a database"

Any further assistance would be much appreciated Swapnesh.
Swapnesh Panchal 1,540 Reputation points Microsoft External Staff Moderator

2025-11-12T19:52:50.8766667+00:00

The core problem is the error FATAL: cannot read pg_class without having selected a database when connecting to Azure Database for PostgreSQL using Entra (formerly Azure AD) authentication, even though:

The same database is reachable with standard PostgreSQL (username/password) auth, and

The database itself definitely exists.

This error usually means the Entra-based connection never successfully “lands” on a specific database before PostgreSQL tries to read system catalogs (pg_class). In the context of Azure PostgreSQL with Entra auth, this can happen if the database name isn’t sent, the mapped database user doesn’t exist, or the Entra integration isn’t fully set up.

Key points to verify:

Confirm that the connection string explicitly includes the database name and that the client is not connecting only to the server (host) without a database parameter.

Make sure the Entra identity (user/service principal/managed identity) has been created as a user inside the target database and granted the required privileges.

Check that the correct Entra/PG integration components are in place for your server version (for example, pgaadauth or the currently recommended extension/mechanism) and that roles are correctly mapped.

Ensure the Entra login and token are valid for this database:

Token audience is correct for Azure PostgreSQL.

Token claims (UPN/object ID) match the database user you created.

If the issue persists after these checks, please share your feedback in the comments.
Application Admin 0 Reputation points

2025-11-13T21:09:22.34+00:00

I confirmed the connection string please see the commands I executed in the cloud shell.

az account get-access-token --resource-type oss-rdbms

export PGPASSWORD=<TOKEN generated from previous command>

psql "host=<my_host> user=<my_user> dbname=<confirmed_dbname> sslmode=require"

I confirmed My Entra identity has privileges for rolcreatedb, rolcreaterole and rolcanlogin

I don’t see pgaadauth as an azure.extension being listed as an option. in my server parameters. How can I get this added or what would be the recommended extension? Also note my using version 18.

Token audience confirmed: https://ossrdbms-aad.database.windows.net and I confirmed my token claim UPN matches my database user. I Still get the same error psql: error: connection to server at <host> (IP), port 5432 failed: FATAL: cannot read pg_class without having selected a database

Any other suggestions would be greatly appreciated. Thank you
Swapnesh Panchal 1,540 Reputation points Microsoft External Staff Moderator

2025-11-18T15:52:50.99+00:00

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

Answer 1

The error message you're encountering, "FATAL: cannot read pg_class without having selected a database," typically indicates that a database needs to be specified when connecting to PostgreSQL. Since you mentioned that you are able to connect via PostgreSQL authentication but not through Microsoft Entra authentication, it suggests that the connection string or command you are using for Entra authentication may not be specifying the database correctly.

Here are a few steps to troubleshoot and resolve the issue:

Check Connection String: Ensure that your connection string includes the dbname parameter. For example:
```
   psql "host=mycluster.[uniqueID].postgres.cosmos.azure.com user=******@tenant.onmicrosoft.com dbname=[db_name] sslmode=require"
```
Make sure to replace [db_name] with the actual name of your database.
Token Validity: Ensure that the Microsoft Entra ID token you are using is valid and has not expired. Tokens typically have a validity of 5-60 minutes.
Database Role: Verify that the database role you are trying to connect with exists and has the necessary permissions. You can check this by connecting with PostgreSQL authentication and running the command \du to list roles.
Group Membership: If you are connecting as a group member, ensure that the group name matches exactly with the Microsoft Entra group display name and that the pgaadauth.enable_group_sync setting is confirmed.

If you continue to face issues after these checks, consider reviewing the logs for more detailed error messages or consult the Azure support documentation for further assistance.

References:

Answer 2

Application Admin 0

FYI the issue was that I was using Postgresql version 18 which doesn't support Microsoft Entra ID authentication as this time. I switched to version 17 and I was able to connect.

Kalyani Kondavaradala 4,600 Reputation points Microsoft External Staff Moderator

2025-11-25T11:54:36.8533333+00:00

Hi Application Admin, thank you for taking time and response glad to that you have workaround for the issue, Since PostgreSQL 18 is the newest version, it's possible that this authentication method is not supported.

Share via

Connection failed: FATAL: cannot read pg_class without having selected a database

Confirm host and token audience

Ensure a non-empty database name is sent

Use FQDN, not IP (especially with Private Endpoints)

Create the Entra principal inside the target database

Validate the token

Cosmos DB for PostgreSQL specifics

2 answers

Your answer