Entra ID only authentication with PostgreSQL databases

March 21, 2025 ยท View on GitHub

SYNOPSIS

Ensure Entra ID only authentication is enabled with Azure Database for PostgreSQL databases.

DESCRIPTION

Azure Database for PostgreSQL supports authentication with PostgreSQL logins and Entra ID authentication.

By default, authentication with PostgreSQL logins is enabled. PostgreSQL logins are unable to provide sufficient protection for identities. Entra ID authentication provides strong protection controls including conditional access, identity governance, and privileged identity management.

Once you decide to use Entra ID authentication, you can disable authentication with PostgreSQL logins.

Entra ID only authentication is only supported for the flexible server deployment model.

RECOMMENDATION

Consider using Entra ID only authentication. Also consider using Azure Policy for Entra ID only authentication with Azure Database for PostgreSQL.

EXAMPLES

Configure with Azure template

To deploy Azure Database for PostgreSQL flexible servers that pass this rule:

  • Set the properties.authConfig.activeDirectoryAuth property to Enabled.
  • Set the properties.authConfig.passwordAuth property to Disabled.

For example:

{
  "type": "Microsoft.DBforPostgreSQL/flexibleServers",
  "apiVersion": "2022-12-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "sku": {
    "name": "Standard_D2ds_v4",
    "tier": "GeneralPurpose"
  },
  "properties": {
    "createMode": "Default",
    "authConfig": {
      "activeDirectoryAuth": "Enabled",
      "passwordAuth": "Disabled",
      "tenantId": "[tenant().tenantId]"
    },
    "version": "14",
    "storage": {
      "storageSizeGB": 32
    },
    "backup": {
      "backupRetentionDays": 7,
      "geoRedundantBackup": "Enabled"
    },
    "highAvailability": {
      "mode": "ZoneRedundant"
    }
  }
}

Configure with Bicep

To deploy Azure Database for PostgreSQL flexible servers that pass this rule:

  • Set the properties.authConfig.activeDirectoryAuth property to Enabled.
  • Set the properties.authConfig.passwordAuth property to Disabled.

For example:

resource flexible 'Microsoft.DBforPostgreSQL/flexibleServers@2022-12-01' = {
  name: name
  location: location
  sku: {
    name: 'Standard_D2ds_v4'
    tier: 'GeneralPurpose'
  }
  properties: {
    createMode: 'Default'
    authConfig: {
      activeDirectoryAuth: 'Enabled'
      passwordAuth: 'Disabled'
      tenantId: tenant().tenantId
    }
    version: '14'
    storage: {
      storageSizeGB: 32
    }
    backup: {
      backupRetentionDays: 7
      geoRedundantBackup: 'Enabled'
    }
    highAvailability: {
      mode: 'ZoneRedundant'
    }
  }
}

NOTES

The Entra ID admin must be set before enabling Entra ID only authentication. Entra ID only authentication is only supported for the flexible server deployment model.