System assigned managed identity

APPLIES TO: Azure Database for PostgreSQL - Flexible Server

This article provides step-by-step instructions to enable or disable a system assigned managed identity for an Azure Database for PostgreSQL flexible server.

Steps to enable for existing servers

Portal

Using the Azure portal:

1. Locate your server in the portal, if you don't have it open. One way to do it is by typing the name of the server in the search bar. When the resource with the matching name is shown, select that resource.

   

2. In the resource menu, under Security, select Identity.

   

3. In the System assigned managed identity section, select On.

   

4. Select Save.

   

5. When the process completes, a notification informs you that the system assigned managed identity is enabled.

   

CLI

The az postgres flexible-server update command doesn't provide built-in support to enable and disable the system assigned managed identity yet. As a workaround, you can use the az rest command to directly invoke the Servers - Update REST API.

# Enable system assigned managed identity
subscriptionId=<subscription-id>
resourceGroup=<resource-group>
server=<server>
result=$(az postgres flexible-server show --resource-group $resourceGroup --name $server --query "identity.type" --output tsv)
if [ -z "$result" ]; then
    az rest --method patch --url https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.DBforPostgreSQL/flexibleServers/$server?api-version=2024-08-01 --body '{"identity":{"type":"SystemAssigned"}}'
elif [ "$result" == "UserAssigned" ]; then
    az rest --method patch --url https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.DBforPostgreSQL/flexibleServers/$server?api-version=2024-08-01 --body '{"identity":{"type":"SystemAssigned,UserAssigned"}}'
else
    echo "System Assigned Managed identity is already enabled."
fi

Steps to disable for existing servers

Portal

Using the Azure portal:

1. Locate your server in the portal, if you don't have it open. One way to do it is by typing the name of the server in the search bar. When the resource with the matching name is shown, select that resource.

   

2. In the resource menu, under Security, select Identity.

   

3. In the System assigned managed identity section, select Off.

   

4. Select Save.

   

5. When the process completes, a notification informs you that the system assigned managed identity is disabled.

   

CLI

The az postgres flexible-server update command doesn't provide built-in support to enable and disable the system assigned managed identity yet. As a workaround, you can use the az rest command to directly invoke the Servers - Update REST API.

# Disable system assigned managed identity
subscriptionId=<subscription-id>
resourceGroup=<resource-group>
server=<server>
result=$(az postgres flexible-server show --resource-group $resourceGroup --name $server --query "identity.type" --output tsv)
if [ "$result" == "SystemAssigned" ]; then
    az rest --method patch --url https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.DBforPostgreSQL/flexibleServers/$server?api-version=2024-08-01 --body '{"identity":{"type":"None"}}'
elif [ "$result" == "SystemAssigned,UserAssigned" ]; then
    echo "System Assigned Managed identity cannot be disabled as the instance has User Assigned Managed identities assigned."
else
    echo "System Assigned Managed identity is already disabled."
fi

Steps to show currently assigned

Portal

Using the Azure portal:

1. Locate your server in the portal, if you don't have it open. One way to do it is by typing the name of the server in the search bar. When the resource with the matching name is shown, select that resource.

   

2. In the resource menu, select Overview

   

3. Select JSON View.

   

4. In the Resource JSON panel that opens, find the identity property and, inside it, you can find the principalId and tenantId for the system assigned managed identity.

   

CLI

# Show the system assigned managed identity
resourceGroup=<resource-group>
server=<server>
az postgres flexible-server identity list --resource-group $resourceGroup --server-name $server --query "{principalId:principalId, tenantId:tenantId}" --output table

Steps to verify in Microsoft Entra ID

Portal

Using the Azure portal:

1. Locate the Enterprise Applications service in the portal, if you don't have it open. One way to do it is by typing its name in the search bar. When the service with the matching name is shown, select it.

   

2. Choose Application Type == Managed Identity.

3. Provide the name of your instance of Azure Database for PostgreSQL flexible server in the Search by application name or object ID text box.

   

CLI

# Verify the system assigned managed identity
server=<server>
az ad sp list --display-name $server

Related content

• User assigned managed identity.