Azure / azure-powershell

Microsoft Azure PowerShell

The 'parameters.properties' segment in the url is invalid when running Set-AzSqlServerActiveDirectoryAdministrator #23509

Open ecdemomaniaKay opened 1 year ago

ecdemomaniaKay commented 1 year ago

Description

When running the Set-AzSqlServerActiveDirectoryAdministrator command, I get the error "The 'parameters.properties' segment in the url is invalid" when using Az.Sql 4.11.0.

Running the command with the exact same parameters using Az.Sql 4.10.0 is fine. No errors and works as expected.

Issue script & Debug output

Script: Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName SQL-SERVER-RG-NAME -ServerName SQL-SERVER-NAME -DisplayName APP-NAME -ObjectId APP-ID

Output:

DEBUG: 3:48:55 PM - SetAzureSqlServerActiveDirectoryAdministrator begin processing with ParameterSet
'__AllParameterSets'.
DEBUG: 3:48:55 PM - using account id '<MY-USER-ACCOUNT>'...
DEBUG: 3:48:55 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = [].
Returning default value [True].
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/ed36e373-13fc-42ec-93f4-38a6e84754f0/resourceGroups/
<SQL-SERVER-RG-NAME>/providers/Microsoft.Sql/servers/<SQL-SERVER-NAME>/administrators/Ac
tiveDirectory?api-version=2020-11-01-preview

Headers:
x-ms-client-request-id        : 128e160e-efef-4d0a-99d7-71a3f8a62f21
accept-language               : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Pragma                        : no-cache
x-ms-request-id               : 51ed09bc-d9be-45a9-b46b-cbd230381c8b
x-ms-ratelimit-remaining-subscription-reads: 11992
x-ms-correlation-request-id   : bb388d91-6a40-49a8-a5ab-66b0c689f346
x-ms-routing-request-id       : AUSTRALIACENTRAL2:20231121T044855Z:bb388d91-6a40-49a8-a5ab-66b0c689f346
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
X-Cache                       : CONFIG_NOCACHE
X-MSEdge-Ref                  : Ref A: FF365C273FEC4A209D8AD929C3EEEE36 Ref B: SYD03EDGE2008 Ref C:
2023-11-21T04:48:55Z
Cache-Control                 : no-cache
Date                          : Tue, 21 Nov 2023 04:48:54 GMT

Body:
{
  "properties": {
    "administratorType": "ActiveDirectory",
    "login": "<APP-NAME>",
    "sid": "<APP-SID>",
    "tenantId": "<TENANT-ID>",
    "azureADOnlyAuthentication": true
  },
  "id":
"/subscriptions/ed36e373-13fc-42ec-93f4-38a6e84754f0/resourceGroups/<SQL-SERVER-RG-NAME>/prov
iders/Microsoft.Sql/servers/<SQL-SERVER-NAME>/administrators/ActiveDirectory",
  "name": "ActiveDirectory",
  "type": "Microsoft.Sql/servers"
}

DEBUG: [Common.Authentication]: Authenticating using Account: '<MY-USER-ACCOUNT>', environment: 'AzureCloud',
tenant: '<TENANT-ID>'
DEBUG: 3:48:55 PM - [ConfigManager] Got nothing from [EnableLoginByWam], Module = [], Cmdlet = []. Returning default
value [False].
DEBUG: 3:48:55 PM - [SilentAuthenticator] Calling SharedTokenCacheCredential.GetTokenAsync -
TenantId:'<TENANT-ID>', Scopes:'https://graph.microsoft.com//.default',
AuthorityHost:'https://login.microsoftonline.com/', UserId:'<MY-USER-ACCOUNT>'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://graph.microsoft.com//.default ] ParentRequestId:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2022 Datacenter [2023-11-21 04:48:55Z -
079eadc0-70ea-4938-be9c-8627dcfa23fa] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2022 Datacenter [2023-11-21 04:48:55Z -
079eadc0-70ea-4938-be9c-8627dcfa23fa] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2022 Datacenter [2023-11-21 04:48:55Z -
079eadc0-70ea-4938-be9c-8627dcfa23fa] [Region discovery] Not using a regional authority.
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2022 Datacenter [2023-11-21 04:48:55Z -
079eadc0-70ea-4938-be9c-8627dcfa23fa] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2022 Datacenter [2023-11-21 04:48:55Z -
079eadc0-70ea-4938-be9c-8627dcfa23fa] IsLegacyAdalCacheEnabled: yes
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2022 Datacenter [2023-11-21 04:48:55Z] Found 1
cache accounts and 0 broker accounts
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2022 Datacenter [2023-11-21 04:48:55Z] Returning 1
accounts
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2022 Datacenter [2023-11-21 04:48:55Z -
ae41c45b-6fec-4f8c-8899-0d152055f6f2] MSAL MSAL.Desktop with assembly version '4.49.1.0'.
CorrelationId(ae41c45b-6fec-4f8c-8899-0d152055f6f2)
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2022 Datacenter [2023-11-21 04:48:55Z -
ae41c45b-6fec-4f8c-8899-0d152055f6f2] === AcquireTokenSilent Parameters ===
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2022 Datacenter [2023-11-21 04:48:55Z -
ae41c45b-6fec-4f8c-8899-0d152055f6f2] LoginHint provided: False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2022 Datacenter [2023-11-21 04:48:55Z -
ae41c45b-6fec-4f8c-8899-0d152055f6f2] Account provided: True
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2022 Datacenter [2023-11-21 04:48:55Z -
ae41c45b-6fec-4f8c-8899-0d152055f6f2] ForceRefresh: False
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2022 Datacenter [2023-11-21 04:48:55Z -
ae41c45b-6fec-4f8c-8899-0d152055f6f2]
=== Request Data ===
Authority Provided? - True
Scopes - https://graph.microsoft.com//.default
Extra Query Params Keys (space separated) -
ApiId - AcquireTokenSilent
IsConfidentialClient - False
SendX5C - False
LoginHint ? False
IsBrokerConfigured - False
HomeAccountId - False
CorrelationId - ae41c45b-6fec-4f8c-8899-0d152055f6f2
UserAssertion set: False
LongRunningOboCacheKey set: False
Region configured:
DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2022 Datacenter [2023-11-21 04:48:55Z -
    ae41c45b-6fec-4f8c-8899-0d152055f6f2] === Token Acquisition (SilentRequest) started:
      Scopes: https://graph.microsoft.com//.default
     Authority Host: login.microsoftonline.com
    DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2022 Datacenter [2023-11-21 04:48:55Z -
    ae41c45b-6fec-4f8c-8899-0d152055f6f2] [Region discovery] Not using a regional authority.
    DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2022 Datacenter [2023-11-21 04:48:55Z -
    ae41c45b-6fec-4f8c-8899-0d152055f6f2] Access token is not expired. Returning the found cache entry. [Current time
    (11/21/2023 04:48:55) - Expiration Time (11/21/2023 06:02:37 +00:00) - Extended Expiration Time (11/21/2023 06:02:37
    +00:00)]
    DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2022 Datacenter [2023-11-21 04:48:55Z -
    ae41c45b-6fec-4f8c-8899-0d152055f6f2] Returning access token found in cache. RefreshOn exists ? False
    DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2022 Datacenter [2023-11-21 04:48:55Z -
    ae41c45b-6fec-4f8c-8899-0d152055f6f2] [Region discovery] Not using a regional authority.
    DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2022 Datacenter [2023-11-21 04:48:55Z -
    ae41c45b-6fec-4f8c-8899-0d152055f6f2]
     === Token Acquisition finished successfully:
    DEBUG: False MSAL 4.49.1.0 MSAL.Desktop 4.8 or later Windows Server 2022 Datacenter [2023-11-21 04:48:55Z -
    ae41c45b-6fec-4f8c-8899-0d152055f6f2]  AT expiration time: 21/11/2023 6:02:37 AM +00:00, scopes: email openid profile
    https://graph.microsoft.com//AuditLog.Read.All https://graph.microsoft.com//Directory.AccessAsUser.All
    https://graph.microsoft.com//.default. source: Cache
    DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://graph.microsoft.com//.default ]
    ParentRequestId:  ExpiresOn: 2023-11-21T06:02:37.0000000+00:00
    DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '<TENANT-ID>',
    UserId: '<MY-USER-ACCOUNT>'
    DEBUG: ============================ HTTP REQUEST ============================

    HTTP Method:
    GET

    Absolute Uri:
    https://graph.microsoft.com/v1.0/groups/<APP-SID>

    Headers:
    x-ms-client-request-id        : 128e160e-efef-4d0a-99d7-71a3f8a62f21
    accept-language               : en-US

    Body:

    DEBUG: ============================ HTTP RESPONSE ============================

    Status Code:
NotFound

Headers:
Transfer-Encoding             : chunked
Strict-Transport-Security     : max-age=31536000
request-id                    : 486d4b6e-4b6a-4e8f-b7f3-0b66d8c37d34
client-request-id             : 486d4b6e-4b6a-4e8f-b7f3-0b66d8c37d34
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Australia
Southeast","Slice":"E","Ring":"4","ScaleUnit":"000","RoleInstance":"ML1PEPF0000E49B"}}
x-ms-resource-unit            : 1
Cache-Control                 : no-cache
Date                          : Tue, 21 Nov 2023 04:48:55 GMT

Body:
{
  "error": {
    "code": "Request_ResourceNotFound",
    "message": "Resource '<APP-SID>' does not exist or one of its queried reference-property
 objects are not present.",
    "innerError": {
      "date": "2023-11-21T04:48:55",
      "request-id": "486d4b6e-4b6a-4e8f-b7f3-0b66d8c37d34",
      "client-request-id": "486d4b6e-4b6a-4e8f-b7f3-0b66d8c37d34"
    }
  }
}

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '<APP-SID>'

Headers:
x-ms-client-request-id        : 128e160e-efef-4d0a-99d7-71a3f8a62f21
accept-language               : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Transfer-Encoding             : chunked
Strict-Transport-Security     : max-age=31536000
request-id                    : 47d2f81a-f0d0-4ef8-9bb6-0e1861ae339d
client-request-id             : 47d2f81a-f0d0-4ef8-9bb6-0e1861ae339d
x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"Australia
Southeast","Slice":"E","Ring":"4","ScaleUnit":"000","RoleInstance":"ML1PEPF0000E49B"}}
x-ms-resource-unit            : 1
OData-Version                 : 4.0
Cache-Control                 : no-cache
Date                          : Tue, 21 Nov 2023 04:48:55 GMT

Body:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals",
  "value": [
    {
      "id": "xxxxxxxxxxxxxx",
      "deletedDateTime": null,
      "accountEnabled": true,
      "alternativeNames": [],
      "appDisplayName": "<APP-NAME>",
      "appDescription": null,
      "appId": "<APP-SID>",
      "applicationTemplateId": null,
      "appOwnerOrganizationId": "<TENANT-ID>",
      "appRoleAssignmentRequired": false,
      "createdDateTime": "2018-12-13T01:43:15Z",
      "description": null,
      "disabledByMicrosoftStatus": null,
      "displayName": "<APP-NAME>",
      "homepage": "http://<APP-NAME>",
      "loginUrl": null,
      "logoutUrl": null,
      "notes": null,
      "notificationEmailAddresses": [],
      "preferredSingleSignOnMode": null,
      "preferredTokenSigningKeyThumbprint": null,
      "replyUrls": [],
      "servicePrincipalNames": [
        "<APP-SID>",
        "http://<APP-NAME>"
      ],
      "servicePrincipalType": "Application",
      "signInAudience": "AzureADMyOrg",
      "tags": [],
      "tokenEncryptionKeyId": null,
      "samlSingleSignOnSettings": null,
      "addIns": [],
      "appRoles": [],
      "info": {
        "logoUrl": null,
        "marketingUrl": null,
        "privacyStatementUrl": null,
        "supportUrl": null,
        "termsOfServiceUrl": null
      },
      "keyCredentials": [],
      "oauth2PermissionScopes": [
        {
            "adminConsentDescription": "Allow the application to access
  <APP-NAME> on behalf of the signed-in user.",
            "adminConsentDisplayName": "Access <APP-NAME>",
            "id": "7f695a25-6e04-42cb-abd5-7628f13608d0",
            "isEnabled": true,
            "type": "User",
            "userConsentDescription": "Allow the application to access
  <APP-NAME> on your behalf.",
            "userConsentDisplayName": "Access <APP-NAME>",
            "value": "user_impersonation"
          }
        ],
        "passwordCredentials": [
          {
            "customKeyIdentifier": null,
            "displayName": null,
            "endDateTime": "2019-12-13T01:43:13.8861127Z",
            "hint": null,
            "keyId": "xxxxxxxxxxxxxx",
            "secretText": null,
            "startDateTime": "2018-12-13T01:43:13.8861127Z"
          }
        ],
        "resourceSpecificApplicationPermissions": [],
        "verifiedPublisher": {
          "displayName": null,
          "verifiedPublisherId": null,
          "addedDateTime": null
        }
      }
    ]
  }

  DEBUG: ============================ HTTP REQUEST ============================

  HTTP Method:
  PUT

  Absolute Uri:
  https://management.azure.com/subscriptions/ed36e373-13fc-42ec-93f4-38a6e84754f0/resourceGroups/
  <SQL-SERVER-RG-NAME>/providers/Microsoft.Sql/servers/<SQL-SERVER-NAME>/administrators/Ac
  tiveDirectory?api-version=2020-11-01-preview

  Headers:
  x-ms-client-request-id        : 128e160e-efef-4d0a-99d7-71a3f8a62f21
  accept-language               : en-US

  Body:
  {
    "properties": {
      "login": "<APP-NAME>",
      "sid": "<APP-SID>",
      "tenantId": "<TENANT-ID>"
    }
  }

  DEBUG: ============================ HTTP RESPONSE ============================

  Status Code:
  BadRequest

  Headers:
  Pragma                        : no-cache
  x-ms-request-id               : 4677bad1-d5d4-442c-9d00-9ba89565cefd
  x-ms-ratelimit-remaining-subscription-writes: 1199
  x-ms-correlation-request-id   : 816ffee0-b5ff-4683-9572-0f682787b5e9
  x-ms-routing-request-id       : AUSTRALIAEAST:20231121T044855Z:816ffee0-b5ff-4683-9572-0f682787b5e9
  Strict-Transport-Security     : max-age=31536000; includeSubDomains
  X-Content-Type-Options        : nosniff
  X-Cache                       : CONFIG_NOCACHE
  X-MSEdge-Ref                  : Ref A: 78090EC21C684F4EB318C87D28A29F28 Ref B: SYD03EDGE2008 Ref C:
  2023-11-21T04:48:55Z
  Cache-Control                 : no-cache
  Date                          : Tue, 21 Nov 2023 04:48:55 GMT

  Body:
  {
    "error": {
      "details": [
        {
          "code": "InvalidResourceIdSegment",
          "message": "",
          "target": "parameters.properties"
        }
      ],
      "code": "InvalidResourceIdSegment",
      "message": "The 'parameters.properties' segment in the url is invalid."
    }
  }

  DEBUG: 3:48:56 PM - [ConfigManager] Got nothing from [DisableErrorRecordsPersistence], Module = [], Cmdlet = [].
  Returning default value [False].
  DEBUG: 3:48:56 PM - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning
  default value [True].
  Set-AzSqlServerActiveDirectoryAdministrator : The 'parameters.properties' segment in the url is invalid.
  At line:1 char:1
  + Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName <SQL-SERVER-RG-NAME> ...
  + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo          : CloseError: (:) [Set-AzSqlServer...ryAdministrator], CloudException
      + FullyQualifiedErrorId : Microsoft.Azure.Commands.Sql.ServerActiveDirectoryAdministrator.Cmdlet.SetAzureSqlServer
     ActiveDirectoryAdministrator

     DEBUG: 3:48:56 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = [].
     Returning default value [True].
     DEBUG: 3:48:56 PM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning
     default value [True].
     DEBUG: 3:48:56 PM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default
     value [True].
     DEBUG: AzureQoSEvent:  Module: Az.Sql:4.11.0; CommandName: Set-AzSqlServerActiveDirectoryAdministrator; PSVersion:
     5.1.20348.2110; IsSuccess: False; Duration: 00:00:00.9314588; Exception: The 'parameters.properties' segment in the url
      is invalid.;
     DEBUG: 3:48:56 PM - SetAzureSqlServerActiveDirectoryAdministrator end processing.

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.20348.2110
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.20348.2110
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Module versions

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     2.13.2     Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault...}
Script     4.11.0     Az.Sql                              {Add-AzSqlDatabaseToFailoverGroup, Add-AzSqlElasticJobStep, Add-AzSqlEl...

Error output

RequestId      : 61373d43-d262-4c72-bb23-b6b92e55320f
Message        : The 'parameters.properties' segment in the url is invalid.
ServerMessage  : InvalidResourceIdSegment: The 'parameters.properties' segment in the url is invalid.
                 (System.Collections.Generic.List`1[Microsoft.Rest.Azure.CloudError])
ServerResponse : {BadRequest}
RequestMessage : {PUT https://management.azure.com/subscriptions/ed36e373-13fc-42ec-93f4-38a6e84754f0/resourceGroups/
                  <SQL-SERVER-RG-NAME>/providers/Microsoft.Sql/servers/<SQL-SERVER-NAME>/admi
                 nistrators/ActiveDirectory?api-version=2020-11-01-preview}
InvocationInfo : {Set-AzSqlServerActiveDirectoryAdministrator}
Line           : Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName <SQL-SERVER-RG-NAME>
                 -ServerName <SQL-SERVER-NAME> -DisplayName
                 <APP-NAME> -ObjectId <APP-ID>
Position       : At line:1 char:1
                 + Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName <SQL-SERVER-RG-NAME> ...
                 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
StackTrace     :    at Microsoft.Azure.Management.Sql.ServerAzureAdAdministratorsOperations.<BeginCreateOrUpdateWithHttpMessagesAsyn
                 c>d__9.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Azure.Management.Sql.ServerAzureAdAdministratorsOperations.<CreateOrUpdateWithHttpMessagesAsync>d__
                 6.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at
                 Microsoft.Azure.Management.Sql.ServerAzureAdAdministratorsOperationsExtensions.<CreateOrUpdateAsync>d__3.MoveNext()
                 --- End of stack trace from previous location where exception was thrown ---
                    at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
                    at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
                    at Microsoft.Azure.Management.Sql.ServerAzureAdAdministratorsOperationsExtensions.CreateOrUpdate(IServerAzureAdA
                 dministratorsOperations operations, String resourceGroupName, String serverName, ServerAzureADAdministrator
                 parameters)
                    at Microsoft.Azure.Commands.Sql.ServerActiveDirectoryAdministrator.Services.AzureSqlServerActiveDirectoryAdminis
                 tratorAdapter.UpsertServerActiveDirectoryAdministrator(String resourceGroup, String serverName,
                 AzureSqlServerActiveDirectoryAdministratorModel model)
                    at Microsoft.Azure.Commands.Sql.ServerActiveDirectoryAdministrator.Cmdlet.SetAzureSqlServerActiveDirectoryAdmini
                 strator.PersistChanges(IEnumerable`1 entity)
                    at Microsoft.Azure.Commands.Sql.Common.AzureSqlCmdletBase`2.<>c__DisplayClass16_0.<ExecuteCmdlet>b__0()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ConfirmAction(String processMessage, String
                 target, Action action)
                    at Microsoft.Azure.Commands.Sql.Common.AzureSqlCmdletBase`2.ExecuteCmdlet()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.ProcessRecord()

binaryent commented 12 months ago

I have found exactly the same issue, only started happening recently. However, I can successfully set the SQL Administrator via the Azure Portal.

In case it is relevant, the user I'm trying to set is a Managed Identity. Please let me know if this gets resolved.

jordi2k commented 11 months ago

Seems the new API call does not send the property "administratorType": "ActiveDirectory" which the old version did. You can use the REST API to do this, or wait until a fix. Issue persists in Az.Sql 4.12.0 which is what I tested with locally. Luckily the Windows-2022 DevOps Agent uses older 4.2.0 for now.
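
The REST workaround described in the comment above, as an added example (not code from this thread or from the Az.Sql project): it sends the same PUT the debug output shows, with "administratorType" included in the body. The function name and its parameters are hypothetical; the URL path and api-version are taken from the debug output in the issue, and Invoke-AzRestMethod comes from Az.Accounts.

```powershell
# Added example; Set-SqlEntraAdminViaRest and its parameters are hypothetical names.
# Requires Az.Accounts (for Invoke-AzRestMethod) and an existing Connect-AzAccount session.
function Set-SqlEntraAdminViaRest {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][string]$DisplayName,
        # Typed as [guid] so a malformed identifier is rejected before any request is sent.
        [Parameter(Mandatory)][guid]$ObjectId,
        # api-version seen in the cmdlet's own debug output.
        [string]$ApiVersion = '2020-11-01-preview'
    )

    $context = Get-AzContext
    if (-not $context) { throw 'No Azure context. Run Connect-AzAccount first.' }

    # Same resource path the cmdlet calls in the debug trace.
    $path = '/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.Sql/servers/{2}/administrators/ActiveDirectory?api-version={3}' -f `
        $context.Subscription.Id, $ResourceGroupName, $ServerName, $ApiVersion

    # Body as sent by the failing cmdlet, plus the administratorType property
    # that the comment above identifies as missing.
    $payload = @{
        properties = [ordered]@{
            administratorType = 'ActiveDirectory'
            login             = $DisplayName
            sid               = $ObjectId.ToString()
            tenantId          = $context.Tenant.Id
        }
    } | ConvertTo-Json -Depth 3

    # Changing the server administrator is a privileged change: honour -WhatIf / -Confirm.
    if (-not $PSCmdlet.ShouldProcess($ServerName, "Set Microsoft Entra administrator to '$DisplayName'")) {
        return
    }

    $response = Invoke-AzRestMethod -Path $path -Method PUT -Payload $payload
    if ($response.StatusCode -notin 200, 201, 202) {
        throw "PUT $path returned $($response.StatusCode): $($response.Content)"
    }

    # A 202 means the change was accepted asynchronously, so this read-back may
    # briefly show the previous administrator. Compare sid and login with what was sent.
    $current = Invoke-AzRestMethod -Path $path -Method GET
    ($current.Content | ConvertFrom-Json).properties
}

# Usage with placeholder values (replace before running):
# Set-SqlEntraAdminViaRest -ResourceGroupName '<SQL-SERVER-RG-NAME>' -ServerName '<SQL-SERVER-NAME>' `
#     -DisplayName '<APP-NAME>' -ObjectId '<APP-ID>' -WhatIf
```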

wmboyles commented 9 months ago

This issue still seems to be happening in Az.Sql 4.13.0. I can get around it by calling az sql server ad-admin create

aavdberg commented 9 months ago

Have the same problem with version 4.12.0

jabeci commented 8 months ago

4.14.0 same problem. Is there no resolution?

shahidsayyed89 commented 8 months ago

Use Az module version 9.3.0 in the Azure PowerShell task, which uses Az.Sql 4.12.0.

DanielOverdevest commented 8 months ago

With the upgrade of the Az module in the windows-2022 image this problem becomes more urgent. See release: "[Ubuntu, Windows] Az Powershell module will be updated to v11.3.1 on March 18 #9445". @azureSQLGitHub can you give this issue more priority to fix? It seems an easy fix, as mentioned by @jordi2k.

nofield commented 7 months ago

Thank you, folks, for reporting this issue! The SQL Identity and Authentication team has identified the problem and solution. We're working to deploy the fix as soon as possible; will keep you posted when that goes live.

habibhammy commented 6 months ago

Hi all, any updates on the subject? I have the same issue using the 4.14.1 version of the Az.SQL module (V11.6.0 of the Az module). Many thanks.

mvvsubbu commented 6 months ago

@nofield this issue is hitting our team as well, do you have any ETA on when the fix is going to be deployed?

fast-it-solutions commented 6 months ago

@nofield any ETA?

nofield commented 6 months ago

Folks, this fix has now been fully deployed worldwide! The fix should not require any library changes; the command should just now work. If anyone is still experiencing this issue, please let us know, thanks!

DanielOverdevest commented 6 months ago

Dear @nofield, thanks for the update and the fix. Will test it this week if now all runs smooth.

AlexNolasco commented 5 months ago

> Folks, this fix has now been fully deployed worldwide! The fix should not require any library changes; the command should just now work. If anyone is still experiencing this issue, please let us know, thanks!

Odd, I just tried it and it still fails

(InvalidResourceIdSegment) The 'parameters.properties.sid' segment in the url is invalid.
Code: InvalidResourceIdSegment
Message: The 'parameters.properties.sid' segment in the url is invalid.
Exception Details:      (InvalidResourceIdSegment)
        Code: InvalidResourceIdSegment
        Message:
        Target: parameters.properties.sid

core                              2.61.0
telemetry                          1.1.0

Dependencies:
msal                              1.28.0
azure-mgmt-resource               23.1.1

Steps suggested from https://learn.microsoft.com/en-us/azure/app-service/tutorial-connect-msi-sql-database?tabs=windowsclient%2Cefcore%2Cdotnet

nofield commented 3 months ago

Hi @AlexNolasco, the error message you shared has a different signature than the original one on this issue: it's the SID (Security Identifier) that is not being properly assigned in your request. Our change removed a previous requirement of including the AdministratorType in the request, which is not necessary. The SID, however, is very necessary. You must provide the correct object ID / client ID for the Microsoft Entra identity you're trying to assign as the admin.

Also, I'm not seeing where in the tutorial you linked it talks about powershell, could you share more details?

jabeci commented 3 months ago

I would say it's fixed even though I now have a new error.

nofield commented 3 months ago

@jabeci what's the error you're getting now?

jabeci commented 3 months ago

> @jabeci what's the error you're getting now?

Set-AzSqlServerActiveDirectoryAdministrator : Operation returned an invalid status code 'Forbidden'

ecdemomaniaKay commented 3 months ago

I just tested with Az 12.2.0 & Az.SQL 5.2.0 and no more errors. Thanks!

jabeci commented 3 months ago

> @jabeci what's the error you're getting now?

Could this be why?
Microsoft Entra authentication only Only Microsoft Entra ID will be used to authenticate to the server. SQL authentication will be disabled, including SQL Server administrators and users. Learn more Support only Microsoft Entra authentication for this server

devdeer-alex commented 2 months ago

@jabeci Probably not. I've got the same problem in BICEP deployments. If I pass in a valid SID but leave azureADOnlyAuthentication set to false it'll bring the segment error. This does not change when I set the option to true.

I think this is the same issue and is related to MS Graph. So only the portal can do this currently.

BTW the Bicep error message is the same:

The 'parameters.properties.administrators.sid' segment in the url is invalid. (Code: InvalidResourceIdSegment)

What's also interesting to me is the fact that when you look into the JSON View in Azure portal you'll see something like this after the setting is applied manually (e.g. in the portal):

{
    "kind": "v12.0",
    "properties": {
        "administrators": {
            "administratorType": "ActiveDirectory",
            "principalType": "Group",
            "login": "MyGroupName",
            "sid": "[OBJECTID_AS_GUID_AND_NOT_THE_SID]",
            "tenantId": "[GUID_OF_TENANT]"
        }
    }
}

So after the setting is applied correctly it will NOT show the SID but the Object ID (GUID) of the Entra object (a group in my case). This is inconclusive IMHO. I've tried to pass the object id in my BICEP which also fails with another error:

The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'

This is the BICEP version of "I don't know what happened but it's bad".

Both error messages (the one with the segments and the last one with terminal state) will disappear in BICEP if the setting was previously made in the portal! So no idempotency here as well.

After one applied the setting in the portal it will nowhere show you the SID at any stage of the process. I'm guessing that this points to the issue that SID is a relic from Windows-times and they broke something in Graph during the latest switches and clearings towards "Entra". But I could be totally wrong as I already often was 😒

Hope this helps somehow.

nofield commented 1 month ago

Hey @devdeer-alex , @jabeci ,

> After one applied the setting in the portal it will nowhere show you the SID at any stage of the process.

The GUID shown next to the Admin name in the Azure portal is the "sid" as defined by the APIs.

The Administrators API allows you to use either the object ID of your identity, or the client ID in the case of an application (or managed identity), to specify which identity in the tenant you are selecting for your admin.

The error you are getting is different than the original error message, the segment is important: The 'parameters.properties.administrators.sid' segment in the url is invalid. (Code: InvalidResourceIdSegment)

I'd request that you ensure the GUID you're passing in your bicep / ARM templates is exactly the Microsoft Entra object ID or client ID of the identity you're attempting to set as the admin.

> Both error messages (the one with the segments and the last one with terminal state) will disappear in BICEP if the setting was previously made in the portal! So no idempotency here as well.

I'm curious to look into this, we may not be executing/validating the entirety of the Administrators segment of the request if we have some indication the administrator hasn't been changed (e.g., the name hasn't changed).
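
A pre-flight check for the "sid" value discussed above, as an added example (not code from this thread or from the Az modules): it confirms that a GUID resolves to a Microsoft Entra group, user or service principal, by object ID or by client ID, before it goes into a cmdlet call or a Bicep / ARM template. Resolve-SqlEntraAdminId is a hypothetical name; the example assumes a Microsoft Graph-based Az.Resources version (result objects expose Id and DisplayName) and a signed-in account allowed to read the directory.

```powershell
# Added example; Resolve-SqlEntraAdminId is a hypothetical helper name.
# Assumes Az.Resources (Get-AzADGroup / Get-AzADUser / Get-AzADServicePrincipal)
# and an existing Connect-AzAccount session with directory read permission.
function Resolve-SqlEntraAdminId {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Id)

    # The API expects a GUID; a display name or a Windows-style SID string is rejected here.
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($Id, [ref]$guid)) {
        throw "'$Id' is not a GUID, so it cannot be an Entra object ID or client ID."
    }

    # Lookups tried in order; the last one treats the value as an application (client) ID.
    $lookups = [ordered]@{
        'Group (object ID)'            = { Get-AzADGroup -ObjectId $guid.ToString() -ErrorAction SilentlyContinue }
        'User (object ID)'             = { Get-AzADUser -ObjectId $guid.ToString() -ErrorAction SilentlyContinue }
        'ServicePrincipal (object ID)' = { Get-AzADServicePrincipal -ObjectId $guid.ToString() -ErrorAction SilentlyContinue }
        'ServicePrincipal (client ID)' = { Get-AzADServicePrincipal -ApplicationId $guid -ErrorAction SilentlyContinue }
    }

    foreach ($kind in $lookups.Keys) {
        # Some lookups raise a terminating error on "not found"; treat that as no match.
        $found = try { & $lookups[$kind] } catch { $null }
        if ($found) {
            return [pscustomobject]@{
                MatchedAs   = $kind
                DisplayName = $found.DisplayName
                ObjectId    = $found.Id
                SuppliedId  = $guid.ToString()
            }
        }
    }

    throw "No group, user or service principal in the current tenant matches '$Id'."
}

# Usage with a placeholder value (replace before running):
# Resolve-SqlEntraAdminId -Id '<APP-ID>'
```

An identity that resolves here but still produces the segment error points away from the GUID itself and toward the request body or the service.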