Describe the bug
Title
az sql server update --assign_identity fails with unrelated "Invalid value given for parameter RetentionDays" error
Azure CLI Version
Describe the bug
When running `az sql server update --assign_identity` to enable system-assigned managed identity on an Azure SQL Server, the command fails with an error about `RetentionDays`, which is an auditing parameter unrelated to identity assignment.
Command name
az sql server update
Steps to reproduce
```bash
# Create a new SQL Server (or use existing)
az sql server create \
  --name my-sql-server \
  --resource-group my-rg \
  --location eastus \
  --admin-user sqladmin \
  --admin-password "SecurePassword123!"

# Attempt to enable managed identity
az sql server update \
  --name my-sql-server \
  --resource-group my-rg \
  --assign_identity
```
Expected behavior
The command should enable system-assigned managed identity on the SQL Server and return the updated server details including the `identity.principalId`.
Actual behavior
The command fails with:
```
ERROR: (InvalidParameterValue) Invalid value given for parameter RetentionDays.
```
The `RetentionDays` parameter is for auditing configuration, not identity assignment. This appears to be internal validation leaking an unrelated error.
Workaround
Using `--identity-type SystemAssigned` instead sometimes works:
```bash
az sql server update \
  --name my-sql-server \
  --resource-group my-rg \
  --identity-type SystemAssigned
```
Environment
- OS: Ubuntu 22.04 (Azure DevOps hosted agent) / Windows 11
- Shell: Bash / PowerShell
- Azure CLI: 2.82.0
- Region: UK South
Additional context
This issue occurs both when creating a new SQL Server and when updating an existing one. The workaround with `--identity-type` is inconsistent - it works in some cases but not others.
The managed identity is required for enabling Azure AD authentication on SQL Server, specifically for `CREATE USER ... FROM EXTERNAL PROVIDER` to resolve App Service managed identities.
Related command
az sql server update
Errors
The command fails with:
```
ERROR: (InvalidParameterValue) Invalid value given for parameter RetentionDays.
```
Using `--identity-type SystemAssigned` instead sometimes works:
```bash
az sql server update \
  --name my-sql-server \
  --resource-group my-rg \
  --identity-type SystemAssigned
```
### Issue script & Debug output
```powershell
Write-Host "[OK] SQL Server created with Azure AD authentication" -ForegroundColor Green

# Enable Managed Identity on new SQL Server (REQUIRED for CREATE USER FROM EXTERNAL PROVIDER)
Write-Host "[INFO] Enabling SQL Server Managed Identity..." -ForegroundColor Cyan

# Try multiple approaches to enable MI (Azure CLI can be inconsistent)
$miEnabled = $false

# Approach 1: Use --assign_identity flag
az sql server update --name $SqlServer --resource-group $ResourceGroup --assign_identity 2>&1 | Out-Null
Start-Sleep -Seconds 5 # Give Azure time to propagate
$sqlServerIdentity = az sql server show --name $SqlServer --resource-group $ResourceGroup --query "identity.principalId" -o tsv 2>$null
if ($sqlServerIdentity) {
    $miEnabled = $true
    Write-Host "[OK] SQL Server MI enabled: $sqlServerIdentity" -ForegroundColor Green
} else {
    Write-Host "[WARNING] First MI enable attempt returned no identity, retrying..." -ForegroundColor Yellow
    # Approach 2: Retry with explicit identity type
    az sql server update --name $SqlServer --resource-group $ResourceGroup --identity-type SystemAssigned 2>&1 | Out-Null
    Start-Sleep -Seconds 5
    $sqlServerIdentity = az sql server show --name $SqlServer --resource-group $ResourceGroup --query "identity.principalId" -o tsv 2>$null
    if ($sqlServerIdentity) {
        $miEnabled = $true
        Write-Host "[OK] SQL Server MI enabled (retry): $sqlServerIdentity" -ForegroundColor Green
    }
}

if (-not $miEnabled) {
    Write-Host "[ERROR] Failed to enable SQL Server Managed Identity after retries" -ForegroundColor Red
    Write-Host "[ERROR] CREATE USER FROM EXTERNAL PROVIDER will fail without MI" -ForegroundColor Red
    Write-Host "[INFO] Manual fix: az sql server update --name $SqlServer --resource-group $ResourceGroup --assign_identity" -ForegroundColor Yellow
    # Don't exit - let the script continue so other resources are created
}
```
### Expected behavior
The command should enable system-assigned managed identity on the SQL Server and return the updated server details including the `identity.principalId`.
### Environment Summary
## Environment
- OS: Ubuntu 22.04 (Azure DevOps hosted agent) / Windows 11
- Shell: Bash / PowerShell
- Azure CLI: 2.82.0
- Region: UK South
### Additional context
_No response_
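
A stricter take on the enable-and-verify logic in the issue script, as an added example that is not part of the original report: it tries the two flags in the same order, keeps the CLI's stderr in a log instead of discarding it, and returns non-zero when no `identity.principalId` appears, so a pipeline cannot continue without the identity. The function name `enable_sql_mi`, the log path and the `MI_POLL_TRIES` / `MI_POLL_DELAY` variables are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the issue. enable_sql_mi, the default log path and
# the MI_POLL_* variables are hypothetical names chosen for this sketch.

enable_sql_mi() {
  local server="$1" rg="$2" log="${3:-./mi-enable.log}"
  local tries="${MI_POLL_TRIES:-6}" delay="${MI_POLL_DELAY:-5}"
  local attempt pid i

  : > "$log"
  # Same order as the issue script: --assign_identity first, then the
  # --identity-type SystemAssigned workaround.
  for attempt in "--assign_identity" "--identity-type SystemAssigned"; do
    # $attempt is deliberately unquoted so the second form splits into two args.
    if az sql server update --name "$server" --resource-group "$rg" \
         $attempt --output none 2>>"$log"; then
      echo "update accepted: $attempt" >>"$log"
    else
      # Keep the CLI error (e.g. the RetentionDays message) for diagnosis.
      echo "update failed: $attempt (exit $?)" >>"$log"
      continue
    fi

    # Poll rather than rely on one fixed sleep; stop once the identity exists.
    i=0
    while [ "$i" -lt "$tries" ]; do
      pid="$(az sql server show --name "$server" --resource-group "$rg" \
              --query identity.principalId --output tsv 2>>"$log")" || pid=""
      if [ -n "$pid" ]; then
        printf '%s\n' "$pid"
        return 0
      fi
      sleep "$delay"
      i=$((i + 1))
    done
  done

  # Fail closed: later steps that need the identity must not run.
  echo "no principalId after all attempts; see $log" >&2
  return 1
}
```

Call it as `principal_id="$(enable_sql_mi my-sql-server my-rg)" || exit 1` before any step that depends on the server identity.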