Breaking change in SqlServer module 22.4.0+: AzureAuthenticationInformation constructor missing for Always Encrypted with Azure AD auth #110

@chris-ladiao

SqlServer Module Breaking Change - AzureAuthenticationInformation Constructor

Summary

The SqlServer PowerShell module versions 22.4.0+ contain a breaking change in the AzureAuthenticationInformation class constructor that causes Always Encrypted operations with Azure AD authentication to fail when running on Azure DevOps agents.

Environment

  • SqlServer Module Version: 22.4.0+ (issue present)
  • Working Version: 22.3.0 (last known working version)
  • Platform: Azure DevOps agents running on Azure Virtual Machine Scale Sets (VMSS)
  • Agent Configuration:
    • Agent Type: TeamServicesAgent (Microsoft.VisualStudio.Services)
    • Agent Version: 4.258.1
    • VM SKU: Standard_D4s_v5
    • Agent OS: Windows Server (custom build image)
  • PowerShell Version: Windows PowerShell 5.1 / PowerShell Core 7.x
  • Target SQL Server: Azure VM with Windows Server 2022 and SQL Server 2022 Enterprise

Issue Description

When using SqlServer module versions 22.4.0 or higher with Always Encrypted columns and Azure AD authentication, the following error occurs:

Method not found: 'Void Microsoft.SqlServer.Management.AlwaysEncrypted.Management.AzureAuthenticationInformation..ctor(Azure.Core.TokenCredential)'.
PowerShell exited with code '1'.

This error indicates that the constructor for AzureAuthenticationInformation that accepts an Azure.Core.TokenCredential parameter has been removed or changed in versions 22.4.0+.

The specific cmdlet that triggers this error is New-SqlColumnMasterKey when used with Azure AD authentication and Azure Key Vault integration.

Steps to Reproduce

  1. Set up an Azure DevOps pipeline using Azure Virtual Machine Scale Sets (VMSS) agents

  2. Use agents with TeamServicesAgent extension version 4.258.1 on Standard_D4s_v5 VMs

  3. Install SqlServer module version 22.4.0 or higher on the agent during pipeline execution

  4. Execute the following PowerShell command sequence:

    # Create SMO connection with Azure AD authentication
    $smoRenewableToken = [SmoRenewableToken]::new($resourceUrl)
    $connectionInfo = [Microsoft.SqlServer.Management.Common.SqlConnectionInfo]::new($serverName)
    $connectionInfo.AccessToken = $smoRenewableToken
    $serverInstance = [Microsoft.SqlServer.Management.Smo.Server]::new($connectionInfo)
    $smoDatabase = $serverInstance.Databases[$databaseName]
    
    # Get key from Azure Key Vault
    $key = Get-AzKeyVaultKey -VaultName $keyVaultName -Name $masterKeyName
    $cmkSettings = New-SqlAzureKeyVaultColumnMasterKeySettings -KeyURL $key.Id
    
    # This command fails with the constructor error
    New-SqlColumnMasterKey -Name $masterKeyName -InputObject $smoDatabase -ColumnMasterKeySettings $cmkSettings -AccessToken $smoRenewableToken

  5. Observe the constructor error during the New-SqlColumnMasterKey execution

Expected Behavior

The New-SqlColumnMasterKey cmdlet should successfully create a column master key in the database using Azure AD authentication, as it did in SqlServer module version 22.3.0.

Actual Behavior

The New-SqlColumnMasterKey cmdlet fails immediately with a "Method not found" error for the AzureAuthenticationInformation constructor when it attempts to authenticate to Azure Key Vault using the provided token credential.

Workaround

Currently, the only workaround is to force the use of SqlServer module version 22.3.0:

# Force installation and use of working version
$workingVersion = Get-Module -ListAvailable -Name SqlServer |
                  Where-Object { $_.Version -eq [Version]"22.3.0" }

if (-not $workingVersion) {
    Install-Module -Name SqlServer -RequiredVersion 22.3.0 -Force -AllowClobber
}

# Remove any loaded version and import specific version.
# Importing by name and version also works right after a fresh install,
# when $workingVersion is still empty.
Remove-Module -Name SqlServer -Force -ErrorAction SilentlyContinue
Import-Module -Name SqlServer -RequiredVersion 22.3.0 -Force

Impact

This breaking change affects:

  • Azure DevOps CI/CD pipelines using VMSS-hosted agents with Always Encrypted operations
  • Build and deployment processes targeting SQL Server 2022 Enterprise with Azure AD authentication
  • Scale set agents that automatically update to the latest SqlServer module version during pipeline runs
  • Production deployments and database operations executed through Azure DevOps against Azure VM-hosted SQL Server instances
  • Any automation running on Standard_D4s_v5 or similar VMSS agents that relies on the previous AzureAuthenticationInformation constructor signature
  • Specifically impacts the New-SqlColumnMasterKey and potentially New-SqlColumnEncryptionKey cmdlets when used with Azure Key Vault and Azure AD authentication

Additional Context

This issue was discovered while troubleshooting what initially appeared to be Az.Accounts module compatibility issues on Azure DevOps VMSS agents. The SqlServer module breaking change was being masked by authentication errors from Az.Accounts 5.1.0, making it difficult to identify the root cause.

The issue specifically manifests during automated pipeline executions where:

  • The latest module versions are often automatically installed on fresh VMSS agent instances
  • Agents are running TeamServicesAgent extension version 4.258.1
  • Operations target SQL Server 2022 Enterprise instances hosted on Azure VMs
  • Both Windows PowerShell 5.1 and PowerShell Core 7.x environments are affected
  • The error occurs immediately when New-SqlColumnMasterKey attempts to create internal authentication objects

Technical Details

The New-SqlColumnMasterKey cmdlet internally creates an instance of Microsoft.SqlServer.Management.AlwaysEncrypted.Management.AzureAuthenticationInformation to handle Azure Key Vault authentication. In SqlServer module 22.4.0+, this class's constructor signature has changed, expecting a different type or implementation of the token credential parameter than what the cmdlet is providing.

Requested Action

  1. Investigation: Please investigate the breaking change in the AzureAuthenticationInformation class constructor between versions 22.3.0 and 22.4.0
  2. Documentation: If this was an intentional breaking change, please provide migration guidance for the New-SqlColumnMasterKey cmdlet
  3. Fix: If this was unintentional, please restore backward compatibility or provide an alternative constructor overload
  4. Release Notes: Please ensure breaking changes affecting public cmdlets like New-SqlColumnMasterKey are clearly documented in future releases

Related Issues

This issue may be related to broader compatibility concerns with Azure authentication libraries and should be considered alongside any Az.Accounts module integration work.
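
A preflight check a pipeline could run before the Always Encrypted step, added here as an example and not code from the issue author or the SqlServer module: it imports only the pinned version and uses reflection to report whether the constructor named in the error message is present in the loaded assemblies. The function name and the `$PinnedVersion` parameter are hypothetical; the type names are taken from the error text above.

```powershell
# Added example. Test-AlwaysEncryptedAuthCtor and $PinnedVersion are hypothetical names.
function Test-AlwaysEncryptedAuthCtor {
    [CmdletBinding()]
    param(
        [version]$PinnedVersion = '22.3.0'   # last known working version per the issue
    )

    # Import exactly the pinned version; stop rather than float to whatever is latest.
    Remove-Module -Name SqlServer -Force -ErrorAction SilentlyContinue
    Import-Module -Name SqlServer -RequiredVersion $PinnedVersion -Force -ErrorAction Stop

    # Names copied from the "Method not found" error in the issue.
    $typeName  = 'Microsoft.SqlServer.Management.AlwaysEncrypted.Management.AzureAuthenticationInformation'
    $paramName = 'Azure.Core.TokenCredential'

    # Look for the type in assemblies already loaded into this session.
    # Assumption: the assembly may load lazily, so "not loaded" is reported, not treated as failure.
    $type = [AppDomain]::CurrentDomain.GetAssemblies() |
        ForEach-Object { $_.GetType($typeName, $false) } |
        Where-Object { $_ } |
        Select-Object -First 1

    if (-not $type) {
        return [pscustomobject]@{
            ModuleVersion = (Get-Module -Name SqlServer).Version
            TypeLoaded = $false; HasTokenCredentialCtor = $null; Constructors = @()
        }
    }

    # Describe each public constructor with the assembly identity of every parameter type,
    # so a mismatch in the assembly providing TokenCredential is visible in the build log.
    $ctors = foreach ($c in $type.GetConstructors()) {
        ($c.GetParameters() | ForEach-Object {
            $asm = $_.ParameterType.Assembly.GetName()
            '{0} [{1} {2}]' -f $_.ParameterType.FullName, $asm.Name, $asm.Version
        }) -join ', '
    }

    [pscustomobject]@{
        ModuleVersion          = (Get-Module -Name SqlServer).Version
        TypeLoaded             = $true
        TypeAssembly           = $type.Assembly.GetName().FullName
        HasTokenCredentialCtor = [bool]($ctors -match [regex]::Escape($paramName))
        Constructors           = @($ctors)
    }
}
```

Logging the returned object at the start of the job records which module version and constructor signatures the agent actually loaded, which helps separate this failure from Az.Accounts authentication errors.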
