SqlServer Module Breaking Change - AzureAuthenticationInformation Constructor
Summary
The SqlServer PowerShell module versions 22.4.0+ contain a breaking change in the AzureAuthenticationInformation class constructor that causes Always Encrypted operations with Azure AD authentication to fail when running on Azure DevOps agents.
Environment
- SqlServer Module Version: 22.4.0+ (issue present)
- Working Version: 22.3.0 (last known working version)
- Platform: Azure DevOps agents running on Azure Virtual Machine Scale Sets (VMSS)
- Agent Configuration:
  - Agent Type: TeamServicesAgent (Microsoft.VisualStudio.Services)
  - Agent Version: 4.258.1
  - VM SKU: Standard_D4s_v5
  - Agent OS: Windows Server (custom build image)
- PowerShell Version: Windows PowerShell 5.1 / PowerShell Core 7.x
- Target SQL Server: Azure VM with Windows Server 2022 and SQL Server 2022 Enterprise
Issue Description
When using SqlServer module versions 22.4.0 or higher with Always Encrypted columns and Azure AD authentication, the following error occurs:
Method not found: 'Void Microsoft.SqlServer.Management.AlwaysEncrypted.Management.AzureAuthenticationInformation..ctor(Azure.Core.TokenCredential)'.
PowerShell exited with code '1'.
This error indicates that the constructor for AzureAuthenticationInformation that accepts an Azure.Core.TokenCredential parameter has been removed or changed in versions 22.4.0+.
The specific cmdlet that triggers this error is New-SqlColumnMasterKey when used with Azure AD authentication and Azure Key Vault integration.
Steps to Reproduce
- Set up an Azure DevOps pipeline using Azure Virtual Machine Scale Sets (VMSS) agents
- Use agents with TeamServicesAgent extension version 4.258.1 on Standard_D4s_v5 VMs
- Install SqlServer module version 22.4.0 or higher on the agent during pipeline execution
- Execute the following PowerShell command sequence:
# Create SMO connection with Azure AD authentication
$smoRenewableToken = [SmoRenewableToken]::new($resourceUrl)
$connectionInfo = [Microsoft.SqlServer.Management.Common.SqlConnectionInfo]::new($serverName)
$connectionInfo.AccessToken = $smoRenewableToken
$serverInstance = [Microsoft.SqlServer.Management.Smo.Server]::new($connectionInfo)
$smoDatabase = $serverInstance.Databases[$databaseName]
# Get key from Azure Key Vault
$key = Get-AzKeyVaultKey -VaultName $keyVaultName -Name $masterKeyName
$cmkSettings = New-SqlAzureKeyVaultColumnMasterKeySettings -KeyURL $key.Id
# This command fails with the constructor error
New-SqlColumnMasterKey -Name $masterKeyName -InputObject $smoDatabase -ColumnMasterKeySettings $cmkSettings -AccessToken $smoRenewableToken
- Observe the constructor error during the New-SqlColumnMasterKey execution
Expected Behavior
The New-SqlColumnMasterKey cmdlet should successfully create a column master key in the database using Azure AD authentication, as it did in SqlServer module version 22.3.0.
Actual Behavior
The New-SqlColumnMasterKey cmdlet fails immediately with a "Method not found" error for the AzureAuthenticationInformation constructor when it attempts to authenticate to Azure Key Vault using the provided token credential.
Workaround
Currently, the only workaround is to force the use of SqlServer module version 22.3.0:
# Force installation and use of working version
$workingVersion = Get-Module -ListAvailable -Name SqlServer |
    Where-Object { $_.Version -eq [Version]"22.3.0" }
if (-not $workingVersion) {
    Install-Module -Name SqlServer -RequiredVersion 22.3.0 -Force -AllowClobber
}
# Remove any loaded version and import specific version
Remove-Module -Name SqlServer -Force -ErrorAction SilentlyContinue
# Import by name and version: $workingVersion is still $null when the module
# was installed just above, so -ModuleInfo $workingVersion would fail there
Import-Module -Name SqlServer -RequiredVersion 22.3.0 -Force
Impact
This breaking change affects:
- Azure DevOps CI/CD pipelines using VMSS-hosted agents with Always Encrypted operations
- Build and deployment processes targeting SQL Server 2022 Enterprise with Azure AD authentication
- Scale set agents that automatically update to the latest SqlServer module version during pipeline runs
- Production deployments and database operations executed through Azure DevOps against Azure VM-hosted SQL Server instances
- Any automation running on Standard_D4s_v5 or similar VMSS agents that relies on the previous AzureAuthenticationInformation constructor signature
- Specifically impacts the New-SqlColumnMasterKey and potentially New-SqlColumnEncryptionKey cmdlets when used with Azure Key Vault and Azure AD authentication
Additional Context
This issue was discovered while troubleshooting what initially appeared to be Az.Accounts module compatibility issues on Azure DevOps VMSS agents. The SqlServer module breaking change was being masked by authentication errors from Az.Accounts 5.1.0, making it difficult to identify the root cause.
The issue specifically manifests during automated pipeline executions where:
- The latest module versions are often automatically installed on fresh VMSS agent instances
- Agents are running TeamServicesAgent extension version 4.258.1
- Operations target SQL Server 2022 Enterprise instances hosted on Azure VMs
- Both Windows PowerShell 5.1 and PowerShell Core 7.x environments are affected
- The error occurs immediately when New-SqlColumnMasterKey attempts to create internal authentication objects
Technical Details
The New-SqlColumnMasterKey cmdlet internally creates an instance of Microsoft.SqlServer.Management.AlwaysEncrypted.Management.AzureAuthenticationInformation to handle Azure Key Vault authentication. In SqlServer module 22.4.0+, this class's constructor signature has changed, expecting a different type or implementation of the token credential parameter than what the cmdlet is providing.
Requested Action
- Investigation: Please investigate the breaking change in the AzureAuthenticationInformation class constructor between versions 22.3.0 and 22.4.0
- Documentation: If this was an intentional breaking change, please provide migration guidance for the New-SqlColumnMasterKey cmdlet
- Fix: If this was unintentional, please restore backward compatibility or provide an alternative constructor overload
- Release Notes: Please ensure breaking changes affecting public cmdlets like New-SqlColumnMasterKey are clearly documented in future releases
Related Issues
This issue may be related to broader compatibility concerns with Azure authentication libraries and should be considered alongside any Az.Accounts module integration work.
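
A pre-flight diagnostic for the failure described in this issue, added here as an example and not part of the original report or of the SqlServer module: it uses .NET reflection to show which constructors the loaded AzureAuthenticationInformation type actually exposes and which Azure.Core assemblies are in the session. The function name `Get-AzureAuthCtorReport` is hypothetical; the type name and version numbers are the ones quoted in the issue.

```powershell
# Added diagnostic (not from the issue). Run it in the same session that will call
# New-SqlColumnMasterKey, after the SqlServer module has been imported.
function Get-AzureAuthCtorReport {
    param(
        [string]$TypeName = 'Microsoft.SqlServer.Management.AlwaysEncrypted.Management.AzureAuthenticationInformation'
    )

    # The module version that is loaded, which may differ from what is installed.
    $loaded = Get-Module -Name SqlServer | Select-Object -First 1

    # Every Azure.Core copy in the AppDomain, so a version mismatch is visible.
    $assemblies = [AppDomain]::CurrentDomain.GetAssemblies()
    $azureCore  = $assemblies | Where-Object { $_.GetName().Name -eq 'Azure.Core' }

    # Locate the type in whichever loaded assembly defines it ($null if none does yet).
    $type = $assemblies | ForEach-Object { $_.GetType($TypeName, $false) } |
        Where-Object { $_ } | Select-Object -First 1

    # One string per constructor, listing its parameter types.
    $flags = [Reflection.BindingFlags]'Instance, Public, NonPublic'
    $ctors = @()
    if ($type) {
        $ctors = $type.GetConstructors($flags) | ForEach-Object {
            ($_.GetParameters() | ForEach-Object { $_.ParameterType.FullName }) -join ', '
        }
    }

    [pscustomobject]@{
        SqlServerModuleVersion = $loaded.Version
        TypeAssembly           = if ($type) { $type.Assembly.FullName } else { $null }
        ConstructorSignatures  = $ctors
        HasTokenCredentialCtor = [bool]($ctors -contains 'Azure.Core.TokenCredential')
        AzureCoreLoaded        = $azureCore | ForEach-Object { $_.FullName }
    }
}

$report = Get-AzureAuthCtorReport
$report | Format-List

# Fail early with a clear message instead of the "Method not found" error mid-deployment.
if ($report.SqlServerModuleVersion -ge [Version]'22.4.0' -and -not $report.HasTokenCredentialCtor) {
    Write-Warning 'Loaded SqlServer module has no ctor(Azure.Core.TokenCredential); pin 22.3.0 as in the workaround.'
}
```

An empty TypeAssembly means the assembly that defines the type has not been loaded into the session yet, so the report says nothing about the constructor in that case.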