Azure
diff --git a/‎src/azure-cli/azure/cli/command_modules/rdbms/_breaking_change.py‎
Lines changed: 24 additions & 0 deletions b/‎src/azure-cli/azure/cli/command_modules/rdbms/_breaking_change.py‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎src/azure-cli/azure/cli/command_modules/rdbms/_helptext_pg.py‎
Lines changed: 50 additions & 3 deletions b/‎src/azure-cli/azure/cli/command_modules/rdbms/_helptext_pg.py‎
Lines changed: 50 additions & 3 deletions
diff --git a/‎src/azure-cli/azure/cli/command_modules/rdbms/_params.py‎
Lines changed: 22 additions & 1 deletion b/‎src/azure-cli/azure/cli/command_modules/rdbms/_params.py‎
Lines changed: 22 additions & 1 deletion
diff --git a/‎src/azure-cli/azure/cli/command_modules/rdbms/flexible_server_commands.py‎
Lines changed: 10 additions & 1 deletion b/‎src/azure-cli/azure/cli/command_modules/rdbms/flexible_server_commands.py‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎src/azure-cli/azure/cli/command_modules/rdbms/flexible_server_custom_postgres.py‎
Lines changed: 10 additions & 9 deletions b/‎src/azure-cli/azure/cli/command_modules/rdbms/flexible_server_custom_postgres.py‎
Lines changed: 10 additions & 9 deletions
@@ -0,0 +1,24 @@
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+from azure.cli.core.breaking_change import register_command_group_deprecate, register_default_value_breaking_change, \
+    register_argument_deprecate, register_other_breaking_change, register_logic_breaking_change, \
+    register_command_deprecate
+
+
+register_logic_breaking_change('postgres flexible-server create', 'Update default value of "--sku-name"',
+                               detail='The default value will be changed from "Standard_D2s_v3" to a '
+                               'supported sku based on regional capabilities.')
+register_default_value_breaking_change('postgres flexible-server create', '--version', '16', '17')
+register_default_value_breaking_change('postgres flexible-server create', '--create-default-database', 'Enabled',
+                                       'Disabled')
+register_argument_deprecate('postgres flexible-server create', '--active-directory-auth', '--microsoft-entra-auth')
+register_argument_deprecate('postgres flexible-server update', '--active-directory-auth', '--microsoft-entra-auth')
+register_command_group_deprecate('postgres flexible-server ad-admin', redirect='microsoft-entra-admin')
+register_command_deprecate('postgres flexible-server replica stop-replication',
+                           redirect='postgres flexible-server replica promote', hide=True)
+register_other_breaking_change('postgres flexible-server update',
+                               message='User confirmation will be needed for compute and storage updates '
+                               'that trigger a restart of the server.')
@@ -140,14 +140,14 @@
       # create flexible server with aad auth and password auth enabled
 
       az postgres flexible-server create -g testGroup -n testServer --location testLocation \\
-        --active-directory-auth Enabled
+        --microsoft-entra-auth Enabled
   - name: >
       Create a PostgreSQL flexible server with Microsoft Entra auth only and primary administrator specified.
     text: >
       # create flexible server with aad only auth and password auth disabled with primary administrator specified
 
       az postgres flexible-server create -g testGroup -n testServer --location testLocation \\
-        --active-directory-auth Enabled --password-auth Disabled \\
+        --microsoft-entra-auth Enabled --password-auth Disabled \\
         --admin-object-id 00000000-0000-0000-0000-000000000000 --admin-display-name john@contoso.com --admin-type User
   - name: >
       Create a PostgreSQL flexible server with public access, geo-redundant backup enabled and add the range of IP address to have access to this server.
@@ -258,7 +258,7 @@
   - name: Reset password
     text: az postgres flexible-server update --resource-group testGroup --name testserver -p password123
   - name: Update a flexible server to enable Microsoft Entra auth for password auth enabled server
-    text: az postgres flexible-server update --resource-group testGroup --name testserver --active-directory-auth Enabled
+    text: az postgres flexible-server update --resource-group testGroup --name testserver --microsoft-entra-auth Enabled
   - name: Change key/identity for data encryption. Data encryption cannot be enabled post server creation, this will only update the key/identity.
     text: >
       # get key identifier of the existing key
@@ -1005,6 +1005,53 @@
     text: az postgres flexible-server ad-admin wait -g testgroup -s testsvr -i 00000000-0000-0000-0000-000000000000 --deleted
 """
 
+helps['postgres flexible-server microsoft-entra-admin'] = """
+type: group
+short-summary: Manage server Microsoft Entra administrators.
+"""
+
+helps['postgres flexible-server microsoft-entra-admin create'] = """
+type: command
+short-summary: Create a Microsoft Entra administrator.
+examples:
+  - name: Create Microsoft Entra administrator with user 'john@contoso.com', administrator ID '00000000-0000-0000-0000-000000000000' and type User.
+    text: az postgres flexible-server microsoft-entra-admin create -g testgroup -s testsvr -u john@contoso.com -i 00000000-0000-0000-0000-000000000000 -t User
+"""
+
+helps['postgres flexible-server microsoft-entra-admin delete'] = """
+type: command
+short-summary: Delete a Microsoft Entra administrator.
+examples:
+  - name: Delete Microsoft Entra administrator with ID '00000000-0000-0000-0000-000000000000'.
+    text: az postgres flexible-server microsoft-entra-admin delete -g testgroup -s testsvr -i 00000000-0000-0000-0000-000000000000
+"""
+
+helps['postgres flexible-server microsoft-entra-admin list'] = """
+type: command
+short-summary: List all Microsoft Entra administrators.
+examples:
+  - name: List Microsoft Entra administrators.
+    text: az postgres flexible-server microsoft-entra-admin list -g testgroup -s testsvr
+"""
+
+helps['postgres flexible-server microsoft-entra-admin show'] = """
+type: command
+short-summary: Get a Microsoft Entra administrator.
+examples:
+  - name: Get Microsoft Entra administrator with ID '00000000-0000-0000-0000-000000000000'.
+    text: az postgres flexible-server microsoft-entra-admin show -g testgroup -s testsvr -i 00000000-0000-0000-0000-000000000000
+"""
+
+helps['postgres flexible-server microsoft-entra-admin wait'] = """
+type: command
+short-summary: Wait for a Microsoft Entra administrator to satisfy certain conditions.
+examples:
+  - name: Wait until a Microsoft Entra administrator exists.
+    text: az postgres flexible-server microsoft-entra-admin wait -g testgroup -s testsvr -i 00000000-0000-0000-0000-000000000000 --exists
+  - name: Wait for a Microsoft Entra administrator to be deleted.
+    text: az postgres flexible-server microsoft-entra-admin wait -g testgroup -s testsvr -i 00000000-0000-0000-0000-000000000000 --deleted
+"""
+
 helps['postgres flexible-server advanced-threat-protection-setting'] = """
 type: group
 short-summary: Manage advanced threat protection setting for a PostgreSQL flexible server.
 
@@ -532,6 +532,12 @@ def _flexible_server_params(command_group):
             help='Whether Microsoft Entra authentication is enabled.'
         )
 
+        microsoft_entra_auth_arg_type = CLIArgumentType(
+            options_list=['--microsoft-entra-auth'],
+            arg_type=get_enum_type(['Enabled', 'Disabled']),
+            help='Whether Microsoft Entra authentication is enabled.'
+        )
+
         password_auth_arg_type = CLIArgumentType(
             options_list=['--password-auth'],
             arg_type=get_enum_type(['Enabled', 'Disabled']),
@@ -594,6 +600,7 @@ def _flexible_server_params(command_group):
                 c.argument('version', default='16', arg_type=version_arg_type)
                 c.argument('backup_retention', default=7, arg_type=pg_backup_retention_arg_type)
                 c.argument('active_directory_auth', default='Disabled', arg_type=active_directory_auth_arg_type)
+                c.argument('microsoft_entra_auth', default='Disabled', arg_type=microsoft_entra_auth_arg_type)
                 c.argument('admin_id', options_list=['--admin-object-id', '-i'], help='The unique ID of the Microsoft Entra administrator.')
                 c.argument('admin_name', options_list=['--admin-display-name', '-m'], help='Display name of the Microsoft Entra administrator user or group.')
                 c.argument('admin_type', options_list=['--admin-type', '-t'],
@@ -747,6 +754,7 @@ def _flexible_server_params(command_group):
                 c.argument('throughput', default=None, arg_type=throughput_arg_type)
                 c.argument('backup_retention', arg_type=pg_backup_retention_arg_type)
                 c.argument('active_directory_auth', arg_type=active_directory_auth_arg_type)
+                c.argument('microsoft_entra_auth', arg_type=microsoft_entra_auth_arg_type)
                 c.argument('password_auth', arg_type=password_auth_arg_type)
                 c.argument('private_dns_zone_arguments', private_dns_zone_arguments_arg_type)
                 c.argument('cluster_size', default=None, arg_type=update_node_count_arg_type)
@@ -975,7 +983,7 @@ def _flexible_server_params(command_group):
                     c.argument('database_names', options_list=['--database-names', '-d'], nargs='+',
                                help='Space-separated list of the database names to be mirrored. Required if --mirroring is enabled.')
 
-        # ad-admin
+        # ad-admin - Rename and deprecate group
         with self.argument_context('{} flexible-server ad-admin'.format(command_group)) as c:
             c.argument('server_name', id_part=None, options_list=['--server-name', '-s'], arg_type=server_name_arg_type)
 
@@ -988,6 +996,19 @@ def _flexible_server_params(command_group):
             c.argument('principal_type', options_list=['--type', '-t'], default='User', arg_type=get_enum_type(['User', 'Group', 'ServicePrincipal', 'Unknown']), help='Type of the Microsoft Entra administrator.')
             c.argument('identity', help='Name or ID of identity used for AAD Authentication.', validator=validate_identity)
 
+        # microsoft-entra-admin
+        with self.argument_context('{} flexible-server microsoft-entra-admin'.format(command_group)) as c:
+            c.argument('server_name', id_part=None, options_list=['--server-name', '-s'], arg_type=server_name_arg_type)
+
+        for scope in ['create', 'show', 'delete', 'wait']:
+            with self.argument_context('{} flexible-server microsoft-entra-admin {}'.format(command_group, scope)) as c:
+                c.argument('sid', options_list=['--object-id', '-i'], help='The unique ID of the Microsoft Entra administrator.')
+
+        with self.argument_context('{} flexible-server microsoft-entra-admin create'.format(command_group)) as c:
+            c.argument('login', options_list=['--display-name', '-u'], help='Display name of the Microsoft Entra administrator user or group.')
+            c.argument('principal_type', options_list=['--type', '-t'], default='User', arg_type=get_enum_type(['User', 'Group', 'ServicePrincipal', 'Unknown']), help='Type of the Microsoft Entra administrator.')
+            c.argument('identity', help='Name or ID of identity used for Microsoft Entra Authentication.', validator=validate_identity)
+
         # server advanced threat protection settings
         for scope in ['update', 'show']:
             argument_context_string = '{} flexible-server advanced-threat-protection-setting {}'.format(command_group, scope)
 
@@ -238,7 +238,7 @@ def load_flexibleserver_command_table(self, _):
                             custom_command_type=flexible_servers_custom_postgres,
                             client_factory=cf_postgres_flexible_servers) as g:
         g.custom_command('create', 'flexible_replica_create', supports_no_wait=True)
-        g.custom_command('stop-replication', 'flexible_replica_stop', confirmation=True, deprecate_info=g.deprecate(redirect='postgres flexible-server replica promote', hide=True))
+        g.custom_command('stop-replication', 'flexible_replica_stop', confirmation=True)
         g.custom_command('promote', 'flexible_replica_promote', confirmation=True)
 
     with self.command_group('postgres flexible-server identity', postgres_flexible_servers_sdk,
@@ -259,6 +259,15 @@ def load_flexibleserver_command_table(self, _):
         g.custom_show_command('show', 'flexible_server_ad_admin_show')
         g.custom_wait_command('wait', 'flexible_server_ad_admin_show')
 
+    with self.command_group('postgres flexible-server microsoft-entra-admin', postgres_flexible_adadmin_sdk,
+                            custom_command_type=flexible_servers_custom_postgres,
+                            client_factory=cf_postgres_flexible_adadmin) as g:
+        g.custom_command('create', 'flexible_server_ad_admin_set', supports_no_wait=True)
+        g.custom_command('delete', 'flexible_server_ad_admin_delete', supports_no_wait=True, confirmation=True)
+        g.custom_command('list', 'flexible_server_ad_admin_list')
+        g.custom_show_command('show', 'flexible_server_ad_admin_show')
+        g.custom_wait_command('wait', 'flexible_server_ad_admin_show')
+
     with self.command_group('postgres flexible-server advanced-threat-protection-setting', postgres_flexible_server_threat_protection_settings_sdk,
                             custom_command_type=flexible_servers_custom_postgres,
                             client_factory=cf_postgres_flexible_server_threat_protection_settings) as g:
 
@@ -58,7 +58,7 @@ def flexible_server_create(cmd, client,
                            resource_group_name=None, server_name=None,
                            location=None, backup_retention=None,
                            sku_name=None, tier=None,
-                           storage_gb=None, version=None, active_directory_auth=None,
+                           storage_gb=None, version=None, active_directory_auth=None, microsoft_entra_auth=None,
                            admin_name=None, admin_id=None, admin_type=None,
                            password_auth=None, administrator_login=None, administrator_login_password=None,
                            tags=None, database_name=None,
@@ -106,7 +106,7 @@ def flexible_server_create(cmd, client,
                            backup_byok_key=backup_byok_key,
                            performance_tier=performance_tier,
                            create_cluster=create_cluster,
-                           password_auth=password_auth, active_directory_auth=active_directory_auth,
+                           password_auth=password_auth, active_directory_auth=active_directory_auth, microsoft_entra_auth=microsoft_entra_auth,
                            admin_name=admin_name, admin_id=admin_id, admin_type=admin_type,)
 
     cluster = None
@@ -140,7 +140,8 @@ def flexible_server_create(cmd, client,
                                                                            standby_availability_zone=standby_availability_zone)
 
     is_password_auth_enabled = bool(password_auth is not None and password_auth.lower() == 'enabled')
-    is_microsoft_entra_auth_enabled = bool(active_directory_auth is not None and active_directory_auth.lower() == 'enabled')
+    is_microsoft_entra_auth_enabled = bool(active_directory_auth is not None and active_directory_auth.lower() == 'enabled') or \
+        bool(microsoft_entra_auth is not None and microsoft_entra_auth.lower() == 'enabled')
     if is_password_auth_enabled:
         administrator_login_password = generate_password(administrator_login_password)
 
@@ -150,7 +151,7 @@ def flexible_server_create(cmd, client,
                                                                    backup_byok_identity=backup_byok_identity,
                                                                    backup_byok_key=backup_byok_key)
 
-    auth_config = postgresql_flexibleservers.models.AuthConfig(active_directory_auth=active_directory_auth,
+    auth_config = postgresql_flexibleservers.models.AuthConfig(active_directory_auth='Enabled' if is_microsoft_entra_auth_enabled else 'Disabled',
                                                                password_auth=password_auth)
 
     # Create postgresql
@@ -191,7 +192,7 @@ def flexible_server_create(cmd, client,
 
     user = server_result.administrator_login if is_password_auth_enabled else '<user>'
     password = administrator_login_password if is_password_auth_enabled else '<password>'
-    admin = admin_name if admin_name else '<admin>'
+    admin = quote(admin_name) if admin_name else '<admin>'
     server_id = server_result.id
     loc = server_result.location
     version = server_result.version
@@ -310,7 +311,7 @@ def flexible_server_update_custom_func(cmd, client, instance,
                                        maintenance_window=None,
                                        byok_identity=None, byok_key=None,
                                        backup_byok_identity=None, backup_byok_key=None,
-                                       active_directory_auth=None, password_auth=None,
+                                       active_directory_auth=None, microsoft_entra_auth=None, password_auth=None,
                                        private_dns_zone_arguments=None,
                                        public_access=None,
                                        tags=None,
@@ -424,8 +425,8 @@ def flexible_server_update_custom_func(cmd, client, instance,
 
     auth_config = instance.auth_config
     administrator_login = instance.administrator_login if instance.administrator_login else None
-    if active_directory_auth:
-        auth_config.active_directory_auth = active_directory_auth
+    if active_directory_auth or microsoft_entra_auth:
+        auth_config.active_directory_auth = active_directory_auth if active_directory_auth else microsoft_entra_auth
     if password_auth:
         administrator_login, administrator_login_password = _update_login(server_name, resource_group_name, auth_config,
                                                                           password_auth, administrator_login, administrator_login_password)
@@ -1792,7 +1793,7 @@ def _create_postgresql_connection_string(host, user, password, database):
 
 def _create_microsoft_entra_connection_string(host, database, admin='<admin>'):
     connection_kwargs = {
-        'user': quote(admin),
+        'user': admin,
         'host': host,
         'database': database,
     }