Migrating from Azure Database for PostgreSQL Flexible Server to another Flexible Server fails with "Unsupported extension(s)"

Hi @Mette Bryde Frisk

The migration path being attempted (Azure Database for PostgreSQL Flexible Server to another Azure Database for PostgreSQL Flexible Server using the PostgreSQL Migration Service) is currently not supported.

As a result, validation may fail when it encounters Azure-managed extensions such as azure and pgaadauth, even though these extensions are present on both the source and target servers.

At this time, there is no supported workaround within the PostgreSQL Migration Service for Flexible Server-to-Flexible Server migrations.

We understand your goal is to move between Flexible Servers due to networking changes. Unfortunately, this migration scenario is not currently supported by the service.

We appreciate your feedback and recommend monitoring Azure Database for PostgreSQL documentation for future enhancements and support for additional migration scenarios.

Hello Mette Bryde Frisk,

Greetings! Thanks for raising this question in Q&A forum.

This is indeed a known limitation of the Azure PostgreSQL Migration Service. The root cause is that the azure and pgaadauth extensions are Azure-managed system extensions that get automatically installed on every Azure PostgreSQL Flexible Server. The Migration Service's validation engine flags these as "unsupported" and blocks the migration but since these extensions are owned by Azure itself, the azure_pg_admin role is not permitted to drop them. So you're stuck in a situation where you can neither remove the extensions to pass validation nor proceed with the migration as-is. This is not a misconfiguration on your end it is a current bug/gap in the Migration Service when doing Flexible Server to Flexible Server migrations.

Here are your best options to work around this:

Use pg_dump and pg_restore instead of the Migration Service. Since both your source and target are PostgreSQL 14 Flexible Servers, a dump/restore approach works cleanly and bypasses the extension validation check entirely. Run:

pg_dump -h <source-host> -U <admin-user> -Fc -d <database-name> -f backup.dump
pg_restore -h <target-host> -U <admin-user> -d <database-name> backup.dump

If you prefer to stay within Azure tooling, consider using Azure Database for PostgreSQL's built-in geo-restore or point-in-time restore to restore a copy of your source server, then update the networking configuration on the restored copy — this avoids a migration altogether.

If your schema and data volume is manageable, you can also use pgAdmin's backup/restore wizard for a GUI-based approach to accomplish the same as pg_dump/pg_restore.

For the Migration Service path specifically — raise a support ticket with Azure referencing Error 603405 and explain that the blocking extensions (azure, pgaadauth) are Azure-managed and cannot be dropped. This helps Microsoft track and prioritize a fix so the validation logic skips these system-level extensions in Flexible Server to Flexible Server scenarios.

While waiting for a fix, make sure to allowlist any other PostgreSQL extensions your databases use on the target server before doing the dump/restore, via the Azure Portal under Server Parameters → azure.extensions.

The pg_dump/pg_restore approach is the most reliable path for your scenario right now and gives you full control over the migration without the service's extension validation getting in the way.

If this answer helps you kindly accept the answer which will help others who have similar questions.

Best Regards,

Jerald Felix.