Create extension in Azure PostgreSQL

Hi there Cuong Tran

Thanks for much using QandA platform

You're right this does seem to contradict the official Azure PostgreSQL documentation. The doc states that the user must be in the azure_pg_admin role to create extensions, but your test shows a user with only CREATE ROLE privileges (not a member of azure_pg_admin) was able to successfully create the btree_gin extension. This might be an oversight in the documentation or a recent change in role behavior. and as Abiola mentioned go ahead and create a edit request.

Thanks much, if this helps kindly accept the answer thanks much,

Hi Cuong Tran

Greetings!

In addition to the response provided by @Abiola Akinbade, I would like to add the following information.

As we understand that, you are experiencing a discrepancy between the documentation and your experience while creating extensions in Azure PostgreSQL. The documentation states that the user needs to be a member of the azure_pg_admin role to create extensions, but you've successfully created an extension without this role.

You're absolutely right to call this out, and your observation is valid based on the evidence in your screenshot.

What You Observed:

You are logged in as user phong and phong is not a member of the azure_pg_admin role.

Yet, you successfully ran:

CREATE EXTENSION IF NOT EXISTS btree_gin;

The extension shows up in pg_extension, with owner 24813, which aligns with phong’s role (not azure_pg_admin).

According to the documentation https://learn.microsoft.com/en-us/azure/postgresql/extensions/how-to-create-extensions

“To create an extension in Azure Database for PostgreSQL, the user must be a member of the azure_pg_admin role.”

The documentation oversimplifies or generalizes the rule. Here's how it actually works:

1. Extension creation permission depends on the extension and database settings, not just the azure_pg_admin role.
2. Some extensions (like btree_gin, pg_trgm, plpgsql) are safe, preloaded, and allowed for non-superuser roles that have:
3. CREATE privilege on the database and proper role privileges (Create role in your case).
4. PostgreSQL's security model allows the owner of the database (or those with CREATE privileges) to install certain trusted extensions if extrelocatable is true.
5. The extension is marked extrelocatable = t (true) — this often allows it to be installed by non-superusers.
6. btree_gin is known to be one of the extensions allowed in Azure PostgreSQL Flexible Server without azure_pg_admin. I would like to refer this documentation for more information.

https://learn.microsoft.com/en-us/azure/postgresql/extensions/concepts-extensions-versions

https://learn.microsoft.com/en-us/azure/postgresql/extensions/concepts-extensions-by-engine?pivots=postgresql-17

You are correct to say that the documentation needs clarification. Microsoft should specify.

Your feedback is important so please take a moment to submit feedback to Microsoft by clicking the “Provide Product Feedback” link at the bottom of the document page. They often act on well-documented issues like this. If you still have questions, please let us know what is needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

If this answers your query, do click Accept Answer and Upvote for was this answer helpful.

Hello and Thanks for your post.

As a feature, you can directly submit this as an edit on the document page itself. This will be in the form of a GitHub changer and the team will review.

You can also use the feedback link at the bottom of the document to post this as well.

Engineers actively take a look and would be able to address this.

You can mark it 'Accept Answer' and 'Upvote' if this helped you

Regards,

Abiola