How to Resolve the Group ID PostgresqlServer Is Invalid for the Workspace Error

Issue

You receive the following error message:

Call to Microsoft.Databricks/workspaces failed. Error message: The group id 'postgresqlServer' is invalid for the workspace in api-version <api-version>.

Environment

All database connectors
Connection method: Private networking

Understanding the problem

The error message indicates that postgresqlServer isn’t a valid groupId (subresource_name in some contexts) for Microsoft.Databricks/workspaces. You’re trying to connect the workspace with the wrong groupId. Use postgresqlServer only when creating private endpoints to Azure Database for PostgreSQL Flexible Server. It doesn’t apply to Azure Databricks.

Resolution

Identify what component of your Azure Databricks workspace you're trying to privately connect to and then use the corresponding correct groupId.

Determine your Private Link for Databricks

Choose the right Databricks Private Endpoint target:

databricks_ui_api: This is for front-end private connectivity to the Azure Databricks control plane (e.g., for accessing the web UI, REST API, Databricks Connect). This is generally per-workspace.
browser_authentication: This is a specialized groupId used for browser-based authentication redirects with Microsoft Entra ID (formerly Azure AD) when your network doesn't have public internet connectivity. This is usually configured once per region, rather than per workspace.
workspace: While not explicitly listed as a groupId for direct private endpoint creation in the same way databricks_ui_api is, this often comes up in the context of backend connectivity for serverless compute. For connecting serverless compute to Azure resources, such as storage accounts, you define private endpoint rules within a Network Connectivity Configuration (NCC), and those rules use the target resource's groupId (e.g., blob, dfs for Storage, sqlServer for Azure SQL, etc.).

Use the correct group ID

The steps to apply the correct group ID differ depending on your use case. Follow the instructions below that are relevant to you.

Expand for instructions for connecting to the Databricks workspace's UI/APIs

When creating the Private Endpoint directly for a Databricks workspace (often done from the Databricks workspace's networking settings), the Target sub-resource or groupId should be databricks_ui_api.

Azure Portal

Go to your Azure Databricks workspace.
Under Settings, select Networking.
Go to the Private endpoint connections tab.
Click + Add.
On the Resource tab, ensure the Resource type is Microsoft.Databricks/workspaces and select your workspace as the Resource.
For Target sub-resource, select databricks_ui_api from the dropdown.

Azure CLI example

      az network private-endpoint create \
          --name my-databricks-pe \
          --resource-group <your-resource-group> \
          --vnet-name <your-vnet-name> \
          --subnet <your-subnet-name> \
          --private-connection-resource-id "/subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.Databricks/workspaces/<workspace-name>" \
          --group-ids "databricks_ui_api" \ # <--- CORRECT GROUP ID FOR UI/API
          --location <your-region> \
          --private-dns-zone "privatelink.azuredatabricks.net" # Standard DNS zone for Databricks

Expand for instructions for connecting serverless compute to other Azure data sources

If you are setting up Private Link for the Databricks serverless compute plane to access other Azure services, such as Storage or Azure SQL, this is done as follows:

Log in to the Azure Databricks account console.
Create a Network Connectivity Configuration (NCC).
- Within the NCC, you create Private Endpoint Rules. Each rule defines a connection to an external Azure resource.
- The groupId for these rules should be the group ID of the target Azure resource (e.g., blob for Storage, sqlServer for Azure SQL, postgresqlServer for Azure Database for PostgreSQL Flexible Server, etc.).
Then, you attach the NCC to your Databricks workspace.