How to recover Synapse Workspace provisioning state from Failed state

Yadav, Ankit 0 Reputation points
2026-07-06T12:13:02.7766667+00:00

Hello Q&A team,

we have a Synapse Workspace on which our team had performed an operation named "Create Or Update Azure AD only authentication for workspace and its sub resources." and that ended up in Failure with message "Create or Update Azure AD only authentication for workspace and its sub resources request validation failed, check error details for more information" and the error code was "ValidationFailed".

[I can share the synapse workspace details over Private Message if that helps to debug the details and provide the appropriate solution for the issue]

This was an event done 3 days earlier ie Fri Jul 03 2026 08:06:45 GMT+0530 (India Standard Time) however still the cluster seems to be in Failed state due to which we are blocked to perform any operations on the Workspace.

As part of Azure AI analysis, we have received some solutions like below but none of them applies to this situation, it'll be helpful if anyone could help to fix this issue.

Azure Synapse Analytics
Azure Synapse Analytics

An Azure analytics service that brings together data integration, enterprise data warehousing, and big data analytics. Previously known as Azure SQL Data Warehouse.


2 answers

Sort by: Most helpful
  1. kagiyama yutaka 4,010 Reputation points
    2026-07-06T12:28:13.23+00:00

    I think Synapse workspace stuck in Failed after that AAD‑only auth update can only be handled by checking the Activity‑log error and fixing or reverting that auth setting, trying the same update once from the portal and sending the error to Azure support when it stays Failed.

    Was this answer helpful?


  2. AI answer

    2026-07-06T12:14:01.53+00:00

    The workspace is stuck in a Failed provisioning state after a control-plane operation, so only limited actions are possible until the state is corrected. For Synapse workspaces after tenant- or identity-related changes, the supported recovery pattern is to reset the workspace’s managed identity and then reapply access and identities.

    Use the following sequence (only if the subscription/tenant move or identity change is already complete):

    1. Disable and re-enable the system-assigned managed identity (SAMI) for the Synapse workspace
      • Build the workspace REST URL (Azure CLI example):
             $resourceGroupName="<resource-group>"
             $workspaceName="<workspace-name>"
             $subscriptionId="<subscription-id>"
             
             $url="https://management.azure.com/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Synapse/workspaces/$workspaceName?api-version=2021-06-01"
        
      • Disable the system-assigned identity:
             az rest --method patch --headers Content-Type=application/json \
               --url $url \
               --body '{ "identity": {"type": "None"}}'
        
      • Wait a few minutes, then check provisioning state and identity type:
             az rest --method GET --uri $url
        
        The provisioningState should become Succeeded and identity.type should be None. If it shows Provisioning, wait until it changes to Succeeded before continuing.
      • Re-enable the system-assigned identity:
             az rest --method patch --headers Content-Type=application/json \
               --url $url \
               --body '{ "identity": {"type": "SystemAssigned"}}'
        
      • Verify again:
             az rest --method GET --uri $url
        
        provisioningState should be Succeeded and identity type SystemAssigned.
      The same can be done with Azure PowerShell using Invoke-RestMethod with a PATCH body that sets identity.type to None and then back to SystemAssigned.
    2. Recreate and reassign user-assigned managed identities (if used)
      • After the workspace is back to Succeeded, recreate any user-assigned managed identities and assign them to the workspace as needed. See “Credentials in Azure Data Factory and Azure Synapse” from the referenced article.
    3. Reapply access and RBAC so operations in Synapse Studio work again Once the provisioning state is healthy:
      • Reassign Azure RBAC roles on the Synapse workspace and related resources (for example, ADLS Gen2) to Microsoft Entra users, groups, and managed identities.
      • Set the SQL Active Directory admin for the workspace’s SQL pools.
      • Recreate Microsoft Entra logins/users in dedicated and serverless SQL pools and add Synapse RBAC role assignments so Synapse Studio can be opened without 403/Unauthorized errors.

    If, after disabling and re-enabling the system-assigned managed identity, the workspace still remains in a Failed provisioning state or PATCH operations themselves fail, open an Azure support ticket and include the full error details from the failed operation, as control-plane recovery beyond these steps requires backend intervention.


    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.