Automatically approve Pending Private Endpoint Connections in your pipeline

After adding an origin to Azure Front Door, or adding a SQL server to an Azure Search indexer via Private Link, the Private Endpoint Connection is left in a ‘Pending’, non-functional state. Normally you approve these manually by locating the endpoint on the target resource and approving it. But if you want your deployments fully automated, this script may help. (It can also be run manually from a prompt or in Visual Studio Code.)

 
Save the script as ‘ApprovePrivateEndpointConnections.ps1’

<#
.SYNOPSIS
    Approves all pending private endpoint connections for a given Azure resource.
    Thomas Odell Balkeståhl 2026-03-10

.PARAMETER ResourceGroup
    The resource group of the target resource.

.PARAMETER ResourceName
    The name of the target resource.

.PARAMETER ResourceType
    The Azure resource type, e.g. 'Microsoft.Sql/servers', 'Microsoft.Storage/storageAccounts', 'Microsoft.Web/sites', etc.

.PARAMETER Description
    Optional approval description. Defaults to 'Approved via automation script'.

.PARAMETER Simulation
    When set to $true, lists pending connections but does not approve them.

.EXAMPLE
    .\ApprovePrivateEndpointConnections.ps1 `
        -ResourceGroup 'rg-team-product-prd' `
        -ResourceName 'asql-team-product-prd-sc' `
        -ResourceType 'Microsoft.Sql/servers' `
        -Simulation $true
#>
param (
    [Parameter(Mandatory = $true)]
    [string] $ResourceGroup,

    [Parameter(Mandatory = $true)]
    [string] $ResourceName,

    [Parameter(Mandatory = $true)]
    [string] $ResourceType,

    [Parameter(Mandatory = $false)]
    [string] $Description = 'Approved via automation script',

    [Parameter(Mandatory = $false)]
    [bool] $Simulation = $false
)

# Returns the resource IDs of all connections on the target resource whose state is 'Pending'
function Get-PendingConnections {
    az network private-endpoint-connection list `
        --resource-group $ResourceGroup `
        --name $ResourceName `
        --type $ResourceType `
        --query "[?properties.privateLinkServiceConnectionState.status == 'Pending'].id" `
        --output tsv
}

# List all private endpoint connections and filter those with status 'Pending'
Write-Host "Listing private endpoint connections for '$ResourceName'..."

$pendingConnections = Get-PendingConnections

if (-not $pendingConnections) {
    Write-Host "No pending connections found on first attempt. Waiting 2 minutes before retrying..."
    Start-Sleep -Seconds 120

    Write-Host "Retrying..."
    $pendingConnections = Get-PendingConnections
}

if (-not $pendingConnections) {
    Write-Host "No pending private endpoint connections found after retry. Exiting."
} else {
    foreach ($connectionId in $pendingConnections) {
        if ($Simulation) {
            Write-Host "  -> (Simulation) Would approve: $connectionId"
        } else {
            Write-Host "Approving connection: $connectionId"

            # Capture stdout and stderr so a failure message can be logged below
            $result = az network private-endpoint-connection approve `
                --id $connectionId `
                --description $Description 2>&1

            if ($LASTEXITCODE -eq 0) {
                Write-Host "  -> Approved: $connectionId"
            } else {
                Write-Host "  -> FAILED to approve: $connectionId"
                Write-Host "     Error: $result"
            }
        }
    }
}
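
The script above approves every connection it finds in the Pending state. As an added example (not part of the original script), the function below narrows that to pending connections whose request message or private endpoint ID is on an allowlist. The function name, parameter names, allowlist values and sample JSON are assumptions constructed for illustration; the JSON shape follows the `properties.privateLinkServiceConnectionState` path used in the query above.

```powershell
# Added example, not the original author's code. Names and sample data are constructed.
function Select-ExpectedPendingConnection {
    param (
        [Parameter(Mandatory = $true)] [AllowEmptyCollection()] [object[]] $Connections,
        [string[]] $AllowedRequestMessages = @(),      # exact request messages set by your own deployment
        [string[]] $AllowedEndpointIdPrefixes = @()    # e.g. '/subscriptions/<your-subscription-id>/'
    )
    foreach ($c in $Connections) {
        $state = $c.properties.privateLinkServiceConnectionState
        if ($state.status -ne 'Pending') { continue }   # only pending requests need a decision

        $endpointId = [string] $c.properties.privateEndpoint.id
        $expected = $AllowedRequestMessages -contains $state.description
        foreach ($prefix in $AllowedEndpointIdPrefixes) {
            # An empty prefix would match everything, so it is ignored
            if ($prefix -and $endpointId.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $expected = $true
            }
        }
        [pscustomobject]@{ Id = $c.id; Endpoint = $endpointId; Message = $state.description; Approve = $expected }
    }
}

# Constructed sample standing in for the output of:
#   az network private-endpoint-connection list --resource-group ... --name ... --type ... --output json
$sample = @'
[
  { "id": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-team-product-prd/providers/Microsoft.Sql/servers/asql-team-product-prd-sc/privateEndpointConnections/pec-a",
    "properties": { "privateEndpoint": { "id": "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg-a/providers/Microsoft.Network/privateEndpoints/pe-a" },
                    "privateLinkServiceConnectionState": { "status": "Pending", "description": "product-prd-pipeline-request" } } },
  { "id": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-team-product-prd/providers/Microsoft.Sql/servers/asql-team-product-prd-sc/privateEndpointConnections/pec-b",
    "properties": { "privateEndpoint": { "id": "/subscriptions/00000000-0000-0000-0000-000000000003/resourceGroups/rg-b/providers/Microsoft.Network/privateEndpoints/pe-b" },
                    "privateLinkServiceConnectionState": { "status": "Pending", "description": "please approve" } } },
  { "id": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-team-product-prd/providers/Microsoft.Sql/servers/asql-team-product-prd-sc/privateEndpointConnections/pec-c",
    "properties": { "privateEndpoint": { "id": "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg-a/providers/Microsoft.Network/privateEndpoints/pe-c" },
                    "privateLinkServiceConnectionState": { "status": "Approved", "description": "Approved via automation script" } } }
]
'@ | ConvertFrom-Json

$decisions = Select-ExpectedPendingConnection -Connections $sample -AllowedRequestMessages 'product-prd-pipeline-request'
foreach ($d in $decisions) {
    if ($d.Approve) {
        Write-Host "Would approve: $($d.Id)"   # real run: az network private-endpoint-connection approve --id $d.Id
    } else {
        Write-Warning "Left pending (not on allowlist): $($d.Id) requested by $($d.Endpoint)"
    }
}
```

With the constructed sample, only `pec-a` is selected for approval, `pec-b` is reported and left pending, and the already approved `pec-c` is ignored. For Front Door origins the private endpoint is created in a Microsoft-managed network rather than in your own subscription, so the request message configured on the origin is the practical value to match on.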

To use it in a pipeline (YAML):
(The AzureCLI@2 task will execute the script using the named Service Connection in Azure DevOps)

 

          - task: AzureCLI@2
            displayName: 'Approve Private Endpoint Connections'
            inputs:
              azureSubscription: ${{ variables.serviceConnection }}
              scriptType: 'ps'
              scriptLocation: 'scriptPath'
              scriptPath: 'deployment/iac/scripts/ApprovePrivateEndpointConnections.ps1'
              arguments: >-
                -ResourceGroup "${{ variables.ResourceGroupName }}"
                -ResourceName "${{ variables.ResourceName }}"
                -ResourceType "Microsoft.Sql/servers"
 
 

az network private-endpoint-connection approve on Learn
https://learn.microsoft.com/en-us/cli/azure/network/private-endpoint-connection?view=azure-cli-latest#az-network-private-endpoint-connection-approve

 


___________________________________________________________________________________________________

Enjoy!

Regards

 Thomas Odell Balkeståhl on LinkedIn