Applies to: SQL Server
The information security principle of least privilege asserts that accounts and applications only have access to the data and operations they require. With SQL Server enabled by Azure Arc, you can run the agent extension service with least privilege. This article explains how to run the agent extension service with least privilege.
To optionally configure the service to run with least privilege, follow the steps in this article. Currently, the service does not automatically run with least privilege.
Configure Windows service accounts and permissions for Azure Extension for SQL Server describes the least privilege permissions for the agent extension service.
Note
Existing servers with the extension from the November 2024 release or later will automatically have least privileged configuration applied. This application will happen gradually.
To prevent automatic application of least privilege, block extension upgrades to the November 2024 release.
After you configure the agent extension service to run with least privilege, it uses the `NT Service\SQLServerExtension` service account.
The `NT Service\SQLServerExtension` account is a local Windows service account:
This section identifies the system requirements and tools you need to complete the example in this article.
The configuration with least privilege requires:
- The SQL Server service account to be a member of the `sysadmin` fixed server role.
The configuration with least privilege is not currently supported on Linux.
Other requirements, as listed in Prerequisites - SQL Server enabled by Azure Arc still apply.
By default, the SQL Server service account is a member of the `sysadmin` fixed server role.
As listed in prerequisites, the SQL Server service account must be a member of the `sysadmin` fixed server role on each SQL Server instance. The Azure extension for SQL Server has a process called `Deployer.exe` that temporarily runs as `NT AUTHORITY\SYSTEM` when:
`Deployer.exe` impersonates the SQL Server service account to connect to SQL Server and add or remove permissions in server and database roles, depending on which features are enabled or disabled, to ensure that the Azure extension for SQL Server uses the least privileges required. To modify these permissions, the SQL Server service account must be a member of the `sysadmin` server role.
If you want to manage this process with more control, so that the SQL Server service account is not a member of the `sysadmin` server role all the time, follow these steps:
- Allow `Deployer.exe` to run at least once so that the permissions are set.
Repeat this procedure any time features are enabled or disabled, or SQL Server instances are added, to allow `Deployer.exe` to grant the least privileges required.
To complete the steps in this article, you need the following tools:
- `arcdata` Azure CLI extension version `1.5.9` or later
- Azure extension for SQL Server version `1.1.2504.99` or later

1. Log in with Azure CLI.

```azurecli
az login
```

2. Verify the `arcdata` extension version.

```azurecli
az extension list -o table
```

If the results include a supported version of `arcdata`, skip to the next step.

3. If necessary, install or update the `arcdata` Azure CLI extension.

To install the extension:

```azurecli
az extension add --name arcdata
```

To update the extension:

```azurecli
az extension update --name arcdata
```
4. Enable least privilege with Azure CLI.

To enable least privilege, set the `LeastPrivilege` feature flag to `true`. To complete this task, run the following command with updated values for `<resource-group>` and `<machine-name>`.

```azurecli
az sql server-arc extension feature-flag set --name LeastPrivilege --enable true --resource-group <resource-group> --machine-name <machine-name>
```

For example, the following command enables least privilege for a server named `myserver` in a resource group named `myrg`:

```azurecli
az sql server-arc extension feature-flag set --name LeastPrivilege --enable true --resource-group myrg --machine-name myserver
```
To verify that your SQL Server enabled by Azure Arc is configured to run with least privilege:

1. In Windows Services, locate the Microsoft SQL Server Extension Service. Verify that the service is running as the service account `NT Service\SqlServerExtension`.
2. Open Task Scheduler on the server and check that an event-driven task named `SqlServerExtensionPermissionProvider` is created under `Microsoft\SqlServerExtension`.

Note
Prior to the July 2024 release, `SqlServerExtensionPermissionProvider` is a scheduled task. It runs hourly.
For those releases, open Task Scheduler on the server and check that a scheduled task named `SqlServerExtensionPermissionProvider` is created under `Microsoft\SqlServerExtension`.

3. Open SQL Server Management Studio and check the login named `NT Service\SqlServerExtension`. Verify that the account is assigned these permissions:
Validate the permissions with the following queries:

To verify server-level permissions, run the following query:

```sql
EXECUTE AS LOGIN = 'NT Service\SqlServerExtension'
SELECT * FROM fn_my_permissions (NULL, 'SERVER');
```

To verify database-level permissions, replace `<database name>` with the name of one of your databases, and run the following query:

```sql
EXECUTE AS LOGIN = 'NT Service\SqlServerExtension'
USE <database name>;
SELECT * FROM fn_my_permissions (NULL, 'database');
```
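The verification steps above can be scripted on the host. The following PowerShell is an added example, not part of the original article or the extension itself: it checks the service account, the permission-provider task, and (as an extra least-privilege check assumed here, not stated by the article) that the extension login is not a `sysadmin`. It assumes a local default instance and that the `SqlServer` module (`Invoke-Sqlcmd`) is installed.

```powershell
# Added example (not from the original article): verify the least-privilege
# configuration of the Azure extension for SQL Server on the Arc-enabled host.
# Service, task and login names are taken from the article; the instance name
# and the sysadmin check are assumptions to adjust for your environment.
$expectedAccount = 'NT Service\SqlServerExtension'
$taskPath        = '\Microsoft\SqlServerExtension\'
$taskName        = 'SqlServerExtensionPermissionProvider'
$sqlInstance     = 'localhost'   # assumption: default local instance

# 1. The extension service must run as the dedicated virtual service account,
#    not as LocalSystem. StartName holds the logon account; -eq ignores case.
$svc = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -eq 'Microsoft SQL Server Extension Service' }
if (-not $svc) { throw 'Microsoft SQL Server Extension Service not found' }
$accountOk = $svc.StartName -eq $expectedAccount
"Service account: $($svc.StartName) (expected $expectedAccount) -> $accountOk"

# 2. The permission-provider task must exist under Microsoft\SqlServerExtension
#    (event-driven from July 2024; hourly scheduled task before that).
$task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
$taskOk = $null -ne $task
"Task $taskPath$taskName present -> $taskOk"

# 3. Least privilege means the extension login should hold only the granular
#    permissions shown by fn_my_permissions, so it must not be a sysadmin.
#    IS_SRVROLEMEMBER returns 1 if member, 0 if not, NULL if the login is missing.
$query = "SELECT IS_SRVROLEMEMBER('sysadmin', N'$expectedAccount') AS IsSysadmin;"
$row = Invoke-Sqlcmd -ServerInstance $sqlInstance -Query $query
$notSysadmin = $row.IsSysadmin -eq 0
"Login $expectedAccount is not sysadmin -> $notSysadmin"

if ($accountOk -and $taskOk -and $notSysadmin) {
    'Least privilege configuration verified'
} else {
    Write-Warning 'One or more least privilege checks failed; review the output above'
}
```

Run it in an elevated PowerShell session on the server; a missing login shows up as a failed sysadmin check because the NULL result does not equal 0.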