Configure Windows service accounts and permissions for Azure extension for SQL Server
Applies to: 
SQL Server
This article lists the permissions Azure extension for SQL Server sets for the NT Service\SQLServerExtension account. This account is used when you Operate SQL Server enabled by Azure Arc with least privilege.
Note
Existing servers with the extension from the November 2024 release or later will automatically have least privileged configuration applied. This application will happen gradually.
To prevent automatic application of least privilege, block extension upgrades to the November 2024 release.
Manually setting the permissions for the agent account is not supported.
The extension sets permissions when you enable features on the Azure portal. If you don't enable a feature, the extension does not set the permissions for that feature. If you disable a feature, the extension removes the permissions.
SQL permissions lists the permissions tied to features that the extension grants when features are enabled.
Note
NT Authority\System must have access to modify permissions on listed directories and registry keys. This is needed so that NT Authority\System can grant required access to NT Service\SqlServerExtension account for least privileges mode.
Directory permissions
| Directory path | Required permissions | Details | Feature |
|---|---|---|---|
<SystemDrive>\Packages\Plugins\Microsoft.AzureData.WindowsAgent.SQLServer |
Full control | Extension related dlls and exe files. | Default |
C:\Packages\Plugins\Microsoft.AzureData.WindowsAgent.SqlServer\<extension_version>\RuntimeSettings |
Full control | Extension settings file. | Default |
C:\Packages\Plugins\Microsoft.AzureData.WindowsAgent.SqlServer\<extension_version>\status |
Full control | Extension status file. | Default |
C:\ProgramData\GuestConfig\extension_logs\Microsoft.AzureData.WindowsAgent.SqlServer |
Full control | Extension log files. | Default |
C:\Packages\Plugins\Microsoft.AzureData.WindowsAgent.SqlServer\<extension_version>\status\HeartBeat.Json |
Full control | Extension heartbeat file. | Default |
%ProgramFiles%\Sql Server Extension |
Full control | Extension service files. | Default |
<SystemDrive>\Windows\system32\extensionUpload |
Full control | Required to write usage file needed for billing. | Default |
<SystemDrive>\Windows\system32\ExtensionHandler.log |
Full control | Pre-log folder created by extension. | Default |
<ProgramData>\AzureConnectedMachineAgent\Config |
Read | Arc config files directory. | Default |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft SQL Server Extension Agent |
Full control | Required to write assessment reports and status. | Default |
SQL log directory (as set in registry) 1:C:\Program Files\Microsoft SQL Server\MSSQL<base_version>.<instance_name>\MSSQL\log |
Read | Required to extract SQL vCores info from SQL logs. | Default |
SQL backup directory (as set in registry) 1:C:\Program Files\Microsoft SQL Server\MSSQL<base_version>.<instance_name>\MSSQL\Backup |
ReadAndExecute/Write /Delete | Required for Backups | Backup |
1 For more information, see File Locations and Registry Mapping.
Registry permissions
Base key: HKEY_LOCAL_MACHINE
| Registry key | Permission required | Details | Feature |
|---|---|---|---|
SOFTWARE\Microsoft\Microsoft SQL Server |
Read | Read SQL Server properties like installedInstances. |
Default |
SOFTWARE\Microsoft\Microsoft SQL Server\<InstanceRegistryName>\MSSQLSERVER |
Full control | Microsoft Entra ID and Purview. | Microsoft Entra ID Purview |
SOFTWARE\Microsoft\SystemCertificates |
Full control | Required for Microsoft Entra ID. | Microsoft Entra ID |
SYSTEM\CurrentControlSet\Services |
Read | SQL Server account name. | Default |
SOFTWARE\Microsoft\AzureDefender\SQL |
Read | Azure Defender status and last update time. | Default |
SOFTWARE\Microsoft\SqlServerExtension |
Full control | Extension related values. | Default |
SOFTWARE\Policies\Microsoft\Windows |
Read and Write | Enabling automatic windows update via extension. | Automatic updates |
Group permissions
NT Service\SQLServerExtension is added to Hybrid agent extension applications. Supports Azure Instance Metadata Service (IMDS) Handshake.
SQL permissions
NT Service\SQLServerExtension is added:
- As a SQL login to all the instances present currently on machine
- As a user in each database
The extension also grants permissions to instance and database objects as features are enabled. The table below provides details.
| Feature | Permission | Level | Requirement |
|---|---|---|---|
| Default | VIEW DATABASE STATE |
Server level | Essential |
VIEW SERVER STATE |
Server level | Essential | |
CONNECT SQL |
Server level | Essential | |
| Database as a resource | Default public role | Server level (This is granted by default to newly added logins) | Essential |
| Best practices assessment | VIEW ANY DEFINITION |
Server level | Feature dependent |
VIEW ANY DATABASE |
Server level | Feature dependent | |
SELECT |
master |
Feature dependent | |
SELECT |
msdb |
Feature dependent | |
EXECUTE ON sys.xp_enumerrorlogs |
master |
Feature dependent | |
EXECUTE ON sys.xp_readerrorlog |
master |
Feature dependent | |
| Backup | CREATE ANY DATABASE |
Server level | Feature dependent |
| db_backupoperator role | All databases | Feature dependent | |
| dbcreator | Server role | Feature dependent | |
| Azure Control Plane | CREATE TABLE |
msdb |
Essential |
ALTER ANY SCHEMA |
msdb |
Essential | |
CREATE TYPE |
msdb |
Essential | |
EXECUTE |
msdb |
Essential | |
| db_datawriter role | msdb |
Feature dependent | |
| db_datareader role | msdb |
Feature dependent | |
| Availability group discovery | VIEW ANY DEFINITION |
Server level | Essential |
| Purview | SELECT |
All databases | Feature dependent |
EXECUTE |
All databases | Feature dependent | |
CONNECT ANY DATABASE |
Server level | Feature dependent | |
VIEW ANY DATABASE |
Server level | Feature dependent | |
| Monitoring | SELECT dbo.sysjobactivity |
msdb |
Essential |
SELECT dbo.sysjobs |
msdb |
Essential | |
SELECT dbo.syssessions |
msdb |
Essential | |
SELECT dbo.sysjobHistory |
msdb |
Essential | |
SELECT dbo.sysjobSteps |
msdb |
Essential | |
SELECT dbo.syscategories |
msdb |
Essential | |
SELECT dbo.sysoperators |
msdb |
Essential | |
SELECT dbo.suspectpages |
msdb |
Essential | |
SELECT dbo.backupset |
msdb |
Essential | |
SELECT dbo.backupmediaset |
msdb |
Essential | |
SELECT dbo.backupmediafamily |
msdb |
Essential | |
SELECT dbo.backupfile |
msdb |
Essential | |
CONNECT ANY DATABASE |
Server level | Essential | |
VIEW ANY DATABASE |
Server level | Essential | |
VIEW ANY DEFINITION |
Server level | Essential | |
| Migration Assessment | EXECUTE dbo.agent_datetime |
msdb |
Essential |
SELECT dbo.syscategories |
msdb |
Essential | |
SELECT dbo.sysjobHistory |
msdb |
Essential | |
SELECT dbo.sysjobs |
msdb |
Essential | |
SELECT dbo.sysjobSteps |
msdb |
Essential | |
SELECT dbo.sysmail_account |
msdb |
Essential | |
SELECT dbo.sysmail_profile |
msdb |
Essential | |
SELECT dbo.sysmail_profileaccount |
msdb |
Essential | |
SELECT dbo.syssubsystems |
msdb |
Essential | |
SELECT sys.sql_expression_dependencies |
All databases | Essential |
Note
Minimum permissions depend on enabled features. Permissions are updated when they are no longer necessary. Necessary permissions are granted when features are enabled.
Additional permissions
- Permissions to service account to access extension service and configure autorecovery.
- Log-on-as-service rights to service account.