Loading...

Increasing Security for SQL Server Enabled by Azure Arc

Increasing Security for SQL Server Enabled by Azure Arc

Back in November 2023, the least privileges deployment model was introduced as a public preview. After thorough testing, we are excited to announce that the least privileges deployment mode for SQL Server enabled by Azure Arc will be become automatically available in the coming months if your Azure Extension for SQL Server is on the June, 2024 release (1.1.2717.190) or later. Starting in the August release, if there are any new Azure Arc-enabled SQL Servers which are automatically onboarded, they it will come with least privileges enabled as the default. This blog covers the details about the least privilege mode and describes details of the configuration changes to the SQL Servers that will be Arc-enabled. 

 

What is least privileges? 

The least privilege principle states that accounts and applications should only have access to the data and operations required. Now, with SQL Server enabled by Azure Arc, you can run the agent extension service with least privileges to perform the required tasks as per your Arc configuration, thus satisfying any requirements you may have to run the Azure Extension for SQL Server in the most secure manner. 

 

The Current Default State 

For releases prior to the February 2024 release of the Arc extension for SQL Server, when you install the Azure Arc extension for SQL Server, the installation creates a server-level role in SQL Server called SQLArcExtensionServerRole and a database-level role called SQLArcExtensionUserRole. It then adds NT_AUTHORITY\SYSTEM to each role while granting permissions to enable features required by Azure Arc.  

In some enterprises, it is against policy to add NT AUTHORITY\SYSTEM account to SQL Server roles even if it is scoped down to specific roles and permissions. If you are installing Azure Arc, you should make sure it abides by your organization’s IT policies. The least privilege mode has been designed to meet the permissions restrictions of such environments. 

 

The Least Privilege Mode 

This section describes the configuration changes made to Arc-enabled SQL Server when least privileges mode is deployed. In least privileges mode, SQL Server enabled by Azure Arc creates a new local Windows virtual account: NT Service\SQLServerExtension. 

This account is granted the minimum required privileges to run the Azure extension for SQL Server service on the Windows operating system and it only has access to folders and directories used for reading and storing configuration or writing logs. Additionally, it is granted permission to connect and query in SQL Server with a new login for that service account with the minimum permissions required by assigning that login to the SQLArcExtensionUserRole server-level and database-level roles.  

 

Prerequisites for running least privilege 

  1. Windows Server 2012 or later 
  2. SQL Server 2012 or later 
  3. Linux is not supported today 

How to Validate if Least Privilege is Enabled in Your Environment 

Please reference the documentation to validate if least privileges is enabled for your SQL Server: https://learn.microsoft.com/en-us/sql/sql-server/azure-arc/configure-least-privilege?view=sql-server-ver16. 

 

Where Can I Find Details on the Roles, Permissions and Files 

For details on the permissions granted for the NT Service\SQLServerExtension account, please reference this documentation link: https://learn.microsoft.com/en-us/sql/sql-server/azure-arc/configure-windows-accounts-agent?view=sql-server-ver16. 

 

How will the Public Preview of Least Privileges Mode impact your current environment 

We are automatically rolling out least privilege mode to all customers in the coming months. There is no action that you need to take to enable least privileges as it will be automatically enabled in the environment when deployed. 

 

If you would like to see the log file for the changes that are occurring when least privileges is enabled,this is the deployer log file where least privileges logs are present: C:\ProgramData\GuestConfig\extension_logs\Microsoft.AzureData.WindowsAgent.SqlServer<extension_version>\deployer.log 

 

Can Least Privileges mode be disabled? How can I control deployment of least privileges mode? 

If you would like to control when least privileges rolls out, you can block the extension upgrade to version 1.1.2717.190 or newer. If you do not block the extension upgrade, then least privileges will roll out automatically in your environment. Once least privileges is rolled out, it cannot be disabled. We are doing this to enhance security for all customers and do not recommend disabling the mode.  

 

Nikita Takru

Product Manager at Microsoft, Azure Data

 

Published on:

Learn more
Azure Arc Blog articles
Azure Arc Blog articles

Azure Arc Blog articles

Share post:

Related posts

Important Update: Server Name Indication (SNI) Now Mandatory for Azure DevOps Services

Earlier this year, we announced an upgrade to our network infrastructure and the new IP addresses you need to allow list in your firewall R...

10 hours ago

Azure Function | Publish | ‘attempt to publish the ZIP file failed’ error

While publishing a C# Azure Function from Visual Studio, I encountered the following error: The attempt to publish the ZIP file through XXXXX ...

1 day ago

Azure SDK Release (March 2025)

Azure SDK releases every month. In this post, you find this month's highlights and release notes. The post Azure SDK Release (March 2025) appe...

5 days ago

New Overlapping Secrets on Azure DevOps OAuth

As you may have read, Azure DevOps OAuth apps are due for deprecation in 2026. All developers are encouraged to migrate their applications to ...

6 days ago

Azure Cosmos DB Conf 2025: Learn, Build, and Connect with the Community

Join us for the 5th annual Azure Cosmos DB Conf, a free virtual developer event co-hosted by Microsoft and the Azure Cosmos DB community. This...

8 days ago

Summer 2025 Dynamics 365 Maps Release: Smarter Routing, Azure Maps, Canvas Apps & More!

Technology never stands still, and neither does Team Maplytics! With our latest March 2025 updates, your geo-mapping experience within Dynamic...

12 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy