Increasing Security for SQL Server Enabled by Azure Arc


Back in November 2023, the least privileges deployment model was introduced as a public preview. After thorough testing, we are excited to announce that the least privileges deployment mode for SQL Server enabled by Azure Arc will become automatically available in the coming months if your Azure Extension for SQL Server is on the June 2024 release (1.1.2717.190) or later. Starting in the August release, any new Azure Arc-enabled SQL Servers that are automatically onboarded will come with least privileges enabled as the default. This blog covers the details of the least privilege mode and describes the configuration changes made to the SQL Servers that will be Arc-enabled.

 

What is least privileges? 

The least privilege principle states that accounts and applications should only have access to the data and operations required. Now, with SQL Server enabled by Azure Arc, you can run the agent extension service with least privileges to perform the required tasks as per your Arc configuration, thus satisfying any requirements you may have to run the Azure Extension for SQL Server in the most secure manner. 

 

The Current Default State 

For releases prior to the February 2024 release of the Arc extension for SQL Server, when you install the Azure Arc extension for SQL Server, the installation creates a server-level role in SQL Server called SQLArcExtensionServerRole and a database-level role called SQLArcExtensionUserRole. It then adds NT AUTHORITY\SYSTEM to each role while granting permissions to enable features required by Azure Arc.

In some enterprises, it is against policy to add the NT AUTHORITY\SYSTEM account to SQL Server roles, even if it is scoped down to specific roles and permissions. If you are installing Azure Arc, you should make sure it abides by your organization’s IT policies. The least privilege mode has been designed to meet the permissions restrictions of such environments.

 

The Least Privilege Mode 

This section describes the configuration changes made to Arc-enabled SQL Server when least privileges mode is deployed. In least privileges mode, SQL Server enabled by Azure Arc creates a new local Windows virtual account: NT Service\SQLServerExtension. 

This account is granted the minimum privileges required to run the Azure extension for SQL Server service on the Windows operating system, and it only has access to the folders and directories used for reading and storing configuration or writing logs. Additionally, it is granted permission to connect and query in SQL Server through a new login for that service account. That login receives the minimum permissions required by being assigned to the SQLArcExtensionUserRole server-level and database-level roles.
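To see which of the two configurations described above an instance is in, the role membership can be read from the SQL Server catalog views. The queries below are an added example, not part of the original post and not the validation procedure from the Microsoft documentation; they assume only the role and account names given in this post.

```sql
-- Added example: audit who holds the Arc extension roles on this instance.
-- Role and account names are the ones named in this post; the rest are
-- standard SQL Server catalog views.

-- 1. Members of the server-level role, with a note on each member.
--    UPPER() keeps the comparison stable on case-sensitive collations.
SELECT r.name      AS server_role,
       m.name      AS member_login,
       m.type_desc AS member_type,
       CASE UPPER(m.name)
            WHEN N'NT AUTHORITY\SYSTEM'
                 THEN 'account added by the earlier default install'
            WHEN N'NT SERVICE\SQLSERVEREXTENSION'
                 THEN 'least privilege virtual account'
            ELSE 'not named in this post, review'
       END         AS assessment
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'SQLArcExtensionServerRole';

-- 2. Server-level permissions granted to that role, to compare against
--    the documented permission list.
SELECT p.state_desc, p.permission_name, p.class_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals  AS r ON r.principal_id = p.grantee_principal_id
WHERE r.name = N'SQLArcExtensionServerRole'
ORDER BY p.permission_name;

-- 3. Members of the database-level role in the current database.
--    Run once per database of interest.
SELECT DB_NAME()          AS database_name,
       r.name             AS database_role,
       m.name             AS member_user,
       SUSER_SNAME(m.sid) AS mapped_login
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'SQLArcExtensionUserRole';
```

An empty result from the first query means the server-level role does not exist or has no members on that instance.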

 

Prerequisites for running least privilege 

  1. Windows Server 2012 or later 
  2. SQL Server 2012 or later 
  3. Linux is not supported today 

How to Validate if Least Privilege is Enabled in Your Environment 

Please reference the documentation to validate if least privileges is enabled for your SQL Server: https://learn.microsoft.com/en-us/sql/sql-server/azure-arc/configure-least-privilege?view=sql-server-ver16. 

 

Where Can I Find Details on the Roles, Permissions and Files 

For details on the permissions granted for the NT Service\SQLServerExtension account, please reference this documentation link: https://learn.microsoft.com/en-us/sql/sql-server/azure-arc/configure-windows-accounts-agent?view=sql-server-ver16. 

 

How will the Public Preview of Least Privileges Mode impact your current environment 

We are automatically rolling out least privilege mode to all customers in the coming months. There is no action that you need to take to enable least privileges as it will be automatically enabled in the environment when deployed. 

 

If you would like to see the log file for the changes that occur when least privileges is enabled, the least privileges logs are written to the deployer log file: C:\ProgramData\GuestConfig\extension_logs\Microsoft.AzureData.WindowsAgent.SqlServer<extension_version>\deployer.log

 

Can Least Privileges mode be disabled? How can I control deployment of least privileges mode? 

If you would like to control when least privileges rolls out, you can block the extension upgrade to version 1.1.2717.190 or newer. If you do not block the extension upgrade, then least privileges will roll out automatically in your environment. Once least privileges is rolled out, it cannot be disabled. We are doing this to enhance security for all customers and do not recommend disabling the mode.  

 

Nikita Takru

Product Manager at Microsoft, Azure Data

 
