Loading...

Increasing Security for SQL Server Enabled by Azure Arc

Increasing Security for SQL Server Enabled by Azure Arc

Back in November 2023, the least privileges deployment model was introduced as a public preview. After thorough testing, we are excited to announce that the least privileges deployment mode for SQL Server enabled by Azure Arc will be become automatically available in the coming months if your Azure Extension for SQL Server is on the June, 2024 release (1.1.2717.190) or later. Starting in the August release, if there are any new Azure Arc-enabled SQL Servers which are automatically onboarded, they it will come with least privileges enabled as the default. This blog covers the details about the least privilege mode and describes details of the configuration changes to the SQL Servers that will be Arc-enabled. 

 

What is least privileges? 

The least privilege principle states that accounts and applications should only have access to the data and operations required. Now, with SQL Server enabled by Azure Arc, you can run the agent extension service with least privileges to perform the required tasks as per your Arc configuration, thus satisfying any requirements you may have to run the Azure Extension for SQL Server in the most secure manner. 

 

The Current Default State 

For releases prior to the February 2024 release of the Arc extension for SQL Server, when you install the Azure Arc extension for SQL Server, the installation creates a server-level role in SQL Server called SQLArcExtensionServerRole and a database-level role called SQLArcExtensionUserRole. It then adds NT_AUTHORITY\SYSTEM to each role while granting permissions to enable features required by Azure Arc.  

In some enterprises, it is against policy to add NT AUTHORITY\SYSTEM account to SQL Server roles even if it is scoped down to specific roles and permissions. If you are installing Azure Arc, you should make sure it abides by your organization’s IT policies. The least privilege mode has been designed to meet the permissions restrictions of such environments. 

 

The Least Privilege Mode 

This section describes the configuration changes made to Arc-enabled SQL Server when least privileges mode is deployed. In least privileges mode, SQL Server enabled by Azure Arc creates a new local Windows virtual account: NT Service\SQLServerExtension. 

This account is granted the minimum required privileges to run the Azure extension for SQL Server service on the Windows operating system and it only has access to folders and directories used for reading and storing configuration or writing logs. Additionally, it is granted permission to connect and query in SQL Server with a new login for that service account with the minimum permissions required by assigning that login to the SQLArcExtensionUserRole server-level and database-level roles.  

 

Prerequisites for running least privilege 

  1. Windows Server 2012 or later 
  2. SQL Server 2012 or later 
  3. Linux is not supported today 

How to Validate if Least Privilege is Enabled in Your Environment 

Please reference the documentation to validate if least privileges is enabled for your SQL Server: https://learn.microsoft.com/en-us/sql/sql-server/azure-arc/configure-least-privilege?view=sql-server-ver16. 

 

Where Can I Find Details on the Roles, Permissions and Files 

For details on the permissions granted for the NT Service\SQLServerExtension account, please reference this documentation link: https://learn.microsoft.com/en-us/sql/sql-server/azure-arc/configure-windows-accounts-agent?view=sql-server-ver16. 

 

How will the Public Preview of Least Privileges Mode impact your current environment 

We are automatically rolling out least privilege mode to all customers in the coming months. There is no action that you need to take to enable least privileges as it will be automatically enabled in the environment when deployed. 

 

If you would like to see the log file for the changes that are occurring when least privileges is enabled,this is the deployer log file where least privileges logs are present: C:\ProgramData\GuestConfig\extension_logs\Microsoft.AzureData.WindowsAgent.SqlServer<extension_version>\deployer.log 

 

Can Least Privileges mode be disabled? How can I control deployment of least privileges mode? 

If you would like to control when least privileges rolls out, you can block the extension upgrade to version 1.1.2717.190 or newer. If you do not block the extension upgrade, then least privileges will roll out automatically in your environment. Once least privileges is rolled out, it cannot be disabled. We are doing this to enhance security for all customers and do not recommend disabling the mode.  

 

Nikita Takru

Product Manager at Microsoft, Azure Data

 

Published on:

Learn more
Azure Arc Blog articles
Azure Arc Blog articles

Azure Arc Blog articles

Share post:

Related posts

How to create Microsoft Azure 30 days trial?

Microsoft Azure is a comprehensive cloud computing platform developed by Microsoft. It provides a wide range of cloud services, including comp...

3 hours ago

Azure SDK Release (April 2025)

Azure SDK releases every month. In this post, you find this month's highlights and release notes. The post Azure SDK Release (April 2025) appe...

14 hours ago

Getting Started with Azure Cosmos DB Using the Python SDK

If you’re new to Azure Cosmos DB and looking to build applications with Python, you’re in the right place. I’ve created a four-par...

16 hours ago

Azure Developer CLI (azd) in a real-life scenario

This post shares some useful tips and lessons learned while using azd during a migration. The post Azure Developer CLI (azd) in a real-life sc...

1 day ago

Webinar: Translate Dynamics 365 Data in Real-Time using Azure AI Translator with our New App!

Is your business operating across multiple regions? Managing multilingual CRM data in Microsoft Dynamics 365 can lead to communication gaps, d...

1 day ago

Spring Cleaning: A CTA for Azure DevOps OAuth Apps with expired or long-living secrets

Today, we officially closed the doors on any new Azure DevOps OAuth app registrations. As we prepare for the end-of-life for Azure DevOps OAut...

2 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy