Update configure-least-privilege.md #10320
hdharshana wants to merge 1 commit into MicrosoftDocs:live from
@hdharshana: Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.
@MikeRayMSFT, could you please help add Sarah, Shiwani, and Madeline as reviewers to this PR?
Learn Build status updates of commit d7cb850: ✅ Validation status: passed
For more details, please refer to the build report.
Can you review the proposed changes? IMPORTANT: When the changes are ready for publication, adding a #label:"aq-pr-triaged"
Pull request overview
Updates the Azure Arc SQL Server “least privilege” documentation to clarify a deployment/runtime requirement for Deployer.exe, and fixes formatting in the Related content section.
Changes:
- Added an IMPORTANT note explaining that `Deployer.exe` runs as LocalSystem and requires `NT AUTHORITY\SYSTEM` connectivity/permissions in both standard and least-privilege modes.
- Fixed indentation/formatting for the “Known issues” link under Related content.
| > The Azure extension for SQL Server **Deployer** requires **NT AUTHORITY\SYSTEM** to be able to connect to SQL Server (with **CONNECT SQL** permission) in both **standard** and **least‑privilege** modes. This is because the Deployer always runs under the **LocalSystem** account, regardless of which service account is used by the extension after provisioning. | ||
| > | ||
| > If **NT AUTHORITY\SYSTEM** cannot connect to SQL Server, the Deployer cannot create the **NT SERVICE\SQLServerExtension** login or grant the required permissions. Before enabling least‑privilege mode, verify that **NT AUTHORITY\SYSTEM** has an active SQL Server login with **CONNECT SQL** permission. See **Prerequisites** for verification steps. |
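Review bot: the note names `CONNECT SQL` as the permission `NT AUTHORITY\SYSTEM` needs, but the action it describes in the second paragraph, creating the `NT SERVICE\SQLServerExtension` login and granting it permissions, requires more than `CONNECT SQL`: creating a login needs `ALTER ANY LOGIN` on the server, and granting server permissions needs the grantor to hold them with GRANT OPTION or to have `CONTROL SERVER`. Please state the minimum server-level privileges SYSTEM must hold at provisioning time, or say explicitly that SYSTEM is expected to be a sysadmin during provisioning, so that readers applying least privilege do not reduce SYSTEM to `CONNECT SQL` and then have provisioning fail.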
This IMPORTANT note introduces inconsistent formatting/terminology that makes copy/paste and searching harder (for example: bolding vs code style, Deployer vs Deployer.exe, NT SERVICE\SQLServerExtension vs the existing NT Service\SQLServerExtension, and the nonstandard hyphen in “least‑privilege”). Please align these identifiers/permission names with the rest of the article (use code formatting and consistent casing, and prefer “least privilege” consistently).
| > The Azure extension for SQL Server **Deployer** requires **NT AUTHORITY\SYSTEM** to be able to connect to SQL Server (with **CONNECT SQL** permission) in both **standard** and **least‑privilege** modes. This is because the Deployer always runs under the **LocalSystem** account, regardless of which service account is used by the extension after provisioning. | |
| > | |
| > If **NT AUTHORITY\SYSTEM** cannot connect to SQL Server, the Deployer cannot create the **NT SERVICE\SQLServerExtension** login or grant the required permissions. Before enabling least‑privilege mode, verify that **NT AUTHORITY\SYSTEM** has an active SQL Server login with **CONNECT SQL** permission. See **Prerequisites** for verification steps. | |
| > The Azure extension for SQL Server `Deployer.exe` requires `NT AUTHORITY\SYSTEM` to be able to connect to SQL Server, with `CONNECT SQL` permission, in both `standard` and `least privilege` modes. This requirement exists because `Deployer.exe` always runs under the `LocalSystem` account, regardless of which service account the extension uses after provisioning. | |
| > | |
| > If `NT AUTHORITY\SYSTEM` can't connect to SQL Server, `Deployer.exe` can't create the `NT Service\SQLServerExtension` login or grant the required permissions. Before you enable least privilege mode, verify that `NT AUTHORITY\SYSTEM` has an active SQL Server login with `CONNECT SQL` permission. See Prerequisites for verification steps. |
| > The Azure extension for SQL Server **Deployer** requires **NT AUTHORITY\SYSTEM** to be able to connect to SQL Server (with **CONNECT SQL** permission) in both **standard** and **least‑privilege** modes. This is because the Deployer always runs under the **LocalSystem** account, regardless of which service account is used by the extension after provisioning. | ||
| > | ||
| > If **NT AUTHORITY\SYSTEM** cannot connect to SQL Server, the Deployer cannot create the **NT SERVICE\SQLServerExtension** login or grant the required permissions. Before enabling least‑privilege mode, verify that **NT AUTHORITY\SYSTEM** has an active SQL Server login with **CONNECT SQL** permission. See **Prerequisites** for verification steps. |
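Review bot: “See Prerequisites for verification steps” does not resolve to any concrete steps, and since the note asks readers to confirm an active login with `CONNECT SQL` before they enable least privilege mode, consider quoting the check inline, for example `SELECT p.name, p.is_disabled, sp.permission_name, sp.state_desc FROM sys.server_principals AS p LEFT JOIN sys.server_permissions AS sp ON sp.grantee_principal_id = p.principal_id WHERE p.name = N'NT AUTHORITY\SYSTEM';`, and telling the reader that no row, `is_disabled = 1`, or a `CONNECT SQL` row whose `state_desc` is `DENY` means the Deployer cannot connect and the login must be created or re-enabled first.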
The note says “See Prerequisites for verification steps,” but the Prerequisites section in this article doesn’t include any steps for verifying that NT AUTHORITY\SYSTEM can connect / has CONNECT SQL. Please either add the verification steps here or change the reference to point to the specific article/section that contains those steps.
| - [Configure advanced data security for your SQL Server instance](configure-advanced-data-security.md) | ||
| - [Configure best practices assessment on a [!INCLUDE [ssazurearc](../../includes/ssazurearc.md)] instance](assess.md) | ||
| - [Known issues: SQL Server enabled by Azure Arc](known-issues.md) No newline at end of file | ||
| - [Known issues: SQL Server enabled by Azure Arc](known-issues.md) |
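Review bot: the only visible difference between the removed and added “Known issues” bullet is the `No newline at end of file` marker, so this hunk fixes the trailing newline rather than indentation; if the indentation fix mentioned in the pull request overview is meant to be here, the leading whitespace was lost in rendering, so please confirm the added bullet sits flush with the two bullets above it and matches the list's existing indentation.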
Markdown rendering is currently broken around this section because the SQL code block that starts above (the database-level permissions query) is missing a closing ``` fence. As a result, the “Related content” heading and bullets will be rendered as part of the code block. Please add the missing closing fence after the query before the Related content section.
| > [!IMPORTANT] | ||
| > The Azure extension for SQL Server **Deployer** requires **NT AUTHORITY\SYSTEM** to be able to connect to SQL Server (with **CONNECT SQL** permission) in both **standard** and **least‑privilege** modes. This is because the Deployer always runs under the **LocalSystem** account, regardless of which service account is used by the extension after provisioning. | ||
| > | ||
| > If **NT AUTHORITY\SYSTEM** cannot connect to SQL Server, the Deployer cannot create the **NT SERVICE\SQLServerExtension** login or grant the required permissions. Before enabling least‑privilege mode, verify that **NT AUTHORITY\SYSTEM** has an active SQL Server login with **CONNECT SQL** permission. See **Prerequisites** for verification steps. |
The new content looks like a substantial AI-assisted addition, but the article’s YAML front matter doesn’t include the required ai-usage field. Please add ai-usage: ai-assisted (or the appropriate value) to the front matter so the article complies with the repo’s AI disclosure requirement.