diff --git a/docs/sql-server/azure-arc/configure-least-privilege.md b/docs/sql-server/azure-arc/configure-least-privilege.md index 0acc29670f0..25be58c2df7 100644 --- a/docs/sql-server/azure-arc/configure-least-privilege.md +++ b/docs/sql-server/azure-arc/configure-least-privilege.md @@ -6,6 +6,7 @@ ms.author: mikeray ms.reviewer: nikitatakru ms.topic: how-to ms.date: 07/11/2024 +ai-usage: ai-assisted # customer intent: As a system engineer, compliance mandates that I configure services to run with least privilege. @@ -69,6 +70,11 @@ If you want to manage this process with more control, such that the SQL Server s Repeat this procedure anytime features are enabled or disabled or SQL Server instances are added to allow `Deployer.exe` to grant the least privileges required. +> [!IMPORTANT] +> The Azure extension for SQL Server `Deployer.exe` requires `NT AUTHORITY\SYSTEM` to be able to connect to SQL Server, with `CONNECT SQL` permission, in both `standard` and `least privilege` modes. This requirement exists because `Deployer.exe` always runs under the `LocalSystem` account, regardless of which service account the extension uses after provisioning. +> +> If `NT AUTHORITY\SYSTEM` can't connect to SQL Server, `Deployer.exe` can't create the `NT Service\SQLServerExtension` login or grant the required permissions. Before you enable least privilege mode, verify that `NT AUTHORITY\SYSTEM` has an active SQL Server login with `CONNECT SQL` permission. See Prerequisites for verification steps. + ### Tools To complete the steps in this article, you need the following tools: 
@@ -160,4 +166,4 @@ To verify that your SQL Server enabled by Azure Arc is configured to run with le - [Configure advanced data security for your SQL Server instance](configure-advanced-data-security.md) - [Configure best practices assessment on a [!INCLUDE [ssazurearc](../../includes/ssazurearc.md)] instance](assess.md) -- [Known issues: SQL Server enabled by Azure Arc](known-issues.md) \ No newline at end of file +- [Known issues: SQL Server enabled by Azure Arc](known-issues.md)
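Review bot: In the front-matter hunk (`@@ -6,6 +6,7 @@`), `ms.date: 07/11/2024` stays unchanged although this patch adds a new requirement to the article body. Consider updating `ms.date` in the same change so readers and reviewers can tell that the guidance was revised, rather than only adding `ai-usage: ai-assisted`.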
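Review bot: In the `[!IMPORTANT]` block added by the `@@ -69,6 +70,11 @@` hunk, the closing sentence "See Prerequisites for verification steps." is plain text with no link, and no hunk in this patch touches a Prerequisites section, so the diff alone does not show that those steps exist. Turn it into an in-page link to that heading and confirm the section shows how to check that `NT AUTHORITY\SYSTEM` has a login with `CONNECT SQL`; if it does not, add the steps in this change. The phrase "active SQL Server login" is also ambiguous: say whether it means the login exists, is enabled, or both, since a disabled login would also stop `Deployer.exe` from creating `NT Service\SQLServerExtension`.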