Closed
8 changes: 7 additions & 1 deletion docs/sql-server/azure-arc/configure-least-privilege.md
Expand Up @@ -6,6 +6,7 @@ ms.author: mikeray
ms.reviewer: nikitatakru
ms.topic: how-to
ms.date: 07/11/2024
ai-usage: ai-assisted

# customer intent: As a system engineer, compliance mandates that I configure services to run with least privilege.

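Review bot: `ms.date: 07/11/2024` in the front matter is left unchanged even though this change adds new guidance to the article body. Update `ms.date` in the same commit so readers and freshness tooling can tell the least privilege requirements were revised, and keep the new `ai-usage: ai-assisted` key grouped with the other `ms.*` metadata as it is here.
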
Expand Down Expand Up @@ -69,6 +70,11 @@ If you want to manage this process with more control, such that the SQL Server s

Repeat this procedure anytime features are enabled or disabled or SQL Server instances are added to allow `Deployer.exe` to grant the least privileges required.

> [!IMPORTANT]
> The Azure extension for SQL Server `Deployer.exe` requires `NT AUTHORITY\SYSTEM` to be able to connect to SQL Server, with `CONNECT SQL` permission, in both `standard` and `least privilege` modes. This requirement exists because `Deployer.exe` always runs under the `LocalSystem` account, regardless of which service account the extension uses after provisioning.
>
> If `NT AUTHORITY\SYSTEM` can't connect to SQL Server, `Deployer.exe` can't create the `NT Service\SQLServerExtension` login or grant the required permissions. Before you enable least privilege mode, verify that `NT AUTHORITY\SYSTEM` has an active SQL Server login with `CONNECT SQL` permission. See Prerequisites for verification steps.

### Tools

To complete the steps in this article, you need the following tools:
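
Review bot: The closing sentence "See Prerequisites for verification steps." is plain text with no link, and this change adds nothing to the Prerequisites section, so a reader cannot tell where the check for the `NT AUTHORITY\SYSTEM` login lives or whether it exists. Make it an anchor link to the Prerequisites heading and confirm that section actually describes how to verify the login and its `CONNECT SQL` permission. The note also says "Before you enable least privilege mode" but sits after the "Repeat this procedure" paragraph, so consider stating the requirement in Prerequisites itself, where it is read before the procedure. Since this is a least privilege article, it would help to say explicitly that `CONNECT SQL` is all `NT AUTHORITY\SYSTEM` needs for this step, so administrators do not restore broader rights to that login to get `Deployer.exe` working.
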
Expand Down Expand Up @@ -160,4 +166,4 @@ To verify that your SQL Server enabled by Azure Arc is configured to run with le

- [Configure advanced data security for your SQL Server instance](configure-advanced-data-security.md)
- [Configure best practices assessment on a [!INCLUDE [ssazurearc](../../includes/ssazurearc.md)] instance](assess.md)
- [Known issues: SQL Server enabled by Azure Arc](known-issues.md)
- [Known issues: SQL Server enabled by Azure Arc](known-issues.md)
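
Review bot: The removed and added `known-issues.md` link lines are textually identical, so the one deletion in this file looks like a whitespace or end-of-file newline change only. Confirm that is intentional, and if it is incidental editor churn, drop it from the change to keep the diff limited to the `Deployer.exe` guidance.
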
Comment thread
hdharshana marked this conversation as resolved.