The SQL Server IaaS Extension is installed by default on Azure virtual machines deployed from SQL Server based images on Azure Marketplace. The extension manages SQL Server configuration on the VM, including SQL Server connectivity, storage configuration, automated backup, automated security patching and Azure Key Vault (AKV) integration. It automates all of these administrative tasks and enables monitoring and management through the Azure Portal without any need to log in to the VM.
Starting with SQL Server IaaS Extension version 2.0, two Windows services are created on the VM:
1- Microsoft SQL Server IaaS Agent: Main service for the SQL Server IaaS Extension. It runs as the Local System account.
2- Microsoft SQL Server IaaS Query Service: Helper service for the SQL Server IaaS Extension that runs SQL queries against SQL Server on the IaaS virtual machine. It runs as an NT Service account.
The Query Service was added so that the SQL IaaS Extension runs with the least privileged accounts possible on the VM. The SQL Server IaaS Agent service needs Local System rights to install and configure SQL Server, attach disks, enable the storage pool, and manage automated security patching of Windows and SQL Server.
The SQL Server IaaS Query Service does not need Local System rights because it only executes T-SQL for the automated administrative tasks. It is started with an NT Service account that is a sysadmin on the SQL Server instance. The SQL Server IaaS Extension enables the SQL Server Configurations blade in the Azure Portal. If you lower the SQL Server permissions for the NT Service\SQLIaaSExtensionQuery account, you will not be able to use the SQL Server Configurations blade in the portal successfully.
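The following PowerShell audit is an added example, not part of the original page or of Microsoft's tooling. It checks that the two services log on with the accounts described above and that the query account still holds sysadmin. It assumes a default local instance (`localhost`) and a caller who can connect with Windows authentication.

```powershell
# Added example: audit the SQL IaaS Extension service accounts described on this page.
# Assumptions: default instance on localhost; run from an elevated session on the VM.
$expected = @{
    'Microsoft SQL Server IaaS Agent'         = 'LocalSystem'
    'Microsoft SQL Server IaaS Query Service' = 'NT Service\SQLIaaSExtensionQuery'
}

# 1. Compare each service's logon account with the expected one.
$services = Get-CimInstance -ClassName Win32_Service
$report = foreach ($displayName in $expected.Keys) {
    $svc = $services | Where-Object { $_.DisplayName -eq $displayName }
    [pscustomobject]@{
        DisplayName     = $displayName
        Found           = [bool]$svc
        State           = $svc.State
        LogonAccount    = $svc.StartName
        ExpectedAccount = $expected[$displayName]
        AccountMatches  = ($svc.StartName -eq $expected[$displayName])
    }
}
$report | Format-Table -AutoSize

# 2. Confirm the query service login is still a member of sysadmin.
$login = 'NT Service\SQLIaaSExtensionQuery'
$conn  = New-Object System.Data.SqlClient.SqlConnection `
    'Server=localhost;Integrated Security=True;Connect Timeout=5'
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = "SELECT IS_SRVROLEMEMBER('sysadmin', @login)"
    [void]$cmd.Parameters.AddWithValue('@login', $login)
    $result = $cmd.ExecuteScalar()

    if ($result -is [System.DBNull]) {
        # NULL means the login does not exist or is not visible to the caller.
        Write-Warning "Login '$login' was not found on this instance."
    } elseif ([int]$result -eq 1) {
        Write-Output "'$login' is a sysadmin; the portal configuration blade can function."
    } else {
        Write-Warning "'$login' is NOT a sysadmin; the portal configuration blade will fail."
    }
} finally {
    $conn.Dispose()
}
```

A mismatch in `AccountMatches` or a missing sysadmin membership indicates the service configuration has drifted from the defaults the extension expects.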