SQL Server IaaS Extension Query Service for SQL Server on Azure VM

SQL Server IaaS Extension is installed by default on Azure virtual machines deployed from SQL Server based images on Azure Marketplace. The SQL Server IaaS Extension manages SQL Server configuration on the VM, including SQL Server connectivity, storage configuration, automated backup, automated security patching and Azure Key Vault (AKV) integration. The extension automates all of these administrative tasks and enables monitoring and management through the Azure Portal without any need to log in to the VM.

Starting with SQL Server IaaS Extension version 2.0, two Windows services are created on the VM:

1- SQL Server IaaS Agent: the main service for the SQL Server IaaS Extension; it runs as the Local System account.

2- SQL Server IaaS Query Service: a helper service for the SQL Server IaaS Extension that runs SQL queries against the SQL Server instance on the IaaS virtual machine; it runs as an NT Service account.

The reason for adding the new Query Service is to run the SQL IaaS Extension with the least privileged accounts on the VM. The SQL Server IaaS Agent Service needs Local System rights to be able to install and configure SQL Server, attach disks, enable the storage pool, and manage automated security patching of Windows and SQL Server.

The SQL Server IaaS Query Service does not need Local System rights, as it only executes T-SQL for the automated administrative tasks. The SQL Server IaaS Query Service is started with an NT Service account that is a member of the sysadmin fixed server role on the SQL Server instance. The SQL Server IaaS Extension is what enables the SQL Server configuration blade on the Azure Portal. If you lower the SQL Server permissions of the NT Service\SQLIaaSExtensionQuery login, then you will not be able to successfully use the SQL Server configuration blade on the portal.
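The privilege split described above is easy to verify from inside the VM. The following PowerShell is an added example for this article, not code from Microsoft or from the extension itself: it lists the extension's Windows services with their log-on accounts and then checks whether the query service's login still holds sysadmin. It assumes it is run on the Azure VM as a local administrator with the SqlServer PowerShell module (Invoke-Sqlcmd) installed, a default SQL Server instance, and that the two services can be recognised by a display name containing "SQL Server IaaS" (the exact Windows service names are not stated in the article).

```powershell
# Added example, not part of the original article.
# Assumptions: run locally on the Azure VM as an administrator; SqlServer module
# available; default instance; service display names contain "SQL Server IaaS".

# 1) Which account does each SQL IaaS Extension service log on as?
#    Win32_Service.StartName holds the log-on account. Expected per the article:
#    the agent runs as LocalSystem, the query service as an NT Service account.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like '*SQL Server IaaS*' }

$serviceReport = foreach ($svc in $services) {
    $expectedPrefix = if ($svc.DisplayName -like '*Query*') { 'NT Service\' } else { 'LocalSystem' }
    [pscustomobject]@{
        Service    = $svc.Name
        Display    = $svc.DisplayName
        Account    = $svc.StartName
        State      = $svc.State
        AsExpected = ($svc.StartName -like "$expectedPrefix*")
    }
}
$serviceReport | Format-Table -AutoSize

# 2) Is the query service's login still a member of sysadmin?
#    The article states that removing it breaks the portal's SQL Server
#    configuration blade, so a 0 here explains a non-functional blade.
$query = @"
SELECT sp.name      AS login_name,
       sp.type_desc AS login_type,
       sp.is_disabled,
       CASE WHEN r.name IS NULL THEN 0 ELSE 1 END AS is_sysadmin
FROM sys.server_principals AS sp
LEFT JOIN sys.server_role_members AS rm
       ON rm.member_principal_id = sp.principal_id
LEFT JOIN sys.server_principals AS r
       ON r.principal_id = rm.role_principal_id AND r.name = N'sysadmin'
WHERE sp.name = N'NT Service\SQLIaaSExtensionQuery';
"@

# For a named instance use 'localhost\InstanceName'. SqlServer module v22+
# encrypts connections by default; add -TrustServerCertificate if the instance
# only has a self-signed certificate.
$loginReport = Invoke-Sqlcmd -ServerInstance 'localhost' -Query $query
$loginReport | Format-Table -AutoSize

if (-not $loginReport) {
    Write-Warning 'No login named NT Service\SQLIaaSExtensionQuery exists on this instance.'
} elseif ($loginReport.is_sysadmin -ne 1 -or $loginReport.is_disabled -eq 1) {
    Write-Warning 'Query service login lacks sysadmin or is disabled; the portal configuration blade will not work.'
}
```

An empty result from the second query means the login was dropped rather than demoted; either way the fix is to restore the login's sysadmin membership (or reinstall the extension), not to run the query service as Local System.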


This article was originally published by Microsoft's Secure Blog. You can find the original article here.