Merge pull request #30379 from MikeRayMSFT/240415-least-privilege-update

v-dirichards · web-flow · commit 1057c42f17d3 · 2024-04-17T15:12:01.000-05:00
Add note for least privilege to become default
diff --git a/docs/sql-server/azure-arc/agent-extension-files.md b/docs/sql-server/azure-arc/agent-extension-files.md
@@ -34,6 +34,9 @@ This article lists the files and the registry keys created by the installation o
 | `C:\Windows\ServiceProfiles\SqlServerExtension\AppData\Local\Microsoft SQL Server Extension Agent\*` | When configured for [least privilege](configure-least-privilege.md) <br/><br/> Feature application |
 | `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft SQL Server Extension Agent\*`| When not configured for [least privilege](configure-least-privilege.md) <br/></br> Feature application |
 
+> [!NOTE]
+> [!INCLUDE [least-privilege-default](includes/least-privilege-default.md)]
+
 ## Registry keys
 
 Base key: `HKEY_LOCAL_MACHINE`
diff --git a/docs/sql-server/azure-arc/backup-local.md b/docs/sql-server/azure-arc/backup-local.md
@@ -62,6 +62,9 @@ If both database and instance level backup schedule is set, database level sched
 
 The backup service within the Azure extension for Arc-enabled SQL Server uses [NT AUTHORITY\SYSTEM] account to perform the backups. If you're [operating SQL Server enabled by Arc with least privilege](configure-least-privilege.md), A local Windows account - [NT Service\SQLServerExtension] - performs the backup.
 
+> [!NOTE]
+> [!INCLUDE [least-privilege-default](includes/least-privilege-default.md)]
+
 If you use Azure extension for SQL Server [version 1.1.2504.99](release-notes.md#november-14-2023) or later, the necessary permissions are granted to [NT AUTHORITY\SYSTEM] automatically. You don't need to assign permissions manually.
 
 **For earlier extensions only**, follow the below steps to assign permission to [NT AUTHORITY\SYSTEM] account.
diff --git a/docs/sql-server/azure-arc/configure-least-privilege.md b/docs/sql-server/azure-arc/configure-least-privilege.md
@@ -21,6 +21,9 @@ To optionally configure the service to run with least privilege, follow the step
 
 [Configure Windows service accounts and permissions for Azure Extension for SQL Server](configure-windows-accounts-agent.md) describes the least privilege permissions for the agent extension service.
 
+> [!NOTE]
+> [!INCLUDE [least-privilege-default](includes/least-privilege-default.md)]
+
 Support for this configuration is currently available for preview.
 
 [!INCLUDE [azure-arc-sql-preview](includes/azure-arc-sql-preview.md)]
diff --git a/docs/sql-server/azure-arc/configure-windows-accounts-agent.md b/docs/sql-server/azure-arc/configure-windows-accounts-agent.md
@@ -14,6 +14,9 @@ ms.topic: reference
 
 This article lists the permissions Azure extension for SQL Server sets on an instance of for the `NT Service\SQLServerExtension` account. This account is used when you [Operate SQL Server enabled by Azure Arc with least privilege (preview)](configure-least-privilege.md).
 
+> [!NOTE]
+> [!INCLUDE [least-privilege-default](includes/least-privilege-default.md)]
+
 Manually setting the permissions for the agent account is not supported.
 
 The extension sets permissions when you enable features on the Azure portal. If you don't enable a feature, the extension does not set the permissions for that feature. If you disable a feature, the extension removes the permissions.
diff --git a/docs/sql-server/azure-arc/includes/least-privilege-default.md b/docs/sql-server/azure-arc/includes/least-privilege-default.md
@@ -0,0 +1,9 @@
+---
+author: MikeRayMSFT
+ms.service: azure-arc
+ms.topic: include
+ms.date: 04/16/2024
+ms.author: mikeray
+---
+
+If the Azure Extension is version `1.1.2594.118` (February 2024 release) or later, then the least privileges mode will become the default mode in the coming months.
diff --git a/docs/sql-server/azure-arc/troubleshoot-assessment.md b/docs/sql-server/azure-arc/troubleshoot-assessment.md
@@ -80,7 +80,7 @@ The server principal isn't able to access the database under the current securit
 
 Ensure the SQL Server built-in login NT AUTHORITY\SYSTEM is a member of the SQL Server sysadmin server role for all the SQL Server instances running on the machine.
 
-If this isn't allowed, you can configure a least privilege account for the Azure extension for SQL Server service on your SQL Server machine. Least Privilege account is available for preview.
+If this isn't allowed, you can configure a least privilege account for the Azure extension for SQL Server service on your SQL Server machine. Least privilege account is available for preview.
 
 To configure your server, follow the steps in [Operate SQL Server enabled by Azure Arc with least privilege (preview)](configure-least-privilege.md).
 
