docs/sql-server/azure-arc/security-overview.md
9 additions & 3 deletions
@@ -4,7 +4,7 @@ description: "Introduces security architecture and implementation for SQL Server
4
4
author: MikeRayMSFT
5
5
ms.author: mikeray
6
6
ms.topic: concept-article
7
-
ms.date: 07/26/2024
7
+
ms.date: 04/01/2026
8
8
ms.custom: sfi-image-nochange
9
9
10
10
# ms.service: sql defined in docfx.json
@@ -235,9 +235,8 @@ SQL Server enabled by Azure Arc stores the certificate for Microsoft Entra ID in
235
235
236
236
*[Rotate certificates](rotate-certificates.md)
237
237
*[Microsoft Entra authentication for SQL Server](../../relational-databases/security/authentication-access/azure-ad-authentication-sql-server-overview.md).
238
-
*[Tutorial: Set up Microsoft Entra authentication for SQL Server](entra-authentication-setup-tutorial.md)
239
238
240
-
To set up Microsoft Entra ID, follow the instructions at [Tutorial: Set up Microsoft Entra authentication for SQL Server](entra-authentication-setup-tutorial.md).
239
+
To set up Microsoft Entra ID, follow the instructions at [Tutorial: Set up Microsoft Entra authentication for SQL Server](microsoft-entra-authentication-with-managed-identity.md).
241
240
242
241
### Microsoft Purview
243
242
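Review bot: The link text in the rewritten "To set up Microsoft Entra ID" sentence still reads "Tutorial: Set up Microsoft Entra authentication for SQL Server" while the target changed from entra-authentication-setup-tutorial.md to microsoft-entra-authentication-with-managed-identity.md; if the new page's title differs, update the link text to match it so readers are not sent to a managed-identity article under a generic tutorial title. Also confirm that entra-authentication-setup-tutorial.md is redirected or no longer referenced anywhere else in the doc set, since this hunk drops the bullet that pointed to it while leaving the certificate-rotation and Entra authentication bullets in place.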
@@ -249,6 +248,12 @@ Key requirements to use [Purview](/purview/register-scan-azure-arc-enabled-sql-s
249
248
* The latest [self-hosted integration runtime](https://go.microsoft.com/fwlink/?linkid=2246619). For more information, see [Create and manage a self-hosted integration runtime](/purview/manage-integration-runtimes).
250
249
* For Azure RBAC, you need to have both Microsoft Entra ID and Azure Key Vault enabled.
251
250
251
+
### Remote management and script execution
252
+
253
+
Azure Arc supports remote management scenarios that include script execution on Arc-enabled servers via [Run Command](/azure/azure-arc/servers/run-command?tabs=azure-powershell). Run Command lets you securely execute scripts on connected machines without direct RDP or SSH access, using the Connected Machine agent as the control plane pathway.
254
+
255
+
Scripts executed through Run Command run in a highly privileged context (**Local System** on Windows or **root** on Linux). Treat this capability as remote admin access, and tightly govern authorization to avoid unintended elevation of privilege.
256
+
252
257
## Best practices
253
258
254
259
Implement the following configurations to comply with current best practices to secure instances of SQL Server enabled by Azure Arc:
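Review bot: The new "Remote management and script execution" section states the risk (scripts run as Local System on Windows or root on Linux) but not the control; the only mitigations in this change, least-privileged Azure RBAC for Run Command and blocking Run Command locally, appear further down under Best practices. Consider adding a sentence here that ties "tightly govern authorization" to those two anchors (#limit-access-to-run-command-preview and #block-run-commands-locally) so the section is self-contained. The phrase "securely execute scripts" also reads oddly beside the privilege warning; stating that the security boundary is Azure RBAC authorization on the control plane, not the script runtime, would make the point clearer.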
@@ -258,6 +263,7 @@ Implement the following configurations to comply with current best practices to
* Enable [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-sql-usage) and resolve the issues pointed out by Defender for SQL.
260
265
* Don't enable SQL authentication. It's disabled by default. Review [SQL Server security best practices](../../relational-databases/security/sql-server-security-best-practices.md).
266
+
* Restrict remote script execution using [Azure Run command with least-privileged Azure RBAC](/azure/azure-arc/servers/run-command?tabs=azure-powershell#limit-access-to-run-command-preview). Additionally, [block the Run command](/azure/azure-arc/servers/run-command?tabs=azure-powershell#block-run-commands-locally) in your Arc-enabled server, if you don't need it.
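Review bot: Terminology is inconsistent between this bullet and the new section above: the bullet writes "Azure Run command" and "the Run command", while the section uses "Run Command"; pick one form. The first anchor, #limit-access-to-run-command-preview, indicates the access-limiting guidance is in preview, so say so in the bullet (and in the new section) rather than leaving readers to discover it on the target page. Also "in your Arc-enabled server" should read "on your Arc-enabled servers", and "if you don't need it" reads better without the preceding comma.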