Automate management with the Windows SQL Server IaaS Agent extension

Applies to: SQL Server on Azure VM

The SQL Server IaaS Agent extension (SqlIaasExtension) runs on SQL Server on Azure Windows Virtual Machines (VMs) to automate management and administration tasks.

This article provides an overview of the extension. To install the SQL Server IaaS Agent extension to SQL Server on Azure VMs, see the articles for Automatic registration, Register single VMs, or Register VMs in bulk.

Warning

Placing tempdb on the local temp disk for Azure VM images with uninitialized ephemeral disks, such as the FXmdsv2, isn't supported. This issue only affects Azure Virtual Machines with the new NVMe interface that also has local ephemeral storage. These deployments through the Azure portal might fail, and SQL Server can fail to start. Either use a different VM series, or place tempdb on non-ephemeral storage both when you deploy the SQL Server image through the Azure portal, and when you install SQL Server manually. To learn more about the issue and see a list of impacted VMs, review VM deployment and SQL Server failures.

To learn more about the SQL Server on Azure VM deployment and management experience, watch the following Data Exposed videos:

Note

You can now view individual SQL Server on Azure VM instances and databases in the Azure portal by using the SQL Server instances resource. To learn more, see unified inventory (preview).

Overview

The SQL Server IaaS Agent extension integrates with the Azure portal and unlocks several benefits for SQL Server on Azure VMs:

  • Feature benefits: The extension unlocks automation feature benefits, such as portal management, license flexibility, automated backup, automated patching, and more. For details, see Feature benefits.

  • Compliance: The extension offers a simplified method to fulfill the requirement of notifying Microsoft that you enabled the Azure Hybrid Benefit, as specified in the product terms. This process negates the need to manage licensing registration forms for each resource.

  • Free: The extension is free. There's no additional cost associated with the extension.

  • Integration with centrally managed Azure Hybrid Benefit: SQL Server VMs registered with the extension can integrate with Centrally managed Azure Hybrid Benefit, so it's easy to manage the Azure Hybrid Benefit for your SQL Server VMs at scale.

  • Simplified license management: The extension simplifies SQL Server license management. Use the SQL virtual machines resource in the Azure portal to quickly identify SQL Server VMs that use the Azure Hybrid Benefit.

Enable auto upgrade to ensure you get the latest updates to the extension each month.

Feature benefits

The SQL Server IaaS Agent extension provides several feature benefits for managing your SQL Server VM. You can choose the benefits that best suit your business needs. When you first register with the extension, you get access to features that don't rely on the SQL IaaS Agent. When you enable a feature that requires the agent, the agent is installed on the SQL Server VM.

The following table lists the benefits you can get through the SQL IaaS Agent extension and whether the agent is required for each benefit:

| Feature | Description |
|---|---|
| Azure portal management | Unlocks management in the portal, so that you can view all of your SQL Server VMs in one place, and enable or disable SQL specific features directly from the portal. Included with basic registration. |
| Automated backup | Automates the scheduling of backups for all databases for either the default instance or a properly installed named instance of SQL Server on the VM. For more information, see Automated backup for SQL Server in Azure virtual machines (Resource Manager). Requires SQL IaaS Agent extension. |
| Automatic patching | Automatically install Windows and SQL Server security updates (including Cumulative Updates for SQL Server) to your virtual machine during a configured maintenance window to avoid updating during peak times for your workload. For more information, see Automatic patching through Azure Update Manager. Requires SQL IaaS Agent extension. |
| Azure Key Vault integration | Enables you to automatically install and configure Azure Key Vault on your SQL Server VM. For more information, see Configure Azure Key Vault integration for SQL Server on Azure Virtual Machines (Resource Manager). Requires SQL IaaS Agent extension. |
| Configure tempdb | You can configure your tempdb directly from the Azure portal, such as specifying the number of files, their initial size, their location, and the autogrowth ratio. Restart your SQL Server service for the changes to take effect. Requires SQL IaaS Agent extension. |
| Defender for Cloud portal integration | If you've enabled Microsoft Defender for SQL, then you can view Defender for Cloud recommendations directly in the SQL virtual machines resource of the Azure portal. See Security best practices to learn more. Requires SQL IaaS Agent extension. |
| Extended security updates | Automatically receive security updates for your SQL Server on Azure VMs, up to three years after extended SQL Server lifecycle support ends. |
| Flexible licensing | Save on cost by seamlessly transitioning from the Azure Hybrid Benefit to the pay-as-you-go licensing model and back again. Included with basic registration. |
| Flexible version / edition | If you decide to change the version or edition of SQL Server, you can update the metadata within the Azure portal without having to redeploy the entire SQL Server VM. Included with basic registration. |
| I/O Analysis | View an analysis of your I/O performance in the Azure portal to find issues that result from exceeding virtual machines and data disks limits. This feature is currently in preview. Requires SQL IaaS Agent extension. |
| Microsoft Entra authentication | Enhance the security of your SQL Server VM by using Microsoft Entra ID for authentication to your SQL Server VM. Requires SQL IaaS Agent extension. |
| SQL best practices assessment | Enables you to assess the health of your SQL Server VMs by using configuration best practices. For more information, see SQL best practices assessment. Requires SQL IaaS Agent extension. |
| View disk utilization in portal | Allows you to view a graphical representation of the disk utilization of your SQL data files in the Azure portal. Requires SQL IaaS Agent extension. |

Permission models

By default, the SQL IaaS Agent extension uses the least privilege mode permission model. The least privilege permission model grants the minimum permissions required for each feature that you enable. Each feature that you use is assigned a custom role in SQL Server, and the custom role only has permissions that are required to perform actions related to the feature.

The following table defines the SQL Server permissions and custom roles used by each feature of the extension:

| Feature | Permissions | Custom role (Server / DB) |
|---|---|---|
| Automated backups | Server permission - CONTROL SERVER; Database permission - db_ddladmin on master, db_backupoperator on msdb | SqlIaaSExtension_AutoBackup |
| Availability group portal management | sysadmin | |
| Azure Backup Service | sysadmin to account NT SERVICE\AzureWLBackupPluginSvc | |
| Credential management | Server permission - CONTROL SERVER | SqlIaaSExtension_CredentialMgmt |
| I/O related best practices | Server permission - CONTROL SERVER | SqlIaaSExtension_ThrottlingAssessment |
| SQL best practices assessment | Server permission - CONTROL SERVER | SqlIaaSExtension_Assessment |
| SQL Server instance settings | Server permission - ALTER ANY LOGIN, ALTER SETTINGS | SqlIaaSExtension_SqlInstanceSetting |
| Storage configuration | Server permission - ALTER ANY DATABASE | SqlIaaSExtension_StorageConfig |
| Status reporting | Server permission - VIEW ANY DEFINITION, VIEW SERVER STATE, ALTER ANY LOGIN, CONNECT SQL | SqlIaaSExtension_StatusReporting |

SQL Server VMs deployed before October 2022 use the older sysadmin model where the SQL IaaS Agent extension takes sysadmin rights by default. For SQL Server VMs provisioned before October 2022, you can enable the least privilege permissions model manually.
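
One way to check which permission model is in effect on a given instance, as an added T-SQL example that is not part of the original article or the extension's own code: it compares the server permissions held by the SqlIaaSExtension_* roles with the table above, then lists the server roles of the two service identities named in the Installation section. That the rights are carried by those two logins is an assumption, and the database-level permissions for automated backups are not covered.

```sql
-- Expected server permissions per custom role, copied from the table above.
DECLARE @expected TABLE (
    role_name       nvarchar(128) COLLATE DATABASE_DEFAULT,
    permission_name nvarchar(128) COLLATE DATABASE_DEFAULT);
INSERT INTO @expected VALUES
    (N'SqlIaaSExtension_AutoBackup',           N'CONTROL SERVER'),
    (N'SqlIaaSExtension_CredentialMgmt',       N'CONTROL SERVER'),
    (N'SqlIaaSExtension_ThrottlingAssessment', N'CONTROL SERVER'),
    (N'SqlIaaSExtension_Assessment',           N'CONTROL SERVER'),
    (N'SqlIaaSExtension_SqlInstanceSetting',   N'ALTER ANY LOGIN'),
    (N'SqlIaaSExtension_SqlInstanceSetting',   N'ALTER SETTINGS'),
    (N'SqlIaaSExtension_StorageConfig',        N'ALTER ANY DATABASE'),
    (N'SqlIaaSExtension_StatusReporting',      N'VIEW ANY DEFINITION'),
    (N'SqlIaaSExtension_StatusReporting',      N'VIEW SERVER STATE'),
    (N'SqlIaaSExtension_StatusReporting',      N'ALTER ANY LOGIN'),
    (N'SqlIaaSExtension_StatusReporting',      N'CONNECT SQL');

-- 1. Granted permissions of every SqlIaaSExtension_* server role vs. the table.
--    'in table, not granted' is normal for features that are not enabled.
WITH granted AS (
    SELECT r.name COLLATE DATABASE_DEFAULT            AS role_name,
           p.permission_name COLLATE DATABASE_DEFAULT AS permission_name
    FROM sys.server_principals AS r
    JOIN sys.server_permissions AS p ON p.grantee_principal_id = r.principal_id
    WHERE r.type = 'R'                        -- server roles only
      AND r.name LIKE N'SqlIaaSExtension[_]%'
      AND p.state IN ('G', 'W')               -- GRANT / GRANT WITH GRANT OPTION
)
SELECT COALESCE(g.role_name, e.role_name)             AS role_name,
       COALESCE(g.permission_name, e.permission_name) AS permission_name,
       CASE WHEN e.role_name IS NULL THEN 'granted, not in table'
            WHEN g.role_name IS NULL THEN 'in table, not granted'
            ELSE 'matches table' END                  AS finding
FROM granted AS g
FULL OUTER JOIN @expected AS e
  ON e.role_name = g.role_name AND e.permission_name = g.permission_name
ORDER BY 1, 2;

-- 2. Server role membership of the service identities (assumed login names).
--    A sysadmin row points to the older permission model.
SELECT m.name AS member_name, r.name AS role_name,
       CASE WHEN r.name = N'sysadmin' THEN 'sysadmin model'
            ELSE 'feature role' END AS finding
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name IN (N'NT Service\SqlIaaSExtensionQuery', N'NT AUTHORITY\SYSTEM')
ORDER BY m.name, r.name;
```

Run it in the context of the default (or single named) instance with a login that can view server-level metadata; rows marked 'granted, not in table' are the ones to review.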

Note

The option to enable least privilege mode is only available for SQL Server VMs provisioned before October 2022. If this option isn't visible in your environment, it's because your SQL Server VM already has least privilege mode enabled by default.

To enable the least privilege permissions model, go to your SQL virtual machines resource, choose Security Configuration under Security, and then select the Enable least privilege mode checkbox:

Screenshot of the Azure portal SQL virtual machines resource, Security Configuration page, enable least privilege highlighted.

Installation

When you register your SQL Server VM with the SQL IaaS Agent extension, the process copies binaries to the virtual machine but doesn't install the agent by default. The agent installs only when you enable one of the SQL IaaS Agent extension features that require it. After installation, the following two services run on the virtual machine:

  • Microsoft SQL Server IaaS agent is the main service for the SQL IaaS Agent extension. It runs under the Local System account.
  • Microsoft SQL Server IaaS Query Service is a helper service that runs queries within SQL Server. It runs under the NT Service account NT Service\SqlIaaSExtensionQuery.

By default, the agent follows the principle of least privilege and only has permissions within SQL Server that are associated with the features you enable. However, if you manually install SQL Server on the VM yourself, or deploy a SQL Server image from the marketplace before October 2022, the agent has sysadmin rights within SQL Server.

When you deploy a SQL Server VM Azure Marketplace image through the Azure portal, it's automatically registered with the extension. However, if you choose to self-install SQL Server on an Azure virtual machine, or provision an Azure virtual machine from a custom VHD, you must register your SQL Server VM with the SQL IaaS Agent extension to unlock feature benefits. By default, self-installed Azure VMs with SQL Server 2016 or later automatically register with the SQL IaaS Agent extension when detected by the CEIP service. You should manually register SQL Server VMs that the CEIP doesn't detect.

You can register by using one of the following methods:

When you register your SQL Server VM with the SQL Server IaaS Agent extension, you create the SQL virtual machine resource within your subscription. This resource is separate from the virtual machine resource. If you delete the extension from your SQL Server VM, you remove the SQL virtual machine resource from your subscription but don't delete the underlying virtual machine.

Multiple instance support

The SQL IaaS Agent extension supports the following environments:

  • One default instance.
  • Multiple instances, but only the default instance is supported and managed by the extension in the Azure portal. The extension doesn't support environments with multiple named instances without a default instance.
  • One named instance, if it's the only installed instance.

Named instance support

To manage a single named instance in the Azure portal, install SQL Server with a non-default name on an Azure virtual machine and then register it with the SQL IaaS Agent extension.

To manage a single named instance in a SQL Server image from Azure Marketplace, uninstall the existing SQL Server instance, install SQL Server with a named instance, and then register it with the SQL IaaS Agent extension.

To use a single named instance with SQL Server on Azure VMs, follow these steps:

  1. Deploy a SQL Server VM from Azure Marketplace.
  2. Delete the SQL IaaS Agent extension from the SQL Server VM.
  3. Connect to the virtual machine and uninstall SQL Server completely.
  4. Restart the virtual machine.
  5. Connect to the virtual machine and then use the setup media (typically located in C:\SQLServerFull) to install a named SQL Server instance.
  6. Restart the virtual machine.
  7. Register the VM with the SQL IaaS Agent Extension.

Failover Clustered Instance support

Registering your SQL Server Failover Clustered Instance (FCI) is supported with limited functionality. Due to the limited functionality, SQL Server FCIs registered with the extension don't support features that require the agent, such as automated backup, patching, Microsoft Entra authentication, and advanced portal management.

If you register your SQL Server VM with the SQL IaaS Agent extension and enable any features that require the agent, you need to delete the extension from the SQL Server VM. Then register it again after your FCI is installed.

Verify status of extension

Use the Azure portal, Azure PowerShell, or the Azure CLI to check the status of the extension.

Verify the extension is installed in the Azure portal.

Go to your Virtual machine resource in the Azure portal (not the SQL virtual machines resource, but the resource for your VM). Select Extensions under Settings. You should see the SqlIaasExtension extension listed, as in the following screenshot:

Screenshot from the Azure portal of the status of the SQL Server IaaS Agent extension.

Management modes

Before March 2023, the SQL IaaS Agent extension relied on management modes to define the security model, and unlock feature benefits. In March 2023, Microsoft updated the extension architecture to remove management modes entirely. Instead, it relies on the principle of least privilege to give you control over how you want to use the extension on a feature-by-feature basis.

Starting in March 2023, when you first register with the extension, it saves binaries to your virtual machine to provide basic functionality such as license management. When you enable any feature that relies on the agent, the extension uses the binaries to install the SQL IaaS Agent to your virtual machine. It also assigns permissions to the SQL IaaS Agent service as needed by each feature that you enable.

Supported regions

The SQL IaaS Agent extension is supported in a limited set of Azure regions. You can only install the SQL IaaS Agent extension if your SQL Server VM is in a supported region. You can use Azure PowerShell to list the supported regions for the SQL IaaS Agent extension.

The following Get-AzResourceProvider Azure PowerShell command lists the supported regions:

(Get-AzResourceProvider -ProviderNamespace Microsoft.SqlVirtualMachine).ResourceTypes |
      Where-Object { $_.ResourceTypeName -eq "SqlVirtualMachines" } |
      Select-Object -ExpandProperty Locations

Limitations

The SQL IaaS Agent extension only supports:

  • SQL Server VMs deployed through the Azure Resource Manager. It doesn't support SQL Server VMs deployed through the classic model.
  • SQL Server VMs deployed to the public cloud, Azure Government cloud, and 21Vianet (Azure in China). It doesn't support deployments to other private or government clouds.
  • A limited set of Azure regions. You can only install the SQL IaaS Agent extension if your SQL Server VM is in a supported region.
  • TCP/IP must be enabled in SQL Server Configuration Manager and for the VM for the extension to work with your SQL Server on Azure VMs.
  • SQL Server FCIs with limited functionality. SQL Server FCIs registered with the extension don't support features that require the agent, such as automated backup, patching, and advanced portal management.
  • VMs with a default instance, or a single named instance when no default instance is present.
  • If the VM has multiple named instances, then one of the instances must be the default instance to work with the SQL IaaS Agent extension.
  • SQL Server instance images only. The SQL IaaS Agent extension doesn't support Reporting Services or Analysis services, such as the following images: SQL Server Reporting Services, Power BI Report Server, SQL Server Analysis Services.

Privacy statements

When you use SQL Server on Azure VMs and the SQL IaaS Agent extension, consider the following privacy statements:

  • Automatic registration: By default, Azure VMs with SQL Server 2016 or later are automatically registered with the SQL IaaS Agent extension when detected by the CEIP service. Review the SQL Server privacy supplement for more information.

  • Data collection: The SQL IaaS Agent extension collects data for the express purpose of giving customers optional benefits when using SQL Server on Azure Virtual Machines. Microsoft will not use this data for licensing audits without the customer's advance consent. See the SQL Server privacy supplement for more information.

  • In-region data residency: SQL Server on Azure VMs and the SQL IaaS Agent extension don't move or store customer data outside of the region where you deployed the VMs.

To install the SQL Server IaaS extension to SQL Server on Azure VMs, see the articles for Automatic installation, Single VMs, or VMs in bulk. For problem resolution, see Troubleshoot known issues with the extension.

To learn more, see the following articles: