Version: v1.2025.12 Last updated: 2025-12-16
This document provides answers to commonly asked questions about SQL Server enabled by Azure Arc.
- General FAQ
- Pay-as-you-go Billing
- Security
- Associated Services
- Extended Security Updates (ESU)
- Deployment and Configuration
- Features and Capabilities
- Troubleshooting
Yes, you can use the excludedInstances setting in the Azure Policy to indicate the SQL Server instances that you don't want to include in the onboarding process.
For example, if you have any standby instances, you might not want to view them in the portal. When you use Azure Policy to onboard, you can exclude such instances using pattern matching of the instance names.
Steps:
- Create a copy of the definition provided in Azure to create a custom definition
- Set the value for excluded instances in the custom definition
- Target the subscription and resource group
No. Microsoft only captures metadata and information about your SQL Server to help troubleshoot and inventory. The data sent doesn't include user data or information about your utilization of SQL Server.
The following types of data are collected:
- Inventory data: SQL Server version, edition, host OS, instance names, databases
- Configuration data: Settings and properties
- Usage metrics: For licensing and billing purposes only
- Performance data: Only when monitoring features are explicitly enabled
- Assessment data: For best practices and migration readiness assessments
SQL Server enabled by Azure Arc is available in 25+ regions including:
- Americas: East US, East US 2, West US, West US 2, West US 3, Central US, North Central US, South Central US, West Central US, Canada Central, Canada East, Brazil South
- Europe: West Europe, North Europe, UK South, UK West, France Central, Switzerland North, Norway East, Sweden Central
- Asia Pacific: Southeast Asia, Japan East, Korea Central, Australia East, Central India
- Government: US Government Virginia (limited features)
Important: For successful onboarding, assign the same region to both Arc-enabled Server and Arc-enabled SQL Server.
Yes, you can deploy SQL Server enabled by Azure Arc in VMware VMs running in Azure VMware Solution. However, you must follow the specific deployment steps outlined in Deploy Arc-enabled Azure VMware Solution to enable a fully integrated experience with Arc capabilities within the AVS private cloud.
Does pay-as-you-go billing stop charging when connectivity between the SQL Server resource and Azure is temporarily interrupted?
No, intermittent internet connectivity doesn't stop the pay-as-you-go billing. The usage is reported and accounted for by the billing logic when the connectivity is restored.
Built-in resilience: The system tolerates intermittent connectivity disruptions for up to 30 consecutive days without affecting billing accuracy. As long as connectivity is not interrupted for more than 30 days, your billing remains correct—even if there are short, intermittent disconnections. If the machine stays disconnected for more than 30 days, the pay-as-you-go subscription expires.
No. When the VM is stopped, the usage data isn't collected. Therefore, you won't be charged for the time the VM was stopped.
No. The usage data collection requires an active SQL Server instance. Therefore, you won't be charged for the time the SQL Server instance was stopped.
The billing granularity is one hour. If your instance was active for less than an hour, you are billed for the full hour.
Pay-as-you-go billing doesn't change the licensing terms of SQL Server. Therefore, it's subject to the four-core minimum as defined in the SQL Server licensing terms.
If the affinity mask is specified for my SQL Server to use a subset of virtual cores, will it reduce the pay-as-you-go charges?
No. When you run your SQL Server instance on a virtual or physical machine, you're required to license the full set of cores that the machine can access. Therefore, your pay-as-you-go charges are based on the full core count even if you use the affinity mask to limit your SQL Server's usage of these cores. See SQL Server licensing guide for details.
Yes, you can change your selection. To change, run SQL Server Setup again, and choose the Maintenance tab, then select Edition Upgrade. The mode is now changed to Enterprise license. To revert back to pay-as-you-go, you can use the same steps and change the setting.
I have an enterprise or a small business account with Microsoft, do I need to enable the recurring pay-as-you-go billing?
No. At this point, recurring billing is only enabled in the cloud solution provider (CSP) managed Azure subscriptions.
How do I ensure that my VM and SQL Server are not billed when disconnected or turned off intentionally?
If the machine is offline for less than 30 days and then reconnects, the uploaded SQL Server usage will reflect the offline period, and the monthly invoice will account for it. If you keep the machine offline for longer than 30 days, the pay-as-you-go billing will resume when the machine is back online and reconnects to Azure Arc.
Option 1: If you take your VM offline intentionally for a period longer than 30 days and stop using SQL Server, the pay-as-you-go billing will resume when the machine is back online and reconnects to Azure Arc.
Option 2: If your SQL Server instance is continuously running during the disconnected time period, you must restore the connectivity to stay compliant. Review Troubleshoot extension.
Recommended approach for extended offline periods: If you plan to keep the machine offline for longer than 30 days, disconnect the Arc-enabled SQL Server and then reconnect using one of the supported deployment options when you're ready to use it again.
How can I be notified when a given machine does not send usage data or when recurring billing has happened?
You can:
- See the billing mode of each machine in the Arc-enabled SQL Server Billing dashboard in the Azure portal
- Write your own Azure Resource Graph (ARG) query to get the billing mode and last billed data points
- Subscribe to Activity Log events for when usage records are not received when expected or when recurring billing starts. Review Use activity logs with SQL Server enabled by Azure Arc
Review and implement SQL Server enabled by Azure Arc best practices. Key recommendations include:
- Use least privilege mode: Minimize permissions granted to the Azure extension for SQL Server
- Implement network security: Control access through firewalls and network security groups
- Enable Microsoft Defender for Cloud: Discover and mitigate database vulnerabilities
- Use Microsoft Entra authentication: Leverage modern authentication with MFA and SSO (requires SQL Server 2022+)
- Keep agents updated: Regularly update Azure Arc agents to the latest versions
- Review security recommendations: Regularly check Microsoft Defender for Cloud recommendations
- Implement TDE: Use Transparent Data Encryption for data at rest
- Use Managed Identity: Authenticate to Azure resources without storing credentials
No. TDE with Azure Key Vault is not currently supported for SQL Server enabled by Azure Arc. You can manually set up TDE for your own instances using traditional methods.
Yes, there is Key Vault support for SQL Server enabled by Azure Arc for storing the Microsoft Entra ID certificate used for authentication.
Yes. SQL Server enabled by Azure Arc supports Private Link for most endpoints, but some endpoints don't require Private Link and some endpoints aren't supported. For specific information, see Connected Machine agent network requirements.
Note: Private Link connections to the Azure Arc data processing service at the <region>.arcdataservices.com endpoint (used for inventory and usage upload) are not currently supported.
You can find details on the roles created by the Azure extension for SQL Server at Roles created by Azure extension for SQL Server installation.
You need to open up the endpoint at *.<region>.arcdataservices.com. For specific information, review Prerequisites - Connect to Azure Arc data processing service.
If your organization uses TLS inspection, the Azure Extension for SQL Server does not use certificate pinning and will continue to work, as long as your machine trusts the certificate presented by the TLS inspection service. For information on TLS inspection with Azure Arc-enabled server extension, see Network Security.
Review Configure Windows service accounts and permissions for Azure extension for SQL Server.
- When least privilege mode is enabled: The service runs as the NT Service\SQLServerExtension account
- When least privilege mode is disabled: The service runs as Local System
To enable least privilege mode, review Least privilege mode.
Yes, least privilege mode is supported and recommended for SQL Server enabled by Azure Arc.
Important:
- Least privilege mode is available for all license types (PAYG, Paid, License Only)
- Existing servers with extension version 1.1.2859.223 or greater will eventually have the least privileged configuration applied automatically
- To prevent automatic application of least privilege, block extension upgrades after 1.1.2859.223
- Least privilege is required to run DBCC CLONEDATABASE without errors
Learn more about the permissions assigned at Configure Windows service accounts and permissions for Azure extension for SQL Server.
Least privilege mode uses minimum permissions to deploy SQL Server enabled by Azure Arc. To enable least privilege mode, review Operate SQL Server enabled by Azure Arc with least privilege.
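The rules above, applied as a fleet audit. This is an added example, not code from Microsoft's documentation. The CSV column names, host names and status labels are constructed for illustration, and the Local System spellings are assumed forms of how an inventory export might report that account; the NT Service\SQLServerExtension account and the 1.1.2859.223 threshold come from this page.

```python
import csv
import io

# Threshold from the FAQ: extensions at or above this version will
# eventually have least privilege applied automatically.
AUTO_APPLY_VERSION = (1, 1, 2859, 223)

# Account the service runs as when least privilege mode is enabled (from the FAQ).
LEAST_PRIVILEGE_ACCOUNT = r"nt service\sqlserverextension"
# Assumed spellings of Local System in an inventory export.
LOCAL_SYSTEM_ALIASES = {"localsystem", "local system", r"nt authority\system"}

# Constructed sample inventory (hypothetical columns and machines).
SAMPLE_CSV = r"""machine,extension_version,service_account
sql-prod-01,1.1.3000.10,NT Service\SQLServerExtension
sql-prod-02,1.1.2859.223,LocalSystem
sql-dr-01,1.1.2700.5,LocalSystem
sql-dev-03,1.1.10000.1,NT AUTHORITY\SYSTEM
sql-old-07,unknown,LocalSystem
sql-app-09,1.1.3000.10,CONTOSO\svc-arc
"""


def parse_version(text):
    """Parse a four-part version into a tuple so parts compare numerically
    (as strings, '1.1.10000.1' would sort below '1.1.2859.223')."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version_text, account):
    """Return a status label for one extension installation."""
    acct = account.strip().lower()
    if acct == LEAST_PRIVILEGE_ACCOUNT:
        return "least-privilege"
    if acct not in LOCAL_SYSTEM_ALIASES:
        # Neither account the FAQ describes: worth a manual look.
        return "unexpected-account"
    try:
        version = parse_version(version_text)
    except ValueError:
        return "local-system-unknown-version"
    if version >= AUTO_APPLY_VERSION:
        return "local-system-auto-apply-pending"
    # Below the threshold the FAQ describes no automatic application.
    return "local-system-no-auto-apply"


def audit(csv_text):
    """Group machine names by status label."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row["extension_version"], row["service_account"])
        findings.setdefault(status, []).append(row["machine"])
    return findings


if __name__ == "__main__":
    for status, machines in sorted(audit(SAMPLE_CSV).items()):
        print(f"{status}: {', '.join(machines)}")
```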
The associated services are represented as SQL Server instances in Azure Resource Manager (ARM) with a service_type property:
Supported associated services:
- SQL Server Analysis Services (SSAS)
- SQL Server Integration Services (SSIS)
- SQL Server Reporting Services (SSRS)
- Power BI Report Server
Key billing points:
- Associated services require a separate license only when installed as a standalone instance (without SQL Server Database Engine on the same machine)
- When installed with SQL Server Database Engine, no separate license is required
- If a p-core license is activated as PAYG in the corresponding scope and the machine is configured to use it, standalone associated services are not individually billed
Feature availability:
- ✅ Connect to Azure Arc
- ✅ Pay-as-you-go billing
- ✅ ESU subscriptions
- ✅ SQL Server inventory
- ✅ Automatic updates
- ✅ Operate with least privilege
- ❌ Best Practices Assessment (Database Engine only)
- ❌ Migration Assessment (Database Engine only)
- ❌ Monitoring (Database Engine only)
Review Manage licensing and billing and Extended Security Updates for details.
Extended Security Updates (ESUs) provide security updates for SQL Server instances that have reached the end of their support lifecycle. ESUs can extend support for up to three years after the end-of-support date.
Supported versions for ESU: SQL Server 2012 and SQL Server 2014 (versions that have reached end-of-support).
ESU Timeline:
- SQL Server 2012: ESU ended July 12, 2025 (3 years of coverage completed)
- SQL Server 2014: ESU Year 1 started July 10, 2024; coverage available through July 2027
There are two ways to get ESUs:
ESU Subscription through Azure Arc (Recommended):
- Continuous coverage until canceled
- Billed hourly through Azure
- Can be canceled at any time
- Automatic cancellation when migrated to Azure or upgraded
- Supports automatic and manual patch installation
- Requires SQL Server to be connected to Azure Arc
ESU Plan through Volume Licensing:
- Each year of coverage must be purchased separately
- Must be paid in full
- Differently priced by year
- Requires registration on Azure portal
- Supports manual installation of patches only
For virtual machines:
- Billed for the total number of virtual cores of the machine (minimum 4 cores)
- VMs eligible for failover rights are not billable
For physical servers:
- Billed for all physical cores of the machine (minimum 4 cores)
- Physical servers eligible for failover rights are not billable
Bill-back charges:
- If you enroll after the end-of-support date, you'll receive a one-time bill-back charge for the months missed since the start of the current ESU year
- This ensures coverage is continuous from the ESU year start date
Yes. SQL Server licenses with Software Assurance or pay-as-you-go (PAYG) can benefit from free passive instances of SQL Server for high availability and disaster recovery (HADR) configurations.
Azure Extension for SQL Server automatically detects passive instances for availability groups (AGs) or failover clustered instances (FCIs) and reflects the use by emitting special $0 meters for disaster recovery, as long as you configured the LicenseType property to Paid or PAYG.
- Upgrade to newer SQL Server version: ESU subscription is automatically canceled
- Migrate to Azure SQL: ESU charges automatically stop, but you continue to have access to the ESUs
Azure Arc automatically installs the Azure extension for SQL Server when a server connected to Azure Arc has SQL Server installed. All SQL Server instance resources are automatically created in Azure.
Deployment methods:
- Automatic connection: Connect server to Azure Arc, SQL Server instances are automatically discovered
- Manual connection: Use Azure portal, PowerShell, or CLI to explicitly connect instances
- At-scale deployment: Use Azure Policy, Configuration Manager, or PowerShell scripts
- During SQL Server installation: SQL Server 2022 can be connected to Azure Arc during installation (Windows only)
Add a tag to the Windows or Linux server with:
- Name: ArcSQLServerExtensionDeployment
- Value: Disabled
This tag must be added before connecting the server to Azure Arc.
When a server with SQL Server is connected to Azure Arc:
- Azure Connected Machine agent is installed on the server
- SQL Server instances are automatically discovered
- Azure extension for SQL Server is deployed
- SQL Server instance resources are created in Azure
- New roles are applied to SQL Server and databases
- Instance and database inventory begins
Yes, you can use the excludedInstances setting in Azure Policy or extension configuration to exclude specific SQL Server instances based on pattern matching of instance names.
Versions: SQL Server 2012 (11.x) through SQL Server 2025 (17.x) — 64-bit only
Editions: Enterprise, Standard, Web, Express, Developer, Evaluation
- Note: Business Intelligence edition is not supported
- Express LocalDB is not supported
- Web edition is not available in SQL Server 2025 and later versions
Windows:
- Windows 10 and 11
- Windows Server 2012 R2 and later (Windows Server 2012 has limited support)
Linux:
- Ubuntu 20.04 (x64)
- Red Hat Enterprise Linux (RHEL) 8 (x64)
- SUSE Linux Enterprise Server (SLES) 15 (x64)
Note: Most features are available on Windows. Linux support is available but with a limited feature set.
No. SQL Server instances running in Azure Virtual Machines are not supported with Azure Arc-enabled SQL Server. Azure VMs already have native Azure management capabilities.
No. SQL Server running in containers is not currently supported.
| Feature | License Only | License with SA or Subscription | Pay-as-you-go |
|---|---|---|---|
| Connect to Azure Arc | Yes | Yes | Yes |
| SQL Server inventory | Yes | Yes | Yes |
| Detailed inventory | Yes | Yes | Yes |
| Migration readiness | Yes | Yes | Yes |
| Database migration | Yes | Yes | Yes |
| Microsoft Entra authentication | Yes | Yes | Yes |
| Microsoft Defender for Cloud | Yes | Yes | Yes |
| Microsoft Purview | Yes | Yes | Yes |
| Failover cluster instances | Yes | Yes | Yes |
| Always On availability groups | Yes | Yes | Yes |
| Operate with least privilege | Yes | Yes | Yes |
| Free Power BI Report Server license¹ | Yes | Yes | Yes |
| Best practices assessment | No | Yes | Yes |
| ESU subscription | No | Yes | Yes |
| Automated backups (preview) | No | Yes | Yes |
| Point-in-time restore | No | Yes | Yes |
| Automatic updates | No | Yes | Yes |
| Monitoring (preview) | No | Yes | Yes |
| Client connection summary | No | Yes | Yes |
| Free new version upgrade | No | Yes | Yes |
| HADR benefit (free passive replicas) | No | Yes | Yes |
| Unlimited virtualization (Enterprise) | No | Yes | Yes |
| 180-day dual-use benefit | No | Yes | Yes |
¹ For SQL Server 2022 and earlier: Enterprise Edition with SA only. For SQL Server 2025: Standard and Enterprise with all license types.
Monitoring (preview):
- Real-time performance monitoring from Azure portal
- Built-in performance dashboards
- Tracks active connections, database I/O, CPU, and memory usage
- Available for Enterprise and Standard editions on Windows only
- Current limitation: Failover cluster instances (FCIs) are not supported
- Version requirements:
- SQL Server 2012: Not available
- SQL Server 2014: Not available
- SQL Server 2016 SP1 or later: Supported
- SQL Server 2019 and later: Supported
Best Practices Assessment:
- Evaluates configuration against Microsoft best practices
- Provides recommendations for performance and security improvements
- Runs on-demand or on a schedule
- Available for all editions on Windows
- Focuses on configuration, not real-time performance
Migration assessment is an automatic feature that:
- Provides cloud readiness analysis for migration to Azure
- Identifies risks and mitigation strategies
- Recommends the best Azure SQL target (SQL MI, Azure SQL DB, or SQL on Azure VM)
- Provides right-sized SKU recommendations based on performance data
- Estimates costs for recommended configurations
- Runs automatically once per week
- Is free and available for all SQL Server editions
Yes, most automatic features can be disabled:
- Migration assessment: Can be disabled per instance
- Best practices assessment: Disabled by default, must be explicitly enabled
- Performance monitoring: Enabled by default but can be disabled
- Automatic updates: Disabled by default
Microsoft Entra authentication (formerly Azure Active Directory) provides modern, centralized identity and access management for SQL Server 2022 and later.
Benefits:
- Removes the need for password-based authentication
- Supports multi-factor authentication (MFA)
- Enables single sign-on (SSO)
- Uses managed identity for passwordless authentication to Azure resources
- Centralized identity management
Requirements:
- SQL Server 2022 (16.x) or SQL Server 2025 (17.x) Preview
- SQL Server enabled by Azure Arc
- Latest Azure extension for SQL Server
Common causes:
- Arc agent not installed: Ensure the Azure Connected Machine agent is installed and running
- Extension not deployed: Check if the Azure extension for SQL Server is installed
- Tag blocking deployment: Check if the ArcSQLServerExtensionDeployment = Disabled tag is present
- Resource provider not registered: Ensure Microsoft.AzureArcData is registered
- Network connectivity issues: Verify access to *.<region>.arcdataservices.com
- Region not supported: Verify the region is supported for Arc-enabled SQL Server
In Azure portal:
- Navigate to your Arc-enabled server resource
- Go to Extensions under Settings
- Look for WindowsAgent.SqlServer (Windows) or LinuxAgent.SqlServer (Linux)
- Check the version number
Alternatively, check the extension log file at:
C:\ProgramData\GuestConfig\extension_logs\Microsoft.AzureData.WindowsAgent.SqlServer\
Issue: Assessment fails to connect to SQL Server
Resolution:
- Verify SQL Server is online and accessible
- Ensure NT AUTHORITY\SYSTEM is a member of the sysadmin server role (or configure least privilege mode)
- Check that databases are online and updateable
- Review connectivity using Troubleshoot connectivity issues in SQL Server
Issue: Assessment data isn't uploading to Log Analytics workspace
Resolution:
- Verify the linked Log Analytics workspace has a table named SqlAssessment_CL
- Ensure Azure Monitor Agent (version >= 1.10.0) is successfully provisioned
- Check the Extensions tab under the Arc resource to verify AMA status
To disconnect:
- Navigate to the SQL Server - Azure Arc resource in Azure portal
- Select Delete to remove the Azure resource
- The extension will remain on the server but stop reporting
- To fully remove the extension, go to the Server - Azure Arc resource
- Select Extensions and remove the Azure extension for SQL Server
For complete removal including the Arc agent, see Disconnect SQL Server instances from Azure Arc.
If the extension is stuck in an odd state for a long time:
- Try to disconnect your SQL Server instances from Azure Arc
- Reconnect using one of the supported deployment methods
- If the issue persists, contact Microsoft Support
Windows:
- Extension logs: C:\ProgramData\GuestConfig\extension_logs\Microsoft.AzureData.WindowsAgent.SqlServer\
- Latest version log file: unifiedagent.log
- Older versions log file: ExtensionLog_0.log
Linux:
- Extension logs: /var/lib/GuestConfig/extension_logs/Microsoft.AzureData.LinuxAgent.SqlServer/
For support:
- Review the troubleshooting documentation
- Check known issues
- Search the Microsoft Q&A forum
- Create an Azure support request
Note: This FAQ is based on the latest Microsoft Learn documentation as of December 2025. Features and capabilities are subject to change. For the most up-to-date information, always refer to the official Microsoft Learn documentation.