Microsoft Defender for SQL

APPLIES TO: Azure SQL Database Azure SQL Managed Instance Azure Synapse Analytics

Microsoft Defender for SQL is a unified package for advanced SQL security capabilities. Microsoft Defender for Cloud is available for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. It includes functionality for surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database. It provides a single go-to location for enabling and managing these capabilities.

What are the benefits of Microsoft Defender for SQL?

Microsoft Defender for Cloud provides a set of advanced SQL security capabilities, including SQL Vulnerability Assessment and Advanced Threat Protection.

  • Vulnerability Assessment is an easy-to-configure service that can discover, track, and help you remediate potential database vulnerabilities. It provides visibility into your security state, and it includes actionable steps to resolve security issues and enhance your database fortifications.
  • Advanced Threat Protection detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit your database. It continuously monitors your database for suspicious activities, and it provides immediate security alerts on potential vulnerabilities, Azure SQL injection attacks, and anomalous database access patterns. Advanced Threat Protection alerts provide details of the suspicious activity and recommend action on how to investigate and mitigate the threat.

Enable Microsoft Defender for SQL once to enable all these included features. With one click, you can enable Microsoft Defender for all databases on your server in Azure or in your SQL Managed Instance. Enabling or managing Microsoft Defender for Cloud settings requires belonging to the SQL security manager role, or one of the database or server admin roles.

For more information about Microsoft Defender for SQL pricing, see the Microsoft Defender for Cloud pricing page.

Enable Microsoft Defender for Cloud

There are multiple ways to enable Microsoft Defender plans. You can enable it at the subscription level (recommended) from:

Alternatively, you can enable it at the resource level, as described in Enable Microsoft Defender for Azure SQL Database at the resource level.

Enable Microsoft Defender for Azure SQL Database at the subscription level from Microsoft Defender for Cloud

To enable Microsoft Defender for Azure SQL Database at the subscription level from within Microsoft Defender for Cloud:

  1. From the Azure portal, open Defender for Cloud.

  2. From Defender for Cloud's menu, select Pricing and settings.

  3. Select the relevant subscription.

  4. Change the plan setting to On.

    Enabling Microsoft Defender for Azure SQL Database at the subscription level.

  5. Select Save.

Enable Microsoft Defender plans programmatically

The flexibility of Azure allows for a number of programmatic methods for enabling Microsoft Defender plans.

Use any of the following tools to enable Microsoft Defender for your subscription:

Method          Instructions
REST API        Pricings API
Azure CLI       az security pricing
PowerShell      Set-AzSecurityPricing
Azure Policy    Bundle Pricings
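As an added example, not taken from this page or from Microsoft's own scripts, the following Bash script combines two of the tools in the table: it audits the Defender for SQL plan across every enabled subscription with the Azure CLI (az security pricing show) and, when asked, turns the plan on with a PUT to the Pricings REST API through az rest, which reuses the CLI's sign-in token. It assumes az is installed and logged in, that "SqlServers" is the pricing resource name for the Azure SQL Database / Managed Instance / Synapse plan and 2018-06-01 a valid api-version for that API, and all helper names (is_protected_tier, pricing_body, pricing_url, current_tier, enable_plan, audit_all) are this script's own. Any tier other than "Standard", including an empty answer from a failed call, is reported as drift, so a scripting error can never be mistaken for a protected subscription.

```shell
#!/usr/bin/env bash
# Added example: audit (and optionally enable) the Defender for SQL plan on every
# enabled subscription. Not code from the Microsoft Learn page.
# Assumptions: `az` is installed and logged in; PLAN_NAME/API_VERSION are the
# Pricings API values; every function name here is this script's own invention.
set -eu

PLAN_NAME="SqlServers"      # Pricings resource name for Defender for SQL (assumption)
API_VERSION="2018-06-01"    # Pricings API version (assumption)

# Pure helper: succeeds only when the tier string means "plan enabled".
# The API reports "Standard" (enabled) or "Free" (disabled); compare case-insensitively
# and treat an empty or unknown value as NOT protected (fail closed).
is_protected_tier() {
  case "$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')" in
    standard) return 0 ;;
    *)        return 1 ;;
  esac
}

# Pure helper: JSON body for a PUT on the Pricings API.
pricing_body() {
  printf '{"properties":{"pricingTier":"%s"}}' "$1"
}

# Pure helper: Pricings resource URL for one subscription id.
pricing_url() {
  printf 'https://management.azure.com/subscriptions/%s/providers/Microsoft.Security/pricings/%s?api-version=%s' \
    "$1" "$PLAN_NAME" "$API_VERSION"
}

# Read the current tier of the plan in one subscription with the Azure CLI.
current_tier() {
  az security pricing show --name "$PLAN_NAME" --subscription "$1" \
    --query pricingTier -o tsv 2>/dev/null || true
}

# Enable the plan via the REST API, but only when it is not already Standard (idempotent).
enable_plan() {
  sub="$1"
  if is_protected_tier "$(current_tier "$sub")"; then
    echo "$sub: Defender for SQL already Standard"
    return 0
  fi
  az rest --method put --url "$(pricing_url "$sub")" --body "$(pricing_body Standard)" >/dev/null
  echo "$sub: Defender for SQL enabled"
}

# Walk every enabled subscription; print OK/DRIFT per subscription, fix drift when FIX=1.
# Exit status 1 when any subscription was found without the plan, for use in CI checks.
audit_all() {
  drift=0
  for sub in $(az account list --query "[?state=='Enabled'].id" -o tsv); do
    tier="$(current_tier "$sub")"
    if is_protected_tier "$tier"; then
      echo "OK    $sub  tier=$tier"
    else
      echo "DRIFT $sub  tier=${tier:-unknown}"
      drift=1
      if [ "${FIX:-0}" = "1" ]; then enable_plan "$sub"; fi
    fi
  done
  return $drift
}

# Run the audit only when RUN_AUDIT=1, so the helpers can be sourced and tested offline.
if [ "${RUN_AUDIT:-0}" = "1" ]; then
  audit_all
fi
```

Run it as RUN_AUDIT=1 ./defender-sql-audit.sh to report drift only, or RUN_AUDIT=1 FIX=1 ./defender-sql-audit.sh to enable the plan where it is off; the non-zero exit status on drift lets the same script act as a scheduled compliance check. The PowerShell equivalent of the enable step is Set-AzSecurityPricing -Name "SqlServers" -PricingTier "Standard".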

Enable Microsoft Defender for Azure SQL Database at the resource level

We recommend enabling Microsoft Defender plans at the subscription level, so that resources created later are protected as well. However, if you have an organizational reason to enable Microsoft Defender for Cloud at the server level, use the following steps:

  1. From the Azure portal, open your server or managed instance.

  2. Under the Security heading, select Defender for Cloud.

  3. Select Enable Microsoft Defender for SQL.

    Enable Microsoft Defender for SQL from within Azure SQL databases.

Note

A storage account is automatically created and configured to store your Vulnerability Assessment scan results. If you've already enabled Microsoft Defender for another server in the same resource group and region, then the existing storage account is used.

The cost of Microsoft Defender for SQL is aligned with Microsoft Defender for Cloud standard tier pricing per node, where a node is the entire server or managed instance. You are thus paying only once for protecting all databases on the server or managed instance with Microsoft Defender for Cloud. You can evaluate Microsoft Defender for Cloud via a free trial.

Manage Microsoft Defender for Cloud settings

To view and manage Microsoft Defender for Cloud settings:

  1. From the Security area of your server or managed instance, select Defender for Cloud.

    On this page, you'll see the status of Microsoft Defender for SQL:

    Checking the status of Microsoft Defender for SQL inside Azure SQL databases.

  2. If Microsoft Defender for SQL is enabled, you'll see a Configure link as shown in the previous graphic. To edit the settings for Microsoft Defender for SQL, select Configure.

    Settings for Microsoft Defender for SQL.

  3. Make the necessary changes and select Save.

Next steps