Azure Policy built-in definitions for Azure SQL Database & SQL Managed Instance

Applies to: Azure SQL Database Azure SQL Managed Instance Azure Synapse Analytics

This page is an index of Azure Policy built-in policy definitions for Azure SQL Database and SQL Managed Instance. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

Azure SQL Database & SQL Managed Instance

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: SQL Databases should be Zone Redundant SQL Databases can be configured to be Zone Redundant or not. Databases with the 'zoneRedundant' setting set to 'false' are not configured for zone redundancy. This policy helps identify SQL databases that need zone redundancy configuration to enhance availability and resilience within Azure. Audit, Deny, Disabled 1.0.0-preview
[Preview]: SQL Elastic database pools should be Zone Redundant SQL Elastic database pools can be configured to be Zone Redundant or not. SQL Elastic database pools are Zone Redundant if it's 'zoneRedundant' property is set to 'true'. Enforcing this policy helps ensure that Event Hubs are appropriately configured for zone resilience, reducing the risk of downtime during zone outages. Audit, Deny, Disabled 1.0.0-preview
[Preview]: SQL Managed Instances should be Zone Redundant SQL Managed Instances can be configured to be Zone Redundant or not. Instances with the 'zoneRedundant' setting set to 'false' are not configured for zone redundancy. This policy helps identify SQL managedInstances that need zone redundancy configuration to enhance availability and resilience within Azure. Audit, Deny, Disabled 1.0.0-preview
An Azure Active Directory administrator should be provisioned for SQL servers Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services AuditIfNotExists, Disabled 1.0.0
Auditing on SQL server should be enabled Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. AuditIfNotExists, Disabled 2.0.0
Azure Defender for SQL should be enabled for unprotected Azure SQL servers Audit SQL servers without Advanced Data Security AuditIfNotExists, Disabled 2.0.1
Azure Defender for SQL should be enabled for unprotected SQL Managed Instances Audit each SQL Managed Instance without advanced data security. AuditIfNotExists, Disabled 1.0.2
Azure SQL Database should be running TLS version 1.2 or newer Setting TLS version to 1.2 or newer improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2 or newer. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. Audit, Disabled, Deny 2.0.0
Azure SQL Database should have Microsoft Entra-only authentication enabled Require Azure SQL logical servers to use Microsoft Entra-only authentication. This policy doesn't block servers from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://docs.azure.cn/azure-sql/database/authentication-azure-ad-only-authentication-create-server. Audit, Deny, Disabled 1.0.0
Azure SQL Database should have Microsoft Entra-only authentication enabled during creation Require Azure SQL logical servers to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://docs.azure.cn/azure-sql/database/authentication-azure-ad-only-authentication-create-server. Audit, Deny, Disabled 1.2.0
Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled Require Azure SQL Managed Instance to use Microsoft Entra-only authentication. This policy doesn't block Azure SQL Managed instances from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://docs.azure.cn/azure-sql/database/authentication-azure-ad-only-authentication-create-server. Audit, Deny, Disabled 1.0.0
Azure SQL Managed Instances should disable public network access Disabling public network access (public endpoint) on Azure SQL Managed Instances improves security by ensuring that they can only be accessed from inside their virtual networks or via Private Endpoints. To learn more about public network access, visit https://docs.azure.cn/azure-sql/managed-instance/public-endpoint-configure. Audit, Deny, Disabled 1.0.0
Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation Require Azure SQL Managed Instance to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://docs.azure.cn/azure-sql/database/authentication-azure-ad-only-authentication-create-server. Audit, Deny, Disabled 1.2.0
Configure Azure Defender to be enabled on SQL managed instances Enable Azure Defender on your Azure SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. DeployIfNotExists, Disabled 2.0.0
Configure Azure Defender to be enabled on SQL servers Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. DeployIfNotExists 2.1.0
Configure Azure SQL database servers diagnostic settings to Log Analytics workspace Enables auditing logs for Azure SQL Database server and stream the logs to a Log Analytics workspace when any SQL Server which is missing this auditing is created or updated DeployIfNotExists, Disabled 1.0.2
Configure Azure SQL Server to disable public network access Disabling the public network access property shuts down public connectivity such that Azure SQL Server can only be accessed from a private endpoint. This configuration disables the public network access for all databases under the Azure SQL Server. Modify, Disabled 1.0.0
Configure Azure SQL Server to enable private endpoint connections A private endpoint connection enables private connectivity to your Azure SQL Database via a private IP address inside a virtual network. This configuration improves your security posture and supports Azure networking tools and scenarios. DeployIfNotExists, Disabled 1.0.0
Configure SQL servers to have auditing enabled To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. This is sometimes required for compliance with regulatory standards. DeployIfNotExists, Disabled 3.0.0
Configure SQL servers to have auditing enabled to Log Analytics workspace To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace. DeployIfNotExists, Disabled 1.0.0
Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace Deploys the diagnostic settings for SQL Databases to stream resource logs to a Log Analytics workspace when any SQL Database which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 4.0.0
Deploy Advanced Data Security on SQL servers This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix. DeployIfNotExists 1.3.0
Deploy Diagnostic Settings for Azure SQL Database to Event Hub Deploys the diagnostic settings for Azure SQL Database to stream to a regional Event Hub on any Azure SQL Database which is missing this diagnostic settings is created or updated. DeployIfNotExists 1.2.0
Deploy SQL DB transparent data encryption Enables transparent data encryption on SQL databases DeployIfNotExists, Disabled 2.2.0
Long-term geo-redundant backup should be enabled for Azure SQL Databases This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. AuditIfNotExists, Disabled 2.0.0
Private endpoint connections on Azure SQL Database should be enabled Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. Audit, Disabled 1.1.0
Public network access on Azure SQL Database should be disabled Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. Audit, Deny, Disabled 1.1.0
SQL Auditing settings should have Action-Groups configured to capture critical activities The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough audit logging AuditIfNotExists, Disabled 1.0.0
SQL Database should avoid using GRS backup redundancy Databases should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. Deny, Disabled 2.0.0
SQL databases should have vulnerability findings resolved Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. AuditIfNotExists, Disabled 4.1.0
SQL Managed Instance should have the minimal TLS version of 1.2 Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities. Audit, Disabled 1.0.1
SQL Managed Instances should avoid using GRS backup redundancy Managed Instances should avoid using the default geo-redundant storage for backups, if data residency rules require data to stay within a specific region. Note: Azure Policy is not enforced when creating a database using T-SQL. If not explicitly specified, database with geo-redundant backup storage is created via T-SQL. Deny, Disabled 2.0.0
SQL managed instances should use customer-managed keys to encrypt data at rest Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. Audit, Deny, Disabled 2.0.0
SQL Server should use a virtual network service endpoint This policy audits any SQL Server not configured to use a virtual network service endpoint. AuditIfNotExists, Disabled 1.0.0
SQL servers should use customer-managed keys to encrypt data at rest Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. Audit, Deny, Disabled 2.0.1
SQL servers with auditing to storage account destination should be configured with 90 days retention or higher For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards. AuditIfNotExists, Disabled 3.0.0
Transparent Data Encryption on SQL databases should be enabled Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements AuditIfNotExists, Disabled 2.0.0
Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet Virtual network based firewall rules are used to enable traffic from a specific subnet to Azure SQL Database while ensuring the traffic stays within the Azure boundary. AuditIfNotExists 1.0.0
Vulnerability assessment should be enabled on SQL Managed Instance Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 1.0.1
Vulnerability assessment should be enabled on your SQL servers Audit Azure SQL servers which do not have vulnerability assessment properly configured. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. AuditIfNotExists, Disabled 3.0.0

Limitations

  • Azure Policy applicable to Azure SQL Database and SQL Managed Instance creation is not enforced when using T-SQL or SSMS.

Next steps