Classic configuration vulnerability findings

Microsoft Defender for Cloud provides vulnerability assessments for your Azure SQL databases. Vulnerability assessments scan your databases for software vulnerabilities and provide a list of findings. You can use the findings to remediate software vulnerabilities, or to disable findings that you don't intend to remediate.

Prerequisites

Ensure you know whether you're using the express or classic configurations before continuing.

To determine your configuration:

  1. In the Azure portal, open the specific resource in Azure SQL Database, SQL Managed Instance, or Azure Synapse.

  2. Under Security, select Defender for Cloud.

  3. In Enablement Status, select Configure to open the Microsoft Defender for SQL settings for the entire server or managed instance.

If the vulnerability settings show the option to configure a storage account, you're using the classic configuration. Otherwise, you're using the express configuration.

View scan history

Select Scan History in the vulnerability assessment pane to view the history of all scans previously run on this database.

Disable specific findings from Microsoft Defender for Cloud (preview)

If you need to ignore a finding rather than remediate it, you can disable it. Disabled findings don't affect your secure score or generate noise.

When a finding matches your disable rules criteria, it doesn't appear in the findings list. Typical scenarios might include:

  • Disable findings with medium or lower severity.
  • Disable findings that are nonpatchable.
  • Disable findings from benchmarks that aren't of interest for a defined scope.

Important

  • To disable specific findings, you need permission to edit a policy in Azure Policy. Learn more in Azure RBAC permissions in Azure Policy.
  • Disabled findings are still included in the weekly SQL vulnerability assessment email report.
  • Disabled rules appear in the 'Not applicable' section of the scan results.

Disable a rule

Defender for Cloud provides a way to disable specific findings.

  1. Sign in to the Azure portal.

  2. Navigate to Microsoft Defender for Cloud > Recommendations.

  3. Search for and select Vulnerability assessment findings on your SQL servers on machines should be remediated.

  4. Select Disable rule.

  5. Select the scope.

  6. Define your criteria. You can use the following criteria:

    • Finding ID
    • Severity
    • Benchmarks

    Screenshot of creating a disable rule for VA findings on SQL servers on machines.

  7. Select Apply rule.

Changes can take up to 24 hours to take effect.

View, override, or delete a rule

  1. Select Disable rule.

  2. From the scope list, subscriptions with active rules show as Rule applied.

    Screenshot of modifying or deleting an existing rule.

  3. To view or delete the rule, select the ellipsis menu ("...").

Manage vulnerability assessments programmatically

Azure PowerShell

Note

This article uses the Azure Az PowerShell module, which is the PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell.

You can use Azure PowerShell cmdlets to manage your vulnerability assessments programmatically. The supported cmdlets are:

  • Clear-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline: Clears the vulnerability assessment rule baseline of a database. First, set the baseline before you use this cmdlet to clear it.
  • Clear-AzSqlDatabaseVulnerabilityAssessmentSetting: Clears the vulnerability assessment settings of a database.
  • Clear-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline: Clears the vulnerability assessment rule baseline of a managed database. First, set the baseline before you use this cmdlet to clear it.
  • Clear-AzSqlInstanceDatabaseVulnerabilityAssessmentSetting: Clears the vulnerability assessment settings of a managed database.
  • Clear-AzSqlInstanceVulnerabilityAssessmentSetting: Clears the vulnerability assessment settings of a managed instance.
  • Convert-AzSqlDatabaseVulnerabilityAssessmentScan: Converts vulnerability assessment scan results of a database to an Excel file (export).
  • Convert-AzSqlInstanceDatabaseVulnerabilityAssessmentScan: Converts vulnerability assessment scan results of a managed database to an Excel file (export).
  • Get-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline: Gets the vulnerability assessment rule baseline of a database for a given rule.
  • Get-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline: Gets the vulnerability assessment rule baseline of a managed database for a given rule.
  • Get-AzSqlDatabaseVulnerabilityAssessmentScanRecord: Gets all vulnerability assessment scan records associated with a given database.
  • Get-AzSqlInstanceDatabaseVulnerabilityAssessmentScanRecord: Gets all vulnerability assessment scan records associated with a given managed database.
  • Get-AzSqlDatabaseVulnerabilityAssessmentSetting: Returns the vulnerability assessment settings of a database.
  • Get-AzSqlInstanceDatabaseVulnerabilityAssessmentSetting: Returns the vulnerability assessment settings of a managed database.
  • Set-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline: Sets the vulnerability assessment rule baseline of a database.
  • Set-AzSqlInstanceDatabaseVulnerabilityAssessmentRuleBaseline: Sets the vulnerability assessment rule baseline for a managed database.
  • Start-AzSqlDatabaseVulnerabilityAssessmentScan: Triggers the start of a vulnerability assessment scan on a database.
  • Start-AzSqlInstanceDatabaseVulnerabilityAssessmentScan: Triggers the start of a vulnerability assessment scan on a managed database.
  • Update-AzSqlDatabaseVulnerabilityAssessmentSetting: Updates the vulnerability assessment settings of a database.
  • Update-AzSqlInstanceDatabaseVulnerabilityAssessmentSetting: Updates the vulnerability assessment settings of a managed database.
  • Update-AzSqlInstanceVulnerabilityAssessmentSetting: Updates the vulnerability assessment settings of a managed instance.

For a script example, see Azure SQL vulnerability assessment PowerShell support.
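The following PowerShell snippet is an added example (it is not the linked Microsoft sample) that chains the cmdlets above: it records the approved firewall rules for rule VA2065 as a baseline on master, triggers an on-demand scan, waits for the scan record to leave the InProgress state, and exports the results. The resource group, server and database names are assumed placeholders; the parameter names are those of the Az.Sql module.

```powershell
# Added example, not from the page's linked script. The three values below are
# assumed placeholders; replace them with your own resource group, server and database.
$rg  = 'rg-sql-example'
$srv = 'sql-server-example'
$db  = 'AdventureWorks'

# 1. Approve the firewall rules VA2065 reports as the baseline on master.
#    Each baseline row has the same columns the rule returns: rule name,
#    start IP, end IP (the same shape as the Resource Manager example on this page).
Set-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline `
    -ResourceGroupName $rg -ServerName $srv -DatabaseName $db `
    -RuleId 'VA2065' -RuleAppliesTo Master `
    -BaselineResult @(
        @('FirewallRuleName3', 'StartIpAddress', 'EndIpAddress'),
        @('FirewallRuleName4', '62.92.15.68', '62.92.15.68')
    )

# 2. Trigger an on-demand scan with a scan id we can look up afterwards.
$scanId = 'baseline-check-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
Start-AzSqlDatabaseVulnerabilityAssessmentScan `
    -ResourceGroupName $rg -ServerName $srv -DatabaseName $db -ScanId $scanId

# 3. Poll the scan record until it reaches a terminal state (Passed, Failed, FailedToRun).
do {
    Start-Sleep -Seconds 15
    $record = Get-AzSqlDatabaseVulnerabilityAssessmentScanRecord `
        -ResourceGroupName $rg -ServerName $srv -DatabaseName $db -ScanId $scanId
} while ($record.State -eq 'InProgress')

if ($record.State -ne 'Passed') {
    # Baselined rows no longer count as failures, so anything left here is new drift.
    Write-Warning "Scan $scanId finished with state '$($record.State)'; review the findings."
}

# 4. Export the scan results to an Excel file for review or audit evidence.
Convert-AzSqlDatabaseVulnerabilityAssessmentScan `
    -ResourceGroupName $rg -ServerName $srv -DatabaseName $db -ScanId $scanId
```

Because the baseline and the scan are both expressed as cmdlets, the same sequence can run from a pipeline after each deployment to catch configuration drift rather than waiting for the weekly recurring scan.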

Azure CLI

Important

The following Azure CLI commands are for SQL databases hosted on VMs or on-premises machines. For vulnerability assessments regarding Azure SQL Databases, refer to the Azure portal or PowerShell section.

You can use Azure CLI commands to manage your vulnerability assessments programmatically. The supported commands are:

  • az security va sql baseline delete: Deletes a SQL vulnerability assessment rule baseline.
  • az security va sql baseline list: Views the SQL vulnerability assessment baseline for all rules.
  • az security va sql baseline set: Sets the SQL vulnerability assessment baseline. Replaces the current baseline.
  • az security va sql baseline show: Views a SQL vulnerability assessment rule baseline.
  • az security va sql baseline update: Updates a SQL vulnerability assessment rule baseline. Replaces the current rule baseline.
  • az security va sql results list: Views all SQL vulnerability assessment scan results.
  • az security va sql results show: Views a SQL vulnerability assessment scan result.
  • az security va sql scans list: Lists all SQL vulnerability assessment scan summaries.
  • az security va sql scans show: Views a SQL vulnerability assessment scan summary.

Resource Manager templates

To configure vulnerability assessment baselines using Azure Resource Manager templates, use the Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines type.

Ensure you have enabled vulnerabilityAssessments before you add baselines.

Here's an example of defining baseline rule VA2065 for the master database and VA1143 for a user database as resources in a Resource Manager template:

   "resources": [
      {
         "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
         "apiVersion": "2018-06-01",
         "name": "[concat(parameters('server_name'),'/', parameters('database_name') , '/default/VA2065/master')]",
         "properties": {
            "baselineResults": [
               {
                  "result": [
                     "FirewallRuleName3",
                     "StartIpAddress",
                     "EndIpAddress"
                  ]
               },
               {
                  "result": [
                     "FirewallRuleName4",
                     "62.92.15.68",
                     "62.92.15.68"
                  ]
               }
            ]
         }
      },
      {
         "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
         "apiVersion": "2018-06-01",
         "name": "[concat(parameters('server_name'),'/', parameters('database_name'), '/default/VA2130/Default')]",
         "dependsOn": [
            "[resourceId('Microsoft.Sql/servers/vulnerabilityAssessments', parameters('server_name'), 'Default')]"
         ],
         "properties": {
            "baselineResults": [
               {
                  "result": [
                     "dbo"
                  ]
               }
            ]
         }
      }
   ]

For master database and user database, the resource names are defined differently:

  • Master database - "name": "[concat(parameters('server_name'),'/', parameters('database_name'), '/default/VA2065/master')]",
  • User database - "name": "[concat(parameters('server_name'),'/', parameters('database_name'), '/default/VA2065/default')]",

For rules whose expected result is a Boolean, express true/false in the baseline result as the binary strings "1"/"0":

   {
      "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
      "apiVersion": "2018-06-01",
      "name": "[concat(parameters('server_name'),'/', parameters('database_name'), '/default/VA1143/Default')]",
      "dependsOn": [
         "[resourceId('Microsoft.Sql/servers/vulnerabilityAssessments', parameters('server_name'), 'Default')]"
      ],
      "properties": {
         "baselineResults": [
            {
               "result": [
                  "1"
               ]
            }
         ]
      }
   }