Express configuration vulnerability findings

Microsoft Defender for Cloud provides vulnerability assessment for your Azure SQL databases. Vulnerability assessment scans your databases for software vulnerabilities and provides a list of findings. You can use the findings to remediate software vulnerabilities and disable findings.

Prerequisites

  • Make sure that you know whether you're using the express or classic configurations before you continue.

    To see which configuration you're using:

    1. In the Azure portal, open the specific resource in Azure SQL Database, SQL Managed Instance Database, or Azure Synapse.
    2. Under the Security heading, select Defender for Cloud.
    3. In the Enablement Status, select Configure to open the Microsoft Defender for SQL settings pane for either the entire server or managed instance.

    If the vulnerability settings show the option to configure a storage account, you're using the classic configuration. If not, you're using the express configuration.

Express configuration

View scan history

Select Scan History in the vulnerability assessment pane to view a history of all scans previously run on this database.

Express configuration doesn't store scan results if they're identical to previous scans. The scan time shown in the scan history is the time of the last scan where the scan results changed.

Disable specific findings from Microsoft Defender for Cloud (preview)

If you have an organizational need to ignore a finding rather than remediate it, you can disable the finding. Disabled findings don't impact your secure score or generate unwanted noise. You can see the disabled finding in the "Not applicable" section of the scan results.

When a finding matches the criteria you've defined in your disable rules, it won't appear in the list of findings. Typical scenarios might include:

  • Disable findings with medium or lower severity
  • Disable findings that are non-patchable
  • Disable findings from benchmarks that aren't of interest for a defined scope

Important

To disable specific findings, you need permissions to edit a policy in Azure Policy. Learn more in Azure RBAC permissions in Azure Policy.

To create a rule:

  1. From the recommendations detail page for Vulnerability assessment findings on your SQL servers on machines should be remediated, select Disable rule.

  2. Select the relevant scope.

  3. Define your criteria. You can use any of the following criteria:

    • Finding ID
    • Severity
    • Benchmarks

    [Screenshot: Create a disable rule for VA findings on SQL servers on machines]

  4. Select Apply rule. Changes might take up to 24 hours to take effect.

  5. To view, override, or delete a rule:

    1. Select Disable rule.
    2. From the scope list, subscriptions with active rules show as Rule applied.
    3. To view or delete the rule, select the ellipsis menu ("...").

Configure email notifications using Azure Logic Apps

To receive regular updates of the vulnerability assessment status for your database, you can use the customizable Azure Logic Apps template.

Using the template will allow you to:

  • Choose the timing of the email reports.
  • Have a consistent view of your vulnerability assessment status that includes disabled rules.
  • Send reports for Azure SQL Servers and SQL VMs.
  • Customize report structure and look-and-feel to match your organizational standards.

Manage vulnerability assessments programmatically

The express configuration is supported in the latest REST API version with the following functionality:

Description                                                   | Scope           | API
--------------------------------------------------------------|-----------------|------------------------------------------------------------------------------------------
Baseline bulk operations                                      | System Database | Sql Vulnerability Assessment Baselines; Sql Vulnerability Assessment Baseline
Baseline bulk operations                                      | User Database   | Database Sql Vulnerability Assessment Baselines
Single rule baseline operations                               | User Database   | Database Sql Vulnerability Assessment Rule Baselines
Single rule baseline operations                               | System Database | Sql Vulnerability Assessment Rule Baselines; Sql Vulnerability Assessment Rule Baseline
Single scan results                                           | User Database   | Database Sql Vulnerability Assessment Scan Result
Single scan results                                           | System Database | Sql Vulnerability Assessment Scan Result
Scan details (summary)                                        | User Database   | Database Sql Vulnerability Assessment Scans
Scan details (summary)                                        | System Database | Sql Vulnerability Assessment Scans
Execute manual scan                                           | User Database   | Database Sql Vulnerability Assessment Execute Scan
Execute manual scan                                           | System Database | Sql Vulnerability Assessment Execute Scan
VA settings (GET only is supported for Express Configuration) | User Database   | Database Sql Vulnerability Assessments Settings
VA Settings operations                                        | Server          | Sql Vulnerability Assessments Settings; Sql Vulnerability Assessments

Azure Resource Manager templates

Use the following ARM template to create a new Azure SQL Logical Server with express configuration for SQL vulnerability assessment.

To configure vulnerability assessment baselines by using Azure Resource Manager templates, use the Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines type. Make sure that vulnerabilityAssessments is enabled before you add baselines.

Here are several examples of how you can set up baselines using ARM templates:

  • Set up a batch baseline based on the latest scan results:

    {
        "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines",
        "apiVersion": "2022-02-01-preview",
        "name": "[concat(parameters('serverName'), '/', parameters('databaseName'), '/default/default')]",
        "properties": {
            "latestScan": true
        }
    }
    
  • Set up batch baseline based on specific results:

    {
        "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines",
        "apiVersion": "2022-02-01-preview",
        "name": "[concat(parameters('serverName'), '/', parameters('databaseName'), '/default/default')]",
        "properties": {
            "latestScan": false,
            "results": {
                "VA2065": [
                    [
                        "FirewallRuleName3",
                        "62.92.15.67",
                        "62.92.15.67"
                    ],
                    [
                        "FirewallRuleName4",
                        "62.92.15.68",
                        "62.92.15.68"
                    ]
                ],
                "VA2130": [
                    [
                        "dbo"
                    ]
                ]
            }
        }
    }
    
  • Set up baseline for a specific rule:

    {
        "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines/rules",
        "apiVersion": "2022-02-01-preview",
        "name": "[concat(parameters('serverName'), '/', parameters('databaseName'), '/default/default/VA1143')]",
        "properties": {
            "latestScan": false,
            "results": [
                [ "True" ]
            ]
        }
    }
    
  • Set up batch baselines on the master database based on latest scan results:

    {
        "type": "Microsoft.Sql/servers/databases/sqlVulnerabilityAssessments/baselines",
        "apiVersion": "2022-02-01-preview",
        "name": "[concat(parameters('serverName'), '/master/default/default')]",
        "properties": {
            "latestScan": true
        }
    }
    

PowerShell

Express configuration isn't supported in PowerShell cmdlets, but you can use PowerShell to invoke the latest vulnerability assessment capabilities through the REST API, for example:
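The following script is an added example, not code from the original page or from Microsoft, covering both the REST operations listed in the table under "Manage vulnerability assessments programmatically" and the PowerShell-over-REST approach this section describes. It uses Invoke-AzRestMethod from Az.Accounts against an already authenticated session. The subscription, resource group, server and database names are placeholders; the REST paths are an assumption derived from the sqlVulnerabilityAssessments/default resource layout that the page's ARM resource names imply; the api-version is the one the page's ARM examples use; and the property names read from the JSON responses (value, name, state, startTime, status, ruleId) are assumed response fields.

```powershell
# Added example (not from the original page or from Microsoft's own docs).
# Drives the express-configuration SQL vulnerability assessment REST API from
# PowerShell with Invoke-AzRestMethod, since express configuration has no
# dedicated cmdlets. Requires Az.Accounts and a prior Connect-AzAccount.
#
# Assumptions: placeholder resource names; REST paths follow the
# .../sqlVulnerabilityAssessments/default layout implied by the page's ARM
# resource names; response field names are assumed.

$subscriptionId = "<subscription-id>"
$resourceGroup  = "<resource-group>"
$serverName     = "<logical-server-name>"
$databaseName   = "<database-name>"
$apiVersion     = "2022-02-01-preview"   # version used by the page's ARM examples

# Database-scoped express-configuration VA resource (user database rows in the table)
$vaPath = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
          "/providers/Microsoft.Sql/servers/$serverName/databases/$databaseName" +
          "/sqlVulnerabilityAssessments/default"

function Invoke-VaApi {
    # Thin wrapper: builds the full path, sends the request, fails loudly on non-2xx,
    # and returns the parsed JSON body (if any).
    param(
        [Parameter(Mandatory)][ValidateSet("GET", "POST", "PUT")][string]$Method,
        [Parameter(Mandatory)][string]$Suffix,
        [string]$Body
    )
    # ${Suffix} is braced because "?" is a legal variable-name character in PowerShell.
    $request = @{ Method = $Method; Path = "$vaPath/${Suffix}?api-version=$apiVersion" }
    if ($Body) { $request.Payload = $Body }
    $response = Invoke-AzRestMethod @request
    if ($response.StatusCode -lt 200 -or $response.StatusCode -ge 300) {
        throw "$Method $Suffix failed with HTTP $($response.StatusCode): $($response.Content)"
    }
    if ($response.Content) { $response.Content | ConvertFrom-Json }
}

# 1. Execute a manual scan (table row "Database Sql Vulnerability Assessment Execute Scan").
#    The call returns before the scan finishes; the results below are whatever is recorded.
Invoke-VaApi -Method POST -Suffix "initiateScan" | Out-Null

# 2. List scan summaries ("Database Sql Vulnerability Assessment Scans") and take the newest.
#    Express configuration records a scan only when its results differ from the previous
#    one, so the newest entry can predate the scan just triggered.
$scans  = Invoke-VaApi -Method GET -Suffix "scans"
$latest = $scans.value |
          Sort-Object { [datetime]$_.properties.startTime } -Descending |
          Select-Object -First 1
"Latest recorded scan: {0} (state: {1}, started {2})" -f `
    $latest.name, $latest.properties.state, $latest.properties.startTime

# 3. Read that scan's per-rule results ("Database Sql Vulnerability Assessment Scan Result")
#    and list the rules that still report a finding after any baseline has been applied.
$results  = Invoke-VaApi -Method GET -Suffix "scans/$($latest.name)/scanResults"
$findings = @($results.value | Where-Object { $_.properties.status -eq "Finding" })
"Open findings: {0}" -f $findings.Count
$findings | ForEach-Object { "  {0}" -f $_.properties.ruleId }

# 4. Accept the latest results as the baseline ("Database Sql Vulnerability Assessment
#    Baselines"); this is the REST equivalent of the page's latestScan ARM example.
$baselineBody = @{ properties = @{ latestScan = $true } } | ConvertTo-Json -Depth 3
Invoke-VaApi -Method PUT -Suffix "baselines/default" -Body $baselineBody | Out-Null
"Baseline updated from the latest scan results."
```

Step 4 is the part to treat with care: baselining every current result silences those findings in future scans the same way a disable rule does, so run it only after reviewing the list printed in step 3. For the master database, swap the databases/<name> segment for databases/master, matching the page's last ARM example.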

Azure CLI

Invoke express configuration using Azure CLI.