Azure Defender for SQL

APPLIES TO: Azure SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics

Azure Defender for SQL is a unified package for advanced SQL security capabilities. Azure Defender is available for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. It includes functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database. It provides a single go-to location for enabling and managing these capabilities.

What are the benefits of Azure Defender for SQL?

Azure Defender provides a set of advanced SQL security capabilities, including SQL Vulnerability Assessment and Advanced Threat Protection.

  • Vulnerability Assessment is an easy-to-configure service that can discover, track, and help you remediate potential database vulnerabilities. It provides visibility into your security state, and it includes actionable steps to resolve security issues and enhance your database fortifications.
  • Advanced Threat Protection detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit your database. It continuously monitors your database for suspicious activities, and it provides immediate security alerts on potential vulnerabilities, Azure SQL injection attacks, and anomalous database access patterns. Advanced Threat Protection alerts provide details of the suspicious activity and recommend action on how to investigate and mitigate the threat.

Enable Azure Defender for SQL once to enable all these included features. With one click, you can enable Azure Defender for all databases on your server in Azure or in your SQL Managed Instance. Enabling or managing Azure Defender settings requires belonging to the SQL security manager role, or one of the database or server admin roles.

For more information about Azure Defender for SQL pricing, see the Azure Security Center pricing page.

Enable Azure Defender

There are multiple ways to enable Azure Defender plans. You can enable it at the subscription level (recommended) from Azure Security Center or programmatically, as described in the following sections.

Alternatively, you can enable it at the resource level as described in Enable Azure Defender for Azure SQL Database at the resource level.

Enable Azure Defender for Azure SQL Database at the subscription level from Azure Security Center

To enable Azure Defender for Azure SQL Database at the subscription level from within Azure Security Center:

  1. From the Azure portal, open Security Center.

  2. From Security Center's menu, select Pricing and settings.

  3. Select the relevant subscription.

  4. Change the plan setting to On.

    Enabling Azure Defender for Azure SQL Database at the subscription level.

  5. Select Save.

Enable Azure Defender plans programmatically

The flexibility of Azure allows for a number of programmatic methods for enabling Azure Defender plans.

Use any of the following tools to enable Azure Defender for your subscription:

Method          Instructions
REST API        Pricings API
Azure CLI       az security pricing
PowerShell      Set-AzSecurityPricing
Azure Policy    Bundle Pricings
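As an added example (not from the original page), the following PowerShell script uses the Set-AzSecurityPricing cmdlet listed above to turn on the Azure Defender for SQL plan (pricing name SqlServers) in every subscription the signed-in account can see, reading the tier back afterwards to confirm the change. It assumes the Az.Accounts and Az.Security modules are installed and Connect-AzAccount has already been run.

```powershell
# Added example: enable the Azure Defender for SQL plan ("SqlServers") on every
# visible subscription and report before/after state.
# Assumes Az.Accounts and Az.Security are installed and Connect-AzAccount has run.
$planName = 'SqlServers'   # plan covering Azure SQL Database and SQL Managed Instance

function Enable-DefenderForSql {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId
    )
    Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

    # Record the current tier before touching it so the run is auditable
    $before = (Get-AzSecurityPricing -Name $planName).PricingTier
    if ($before -eq 'Standard') {
        return [pscustomobject]@{ SubscriptionId = $SubscriptionId; Before = $before; After = $before; Changed = $false }
    }

    # 'Standard' turns the Azure Defender plan on; 'Free' turns it off
    Set-AzSecurityPricing -Name $planName -PricingTier 'Standard' | Out-Null

    # Re-read instead of trusting the cmdlet's return value, so the report shows what the service stored
    $after = (Get-AzSecurityPricing -Name $planName).PricingTier
    [pscustomobject]@{ SubscriptionId = $SubscriptionId; Before = $before; After = $after; Changed = ($after -ne $before) }
}

$report = foreach ($sub in Get-AzSubscription) {
    try {
        Enable-DefenderForSql -SubscriptionId $sub.Id
    } catch {
        # Keep going on failures (for example, missing security admin rights) and record them
        [pscustomobject]@{ SubscriptionId = $sub.Id; Before = 'error'; After = $_.Exception.Message; Changed = $false }
    }
}

$report | Format-Table -AutoSize
```

Any subscription whose After column is not Standard needs follow-up; the same cmdlets with -PricingTier 'Free' would revert the change if required.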

Enable Azure Defender for Azure SQL Database at the resource level

We recommend enabling Azure Defender plans at the subscription level, because this helps prevent the creation of unprotected resources. However, if you have an organizational reason to enable Azure Defender at the server level, use the following steps:

  1. From the Azure portal, open your server or managed instance.

  2. Under the Security heading, select Security Center.

  3. Select Enable Azure Defender for SQL.

    Enable Azure Defender for SQL from within Azure SQL databases.

Note

A storage account is automatically created and configured to store your Vulnerability Assessment scan results. If you've already enabled Azure Defender for another server in the same resource group and region, then the existing storage account is used.

The cost of Azure Defender is aligned with Azure Security Center standard tier pricing per node, where a node is the entire server or managed instance. You are thus paying only once for protecting all databases on the server or managed instance with Azure Defender. You can try Azure Defender out initially with a free trial.

Manage Azure Defender settings

To view and manage Azure Defender settings:

  1. From the Security area of your server or managed instance, select Security Center.

    On this page, you'll see the status of Azure Defender for SQL:

    Checking the status of Azure Defender for SQL inside Azure SQL databases.

  2. If Azure Defender for SQL is enabled, you'll see a Configure link as shown in the previous graphic. To edit the settings for Azure Defender for SQL, select Configure.

    Settings for Azure Defender for SQL.

  3. Make the necessary changes and select Save.

Next steps