Microsoft Defender for SQL

Applies to: Azure SQL Database Azure SQL Managed Instance Azure Synapse Analytics

Microsoft Defender for SQL is a Defender plan in Microsoft Defender for Cloud. Microsoft Defender for SQL includes functionality for surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database. It provides a single go-to location for enabling and managing these capabilities.

What are the benefits of Microsoft Defender for SQL?

Microsoft Defender for SQL provides a set of advanced SQL security capabilities, including SQL Vulnerability Assessment and Advanced Threat Protection.

  • Vulnerability Assessment is an easy-to-configure service that can discover, track, and help you remediate potential database vulnerabilities. It provides visibility into your security state, and it includes actionable steps to resolve security issues and enhance your database fortifications.
  • Advanced Threat Protection detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit your database. It continuously monitors your database for suspicious activities, and it provides immediate security alerts on potential vulnerabilities, Azure SQL injection attacks, and anomalous database access patterns. Advanced Threat Protection alerts provide details of the suspicious activity and recommend action on how to investigate and mitigate the threat.

Enable Microsoft Defender for SQL once to enable all these included features. With one select, you can enable Microsoft Defender for all databases on your server in Azure or in your SQL Managed Instance. Enabling or managing Microsoft Defender for SQL settings requires belonging to the SQL security manager role, or one of the database or server admin roles.

For more information about Microsoft Defender for SQL pricing, see the Microsoft Defender for Cloud pricing page.

Enable Microsoft Defender for SQL

There are multiple ways to enable Microsoft Defender plans. You can enable it at the subscription level (recommended) either:

Alternatively, you can enable it at the resource level as described in Enable Microsoft Defender for Azure SQL Database at the resource level.

When you enable on the subscription level, all databases in Azure SQL Database and Azure SQL Managed Instance are protected. You can then disable them individually if you choose. If you want to manually manage which databases are protected, disable at the subscription level and enable each database that you want protected.

Enable Microsoft Defender for Azure SQL Database at the subscription level in Microsoft Defender for Cloud

To enable Microsoft Defender for Azure SQL Database at the subscription level from within Microsoft Defender for Cloud:

  1. From the Azure portal, open Defender for Cloud.

  2. From Defender for Cloud's menu, select Environment Settings.

  3. Select the relevant subscription.

  4. Change the plan setting to On.

    Screenshot showing enabling Microsoft Defender for Azure SQL Database at the subscription level.

  5. Select Save.

Enable Microsoft Defender plans programatically

The flexibility of Azure allows for several programmatic methods for enabling Microsoft Defender plans.

Use any of the following tools to enable Microsoft Defender for your subscription:

Method Instructions
REST API Pricings API
Azure CLI az security pricing
PowerShell Set-AzSecurityPricing
Azure Policy Bundle Pricings

Enable Microsoft Defender for Azure SQL Database at the resource level

We recommend enabling Microsoft Defender plans at the subscription level so that new resources are automatically protected. However, if you have an organizational reason to enable Microsoft Defender for Cloud at the server level, use the following steps:

  1. From the Azure portal, open your server or managed instance.

  2. Under the Security heading, select Defender for Cloud.

  3. Select Enable Microsoft Defender for SQL.

    Screenshot showing Enable Microsoft Defender for SQL from within Azure SQL databases.

Note

A storage account is automatically created and configured to store your Vulnerability Assessment scan results. If you've already enabled Microsoft Defender for another server in the same resource group and region, then the existing storage account is used.

The cost of Microsoft Defender for SQL is aligned with Microsoft Defender for Cloud standard tier pricing per node, where a node is the entire server or managed instance. You are thus paying only once for protecting all databases on the server or managed instance with Microsoft Defender for SQL. You can evaluate Microsoft Defender for Cloud with a free trial.

Manage Microsoft Defender for SQL settings

To view and manage Microsoft Defender for SQL settings:

  1. From the Security area of your server or managed instance, select Defender for Cloud.

    On this page, you see the status of Microsoft Defender for SQL (disabled or enabled):

    Screenshot showing status as enabled or disabled.

  2. If Microsoft Defender for SQL is enabled, you see a Configure link as shown in the previous graphic. To edit the settings for Microsoft Defender for SQL, select Configure.

    Screenshot showing Configure screen for Microsoft Defender for SQL.

  3. Make the necessary changes and select Save.

Next steps