Important
All Microsoft Defender for Cloud features will be officially retired in the Azure in China region on August 18, 2026. Due to this upcoming retirement, Azure in China customers are no longer able to onboard new subscriptions to the service. A new subscription is any subscription that was not already onboarded to the Microsoft Defender for Cloud service prior to August 18, 2025, the date of the retirement announcement. For more information on the retirement, see Microsoft Defender for Cloud Deprecation in Microsoft Azure Operated by 21Vianet Announcement.
Customers should work with their account representatives for Microsoft Azure operated by 21Vianet to assess the impact of this retirement on their own operations.
SQL vulnerability assessment is an easy-to-configure service that can discover, track, and help you remediate potential database vulnerabilities. Use it to proactively improve your database security for:
- Azure SQL Database
- Azure SQL Managed Instance
- Azure Synapse Analytics
Vulnerability assessment is part of Microsoft Defender for Azure SQL, a unified package for advanced SQL security capabilities. You can access and manage vulnerability assessment from each SQL database resource in the Azure portal.
Note
Vulnerability assessment is supported for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. Databases in Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics are collectively referred to as databases in this article. The server refers to the server that hosts databases for Azure SQL Database and Azure Synapse.
What is SQL vulnerability assessment?
SQL vulnerability assessment provides visibility into your database security state. It includes actionable steps to resolve security issues and enhance your SQL security posture.
Vulnerability assessment is a scanning service built into Azure SQL. It uses a knowledge base of rules that flag security vulnerabilities and deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data.
The rules are based on Microsoft's best practices and focus on the security issues that present the biggest risks to your database and its valuable data. They cover database-level issues and server-level security issues, like server firewall settings and server-level permissions.
Scan results include actionable steps to resolve each issue and provide customized remediation scripts where applicable. Customize an assessment report for your environment by setting an acceptable baseline for:
- Permission configurations.
- Feature configurations.
- Database settings.
Configuration models
SQL vulnerability assessment supports two configuration models:
Express configuration
In the express configuration, Microsoft Defender for Cloud manages storage for vulnerability assessment scan results. No customer-managed storage account is required.
Scan results are stored in the same Azure region as the logical SQL server.
Permissions
| Task | Required roles |
|---|---|
| View SQL vulnerability assessment results in Microsoft Defender for Cloud recommendations | Security Admin or Security Reader |
| Change SQL vulnerability assessment settings | SQL Security Manager |
| Access resource-level scan results or automated email links | SQL Security Manager |
Data residency
Scan results are stored in the same Azure region as the logical SQL server. Data is collected and stored only when SQL vulnerability assessment is enabled.
Classic configuration
In the classic configuration, scan results are stored in a customer-managed Azure Storage account that you configure. You control the storage account location, access model, and resiliency.
Permissions
| Task | Required roles |
|---|---|
| View SQL vulnerability assessment results in Microsoft Defender for Cloud recommendations | Security Admin or Security Reader |
| Change SQL vulnerability assessment settings | SQL Security Manager and Storage Blob Data Reader and Owner (on the storage account) |
| Access resource-level scan results or automated email links | SQL Security Manager and Storage Blob Data Reader |
Data residency
Scan results are stored in the Azure Storage account you configure. The storage account location determines data residency.
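The two configuration models are set up differently: the express model needs no storage account and is enabled on the logical server, while the classic model is enabled by pointing the server at a storage account you own (which is why the classic permissions table above also lists Storage Blob Data Reader and Owner). The following Az PowerShell script is an added example, not code from the Microsoft Learn page or from the Defender for Cloud product; the resource group, server, database, storage account and mailbox names are placeholders, the REST API version used for the express model is an assumption to check against the current reference, and the script requires the Az.Accounts and Az.Sql modules with an active `Connect-AzAccount` session.

```powershell
# Added example (not from the original page). Assumed names throughout.
$rg      = 'rg-sql-prod'             # assumed resource group
$server  = 'sql-prod-01'             # assumed logical SQL server
$db      = 'appdb'                   # assumed user database on that server
$storage = 'stvaresults'             # assumed storage account (classic model only)
$notify  = @('secops@contoso.example')  # assumed notification mailbox

# Vulnerability assessment is part of Microsoft Defender for Azure SQL, so the
# server-level Defender plan has to be on before either model does anything.
function Enable-DefenderForSql {
    Enable-AzSqlServerAdvancedDataSecurity -ResourceGroupName $rg -ServerName $server | Out-Null
}

# Express configuration: Defender for Cloud manages the result storage, so the
# only setting to flip is the server's sqlVulnerabilityAssessments state.
# Az.Sql has no dedicated cmdlet for this; the ARM resource is called directly.
# ASSUMPTION: api-version 2022-02-01-preview; verify against current docs.
function Enable-ExpressVa {
    $sub  = (Get-AzContext).Subscription.Id
    $path = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Sql/servers/$server" +
            "/sqlVulnerabilityAssessments/default?api-version=2022-02-01-preview"
    $resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload '{"properties":{"state":"Enabled"}}'
    if ($resp.StatusCode -notin 200, 201) {
        throw "Express enablement failed ($($resp.StatusCode)): $($resp.Content)"
    }
    return $resp.StatusCode
}

# Classic configuration: scan results land in a container of your storage
# account; recurring scans and email notification are server settings.
# The caller needs SQL Security Manager plus Storage Blob Data Reader/Owner.
function Enable-ClassicVa {
    Update-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName $rg -ServerName $server `
        -StorageAccountName $storage -ScanResultsContainerName 'vulnerability-assessment' `
        -RecurringScansInterval Weekly -EmailAdmins $true -NotificationEmail $notify | Out-Null
    # Read the setting back so a typo in the storage account name shows up now,
    # not at the next scheduled scan.
    return Get-AzSqlServerVulnerabilityAssessmentSetting -ResourceGroupName $rg -ServerName $server
}

# On-demand scan of one database, then the newest scan record with its
# failed-check count. Works for either model; results location differs.
function Start-VaScanAndReport {
    $scanId = "manual-$(Get-Date -Format yyyyMMddHHmm)"
    Start-AzSqlDatabaseVulnerabilityAssessmentScan -ResourceGroupName $rg -ServerName $server `
        -DatabaseName $db -ScanId $scanId | Out-Null
    Get-AzSqlDatabaseVulnerabilityAssessmentScanRecord -ResourceGroupName $rg -ServerName $server -DatabaseName $db |
        Sort-Object StartTime -Descending |
        Select-Object -First 1 ScanId, TriggerType, State, NumberOfFailedSecurityChecks, ScanResultsLocationPath
}

Enable-DefenderForSql
# Pick exactly one model for a server; both functions are shown for comparison.
# Enable-ExpressVa
Enable-ClassicVa | Format-List StorageAccountName, ScanResultsContainerName, RecurringScansInterval, EmailAdmins
Start-VaScanAndReport | Format-List
```

Run it with the placeholder names replaced; the `ScanResultsLocationPath` in the final record is the quickest way to confirm where a given model actually wrote its results (a customer storage path for classic, none for express).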
Configuration model comparison
The following table compares the capabilities and behavior differences between the express and classic configurations:
| Parameter | Express configuration | Classic configuration |
|---|---|---|
| Supported SQL flavors | • Azure SQL Database • Azure Synapse Dedicated SQL Pools (formerly Azure SQL Data Warehouse) | • Azure SQL Database • Azure SQL Managed Instance • Azure Synapse Analytics |
| Supported policy scope | • Subscription • Server | • Subscription • Server • Database |
| Dependencies | None | Azure storage account |
| Recurring scan | • Always active • Scan scheduling is internal and not configurable | • Configurable on/off • Scan scheduling is internal and not configurable |
| System databases scan | • Scheduled scan • Manual scan | • Scheduled scan only if there's one user database or more • Manual scan every time a user database is scanned |
| Supported rules | All vulnerability assessment rules for the supported resource type | All vulnerability assessment rules for the supported resource type |
| Baseline settings | • Batch – several rules in one command • Set by latest scan results • Single rule | • Single rule |
| Apply baseline | Takes effect without rescanning the database | Takes effect only after rescanning the database |
| Single rule scan result size | Maximum of 1 MB | Unlimited |
| Email notifications | • Logic Apps | • Internal scheduler • Logic Apps |
| Scan export | Azure Resource Graph | Excel format, Azure Resource Graph |
| Supported clouds | | |
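Azure Resource Graph is the scan-export path that both configuration models share, which makes it the natural place to build a cross-subscription view of open findings regardless of which model each server uses. The query below is an added example, not from the Microsoft Learn page or the Defender for Cloud product: it assumes the Az.ResourceGraph module, and the `securityresources` table layout it relies on (the `subassessments` type, the `SqlServerVulnerability` value of `assessedResourceType`, and the `status`, `id`, `displayName` and `resourceDetails` properties) is taken from the Defender for Cloud sub-assessment schema as the author understands it and should be verified in your tenant before the numbers are trusted.

```powershell
# Added example (not from the original page). Requires Az.ResourceGraph and an
# active Connect-AzAccount session with reader rights on the subscriptions.
# ASSUMPTION: field names below follow the Defender for Cloud sub-assessment
# schema; check one raw record with `Search-AzGraph -Query "securityresources | take 1"`.

function Get-OpenSqlVaFindings {
    param(
        [string]$Severity = ''     # optional filter: High, Medium or Low
    )

    $query = @"
securityresources
| where type == 'microsoft.security/assessments/subassessments'
| where properties.additionalData.assessedResourceType == 'SqlServerVulnerability'
| extend status   = tostring(properties.status.code),
         severity = tostring(properties.status.severity),
         rule     = tostring(properties.id),
         title    = tostring(properties.displayName),
         target   = tostring(properties.resourceDetails.id)
| where status == 'Unhealthy'
| summarize findings = count(), rules = make_set(rule), titles = make_set(title) by target, severity
| order by severity asc, findings desc
"@

    # Resource Graph pages results; -First 1000 is the per-call ceiling, so a
    # large estate needs -Skip loops. One call is enough to demonstrate the shape.
    $rows = Search-AzGraph -Query $query -First 1000
    if ($Severity) { $rows = $rows | Where-Object severity -eq $Severity }
    return $rows
}

# Usage: high-severity open findings first, one line per database and severity.
Get-OpenSqlVaFindings -Severity 'High' |
    Select-Object target, severity, findings, @{ n = 'rules'; e = { $_.rules -join ',' } } |
    Format-Table -AutoSize
```

Because the query keys on the sub-assessment resource rather than on where scan results are stored, the same report covers express servers (Defender-managed storage) and classic servers (your storage account) without knowing which model each one uses; only the classic model additionally offers the Excel export listed in the table.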
Related content
- Enable SQL vulnerability assessments
- Express configuration common questions and troubleshooting.
- Learn more about Microsoft Defender for Azure SQL.
- Learn more about data discovery and classification.
- Learn more about storing vulnerability assessment scan results in a storage account accessible behind firewalls and VNets.
- Find and remediate SQL vulnerability assessment findings