SQL Server vulnerability assessments should be enabled

Description

The SQL vulnerability assessment service scans databases for known security vulnerabilities and highlights issues such as misconfigurations, excessive permissions, and unprotected sensitive data. To enable vulnerability assessments, a storage account must be configured to store scan results.

Remediation Steps

Azure Portal

  • Navigate to SQL servers.

  • Select the SQL server and in the left navigation, select Security Center.

  • Select Enable Azure Defender for SQL if not already enabled.

  • In Azure Defender for SQL: Enabled at the subscription-level, select Configure.

  • Under VULNERABILITY ASSESSMENT SETTINGS, click Select storage account.

  • Select the storage account where you want scan results to be stored.

  • Click Save.

Azure PowerShell

  • Enable Azure Defender for SQL, if not already enabled:

    • Set-AzSqlServerThreatDetectionPolicy -ResourceGroupName "<resource group name>" -ServerName "<server name>" -EmailAdmins $True

  • Enable the vulnerability assessment service by setting a storage account:

    Update-AzSqlServerVulnerabilityAssessmentSetting `
      -ResourceGroupName "<resource group name>" `
      -ServerName "<server name>" `
      -StorageAccountName "<storage name from same subscription and same location>" `
      -ScanResultsContainerName "vulnerability-assessment" `
      -RecurringScansInterval Weekly `
      -EmailSubscriptionAdmins $true `
      -NotificationEmail @("mail1@mail.com", "mail2@mail.com")
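The steps above configure one server at a time. The following script is an added example, not part of the original page or of any Azure tooling: it audits every SQL server in the current subscription with Get-AzSqlServerVulnerabilityAssessmentSetting, reports which ones have no scan-results storage account configured (vulnerability assessment is effectively off for those), and, only when run with -Remediate, applies the same Update-AzSqlServerVulnerabilityAssessmentSetting call shown above. It assumes the Az.Accounts and Az.Sql modules are installed, Connect-AzAccount has already been run, Azure Defender for SQL is enabled on the servers being remediated, and that the $StorageAccountName and $NotificationEmail values are placeholders you replace.

```powershell
# Added example (not from the original page): audit all SQL servers in the
# current subscription for vulnerability-assessment (VA) configuration and
# optionally remediate non-compliant ones.
# Assumes Az.Accounts and Az.Sql are installed and Connect-AzAccount has run.
# $StorageAccountName and $NotificationEmail are placeholder values.
param(
    [string]   $StorageAccountName = "<storage name from same subscription and same location>",
    [string[]] $NotificationEmail  = @("security@example.com"),   # constructed placeholder
    [switch]   $Remediate
)

$findings = foreach ($server in Get-AzSqlServer) {
    $va = $null
    try {
        $va = Get-AzSqlServerVulnerabilityAssessmentSetting `
                -ResourceGroupName $server.ResourceGroupName `
                -ServerName $server.ServerName
    } catch {
        # Reading the setting fails when Defender for SQL is not enabled on the
        # server; treat that as VA not configured rather than stopping the audit.
        Write-Warning "$($server.ServerName): could not read VA settings ($($_.Exception.Message))"
    }

    # A server is compliant only when a scan-results storage account is set;
    # an empty StorageAccountName means no scans are being stored.
    $enabled = ($null -ne $va) -and -not [string]::IsNullOrEmpty($va.StorageAccountName)

    [pscustomobject]@{
        ResourceGroup  = $server.ResourceGroupName
        Server         = $server.ServerName
        VAEnabled      = $enabled
        StorageAccount = if ($va) { $va.StorageAccountName } else { $null }
        RecurringScans = if ($va) { $va.RecurringScansInterval } else { $null }
        EmailAdmins    = if ($va) { $va.EmailSubscriptionAdmins } else { $null }
    }
}

# Report every server; non-compliant ones show VAEnabled = False.
$findings | Sort-Object VAEnabled, Server | Format-Table -AutoSize

$nonCompliant = @($findings | Where-Object { -not $_.VAEnabled })
Write-Host "Servers without vulnerability assessment: $($nonCompliant.Count) of $(@($findings).Count)"

if ($Remediate -and $nonCompliant.Count -gt 0) {
    foreach ($f in $nonCompliant) {
        # Same call as the manual step above, applied per non-compliant server.
        # Requires Defender for SQL to already be enabled on that server.
        Update-AzSqlServerVulnerabilityAssessmentSetting `
            -ResourceGroupName $f.ResourceGroup `
            -ServerName $f.Server `
            -StorageAccountName $StorageAccountName `
            -ScanResultsContainerName "vulnerability-assessment" `
            -RecurringScansInterval Weekly `
            -EmailSubscriptionAdmins $true `
            -NotificationEmail $NotificationEmail
    }
}
```

Run it without -Remediate first to get a read-only inventory; the storage account passed on remediation must live in the same subscription and region as each server, so in a multi-region subscription you would typically group the non-compliant servers by Location before applying the fix.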