Express configuration vulnerability findings

Microsoft Defender for Cloud provides vulnerability assessment for your Azure SQL databases. Scans detect software vulnerabilities and return findings. You can remediate vulnerabilities or disable findings when needed.

Prerequisites

  • Make sure you know whether you're using the express or classic configuration models before you continue.

    To see which configuration you're using:

    1. In the Azure portal, open the specific resource in Azure SQL Database, Azure SQL Managed Instance, or Azure Synapse.
    2. Under the Security heading, select Defender for Cloud.
    3. In the Enablement Status, select Configure to open the Microsoft Defender for SQL settings pane for either the entire server or managed instance.

    If the vulnerability settings show the option to configure a storage account, you're using the classic configuration. If not, you're using the express configuration.

Express configuration

Important

Express Configuration is generally available for Azure SQL Managed Instance and Azure Synapse Analytics Workspaces. This extends the generally available Microsoft-managed experience for Azure SQL Database, at no additional cost.

This release allows you to enable SQL VA without configuring a customer-managed storage account. Express Configuration is the recommended enablement mode and provides the same security value as Classic Configuration with a simplified setup.

A unified REST API (v2026-04-01-preview) manages SQL VA consistently across Azure SQL Database, SQL Managed Instance, Synapse Workspaces, and SQL on machines (Azure VM and Arc-enabled SQL).

View scan history

Select Scan History in the vulnerability assessment pane to view a history of all scans previously run on this database.

Express configuration doesn't store scan results if they're identical to previous scans. The scan time shown in the scan history is the time of the last scan where the scan results changed.

Disable specific findings from Microsoft Defender for Cloud (preview)

If you have an organizational need to ignore a finding rather than remediate it, you can disable the finding. Disabled findings don't impact your secure score or generate unwanted noise. You can see the disabled finding in the "Not applicable" section of the scan results.

When a finding matches the criteria you've defined in your disable rules, it won't appear in the list of findings. Typical scenarios might include:

  • Disable findings with medium or lower severity
  • Disable findings that are non-patchable
  • Disable findings from benchmarks that aren't of interest for a defined scope

Important

To disable specific findings, you need permissions to edit a policy in Azure Policy. Learn more in Azure RBAC permissions in Azure Policy.

To create a rule:

  1. From the recommendations detail page for Vulnerability assessment findings on your SQL servers on machines should be remediated, select Disable rule.

  2. Select the relevant scope.

  3. Define your criteria. You can use any of the following criteria:

    • Finding ID
    • Severity
    • Benchmarks

  4. Select Apply rule. Changes can take up to 24 hours to take effect.

To view, override, or delete a rule:

  1. Select Disable rule.
  2. From the scope list, subscriptions with active rules show as Rule applied.
  3. To view or delete the rule, select the ellipsis menu ("...").

Configure email notifications using Azure Logic Apps

To receive regular updates of the vulnerability assessment status for your database, you can use the customizable Azure Logic Apps template.

Using this template lets you:

  • Choose the timing of the email reports.
  • Have a consistent view of your vulnerability assessment status that includes disabled rules.
  • Send reports for Azure SQL Servers and SQL VMs.
  • Customize report structure and appearance to match your organizational standards.

Manage vulnerability assessments programmatically

You can manage SQL vulnerability assessment programmatically by using REST APIs, Azure Resource Manager templates, PowerShell, or Azure CLI.

The unified SQL vulnerability assessment API version 2026-04-01-preview is recommended for Azure SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics workspaces, and SQL on machines.

Azure Resource Manager templates

Use the SQL vulnerability assessments ARM template reference to manage SQL vulnerability assessment resources by using Azure Resource Manager templates or Bicep.

PowerShell

Express configuration isn't supported in PowerShell cmdlets, but you can use PowerShell to invoke the latest vulnerability assessment capabilities by using the REST API. For example, you can:
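The following script is an added example, not code from this page or from Microsoft: it uses the Az PowerShell module's Invoke-AzRestMethod (which handles authentication from your Connect-AzAccount session) to read and, if needed, enable the express-configuration vulnerability assessment setting on a logical server, then list stored scans for a database. The resource paths, the request body and the scan properties shown are assumptions to confirm against the REST reference for your API version; the api-version is the unified one named on this page.

```powershell
# Added example (not from the page): manage express-configuration SQL VA over
# REST from PowerShell, since no cmdlet wraps express configuration.
# Requires Az.Accounts and an active Connect-AzAccount session.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ResourceGroup,
    [Parameter(Mandatory)] [string] $ServerName,
    [string] $DatabaseName = 'master'
)

$apiVersion = '2026-04-01-preview'   # unified API version named on this page

# Assumed resource path for the server-level express VA setting.
$path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.Sql/servers/$ServerName" +
        "/sqlVulnerabilityAssessments/default?api-version=$apiVersion"

# Read the current state first so the script is idempotent and leaves an
# audit trail of what it found before changing anything.
$current = Invoke-AzRestMethod -Method GET -Path $path
if ($current.StatusCode -ne 200) {
    throw "GET failed with HTTP $($current.StatusCode): $($current.Content)"
}
$state = ($current.Content | ConvertFrom-Json).properties.state
Write-Host "Current express VA state on ${ServerName}: $state"

if ($state -ne 'Enabled') {
    # Assumed body shape. No storage account is needed: express configuration
    # stores results for you.
    $body = @{ properties = @{ state = 'Enabled' } } | ConvertTo-Json
    $resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body
    if ($resp.StatusCode -notin 200, 201) {
        throw "PUT failed with HTTP $($resp.StatusCode): $($resp.Content)"
    }
    Write-Host "Express VA enabled on $ServerName"
}

# List stored scans for one database (assumed path). Express configuration only
# stores a scan whose results differ from the previous one, so the newest entry
# is the last scan where findings changed, not necessarily the last scan run.
$scansPath = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
             "/providers/Microsoft.Sql/servers/$ServerName/databases/$DatabaseName" +
             "/sqlVulnerabilityAssessments/default/scans?api-version=$apiVersion"
$scans = Invoke-AzRestMethod -Method GET -Path $scansPath
if ($scans.StatusCode -eq 200) {
    ($scans.Content | ConvertFrom-Json).value |
        Select-Object -ExpandProperty properties |
        Select-Object state, startTime, endTime |   # assumed property names
        Format-Table -AutoSize
}
```

Run it with the subscription, resource group and server name of a server you administer; the account needs rights to read and write the server's security settings.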

Azure CLI

Use the Azure CLI commands for express configuration to enable and manage vulnerability assessment from the command line.