Azure SQL Database
An Azure relational database service.
5,765 questions
Vulnerability Assessment and Advanced Threat Protection not being automatically enabled.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 5%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)
Adam Rice
0
Reputation points
I have been trying to get Vulnerability Assessment (VA) and Advanced Threat Protection (ATP) enabled on my Azure SQL databases without much luck. The behaviour I am seeing contradicts the documentation.
Following Microsoft's recommended approach I enabled Defender for SQL at the subscription level.
According to the documentation, with this setup, protection of resources should be automatic.
We recommend enabling Microsoft Defender plans at the subscription level so that new resources are automatically protected.
When you enable the Defender for Azure SQL plan in Defender for Cloud, Defender for Cloud automatically enables Advanced Threat Protection and vulnerability assessment with the express configuration for all Azure SQL databases in the selected subscription.
However in reality, it seems that both VA and ATP need to be enabled manually.
Initially after deployment both the SQL Server and SQL Database resources show Defender for SQL as being "Not configure" on the Overview blade and "Disabled" on the Microsoft Defender for Cloud blade.
After waiting about 7 or 8 minutes this changes.
Both the SQL Server and DB resources show that it is Partially Configured (Overview blade) and "Enabled at the subscription-level" on the Defender blade.
Also, the yellow box has appeared informing me that VA is not configured and I'm invited to Enable this. My understanding of the documentation was that this step should not be required and VA should be automatically enabled.
I click the Enable button.
I'm now able to run VA scans from the Defender blade and view the results.
There is nothing in the Azure portal that I can see for configuring ATP. I used the CLI to check the status, and it is showing as disabled.
I use the Azure CLI to enable ATP on my database.
At this point the SQL Server resource shows Defender as being Configured (Overview blade)
and "Enabled at the subscription-level" on the Defender blade.
Below is what that configuration page looks like:
Questions:
- After all the above, the DB is still showing Defender as being "Partially Configured" on the Overview blade. What else needs configuring to make this show as Configured?
- The documentation clearly states that when you enable Defender at the subscription-level, VA and ATP are enabled on all DBs in the selected subscription. Why are they not being enabled automatically?
{count} votes
-
Oury Ba-MSFT 19,581 Reputation points Microsoft Employee2024-09-05T19:47:48.1366667+00:00 @Adam Rice Thank you for reaching out and sorry about the issue you are facing.
Is this the same issue as https://learn.microsoft.com/en-us/answers/questions/1846076/why-are-advanced-threat-protection-and-vulnerabili ?
-
Oury Ba-MSFT 19,581 Reputation points Microsoft Employee
2024-09-05T19:58:22.1366667+00:00 @Adam Rice I have read and understand the doc. I would need to reproduce this end from end and get back to you shortly.
Regards,
Oury
-
Oury Ba-MSFT 19,581 Reputation points Microsoft Employee
2024-09-05T21:31:14+00:00 Enable Defender for SQL at the Subscription Level: You’ve already done this, which is the recommended approach. This should automatically enable VA and ATP for all databases in the subscription. And the doc is correct.
I have also followed the same approach and VA and ATP are enabled for my DB resource.
I believe you are experiencing a delay issue. Could you please confirm now if both are enabled in the Azure Portal.
Additional info:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/faq-defender-for-databases
If I enable this Microsoft Defender plan on my subscription, are all SQL servers on the subscription protected?
No. To defend a SQL Server deployment on an Azure virtual machine, or a SQL Server running on an Azure Arc-enabled machine, Defender for Cloud requires:
- a Log Analytics agent on the machine
- the relevant Log Analytics workspace to have the Microsoft Defender for SQL solution enabled
The subscription status, shown in the SQL server page in the Azure portal, reflects the default workspace status and applies to all connected machines. Only the SQL servers on hosts with a Log Analytics agent reporting to that workspace are protected by Defender for Cloud
-
Adam Rice 0 Reputation points
2024-09-06T07:13:06.39+00:00 See next reply.
-
Adam Rice 0 Reputation points
2024-09-06T07:17:08.6233333+00:00 Hi @Oury Ba-MSFT ,
- Yes I raised the issue twice. When I tried to submit the question the page errored. I tried looking for my question to see if had been submitted, couldn't find it so re-raised it. After that I was able to find the first one. This site doesn't seem to allow you to delete questions, so we have a duplicate.
- I don't believe it's a delay. At the time I'd waited over 24 hours and the status of VA and ATP on the resources didn't change.
-
Adam Rice 0 Reputation points
2024-09-06T07:42:57.4633333+00:00 @Oury Ba-MSFT could you run this command please?
az sql db advanced-threat-protection-setting show --resource-group {resource-group} --server {sql-server} --name {db-name}I'd like to verify that you are indeed seeing ATP enabled on the DB because mine is showing as Disabled (this DB was created 1 month ago).
-
Oury Ba-MSFT 19,581 Reputation points Microsoft Employee
2024-09-06T21:32:43.61+00:00 @Adam Rice Thank you for getting back to me.
Sure, let me try the code from my end and update you.
Did you by chance created a support case for deeper investigation. Let me confirm if the above CLI code is working first.
Regards,
Oury
-
Oury Ba-MSFT 19,581 Reputation points Microsoft Employee
2024-09-09T22:41:56.8266667+00:00 I used the same CLI code and see that it is disabled as well.
Let me please get more information on this internally and get back.
Regards,
Oury
-
Adam Rice 0 Reputation points
2024-09-10T06:45:11.98+00:00 Hi @Oury Ba-MSFT , that's amazing. Thanks so much for checking further.
To answer your previous question, I do have an active support case. I opened it around the same time I posted the question here, but unfortunately there's been very little progress on it so far.
-
PRADEEPCHEEKATLA 90,226 Reputation points2024-09-11T02:41:21.9+00:00 @Adam Rice - Could you please share the support ticket to track internally?
Once the issue has been resolved with the help of support, please do share the resolution, which might be beneficial to other community members reading this thread.
Sign in to comment
Sign in to answer