Why are Advanced Threat Protection and Vulnerability Assessment not being enabled automatically?
According to the documentation both ATP and VA should be enabled automatically for all DBs when the Defender for SQL plan is enabled at the subscription level.
We recommend enabling Microsoft Defender plans at the subscription level so that new resources are automatically protected.
When you enable the Defender for Azure SQL plan in Defender for Cloud, Defender for Cloud automatically enables Advanced Threat Protection and vulnerability assessment with the express configuration for all Azure SQL databases in the selected subscription.
I have enabled Defender for SQL at the subscription level.
Despite this, I'm not seeing the behaviour described in the documentation. The behaviour I am actually seeing is this.
Vulnerability Assessment
After creating a new SQL Server and Database and navigating to the Defender for Cloud blade, I see this.
It identifies that Defender is enabled at the subscription-level, but VA is NOT enabled automatically and I'm presented with a button to manually Enable it. Clicking this enables VA and I'm able to run VA scans and view the results. However, my testing via the portal is just for education, I'm going to need to do this via Bicep so need to understand the behaviour and why it's different to the documentation.
Advanced Threat Protection
There is nothing I could see in the portal for configuring ATP. I used the Azure CLI to check the status and I could see that it is disabled.
So, using the CLI, I enabled it.
Questions:
- Why are ATP and VA not being enabled automatically? Is this a documentation issue, is there a defect in the behaviour of Defender, or have I misinterpreted the documentation?
- After manually enabling ATP and VA, the SQL DB is still showing Defender as being Partially Configured on the Overview blade. What else is there to get this fully configured?
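For the Bicep route mentioned in the question, an added example (not part of the post) that declares the two server-level settings explicitly instead of relying on the subscription-level plan to turn them on; the `serverName` parameter and the resource types and API versions are assumptions drawn from the Microsoft.Sql resource provider, not from this post.

```bicep
// Added example: explicitly enable Advanced Threat Protection and the
// express-configuration vulnerability assessment on an existing Azure SQL
// logical server. Assumes the server already exists in the target resource
// group; resource types/API versions are taken from the Microsoft.Sql provider.
param serverName string

resource sqlServer 'Microsoft.Sql/servers@2021-11-01' existing = {
  name: serverName
}

// Advanced Threat Protection is the server-level security alert policy.
// Setting state to 'Enabled' is what the portal/CLI "enable" action does.
resource atp 'Microsoft.Sql/servers/securityAlertPolicies@2021-11-01' = {
  parent: sqlServer
  name: 'Default'
  properties: {
    state: 'Enabled'
    emailAccountAdmins: true
  }
}

// Vulnerability assessment, express configuration: no storage account is
// required. ATP has to be enabled first, hence the explicit dependency.
resource va 'Microsoft.Sql/servers/sqlVulnerabilityAssessments@2022-02-01-preview' = {
  parent: sqlServer
  name: 'default'
  properties: {
    state: 'Enabled'
  }
  dependsOn: [
    atp
  ]
}
```

After deployment, checking the server's threat-policy state and the VA state (for example via the Azure CLI used in the question) confirms whether the settings took effect.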