This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 97%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBG%3C/text%3E%3C/svg%3E)
Hi all,
we have a strange issue with Defender for SQL on a SQL-Server in Azure.
All findings on DBs are flagged as "Not applicable" whether with the new express mode or with the old way.
On the VAxxxx itself all the DBs from this SQL-Server are listed unter Dismissed databases.
We do not find any exemption rules or other which would create this behavior.
With the old method we can download also the report and in fact the findings are OK - but they are exempted.
Using a graph query we can see that there is an Exempt from the parent - but like i said - we simply cannot identify from where the exempt does come from
To add:
It worked once without problems - we then moved the entire Subscription to a new Tenant.
After that it has this strange behavior.
Is there a way to reforce this?
Thanks
Hi, @Benjamin Graus Welcome to the Microsoft Q&A forum, Thanks for posting your question.
Currently, I am checking with the internal team and will provide you with more details on the above issue.
Regards
Geetha
Hey @Benjamin Graus
Is Microsoft Defender for Cloud enabled across your new subscription, MDC has to be specifically enabled for each subscription you want it to perform an assessment across and are you paying for MDC protection for SQL databases as there is a cost element involved
Regards
Bill
Hi,
yes of course. Defender for Cloud is enabled. We tried it at subscription level and also server level.
Keep in mind that the vulnerability assessment works fine f.e. on a new deployed SQL-Server + DB in the same ResourceGroup. Also on other DBs from other existing servers in different RG.
Only the existing one, where we used Vulnerability Assessment already prior the move to a new AD-Tenant has this strange behavior.
We tried also to switching back to the classic method of Defender for SQL but with the same result.
The Assessments are skipped / not applicable. But we are unable to find the exemption.
Regards,
Ben
Did you find anything when looking at the exemption configs for “SQL databases should have vulnerability findings resolved”?
Note that the scan export supported in classic configuration does not take into effect exemptions or disabled rules.
Express configuration doesn’t support the export ability at the moment – but all the data should be available in ARG with the correct status, as you’ve queried in your example.
Regards
Geetha
Hi Geetha,
Unfortunately not.
The sql-server is listed under the "healthy resources" but all VAs are Not Applicable
Maybe it's worth to set an excemption rule - wait - and remove it again?
I simply can find the trigger from where this excemption rule is coming from.
First a thought it was the ResourceGroup itself - but after I created a new SQL and turned on Defender it worked on the new DB in the same RG.
Thank You
@Benjamin Graus we need to understand why the status is “Not Applicable”. can send an email with the details.
Don't forget to mention in the subject line ATTN: Geetha
If you find a "solution" I am interested too, as we experience the same issue now. Defender is enabled, but all rules are "not applicable". Last week the rules were checked w/o issue and we did not change any settings by ourself.
@GeethaThatipatri-MSFT I've send you and email with some relevant details, let me know if you need more.
@Florian Pfeffer we've not found a solution until now. Did you moved to the new experience or still on the classic experience?
@Benjamin Graus We are still using the classic experience.
@Benjamin Graus @Florian Pfeffer Thanks for being patience
Please check if you have any exemption rules.
Please follow the steps from the below document for more information and how to remove it:
Regards
Geetha
Hi Geetha,
unfortunately not, that's the point of the thread.
The graph query described here https://learn.microsoft.com/en-us/azure/defender-for-cloud/exempt-resource#find-recommendations-with-exemptions-using-azure-resource-graph does not return any result:
Filter on Inventory within the Defender for cloud blade:
So we are not able to identify from where the exemption does come from...
Also on the Initiative we do not see an exemption:
Hope we can identify the issue. Maybe @Florian Pfeffer can confirm the same issue Regards
@Benjamin Graus @GeethaThatipatri-MSFT Yes, I can confirm the same issue here on my side.
@Benjamin Graus In my case the configuration of the default initiative Azure Security Benchmark was missing in MS Defender for Cloud. Still not clear why that happened, because from our side this initiative was not removed (either directly on subscription or management group level).
You can find the setting in Azure Portal -> MS Defender for Cloud -> Environment Settings -> Choose your management group or subscription for which you want to maintain the setting -> Security Policy -> Default Initiative.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 94%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDS%3C/text%3E%3C/svg%3E)