Vulnerability Scan Assessment Emails not Received after Subscription Transfer

Oti967 0 Reputation points

We recently transferred our subscription to a new tenant. It was previously on classic configuration. I noticed that Weekly Vulnerability scan assessments was sent once but with 'failed to scan' findings which was not accurate.

Essentially, checking the sql databases we couldn't find any findings. So I re-enabled the MDC for SQL using express configuration and now it seems the scan doesn't work as all databases are classified as 'Not Applicable' when scanned. Still no mail is being sent out as before.

I also tried to change back to classic configuration using the powershell script but i get a failure response:

Vulnerability Assessment is enabled on this server or one of its underlying databases with an incompatible version

Kindly help


SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
13,268 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,262 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Carlos Solís Salazar 17,771 Reputation points MVP

    Transferring a subscription to a new tenant in Azure and dealing with the transition from classic to modern configurations can sometimes lead to issues with services like Microsoft Defender for Cloud (MDC) and the Vulnerability Assessment (VA) for SQL databases. Let's address your concerns step by step:

    1. "Failed to Scan" Findings After Transfer

    • Subscription and Tenant Transfer Impact: Transferring a subscription to a new tenant can impact configurations and permissions, which might cause temporary disruptions in services like VA.
    • Re-configuration: After transferring, it's crucial to reconfigure and re-enable services like MDC and VA to ensure they align with the new tenant's settings.
    • Permissions and Roles: Verify that the necessary permissions and roles are correctly assigned in the new tenant. MDC and VA require specific roles for operation.

    2. Databases Classified as 'Not Applicable'

    • Compatibility and Configuration: The 'Not Applicable' status might indicate a compatibility issue with the database configuration or a misconfiguration in MDC.
    • Check Compatibility: Ensure that your SQL databases are compatible with the MDC vulnerability assessment. Some older versions or certain configurations might not support the latest assessment tools.
    • Re-enable Services: Since you've re-enabled MDC for SQL, ensure that the configurations are correctly set up, aligning with the requirements of the VA.

    3. Issues with Changing Back to Classic Configuration

    • Incompatible Versions: The error message suggests that there's a version mismatch between the current VA settings and what the classic configuration expects.
    • Resolving Version Conflicts: To resolve this, you may need to fully disable VA from the SQL databases and the server, then attempt to revert to the classic configuration.
    • Use Azure PowerShell or CLI: Utilize Azure PowerShell or CLI scripts to disable and then re-enable VA to ensure all settings are reset correctly.

    Additional Troubleshooting Steps

    1. Review Azure Activity Logs: Check the Azure activity logs for any errors or warnings that occurred during or after the tenant transfer.
    2. Consult Azure Documentation: Refer to the Microsoft Defender for Cloud documentation and the Vulnerability Assessment documentation for guidance on setting up and troubleshooting these services.
    3. Contact Azure Support: If the issues persist, reaching out to Azure support is advisable. They can provide more detailed assistance, especially considering the complexity of tenant transfers and service configurations.
    4. Monitor for Updates: After reconfiguration, monitor the services for a few days to see if the scans update their status and if the email alerts resume.

    Tenant transfers and configuration changes in Azure can be complex, so it's important to methodically check each component involved in MDC and VA services.

    Accept the answer if the information helped you. This will help us and others in the community as well.