
Defender for Cloud not clearing SQL Vulnerabilities

Tony Windebank 20 Reputation points
2025-10-09T13:29:32.3833333+00:00

I am trying to fix SQL Vulnerabilities. I have removed members from db_owner roles on multiple databases using ALTER ROLE db_owner DROP MEMBER, checking to see if they have been removed (which has been successful) and have run a VA scan on these databases.

For some reason they are either not disappearing or showing as a baseline mismatch. Despite confirming they have been removed from the Databases. I am aware that my vulnerability scans are set to weekly but have a PowerShell script that runs it at will and I know works. All my plans bar the AI plan have been activated.

Has anyone experienced this before?


Answer accepted by question author

SUNOJ KUMAR YELURU 18,336 Reputation points MVP Volunteer Moderator
2025-10-09T15:09:49.09+00:00

Hello @Tony Windebank

You’ve already done most of the right steps — removing users from db_owner, verifying, and triggering a scan manually.

  1. Run this on each database to confirm no unexpected members remain:

     SELECT r.name AS role_name, m.name AS member_name
     FROM sys.database_role_members drm
     JOIN sys.database_principals r ON drm.role_principal_id = r.principal_id
     JOIN sys.database_principals m ON drm.member_principal_id = m.principal_id
     WHERE r.name = 'db_owner';

  2. Trigger a Manual VA Scan (Defender-compatible)
  3. Reset or Update the Baseline
  4. Confirm Defender Sync

If the Answer is helpful, please click Accept Answer and Up-Vote, so that it can help others in the community looking for help on similar topics.
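As an added example (not part of the answer above), the following T-SQL extends the direct-membership check to nested roles: a principal that reaches db_owner through an intermediate custom role still has db_owner rights and would be missed by a direct-membership query. Run it in the context of each database being scanned.

```sql
-- Added example, not from the answer above: walk nested role membership so that
-- every principal that effectively holds db_owner is listed, with the role chain.
-- Run inside the database under review (USE <database>; placeholder).
WITH role_graph AS (
    -- Anchor: direct members of db_owner
    SELECT drm.member_principal_id,
           CAST(r.name AS nvarchar(4000)) AS path_to_db_owner,
           1 AS depth
    FROM sys.database_role_members AS drm
    JOIN sys.database_principals AS r
      ON drm.role_principal_id = r.principal_id
    WHERE r.name = N'db_owner'
    UNION ALL
    -- Recursive step: if a member is itself a role, its members inherit db_owner
    SELECT drm.member_principal_id,
           CAST(g.path_to_db_owner + N' <- ' + rr.name AS nvarchar(4000)),
           g.depth + 1
    FROM role_graph AS g
    JOIN sys.database_principals AS rr
      ON rr.principal_id = g.member_principal_id
     AND rr.type = 'R'                  -- only database roles can have members
    JOIN sys.database_role_members AS drm
      ON drm.role_principal_id = rr.principal_id
    WHERE g.depth < 32                  -- guard against unexpectedly deep chains
)
SELECT DB_NAME()      AS database_name,
       p.name         AS principal_name,
       p.type_desc    AS principal_type,
       g.path_to_db_owner,               -- e.g. 'db_owner <- app_admins'
       g.depth
FROM role_graph AS g
JOIN sys.database_principals AS p
  ON p.principal_id = g.member_principal_id
WHERE p.type <> 'R'                     -- report users, not the intermediate roles
ORDER BY g.depth, p.name;
```

The built-in dbo user appears as a direct member of db_owner by design; any other row at depth greater than 1 points at a nested role that still needs to be dropped with ALTER ROLE ... DROP MEMBER before the scan result will change.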
