SQL vulnerability assessment helps you identify database vulnerabilities

SQL vulnerability assessment is an easy-to-configure service that can discover, track, and help you remediate potential database vulnerabilities. Use it to proactively improve your database security for:

  • Azure SQL Database
  • Azure SQL Managed Instance
  • Azure Synapse Analytics

Vulnerability assessment is part of Microsoft Defender for Azure SQL, which is a unified package for advanced SQL security capabilities. Vulnerability assessment can be accessed and managed from each SQL database resource in the Azure portal.

Note

Vulnerability assessment is supported for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. In the remainder of this article, databases in all three services are referred to collectively as databases, and server refers to the logical server that hosts databases for Azure SQL Database and Azure Synapse Analytics.

What is SQL vulnerability assessment?

SQL vulnerability assessment is a service that provides visibility into the security state of your databases. It reports actionable steps to resolve the issues it finds, and it helps you keep track of a changing database environment where individual configuration changes are otherwise hard to follow, so that your SQL security posture improves over time rather than drifting.

Vulnerability assessment is a scanning service built into the supported database services. It employs a knowledge base of rules that flag security vulnerabilities and highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data.

The rules are based on Microsoft's best practices and focus on the security issues that present the biggest risks to your database and its valuable data. They cover database-level issues and server-level security issues, like server firewall settings and server-level permissions.

Scan results include actionable steps to resolve each finding and, where applicable, customized remediation scripts. You can tailor an assessment report to your environment by setting an accepted baseline for:

  • Permission configurations
  • Feature configurations
  • Database settings

What are the express and classic configurations?

You can configure vulnerability assessment for your SQL databases with either:

  • Express configuration – The default procedure that lets you configure vulnerability assessment without dependency on external storage to store baseline and scan result data.

  • Classic configuration – The legacy procedure that requires you to manage an Azure storage account to store baseline and scan result data.

What's the difference between the express and classic configuration?

The two configuration modes compare as follows (note in particular that express configuration does not support Azure SQL Managed Instance, and that a classic baseline changes the report only after a rescan):

Supported SQL flavors
  • Express configuration: Azure SQL Database; Azure Synapse dedicated SQL pools (formerly SQL DW)
  • Classic configuration: Azure SQL Database; Azure SQL Managed Instance; Azure Synapse Analytics

Supported policy scope
  • Express configuration: Subscription; Server
  • Classic configuration: Subscription; Server; Database

Dependencies
  • Express configuration: None
  • Classic configuration: Azure storage account

Recurring scan
  • Express configuration: Always active; scan scheduling is internal and not configurable
  • Classic configuration: Configurable on/off; scan scheduling is internal and not configurable

Supported rules
  • Express configuration: All vulnerability assessment rules for the supported resource type
  • Classic configuration: All vulnerability assessment rules for the supported resource type

Baseline settings
  • Express configuration: Batch (several rules in one command); set by latest scan results; single rule
  • Classic configuration: Single rule

Apply baseline
  • Express configuration: Takes effect without rescanning the database
  • Classic configuration: Takes effect only after rescanning the database

Single-rule scan result size
  • Express configuration: Maximum of 1 MB
  • Classic configuration: Unlimited

Email notifications
  • Express configuration: Logic Apps
  • Classic configuration: Internal scheduler; Logic Apps

Scan export
  • Express configuration: Azure Resource Graph
  • Classic configuration: Excel format; Azure Resource Graph

Supported clouds
  • Express configuration: Commercial clouds; Azure Government; Microsoft Azure operated by 21Vianet
  • Classic configuration: Commercial clouds; Azure Government; Microsoft Azure operated by 21Vianet
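The following PowerShell is an added example, not code from the original article or from Microsoft, showing the two configuration paths side by side: enabling express configuration (no storage account) on a server, and configuring classic configuration with a storage account, scanning, baselining a single rule, and rescanning, which illustrates the "Dependencies" and "Apply baseline" rows above. It assumes the Az.Accounts and Az.Sql modules and an authenticated session. The resource group, server, database, storage account, principal name and e-mail address are placeholders; the REST api-version for the express resource is an assumption to verify against the current REST reference; VA2108 is one rule from the assessment rule set, used here only to show the baseline row shape, and the baseline row itself is constructed.

```powershell
# Added example; not from the original article. Requires Az.Accounts and Az.Sql
# and a signed-in session (Connect-AzAccount). All names are placeholders.
# Express and classic are alternatives: use ONE of them per server.

function Enable-SqlVaExpress {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $ServerName
    )
    # Express configuration is a property of the server resource with no
    # storage dependency. The api-version below is an assumption (the preview
    # version the express resource has been documented with); verify it.
    $subId = (Get-AzContext).Subscription.Id
    $path  = "/subscriptions/$subId/resourceGroups/$ResourceGroupName/providers/" +
             "Microsoft.Sql/servers/$ServerName/sqlVulnerabilityAssessments/default" +
             "?api-version=2022-02-01-preview"
    $body  = @{ properties = @{ state = 'Enabled' } } | ConvertTo-Json -Compress
    $resp  = Invoke-AzRestMethod -Path $path -Method PUT -Payload $body
    if ($resp.StatusCode -notin 200, 201) {
        throw "Enabling express vulnerability assessment failed ($($resp.StatusCode)): $($resp.Content)"
    }
    # Returns the resulting state; 'Enabled' means express scans now run on
    # the internal schedule with no further setup.
    ($resp.Content | ConvertFrom-Json).properties.state
}

function Set-SqlVaClassicWithBaseline {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $ServerName,
        [Parameter(Mandatory)] [string] $DatabaseName,
        [Parameter(Mandatory)] [string] $StorageAccountName
    )
    # 1. Classic configuration keeps scan results and baselines in a storage
    #    account you manage, so the server must be pointed at one first.
    Update-AzSqlServerVulnerabilityAssessmentSetting `
        -ResourceGroupName $ResourceGroupName -ServerName $ServerName `
        -StorageAccountName $StorageAccountName `
        -ScanResultsContainerName 'vulnerability-assessment' `
        -RecurringScansInterval Weekly `
        -EmailAdmins $true -NotificationEmail @('secops@example.com') | Out-Null

    # 2. On-demand scan. Without -AsJob the cmdlet returns the scan record
    #    once the scan has finished.
    $scanId = 'manual-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
    $before = Start-AzSqlDatabaseVulnerabilityAssessmentScan `
        -ResourceGroupName $ResourceGroupName -ServerName $ServerName `
        -DatabaseName $DatabaseName -ScanId $scanId

    # 3. Baseline a single rule (classic supports only single-rule baselines).
    #    VA2108 (members of fixed high-impact database roles) takes rows of
    #    Principal, Role, Type, Authentication type, matching the columns the
    #    rule reports. Put only rows you have reviewed and accept here; every
    #    other row keeps failing the rule. The row below is a placeholder.
    Set-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline `
        -ResourceGroupName $ResourceGroupName -ServerName $ServerName `
        -DatabaseName $DatabaseName -RuleId 'VA2108' `
        -BaselineResult @(
            @('deploy_svc', 'db_ddladmin', 'SQL_USER', 'NONE')
        ) | Out-Null

    # 4. In classic configuration the baseline is reflected only after a
    #    rescan (express applies it without rescanning), so scan again.
    $after = Start-AzSqlDatabaseVulnerabilityAssessmentScan `
        -ResourceGroupName $ResourceGroupName -ServerName $ServerName `
        -DatabaseName $DatabaseName -ScanId "$scanId-rescan"

    # 5. Classic can additionally export the report as an Excel file to the
    #    same storage account.
    $export = Convert-AzSqlDatabaseVulnerabilityAssessmentScan `
        -ResourceGroupName $ResourceGroupName -ServerName $ServerName `
        -DatabaseName $DatabaseName -ScanId "$scanId-rescan"

    [pscustomobject]@{
        FailedBeforeBaseline = $before.NumberOfFailedSecurityChecks
        FailedAfterBaseline  = $after.NumberOfFailedSecurityChecks
        ExcelReport          = $export.ExportedReportLocation
    }
}

# Usage (placeholders):
# Enable-SqlVaExpress -ResourceGroupName 'rg-sql-prod' -ServerName 'sql-prod-01'
# Set-SqlVaClassicWithBaseline -ResourceGroupName 'rg-sql-prod' -ServerName 'sql-prod-01' `
#     -DatabaseName 'appdb' -StorageAccountName 'stsqlvaprod'
```

The classic function returns the failed-check count from the scan before and after the baseline so the effect of the rescan is visible; with express configuration the baseline would already be reflected in the next report without an explicit rescan. Treat a baseline as an accepted-risk record, not a way to silence findings: a row such as a service account in db_ddladmin should be baselined only after the permission has been reviewed and justified.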

Next steps