Overview of Microsoft Defender for Azure SQL

Microsoft Defender for Azure SQL includes two Microsoft Defender plans that extend Microsoft Defender for Cloud's data security package to protect your SQL estate regardless of where it is located (Azure, multicloud, or hybrid environments). Microsoft Defender for Azure SQL includes functions that can be used to discover and mitigate potential database vulnerabilities. Defender for Azure SQL can also detect anomalous activities that may be an indication of a threat to your databases.


Aspect Details
Release state: Generally available (GA)
Pricing: Microsoft Defender for Azure SQL is billed as shown on the pricing page
Protected SQL versions: Azure SQL single databases and elastic pools
Azure SQL Managed Instance
Azure Synapse Analytics (formerly SQL DW) dedicated SQL pool
Clouds: Commercial clouds
Azure Government
Azure China 21Vianet (Partial: Subset of alerts and vulnerability assessment for SQL servers. Behavioral threat protections aren't available.)

What does Microsoft Defender for Azure SQL protect?

Microsoft Defender for Azure SQL databases protects:

When you enabled Microsoft Defender for Azure SQL, all supported resources that exist within the subscription are protected. Future resources created on the same subscription will also be protected.


Microsoft Defender for Azure SQL database currently works for read-write replicas only.

What are the benefits of Microsoft Defender for Azure SQL?

This plan includes functionality for identifying and mitigating potential database vulnerabilities and detecting anomalous activities that could indicate threats to your databases.

A vulnerability assessment service discovers, tracks, and helps you remediate potential database vulnerabilities. Assessment scans provide an overview of your SQL machines' security state, and details of any security findings.

Learn more about vulnerability assessment for Azure SQL Database.

An advanced threat protection service continuously monitors your SQL servers for threats such as SQL injection, brute-force attacks, and privilege abuse. This service provides action-oriented security alerts in Microsoft Defender for Cloud with details of the suspicious activity, guidance on how to mitigate to the threats, and options for continuing your investigations with Microsoft Sentinel. Learn more about advanced threat protection.


View the list of security alerts for SQL servers in the alerts reference page.

What kind of alerts does Microsoft Defender for Azure SQL provide?

Threat intelligence enriched security alerts are triggered when there's:

  • Potential SQL injection attacks - including vulnerabilities detected when applications generate a faulty SQL statement in the database
  • Anomalous database access and query patterns - for example, an abnormally high number of failed sign-in attempts with different credentials (a brute force attempt)
  • Suspicious database activity - for example, a legitimate user accessing an SQL Server from a breached computer which communicated with a crypto-mining C&C server

Alerts include details of the incident that triggered them, as well as recommendations on how to investigate and remediate threats.

Next steps

In this article, you learned about Microsoft Defender for Azure SQL.

For related information, see these resources: