Enable Microsoft Defender for SQL servers on machines

This Microsoft Defender plan detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases on the SQL server.

You'll see alerts when there are suspicious database activities, potential vulnerabilities, or SQL injection attacks, and anomalous database access and query patterns.

Microsoft Defender for SQL servers on machines extends the protections for your Azure-native SQL servers to fully support hybrid environments and protect SQL servers hosted in Azure, multicloud environments, and even on-premises machines:

This plan includes functionality for identifying and mitigating potential database vulnerabilities and detecting anomalous activities that could indicate threats to your databases.

A vulnerability assessment service discovers, tracks, and helps you remediate potential database vulnerabilities. Assessment scans provide an overview of your SQL machines' security state, and details of any security findings.

Learn more about vulnerability assessment for Azure SQL servers on machines.


Aspect Details
Release state: General availability (GA)
Pricing: Microsoft Defender for SQL servers on machines is billed as shown on the pricing page
Protected SQL versions: SQL Server version: 2012, 2014, 2016, 2017, 2019, 2022
- SQL on Azure virtual machines
- SQL Server on Azure Arc-enabled servers
- On-premises SQL servers on Windows machines without Azure Arc
Clouds: Commercial clouds
Azure Government
Azure China 21Vianet (Advanced Threat Protection Only)

Set up Microsoft Defender for SQL servers on machines

To enable this plan:

Step 1. Install the agent extension

Step 2. Provision the Log Analytics agent on your SQL server's host:

Step 3. Enable the optional plan in Defender for Cloud's environment settings page:

Step 1. Install the agent extension

Step 2. Provision the Log Analytics agent on your SQL server's host

  • SQL Server on Azure VM - If your SQL machine is hosted on an Azure VM, you can customize the Log Analytics agent configuration.

  • SQL Server on Azure Arc-enabled servers - If your SQL Server is managed by Azure Arc enabled servers, you can deploy the Log Analytics agent using the Defender for Cloud recommendation “Log Analytics agent should be installed on your Windows-based Azure Arc machines (Preview)”.

  • SQL Server on-premises - If your SQL Server is hosted on an on-premises Windows machine without Azure Arc, you can connect the machine to Azure by either:

    • Deploy Azure Arc - You can connect any Windows machine to Defender for Cloud. However, Azure Arc provides deeper integration across all of your Azure environment. If you set up Azure Arc, you'll see the SQL Server – Azure Arc page in the portal and your security alerts will appear on a dedicated Security tab on that page. So the first and recommended option is to set up Azure Arc on the host and follow the instructions for SQL Server on Azure Arc, above.

    • Connect the Windows machine without Azure Arc - If you choose to connect a SQL Server running on a Windows machine without using Azure Arc, follow the instructions in Connect Windows machines to Azure Monitor.

Step 3. Enable the optional plan in Defender for Cloud's environment settings page

  1. From Defender for Cloud's menu, open the Environment settings page.

    • If you're using Microsoft Defender for Cloud's default workspace (named “default workspace-<your subscription ID>-<region>”), select the relevant subscription.

    • If you're using a non-default workspace, select the relevant workspace (enter the workspace's name in the filter if necessary).

  2. Set the option for SQL servers on machines plan to On.

    Screenshot of Microsoft Defender for Cloud's 'Defender plans' page with optional plans.

    The plan will be enabled on all SQL servers connected to the selected workspace. The protection will be fully active after the first restart of the SQL Server instance.


    To create a new workspace, follow the instructions in Create a Log Analytics workspace.

  3. Optionally, configure email notification for security alerts.

    You can set a list of recipients to receive an email notification when Defender for Cloud alerts are generated. The email contains a direct link to the alert in Microsoft Defender for Cloud with all the relevant details. For more information, see Set up email notifications for security alerts.

Microsoft Defender for SQL alerts

Alerts are generated by unusual and potentially harmful attempts to access or exploit SQL machines. These events can trigger alerts shown in the alerts reference page.

Explore and investigate security alerts

Microsoft Defender for SQL alerts are available in:

  • The Defender for Cloud's security alerts page
  • The machine's security page
  • The workload protections dashboard
  • Through the direct link in the alert emails

To view alerts:

  1. Select Security alerts from Defender for Cloud's menu and select an alert.

  2. Alerts are designed to be self-contained, with detailed remediation steps and investigation information in each one. You can investigate further by using other Microsoft Defender for Cloud and Microsoft Sentinel capabilities for a broader view:

    • Enable SQL Server's auditing feature for further investigations. If you're a Microsoft Sentinel user, you can upload the SQL auditing logs from the Windows Security Log events to Sentinel and enjoy a rich investigation experience. Learn more about SQL Server Auditing.

    • To improve your security posture, use Defender for Cloud's recommendations for the host machine indicated in each alert to reduce the risks of future attacks.

    Learn more about managing and responding to alerts.

FAQ - Microsoft Defender for SQL servers on machines

If I enable this Microsoft Defender plan on my subscription, are all SQL servers on the subscription protected?

No. To defend a SQL Server deployment on an Azure virtual machine, or a SQL Server running on an Azure Arc-enabled machine, Defender for Cloud requires:

  • a Log Analytics agent on the machine
  • the relevant Log Analytics workspace to have the Microsoft Defender for SQL solution enabled

The subscription status, shown in the SQL server page in the Azure portal, reflects the default workspace status and applies to all connected machines. Only the SQL servers on hosts with a Log Analytics agent reporting to that workspace are protected by Defender for Cloud.

Is there a performance effect from deploying Microsoft Defender for Azure SQL on machines?

The focus of Microsoft Defender for SQL on machines is obviously security. But we also care about your business and so we've prioritized performance to ensure the minimal effect on your SQL servers.

The service has a split architecture to balance data uploading and speed with performance:

  • Some of our detectors, including an extended events trace named SQLAdvancedThreatProtectionTraffic, run on the machine for real-time speed advantages.
  • Other detectors run in the cloud to spare the machine from heavy computational loads.

Lab tests of our solution showed CPU usage averaging 3% for peak slices, comparing it against benchmark loads. An analysis of our current user data shows a negligible effect on CPU and memory usage.

Of course, performance always varies between environments, machines, and loads. The statements and numbers above are provided as a general guideline, not a guarantee for any individual deployment.

Next steps

For related information, see these resources: