Find and remediate vulnerabilities in your Azure SQL databases

Microsoft Defender for Cloud provides vulnerability assessment for your Azure SQL databases. Vulnerability assessment scans your databases for software vulnerabilities and provides a list of findings. You can use the findings to remediate software vulnerabilities and disable findings.


Make sure that you know whether you're using the express or classic configurations before you continue.

To see which configuration you're using:

  1. In the Azure portal, open the specific resource in Azure SQL Database, SQL Managed Instance Database, or Azure Synapse.
  2. Under the Security heading, select Defender for Cloud.
  3. In the Enablement Status, select Configure to open the Microsoft Defender for SQL settings pane for either the entire server or managed instance.

If the vulnerability settings show the option to configure a storage account, you're using the classic configuration. If not, you're using the express configuration.

Find vulnerabilities in your Azure SQL databases


One of the following permissions is required to see vulnerability assessment results in the Microsoft Defender for Cloud recommendation SQL databases should have vulnerability findings resolved:

  • Security Admin
  • Security Reader

The following permissions are required to changes vulnerability assessment settings:

  • SQL Security Manager

If you're receiving any automated emails with links to scan results the following permissions are required to access the links about scan results or to view scan results at the resource-level:

  • SQL Security Manager

Data residency

SQL vulnerability assessment queries the SQL server using publicly available queries under Defender for Cloud recommendations for SQL vulnerability assessment, and stores the query results. SQL vulnerability assessment data is stored in the location of the logical server it's configured on. For example, if the user enabled vulnerability assessment on a logical server in West Europe, the results will be stored in West Europe. This data will be collected only if the SQL vulnerability assessment solution is configured on the logical server.

On-demand vulnerability scans

You can run SQL vulnerability assessment scans on-demand:

  1. From the resource's Defender for Cloud page, select View additional findings in Vulnerability Assessment to access the scan results from previous scans.

    Screenshot of opening the scan results and manual scan options.

  2. To run an on-demand scan to scan your database for vulnerabilities, select Scan from the toolbar:

    Screenshot of selecting scan to run an on-demand vulnerability assessment scan of your SQL resource.


The scan is lightweight and safe. It takes a few seconds to run and is entirely read-only. It doesn't make any changes to your database.

Remediate vulnerabilities

When a vulnerability scan completes, the report is displayed in the Azure portal. The report presents:

  • An overview of your security state
  • The number of issues that were found
  • A summary by severity of the risks
  • A list of the findings for further investigations

Screenshot of sample scan report from the SQL vulnerability assessment scanner.

To remediate the vulnerabilities discovered:

  1. Review your results and determine which of the report's findings are true security issues for your environment.

  2. Select each failed result to understand its impact and why the security check failed.


    The findings details page includes actionable remediation information explaining how to resolve the issue.

    Screenshot of list of vulnerability assessment findings.

    Screenshot of examining the findings from a vulnerability scan.

  3. As you review your assessment results, you can mark specific results as being an acceptable baseline in your environment. A baseline is essentially a customization of how the results are reported. In subsequent scans, results that match the baseline are considered as passes. After you've established your baseline security state, vulnerability assessment only reports on deviations from the baseline. In this way, you can focus your attention on the relevant issues.

    Screenshot of approving a finding as a baseline for future scans.

  4. Any findings you've added to the baseline will now appear as Passed with an indication that they've passed because of the baseline changes. There's no need to run another scan for the baseline to take effect.

    Screenshot of passed assessments indicating they've passed per custom baseline.

Your vulnerability assessment scans can now be used to ensure that your database maintains a high level of security, and that your organizational policies are met.

Next steps