Protect Azure Arc-enabled SQL Server with Microsoft Defender for Cloud

You can configure your instance connected to Azure with Microsoft Defender for Cloud by following these steps.


Create a Log Analytics workspace

  1. Search for Log Analytics workspaces resource type and add a new one through the creation pane.


    You can use a Log Analytics workspace in any region so if you already have one, you can use it. But we recommend creating it in the same region where your Azure Arc-enabled SQL Server resource is created.

  2. Go to Agents management > Log Analytics agent instructions and copy Workspace ID and Primary key for later use.

Install Log Analytics Agent

The next step is needed only if you haven't yet configured MMA on the remote machine.

  1. Go to Azure Arc > Servers and open the Azure Arc-enabled server resource for the machine where the SQL Server instance is installed.

  2. Open the Extensions blade and click + Add.

  3. Select Log Analytics Agent - Azure Arc and click Next.

  4. Set the Workspace ID and Workspace key using the values you saved in the previous step.

  5. After validation succeeds, select Create to install the agent. When the deployment completes, the status updates to Succeeded.

For more information, see Extension management with Azure Arc.

Enable Microsoft Defender for Cloud

  1. Go to Azure Arc > SQL Servers and open the Azure Arc-enabled SQL server resource for the instance that you want to protect.

  2. Click on the Microsoft Defender for Cloud tile. If Enablement Status shows Disabled at the subscription-level, follow the steps documented in Enable Microsoft Defender for SQL servers on machines.


The first scan to generate the vulnerability assessment happens within 24 hours after enabling Microsoft Defender for Cloud. After that, auto scans are be performed every week on Sunday.


Explore security anomalies and threats in Azure Security Center.

  1. Open your SQL Server – Azure Arc resource and select Microsoft Defender for Cloud in the Settings section of the left menu. to see the recommendations and alerts for that SQL Server instance.

    Screenshot showing how to select security heading.

  2. Select any of the recommendations to see the vulnerability details.

    Screenshot showing the Vulnerability report.

  3. Select any security alert for full details and further explore the attack. The following diagram is an example of the Potential SQL Injection alert.

    Screenshot showing a brute force alert.

  4. Select Take action to mitigate the alert.

    Screenshot showing alert mitigation.

Next steps