Dela via

Protect SQL Server with Microsoft Defender for Cloud

Applies to: SQL Server

You can configure your instance of SQL Server enabled by Azure Arc with Microsoft Defender for Cloud by following these steps.


  • Your Windows-based SQL Server instance is connected to Azure. Follow the instructions to Connect your SQL Server to Azure Arc.


    Microsoft Defender for Cloud is only supported for SQL Server instances on Windows machines. This will not work for SQL Server on Linux machines.

  • Your user account is assigned one of the Security Center Roles (RBAC)

Create a Log Analytics workspace

  1. Search for Log Analytics workspaces resource type and add a new one through the creation pane.


    You can use a Log Analytics workspace in any region so if you already have one, you can use it. But we recommend creating it in the same region where your SQL Server enabled by Azure Arc resource is created.

  2. Go to Agents management > Log Analytics agent instructions and copy Workspace ID and Primary key for later use.

Install Log Analytics Agent

The next step is needed only if you haven't yet configured MMA on the remote machine.

  1. Go to Azure Arc > Servers and open the Azure Arc-enabled server resource for the machine where the SQL Server instance is installed.

  2. Open the Extensions pane and click + Add.

  3. Select Log Analytics Agent - Azure Arc and click Next.

  4. Set the Workspace ID and Workspace key using the values you saved in the previous step.

  5. After validation succeeds, select Create to install the agent. When the deployment completes, the status updates to Succeeded.

For more information, see Extension management with Azure Arc.

Enable Microsoft Defender for Cloud

  1. Go to Azure Arc > SQL Servers and open the Azure Arc-enabled SQL Server resource for the instance that you want to protect.

  2. Click on the Microsoft Defender for Cloud tile. If Enablement Status shows Disabled at the subscription-level, follow the steps documented in Enable Microsoft Defender for SQL servers on machines.


The first scan to generate the vulnerability assessment happens within 24 hours after enabling Microsoft Defender for Cloud. After that, auto scans are be performed every week on Sunday.


Explore security anomalies and threats in Azure Security Center.

  1. Open your SQL Server – Azure Arc resource and select Microsoft Defender for Cloud in the Settings section of the left menu. to see the recommendations and alerts for that SQL Server instance.

    Screenshot showing how to select security heading.

  2. Select any of the recommendations to see the vulnerability details.

    Screenshot showing the Vulnerability report.

  3. Select any security alert for full details and further explore the attack. The following diagram is an example of the Potential SQL Injection alert.

    Screenshot showing a brute force alert.

  4. Select Take action to mitigate the alert.

    Screenshot showing alert mitigation.

Next steps