SQL vulnerability assessment helps you identify database vulnerabilities
SQL vulnerability assessment is an easy-to-configure service that can discover, track, and help you remediate potential database vulnerabilities. Use it to proactively improve your database security for:
- Azure SQL Database
- Azure SQL Managed Instance
- Azure Synapse Analytics
Vulnerability assessment is part of Microsoft Defender for Azure SQL, a unified package for advanced SQL security capabilities. You can access and manage vulnerability assessment from each SQL database resource in the Azure portal.
Note
Vulnerability assessment is supported for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. Databases in Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics are collectively referred to as databases in this article. The server refers to the server that hosts databases for Azure SQL Database and Azure Synapse.
What is SQL vulnerability assessment?
SQL vulnerability assessment provides visibility into your security state. It includes actionable steps to resolve security issues and enhance your database security. It helps you monitor a dynamic database environment where changes are difficult to track and improve your SQL security posture.
Vulnerability assessment is a scanning service built into Azure SQL Database. It employs a knowledge base of rules that flag security vulnerabilities. It highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data.
The rules are based on Microsoft's best practices and focus on the security issues that present the biggest risks to your database and its valuable data. They cover database-level issues and server-level security issues, like server firewall settings and server-level permissions.
Scan results include actionable steps to resolve each issue and provide customized remediation scripts where applicable. Customize an assessment report for your environment by setting an acceptable baseline for:
- Permission configurations.
- Feature configurations.
- Database settings.
What are the express and classic configurations?
Configure vulnerability assessment for your SQL databases with either:
- Express configuration – The default procedure that lets you configure vulnerability assessment without relying on external storage to store baseline and scan result data.
- Classic configuration – The legacy procedure that requires managing an Azure storage account to store baseline and scan result data.
What's the difference between the express and classic configuration?
Comparison of the benefits and limitations of the two configuration modes:
| Parameter | Express configuration | Classic configuration |
|---|---|---|
| Supported SQL flavors | • Azure SQL Database<br>• Azure Synapse Dedicated SQL Pools (formerly Azure SQL Data Warehouse) | • Azure SQL Database<br>• Azure SQL Managed Instance<br>• Azure Synapse Analytics |
| Supported policy scope | • Subscription<br>• Server | • Subscription<br>• Server<br>• Database |
| Dependencies | None | Azure storage account |
| Recurring scan | • Always active<br>• Scan scheduling is internal and not configurable | • Configurable on/off<br>• Scan scheduling is internal and not configurable |
| System databases scan | • Scheduled scan<br>• Manual scan | • Scheduled scan only if there's one user database or more<br>• Manual scan every time a user database is scanned |
| Supported rules | All vulnerability assessment rules for the supported resource type. | All vulnerability assessment rules for the supported resource type. |
| Baseline settings | • Batch – several rules in one command<br>• Set by latest scan results<br>• Single rule | • Single rule |
| Apply baseline | Takes effect without rescanning the database | Takes effect only after rescanning the database |
| Single rule scan result size | Maximum of 1 MB | Unlimited |
| Email notifications | • Logic Apps | • Internal scheduler<br>• Logic Apps |
| Scan export | Azure Resource Graph | Excel format, Azure Resource Graph |
| Supported clouds | • Commercial clouds<br>• Azure Government<br>• Microsoft Azure operated by 21Vianet | • Commercial clouds<br>• Azure Government<br>• Azure operated by 21Vianet |
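Both configuration modes export scan results to Azure Resource Graph, which is the practical way to inventory open findings across many databases at once. The following Kusto query is an added example, not a query from this article or from the Defender for Azure SQL documentation. It assumes that findings are published as Defender for Cloud sub-assessments in the `securityresources` table under the `microsoft.security/assessments/subassessments` type, that the assessment key for the SQL vulnerability findings assessment is substituted for the placeholder, and that the property names used below (`status.code`, `status.severity`, `displayName`, `resourceDetails.id`) match the sub-assessment schema in your tenant.

```kusto
// Added example (not from the article): list unresolved SQL vulnerability assessment
// findings for every database in the subscriptions you have access to.
// Assumptions: findings are stored as Defender for Cloud sub-assessments; replace the
// placeholder below with the key of the SQL vulnerability findings assessment in your tenant.
securityresources
| where type =~ "microsoft.security/assessments/subassessments"
| extend assessmentKey = extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id)
| where assessmentKey == "<SQL-VA-ASSESSMENT-KEY-PLACEHOLDER>"
// "Unhealthy" = the rule failed and is not covered by an approved baseline;
// "Healthy" = the rule passed (or the deviation is baselined), so it is excluded here.
| extend statusCode = tostring(properties.status.code)
| where statusCode =~ "Unhealthy"
| extend ruleId   = tostring(properties.id),
         ruleName = tostring(properties.displayName),
         severity = tostring(properties.status.severity),
         database = tostring(properties.resourceDetails.id)
// One row per open finding, highest-severity databases first, so the list can be
// triaged or fed into an alerting workflow such as a Logic App.
| project subscriptionId, database, ruleId, ruleName, severity
| order by severity asc, database asc
```

Run the query in the Azure portal's Resource Graph Explorer or with the Resource Graph CLI/PowerShell cmdlets; because baselined deviations are reported as healthy, the output reflects the customized baseline described earlier rather than the raw rule results.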
Related content
- Enable SQL vulnerability assessments
- Express configuration common questions and troubleshooting.
- Learn more about Microsoft Defender for Azure SQL.
- Learn more about data discovery and classification.
- Learn more about storing vulnerability assessment scan results in a storage account accessible behind firewalls and VNets.