Microsoft Defender for SQL is a critical security capability for protecting Azure SQL databases, Azure SQL Managed Instances, and SQL Server on Azure VMs. This chapter covers its three core pillars: vulnerability assessment, threat detection, and data discovery & classification. For the AZ-500 exam, this topic appears in roughly 5-10% of questions, primarily in the Security Operations domain (Objective 4.1). You must understand how to enable Defender for SQL, interpret its findings, and differentiate it from other Azure security services like Azure SQL Database's built-in firewall and Advanced Threat Protection.
Jump to a section
Imagine a bank vault that stores all your customer financial records. The vault itself is locked (encryption at rest), but the bank also needs to monitor every person who walks near it (vulnerability assessments), detect if someone tries to pick the lock (threat detection), and immediately sound an alarm if a teller tries to access a safe they shouldn't (anomaly detection). Microsoft Defender for SQL is like a security operations center (SOC) for that vault. It deploys 24/7 video surveillance (audit logging), motion sensors (behavioral monitoring), and an AI analyst that watches for patterns—like a person loitering near the vault door at 3 AM (brute force attempt) or a teller withdrawing $10,000 from a customer account they never served (privilege abuse). When a suspicious event occurs, the SOC automatically calls the bank manager (alert notification) and can even lock the vault door temporarily (automated response). Just as a bank vault's security is layered—physical locks, cameras, motion detectors, and human guards—Defender for SQL layers vulnerability scanning, threat detection, and behavior analytics to protect your SQL databases. Without it, you're relying solely on the vault door lock, leaving you blind to insider threats and sophisticated attacks.
What Is Microsoft Defender for SQL?
Microsoft Defender for SQL is a unified security package for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse SQL pools. It integrates three security capabilities: Vulnerability Assessment (VA), Advanced Threat Protection (ATP), and Data Discovery & Classification. The service is available in two tiers: the free basic tier (limited to vulnerability assessment) and the paid standard tier (full suite). For AZ-500, you need to know the standard tier, which is enabled at the server level for Azure SQL Database and Managed Instance, and at the machine level for SQL Server on Azure VMs.
How It Works Internally
Defender for SQL operates through a combination of agentless scanning and log analysis. For Azure SQL Database and Managed Instance, vulnerability assessment uses a built-in scanning engine that runs against the database catalog views and system tables. It checks for misconfigurations, missing patches, and security best practices. The scan results are stored in a user-specified Azure Storage account as a JSON file. Threat detection relies on SQL audit logs and telemetry from the Azure SQL backend. It uses Microsoft's threat intelligence and machine learning models to detect anomalous patterns such as SQL injection, brute force attacks, and unusual data exfiltration. Data discovery uses a classifier that scans the database schema and sample data to identify sensitive columns (e.g., credit card numbers, social security numbers).
Key Components, Values, Defaults, and Timers
Vulnerability Assessment (VA): Scans are automatically scheduled weekly by default. You can also trigger on-demand scans via PowerShell or Azure CLI. The baseline is a set of rules that define the 'approved' state of the database. Once baseline is set, subsequent scans only report deviations. The scan engine checks over 100 rules, including missing firewall rules, weak passwords, and excessive permissions.
Advanced Threat Protection (ATP): Alerts are generated based on detection models. Alert types include SQL injection, brute force, anomalous client login, and potential data exfiltration. Alerts appear in Microsoft Defender for Cloud (formerly Azure Security Center) and can be sent to Azure Sentinel or third-party SIEMs. The default alert severity categories are Low, Medium, and High.
Data Discovery & Classification: The classification engine by default scans for over 80 built-in sensitive information types. It assigns labels such as 'Confidential' and 'Public' based on sensitivity. The classification results are visible in the Azure portal under the Data Discovery & Classification blade.
Configuration and Verification Commands
To enable Defender for SQL on an Azure SQL Database server using Azure CLI:
az sql server update --name <server-name> --resource-group <rg> --enable-advanced-data-security trueTo enable vulnerability assessment scanning with a storage account:
az sql server va set --name <server-name> --resource-group <rg> --storage-account <storage-account> --enable-va trueTo view vulnerability assessment results:
az sql server va list --name <server-name> --resource-group <rg>To check threat detection alerts in PowerShell:
Get-AzSqlServerAdvancedThreatProtectionSetting -ServerName <server> -ResourceGroupName <rg>Interaction with Related Technologies
Defender for SQL integrates tightly with Microsoft Defender for Cloud. Alerts from ATP appear in the Security Alerts blade in Defender for Cloud. Vulnerability assessment findings appear under Recommendations. Data classification integrates with Azure Purview (now Microsoft Purview) for broader data governance. Defender for SQL also supports Azure Policy: you can use built-in policies to enforce enabling Defender for SQL on all servers in a subscription. For SQL Server on Azure VMs, Defender for SQL requires the Log Analytics agent and is managed through the Azure Arc-enabled SQL Server or directly via the SQL IaaS Agent extension.
Step-by-Step Mechanism of a Threat Detection Alert
When a SQL injection attempt occurs, the following happens: 1. The user sends a query that contains suspicious patterns (e.g., ' OR 1=1). 2. The SQL engine parses the query and logs it to the SQL audit log. 3. The Defender for SQL backend ingests the audit log within minutes (typically 5-10 minutes latency). 4. Machine learning models analyze the query pattern and compare it to known SQL injection signatures. 5. If a match is found, an alert is generated with severity (e.g., High), description, and recommended remediation. 6. The alert is pushed to Defender for Cloud and optionally to a configured SIEM. 7. An email notification can be sent to the security team if configured.
The entire process from query execution to alert generation is typically under 15 minutes.
Common Misconfigurations and Their Consequences
Not enabling at the server level: Defender for SQL must be enabled at the logical server level for Azure SQL Database, not just on individual databases. Enabling only at the database level leaves other databases unprotected.
Forgetting to configure email notifications: By default, no email is sent for alerts. You must configure the alert settings in Defender for Cloud to specify recipients.
Using a storage account without proper access: The vulnerability assessment storage account must allow write access from the SQL server. Misconfigured firewalls on the storage account can cause scan failures.
Not setting baselines: Without baselines, vulnerability assessment reports every deviation as a finding, leading to alert fatigue. Baselines help suppress known acceptable configurations.
Enable Defender for SQL
Navigate to the Azure SQL Database server in the Azure portal. Under Security, click 'Microsoft Defender for Cloud'. Toggle 'Enable Microsoft Defender for SQL' to On. This enables the standard tier for the server and all databases under it. Alternatively, use Azure CLI or PowerShell. For SQL Server on Azure VMs, you must install the Log Analytics agent and enable Defender for SQL via the SQL IaaS Agent extension. Note: Enabling at server level is mandatory for Azure SQL Database; enabling at database level alone is insufficient.
Configure Vulnerability Assessment
After enabling Defender for SQL, configure vulnerability assessment by specifying an Azure Storage account to store scan results. In the Azure portal, under 'Microsoft Defender for Cloud', click 'Vulnerability Assessment'. Select or create a storage account. Optionally, enable recurring scans (weekly by default) and set a baseline. The baseline is established by running an initial scan and accepting the results as safe. Subsequent scans compare against this baseline. You can also trigger on-demand scans using PowerShell or CLI.
Review Vulnerability Assessment Findings
View vulnerability assessment results in the Azure portal under 'Vulnerability Assessment' blade. Findings are categorized by severity (High, Medium, Low) and include a description and remediation steps. You can export results to Excel or integrate with Defender for Cloud recommendations. Each finding has a rule ID; you can suppress findings by marking them as 'baseline' if they are acceptable. Regularly review and remediate high-severity findings to maintain a secure posture.
Monitor Threat Detection Alerts
Threat detection alerts appear in Microsoft Defender for Cloud under 'Security Alerts'. Each alert includes the alert type (e.g., SQL Injection), severity, affected resources, and a description. You can view the alert details, including the query that triggered it and the client IP. Alerts can be exported to Azure Sentinel or a SIEM via continuous export. Configure email notifications in Defender for Cloud's alert settings to notify security teams. Respond by investigating the alert and taking remediation actions such as blocking the offending IP or reviewing user permissions.
Classify Sensitive Data
Use Data Discovery & Classification to identify and label sensitive columns. In the Azure portal, go to the database and under Security, click 'Data Discovery & Classification'. Click 'Add classification' to manually classify or use the 'Recommendations' tab to see suggested classifications based on built-in patterns (e.g., credit card numbers). Accept recommendations to apply labels and information types. Classifications are stored as SQL extended properties and can be queried. This helps with compliance and auditing.
Scenario 1: Fintech Company with PCI DSS Compliance
A fintech company processes credit card payments and must comply with PCI DSS. They use Azure SQL Database for transactional data. They enable Defender for SQL on all production servers. Vulnerability assessment scans weekly and identifies missing firewall rules and weak passwords. They set baselines to suppress known acceptable configurations. Threat detection alerts them to a potential SQL injection attack from a compromised web application. They investigate and block the offending IP using Azure SQL Database firewall. Data discovery identifies columns storing credit card numbers and they apply the 'Confidential' label. This helps them demonstrate compliance during audits. A common issue is that the vulnerability assessment storage account is in a different region, causing latency in scan results. They move the storage account to the same region as the SQL server to reduce latency.
Scenario 2: Healthcare Organization with HIPAA Compliance
A healthcare organization uses Azure SQL Managed Instance for patient records. They enable Defender for SQL and configure threat detection alerts to be sent to Azure Sentinel for SOC analysis. They use vulnerability assessment to check for missing patches and excessive permissions. One day, an alert fires for 'Anomalous client login' from a foreign IP address. The SOC investigates and finds that a developer accidentally exposed a connection string in a public GitHub repository. They rotate credentials and implement Azure Key Vault for secret management. They also classify columns containing patient health information (PHI) using data discovery. A challenge they face is that the weekly scan schedule is insufficient for their compliance requirements; they implement on-demand scans after every schema change.
Scenario 3: E-commerce Company with High-Traffic Database
An e-commerce company uses Azure SQL Database with a high volume of connections. They enable Defender for SQL but initially experience performance overhead due to audit logging. They optimize by enabling audit only on critical databases and setting appropriate retention periods. Threat detection alerts them to a brute force attack from a botnet. They use the alert's data to identify the attacking IP ranges and add firewall rules to block them. They also use data classification to identify columns storing customer PII and apply 'Confidential' labels. A common misconfiguration is not setting up email notifications, so the security team misses critical alerts until they check the portal. They configure email notifications for high-severity alerts and integrate with their incident management system.
AZ-500 Exam Focus
This section is critical for exam success. The AZ-500 exam tests Defender for SQL under Objective 4.1 'Configure security for data workloads'. You must know:
Specific Objective Codes: The exam blueprint lists 'Configure security for Azure SQL Database' and 'Configure Microsoft Defender for SQL'. Look for questions that ask about enabling, configuring, or interpreting alerts.
2. Common Wrong Answers: - 'Enable Defender for SQL at the database level instead of server level': This is a trap. Defender for SQL must be enabled at the logical server level to protect all databases. Enabling only at the database level is ineffective and not supported for all features. - 'Vulnerability assessment is free and does not require a storage account': False. Vulnerability assessment requires an Azure Storage account to store scan results. Without it, scans fail. - 'Threat detection alerts are sent immediately to the Azure portal': While alerts appear in Defender for Cloud, they are not sent by default via email. You must configure email notifications separately. - 'Data classification is automatic and requires no configuration': Data classification provides recommendations but you must accept them or manually classify. It is not fully automatic.
Specific Numbers and Values: Remember that vulnerability assessment scans are scheduled weekly by default. The ATP alert latency is typically 5-10 minutes. There are over 80 built-in sensitive information types for data classification. The storage account for VA must be in the same region as the SQL server for optimal performance.
Edge Cases:
For SQL Server on Azure VMs, Defender for SQL requires the Log Analytics agent. If the VM is not connected to a Log Analytics workspace, the service will not function.
For Azure SQL Managed Instance, Defender for SQL is enabled at the instance level, not server level.
If the storage account for VA is deleted, scans will fail until a new storage account is configured.
Eliminating Wrong Answers: Use the underlying mechanism. For example, if a question asks about enabling threat detection and gives options that mention 'database-level' vs 'server-level', recall that the mechanism requires server-level enablement. If a question asks about vulnerability assessment storage, remember that it's mandatory. If a question asks about alert delivery, know that email is optional. Always consider the default behavior and the required components.
Defender for SQL must be enabled at the logical server level for Azure SQL Database, not per database.
Vulnerability assessment requires an Azure Storage account; scans run weekly by default.
Threat detection alerts appear in Defender for Cloud; email notifications must be configured separately.
Data Discovery & Classification provides recommendations but requires manual acceptance.
For SQL Server on Azure VMs, the Log Analytics agent is required for Defender for SQL.
Alert latency is typically 5-10 minutes; not real-time.
Baselines in vulnerability assessment suppress known acceptable findings to reduce noise.
Defender for SQL integrates with Azure Sentinel for advanced SIEM capabilities.
These come up on the exam all the time. Here's how to tell them apart.
Defender for SQL (Standard Tier)
Includes vulnerability assessment, threat detection, and data classification.
Paid service (per server per month).
Provides weekly automated vulnerability scans.
Alerts appear in Microsoft Defender for Cloud.
Supports SQL Server on Azure VMs via Log Analytics agent.
Azure SQL Database Built-in Security Features
Includes firewall rules, authentication, and encryption at rest/in transit.
Free with Azure SQL Database.
No automated vulnerability scanning.
No threat detection or behavioral analytics.
Only applies to Azure SQL Database and Managed Instance, not VMs.
Mistake
Defender for SQL is the same as Azure SQL Database firewall.
Correct
No. The firewall is a network-level access control that blocks IP addresses. Defender for SQL provides vulnerability scanning, threat detection, and data classification. They are complementary but distinct services.
Mistake
Vulnerability assessment scans are real-time and can be run every minute.
Correct
Scans are scheduled weekly by default and can be triggered on-demand, but they cannot run more frequently than once per hour. The scan engine is not designed for real-time monitoring.
Mistake
Threat detection alerts are automatically remediated.
Correct
Alerts are informational and require manual investigation and remediation. There is no automatic blocking of IPs or queries unless you configure Azure SQL Database firewall rules or use Azure Policy with custom logic.
Mistake
Data Discovery & Classification automatically masks sensitive data.
Correct
It only identifies and labels sensitive columns. It does not mask or encrypt data. You must implement dynamic data masking or Always Encrypted separately to protect the data.
Mistake
Defender for SQL works on SQL Server on-premises without any agent.
Correct
For on-premises SQL Server, you need to use Azure Arc-enabled SQL Server and install the Log Analytics agent. Defender for SQL is primarily a cloud service; on-premises support requires additional configuration.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
In the Azure portal, go to the SQL server, under Security click 'Microsoft Defender for Cloud', and toggle 'Enable Microsoft Defender for SQL' to On. You can also use Azure CLI: `az sql server update --name <server> --resource-group <rg> --enable-advanced-data-security true`. This enables the standard tier for the server and all its databases.
They are essentially the same. Microsoft rebranded Advanced Threat Protection (ATP) as part of Defender for SQL. ATP is the threat detection component of Defender for SQL. So, when you enable Defender for SQL, you get ATP plus vulnerability assessment and data classification.
Yes, but you need to enable it via the SQL IaaS Agent extension and install the Log Analytics agent. The VM must be connected to a Log Analytics workspace. Then, you can enable Defender for SQL from the Azure portal under the VM's security settings.
By default, scans are scheduled to run weekly. You can also trigger on-demand scans at any time using PowerShell or Azure CLI. The scan frequency cannot be changed to more frequent than weekly for automated scans.
Vulnerability assessment scans will fail. You must configure a new storage account in the Defender for SQL settings. Scan results stored in the deleted account are lost. Always ensure the storage account exists and is accessible.
Yes, Defender for SQL supports Azure Synapse Analytics dedicated SQL pool (formerly SQL DW). You enable it at the server level just like Azure SQL Database. The same features (VA, ATP, data classification) are available.
In Microsoft Defender for Cloud, go to 'Security alerts' and click 'Alert settings'. Under 'Email notifications', specify the recipients and the severity levels that trigger emails. You can also use action groups to send alerts via email, SMS, or webhook.
You've just covered Microsoft Defender for SQL — now see how well it sticks with free AZ-500 practice questions. Full explanations included, no account needed.
Done with this chapter?