A company runs SQL Server on Azure Virtual Machines (IaaS). The security team wants to enable Advanced Threat Protection (ATP) to detect threats like SQL injection against these SQL Server instances. Which single action is required to achieve this?
Enabling Defender for SQL activates threat detection for Azure SQL databases and SQL Server on VMs. This is the direct method to get alerts for SQL injection and other threats.
Why this answer
To enable Advanced Threat Protection (ATP) for SQL Server on Azure VMs, you must enable Microsoft Defender for SQL at the Azure subscription or SQL Server resource level. This activates the SQL-specific threat detection capabilities, including alerts for SQL injection, anomalous access patterns, and suspicious activities. Without this, the SQL Server instances lack the dedicated security monitoring that ATP provides.
Exam trap
The trap here is that candidates confuse the prerequisite infrastructure (SQL IaaS Agent extension) with the actual security service (Defender for SQL), or assume that general server protection (Defender for Servers) covers SQL-specific threats, which it does not.
How to eliminate wrong answers
Option B is wrong because the SQL Server IaaS Agent extension is required for managing SQL Server on Azure VMs (e.g., licensing, patching), but it does not enable ATP; ATP is a feature of Microsoft Defender for SQL, not the extension.
Option C is wrong because Microsoft Defender for Servers protects the VM's OS and network layer but does not include SQL-specific threat detection like SQL injection alerts; that requires Defender for SQL.
Option D is wrong because configuring an Azure SQL firewall rule restricts network access but does not enable ATP; ATP is a security monitoring and alerting service, not a network control.