Description:

Azure SQL Vulnerability Assessment (VA) scans SQL servers and their databases for security risks, configuration issues, and deviations from best practices. For VA to function correctly, it must be enabled and must have a valid Storage Account assigned to store scan results and assessment reports. This control ensures that VA is enabled and that the SQL Server has an associated Storage Account, so that assessments can run successfully.


Rationale:

This control verifies that the SQL Server has VA enabled and that a Storage Account has been configured to store scan results, baseline files, and assessment logs. Without a configured Storage Account, Vulnerability Assessment cannot run, and the SQL Server is considered non-compliant. Storing scan results enables auditing, compliance tracking, and long-term visibility into SQL security posture.


Impact:

  • Improves SQL security posture by identifying risks early.

  • Provides automated vulnerability scans for all SQL databases.

  • Supports audit requirements with stored reports and baselines.

  • Reduces chances of data breaches caused by misconfigured SQL assets.


Default Value:

Vulnerability Assessment is not enabled by default, and no Storage Account is assigned automatically. Azure Defender for SQL does not configure VA storage settings without manual setup.


Pre-Requisites:

  • A Storage Account reachable from the SQL Server (in the same region, or globally accessible).

  • Permissions:

    • Microsoft.Sql/servers/vulnerabilityAssessments/write

    • Microsoft.Storage/storageAccounts/read

  • If using Defender for SQL, the Defender plan must be set to Standard (recommended but optional).

Test Plan:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Search for and open Azure SQL Server

  3. Select the target SQL Server

  4. From the left menu, under security, select Microsoft Defender for Cloud

  5. Verify Microsoft Defender for SQL is enabled

  6. Select Vulnerability assessment

  7. Verify that a Storage account is configured to store Vulnerability Assessment results

  8. Confirm Vulnerability Assessment status is Enabled

  9. If Vulnerability Assessment is not enabled or no storage account is configured, follow the implementation steps
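The portal check above can also be scripted against the ARM resources behind it. The following is an added example, not part of this control document: it evaluates the JSON that the Azure REST API returns for a SQL Server's Defender policy (`securityAlertPolicies/Default`) and its Vulnerability Assessment setting (`vulnerabilityAssessments/default`) and reports why a server is non-compliant. The resource paths, api-version and property names are my understanding of the ARM API and should be verified against the first reference below; the sample payloads are constructed, and `examplestorage` is a placeholder account name.

```python
"""Compliance check for Azure SQL Vulnerability Assessment settings.

Added example (not from the control document). The two JSON documents are
assumed to come from the ARM REST API, e.g. via Azure CLI (paths and
api-version are my understanding of the API, verify before use):

  az rest --method get --url "https://management.azure.com/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Sql/servers/<server>/securityAlertPolicies/Default?api-version=2021-11-01"
  az rest --method get --url "https://management.azure.com/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Sql/servers/<server>/vulnerabilityAssessments/default?api-version=2021-11-01"
"""
import json
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class VaFinding:
    compliant: bool
    reasons: List[str] = field(default_factory=list)


def evaluate_va(defender_policy: dict, va_setting: Optional[dict]) -> VaFinding:
    """Apply the control's three checks: Defender for SQL enabled, a Storage
    Account container configured for VA results, and recurring scans enabled.
    Returns every failed check so an auditor sees the full picture."""
    reasons: List[str] = []

    # Test plan step 5: Microsoft Defender for SQL must be enabled.
    state = (defender_policy.get("properties") or {}).get("state", "")
    if state.lower() != "enabled":
        reasons.append(f"Microsoft Defender for SQL is {state or 'not configured'}")

    # Test plan steps 7 and 8: VA resource must exist, point at a Storage
    # Account container, and have recurring scans switched on.
    if va_setting is None:
        reasons.append("No vulnerabilityAssessments resource exists on the server")
    else:
        props = va_setting.get("properties") or {}
        container = props.get("storageContainerPath") or ""
        if not container.startswith("https://"):
            reasons.append("No Storage Account container path configured for VA results")
        recurring = props.get("recurringScans") or {}
        if not recurring.get("isEnabled", False):
            reasons.append("Recurring vulnerability scans are disabled")

    return VaFinding(compliant=not reasons, reasons=reasons)


# Constructed sample payloads in the shape of the ARM responses (assumed).
COMPLIANT_DEFENDER = json.loads('''{
  "name": "Default", "type": "Microsoft.Sql/servers/securityAlertPolicies",
  "properties": {"state": "Enabled"}
}''')
DISABLED_DEFENDER = json.loads('''{
  "name": "Default", "type": "Microsoft.Sql/servers/securityAlertPolicies",
  "properties": {"state": "Disabled"}
}''')
COMPLIANT_VA = json.loads('''{
  "name": "default", "type": "Microsoft.Sql/servers/vulnerabilityAssessments",
  "properties": {
    "storageContainerPath": "https://examplestorage.blob.core.windows.net/vulnerability-assessment",
    "recurringScans": {"isEnabled": true, "emailSubscriptionAdmins": true, "emails": []}
  }
}''')
# VA resource present but no storage container and scans off: the state the
# control's implementation steps are meant to fix.
NONCOMPLIANT_VA = json.loads('''{
  "name": "default", "type": "Microsoft.Sql/servers/vulnerabilityAssessments",
  "properties": {
    "storageContainerPath": "",
    "recurringScans": {"isEnabled": false, "emailSubscriptionAdmins": false, "emails": []}
  }
}''')


if __name__ == "__main__":
    for label, defender, va in [
        ("server-a", COMPLIANT_DEFENDER, COMPLIANT_VA),
        ("server-b", COMPLIANT_DEFENDER, NONCOMPLIANT_VA),
        ("server-c", DISABLED_DEFENDER, None),
    ]:
        result = evaluate_va(defender, va)
        verdict = "COMPLIANT" if result.compliant else "NON-COMPLIANT"
        print(f"{label}: {verdict}")
        for reason in result.reasons:
            print(f"  - {reason}")
```

Run it over the output of the two `az rest` calls for each server in scope; a server is compliant only when `evaluate_va` returns no reasons, which matches the "Enabled" status plus configured Storage account that steps 7 and 8 of the test plan look for.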

Implementation Steps:

  1. Sign in to the Azure Portal at https://portal.azure.com

  2. Search for and open Azure SQL Server

  3. Select the target SQL Server

  4. From the left menu, under settings, open Microsoft Defender for Cloud

  5. Set Microsoft Defender for SQL to be enabled

  6. Select Vulnerability assessment

  7. Choose an existing Storage account or create a new one to store vulnerability assessment results

  8. Save the configuration to enable Vulnerability Assessment


Backout Plan:

  1. Sign in to the Azure Portal

  2. Search for and open Azure SQL Server

  3. Select the target SQL Server

  4. Open Microsoft Defender for Cloud or Microsoft Defender for SQL

  5. Select Vulnerability assessment

  6. Disable Vulnerability Assessment or remove the configured Storage account

  7. Save the changes

Reference:

  1. https://learn.microsoft.com/azure/azure-sql/database/sql-vulnerability-assessment

  2. https://learn.microsoft.com/azure/defender-for-cloud/defender-for-sql-introduction

  3. https://learn.microsoft.com/azure/security-benchmark/azure-security-benchmark-sql

  4. https://learn.microsoft.com/azure/governance/policy/samples/cis-azure-1-3-0