az security va sql scans list --resource-group <rg> --server-name <server> --database-name <database>Azure SQL vulnerability assessment
Azure SQL vulnerability assessment is a Defender for Cloud capability that scans Azure SQL databases for security misconfigurations, risky settings, and findings that can be reviewed and remediated.
Source: Microsoft Learn - SQL vulnerability assessment overview - Microsoft Defender for Cloud Reviewed 2026-05-11
- Exam trap
- Treating Azure SQL vulnerability assessment as a simple label instead of a production operating decision with owners and evidence.
- Production check
- Confirm which application, data set, owner, and environment depend on Azure SQL vulnerability assessment.
Article details and learning context
- Aliases
- None listed
- Difficulty
- intermediate
- CLI mappings
- 4
- Last verified
- 2026-05-11
Understand the concept
In plain English
Azure SQL vulnerability assessment is a security scanning capability that reviews Azure SQL databases for risky settings, missing controls, and findings that teams can remediate or baseline. It helps security engineers, DBAs, compliance analysts, and platform operators turn database hardening into reviewed findings instead of relying on memory or one-time checklists. Use it when a regulated workload needs recurring evidence that database permissions, configuration, and security posture are being checked. It is not a penetration test or guarantee of safety; findings still require judgment, remediation, accepted baselines, and access reviews.
Why it matters
Azure SQL vulnerability assessment matters because it gives security and database teams a shared, repeatable view of SQL hardening gaps before auditors or attackers find them. Without it, teams often discover weak settings during an audit or incident with no scan history, baseline rationale, or owner for remediation. In enterprises, it connects security operations, DBAs, compliance managers, application owners, risk teams, and auditors reviewing database posture. It turns SQL security posture management into enabled scans, reviewed findings, approved baselines, tracked remediation, and evidence tied to each database owner and exposes tradeoffs around finding volume, remediation effort, baseline discipline, Defender cost, compliance evidence needs, and operational ownership.
Official wording and source
Azure SQL vulnerability assessment is a Defender for Cloud capability that scans Azure SQL databases for security misconfigurations, risky settings, and findings that can be reviewed and remediated. Microsoft Learn places it in SQL vulnerability assessment overview - Microsoft Defender for Cloud; operators confirm scope, configuration, dependencies, and production impact.
Technical context
Technically, Azure SQL vulnerability assessment works through Defender for Cloud recommendations, vulnerability assessment scans, rule findings, baselines, remediation guidance, on-demand scans, and security posture reporting. It depends on Defender for SQL configuration, database scope, Microsoft Defender for Cloud access, storage or express configuration path, permissions, and remediation ownership. Common settings include Defender plan, VA enablement mode, scan cadence, baselines, recommendation status, database resource scope, and evidence destination. Operators review scan summaries, rule findings, baseline status, recommendation state, remediation history, Defender alerts, and database configuration changes.
Exam context
Compare with
Where it is used
Where you see it
- You see Azure SQL vulnerability assessment in Defender for Cloud recommendations where database rules, scan results, baselines, and remediation guidance are reviewed during accountable operational reviews.
- You see it in compliance meetings when auditors ask for recurring evidence that Azure SQL configuration and permissions are being checked during accountable operational reviews.
- You see VA output during remediation sprints when DBAs and security teams decide whether to fix, baseline, or escalate each database finding during accountable operational reviews.
Common situations
- Turn database hardening into reviewed findings instead of relying on memory or one-time checklists.
- Validate production readiness before releases, migrations, incidents, or audits.
- Control cost, access, monitoring, and recovery behavior with accountable evidence.
- Document ownership and support expectations for Azure operations.
Illustrative Azure scenarios
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Scenario 01 Operational rollout Scenario, objectives, solution, measured impact, and takeaway.
Aster Credit Union, a finance organization, needed recurring evidence that member-data databases were hardened before a regulatory exam.
- Run monthly vulnerability scans.
- Resolve high-risk findings within 15 days.
- Document every accepted baseline.
- Reduce manual evidence collection time.
The architecture team used Azure SQL vulnerability assessment as the primary mechanism: Security enabled Defender for SQL vulnerability assessment across production databases and mapped each recommendation to a ticket owner. DBAs reviewed findings, fixed excessive permissions, and created baselines only after risk approval. Scan summaries and baseline decisions were exported into the audit evidence workspace. The design included owners, validation steps, rollback criteria, monitoring evidence, and support handoff notes. Before production use, engineers tested the workflow safely, trained the support shift, and captured acceptance criteria in the service runbook. Business owners signed off on success measures, escalation contacts, and the rollback decision point before rollout. Business owners signed off on success measures, escalation contacts, and the rollback decision point before rollout.
- High-risk findings dropped from 18 to 2 in one quarter.
- Evidence collection time fell from 2 weeks to 2 days.
- Every baseline had a risk owner and review date.
- The regulatory exam accepted the scan history.
Azure SQL vulnerability assessment is valuable when teams connect the Azure feature to measurable outcomes, accountable operations, and practical risk reduction.
Scenario 02 Governed modernization Scenario, objectives, solution, measured impact, and takeaway.
Northstar Retail, a retail organization, found inconsistent SQL permissions across store analytics databases after rapid expansion.
- Discover risky database settings.
- Standardize remediation across 80 databases.
- Avoid breaking reporting users.
- Create a repeatable onboarding check.
The architecture team used Azure SQL vulnerability assessment as the primary mechanism: The platform team used vulnerability assessment results to identify permission drift, missing auditing, and configuration issues. DBAs tested remediation scripts in staging, then applied changes by region. Security approved baselines for two legacy reports while owners rebuilt them with safer roles. The design included owners, validation steps, rollback criteria, monitoring evidence, and support handoff notes. Before production use, engineers tested the workflow safely, trained the support shift, and captured acceptance criteria in the service runbook. Business owners signed off on success measures, escalation contacts, and the rollback decision point before rollout. Business owners signed off on success measures, escalation contacts, and the rollback decision point before rollout. Business owners signed off on success measures, escalation contacts, and the rollback decision point before rollout.
- Seventy-six databases reached the target posture.
- Reporting disruption was avoided during remediation.
- New database onboarding now includes a VA scan.
- Permission drift incidents fell by 70 percent.
Azure SQL vulnerability assessment is valuable when teams connect the Azure feature to measurable outcomes, accountable operations, and practical risk reduction.
Scenario 03 Incident-ready optimization Scenario, objectives, solution, measured impact, and takeaway.
Medix Labs, a healthcare organization, needed to prove that research databases were checked before sharing reports with external partners.
- Complete a security review before partner access.
- Remove unnecessary privileged users.
- Keep accepted exceptions traceable.
- Give partners confidence in data controls.
The architecture team used Azure SQL vulnerability assessment as the primary mechanism: DBAs triggered an on-demand vulnerability assessment scan, reviewed the findings with security, and removed old admin accounts. One finding was baselined with a documented business reason until a legacy procedure could be rewritten. The final evidence package included scan status, remediation notes, and access-review approval. The design included owners, validation steps, rollback criteria, monitoring evidence, and support handoff notes. Before production use, engineers tested the workflow safely, trained the support shift, and captured acceptance criteria in the service runbook. Business owners signed off on success measures, escalation contacts, and the rollback decision point before rollout. Business owners signed off on success measures, escalation contacts, and the rollback decision point before rollout.
- Privileged user count dropped from 14 to 5.
- Partner access was approved on schedule.
- The exception had a 60-day expiration.
- The same workflow became standard for new research datasets.
Azure SQL vulnerability assessment is valuable when teams connect the Azure feature to measurable outcomes, accountable operations, and practical risk reduction.
Azure CLI
Use command-line evidence for Azure SQL vulnerability assessment when portal views or desktop tools are too slow, inconsistent, or hard to audit. CLI output helps operators inspect Defender SQL VA scan results, baselines, database inventory, and security recommendation evidence, capture repeatable JSON, compare environments, and prove current state before production changes.
Useful for
- Inspect Defender SQL VA scan results, baselines, database inventory, and security recommendation evidence during reviews, incidents, migrations, or release readiness checks.
- Compare development, test, and production configuration without relying on screenshots or memory.
- Capture JSON or table output for change tickets, audits, rollback decisions, and support escalations.
- Validate resource group, subscription, identity, region, and target resource before any mutating command.
Before you run a command
- Confirm the active tenant, subscription, resource group, region, and exact resource name before running commands.
- Start with read-only show, list, or metrics commands before create, update, delete, failover, or migration actions.
- Check whether the command changes cost, access, data placement, encryption, retention, or workload connectivity.
- Make sure approval, rollback, owner contact, and evidence requirements are clear for production-impacting work.
What the output tells you
- Resource IDs, regions, SKUs, tags, identities, and states show whether live Azure configuration matches design intent.
- Empty, missing, or unexpected fields often reveal wrong scope, unsupported features, drift, or incomplete deployment steps.
- Operation state, timestamps, counts, errors, and report fields show whether a requested change completed successfully.
- Metric and configuration values help separate platform settings from application behavior during troubleshooting.
Mapped commands
Azure SQL vulnerability assessment
directaz security va sql results list --resource-group <rg> --server-name <server> --database-name <database> --scan-id <scan-id>az security va sql baseline show --resource-group <rg> --server-name <server> --database-name <database> --rule-id <rule>az security va sql baseline update --resource-group <rg> --server-name <server> --database-name <database> --rule-id <rule> --latestArchitecture context
Azure SQL vulnerability assessment fits into the database security-governance architecture as a recurring control that checks configuration, permissions, and exposure signals against known risk patterns. I treat it as evidence for security teams and auditors, not a one-time setup task. The design should define which databases are assessed, where results are reviewed, who owns remediation, and how accepted risks are documented. Findings can point to excessive permissions, weak configuration, missing auditing, or hardening gaps that application teams may not notice during normal development. It should be paired with Microsoft Defender for SQL, Microsoft Entra authentication, auditing, private access where appropriate, and change-management workflows. A useful assessment program turns findings into tracked work, not another dashboard nobody reads.
- Security
- Security for Azure SQL vulnerability assessment starts with knowing who can configure it, who can view its output, and what sensitive data, credentials, or network paths may be affected. Important controls include Defender enablement, scan permissions, least-privilege remediation, baseline approvals, evidence retention, and review of privileged users and unsafe settings. Operators should prefer managed identities or reviewed automation where possible, avoid broad contributor access, and record changes in Activity Log, audit trails, or approved tickets. Security teams should check whether logs, reports, copies, keys, or migrated data reveal customer data or topology details. The safest deployments document approval paths, break-glass use, retention expectations, and audit evidence.
- Cost
- Cost considerations for Azure SQL vulnerability assessment come from resources it controls, telemetry it produces, and operational choices it encourages. Key factors include Defender plan cost, security analyst time, remediation projects, logging storage, audit preparation, and avoided breach or compliance remediation expense. Teams should separate direct platform charges from avoided labor, avoided downtime, and reduced waste. Reviews should ask whether the configuration is oversized, underused, duplicated, or retaining more data than policy requires. Budgets, tags, and amortized reporting help connect spend to owners. The best cost outcome is not simply the lowest bill; it is spending enough to meet risk, recovery, performance, and compliance goals without hidden waste.
- Reliability
- Reliability depends on whether Azure SQL vulnerability assessment is tested under realistic operating conditions, not just enabled once during deployment. The most important practices are regular scan cadence, alert routing, stable evidence collection, baseline review dates, and avoiding disruptive remediation during critical workload periods. Teams should define expected state, monitor drift, and rehearse the failure modes that would make the capability necessary. Alerts need owners, thresholds, and escalation paths that match business impact. Good designs capture recovery or validation evidence because incident responders need to know what worked, what failed, and whether assumptions still support stated objectives after upgrades, migrations, or regional changes.
- Performance
- Performance for Azure SQL vulnerability assessment is about how quickly and predictably the capability supports the workload or operator action. Important concerns include read-only scan behavior, operational timing, remediation impact on access or queries, and faster decision-making from organized findings. Teams should measure the user-visible result rather than assuming the Azure feature is fast enough by default. For data and database services, check latency, throttling, concurrency, storage behavior, wait patterns, and query efficiency. For governance or migration capabilities, measure how long decisions, scans, transfers, and validations take during real events. Keep baselines so later tuning has evidence Keep baseline measurements for comparison.
- Operations
- Operationally, Azure SQL vulnerability assessment should fit into support, release, and review routines. Useful practices include finding triage runbooks, ticket integration, ownership mapping, scan schedules, exception review, and status dashboards for database hardening work. Owners should keep runbooks current, define who approves production changes, and make important state visible without tribal knowledge. During incidents, operators need quick ways to inspect configuration, confirm scope, and compare current behavior with intended design. After changes, teams should update diagrams, tags, alerts, and evidence repositories. The goal is a capability support staff can run confidently during off-hours, not a feature only the original architect understands.
Common mistakes
- Treating Azure SQL vulnerability assessment as a simple label instead of a production operating decision with owners and evidence.
- Running a mutating command before collecting read-only state and confirming the target subscription and resource.
- Copying examples into production without adjusting names, regions, identities, network rules, SKUs, or limits.
- Ignoring service-specific permissions, private networking, monitoring, rollback behavior, and cost impact before rollout.