top of page
Image by Thought Catalog

Post Details

  • Writer's pictureALIF Consulting

SQL vulnerability assessment helps you identify database vulnerabilities

About Alif : Alif empowers Microsoft MSP-CSP partners to provide exceptional IT services to their clients to ensure that the partners reduce their costs and focus on their business. We provide white-labelled managed services for technologies like Microsoft Azure, Microsoft 365, Microsoft Dynamics 365, Microsoft Security, SharePoint, Power Platform, SQL, Azure DevOps and a lot more. Our headquarter is in Pune, India whereas we work with over 50 partners across the globe that trust us with their client delivery.

SQL vulnerability assessment is an easy-to-configure service that can discover, track, and help you remediate potential database vulnerabilities. Use it to proactively improve your database security.

Vulnerability assessment is part of the Microsoft Defender for SQL offering, which is a unified package for advanced SQL security capabilities. Vulnerability assessment can be accessed and managed via the central Microsoft Defender for SQL portal.

What is SQL vulnerability assessment?

SQL vulnerability assessment is a service that provides visibility into your security state. Vulnerability assessment includes actionable steps to resolve security issues and enhance your database security. It can help you to monitor a dynamic database environment where changes are difficult to track and improve your SQL security posture.

Vulnerability assessment is a scanning service built into Azure SQL Database. The service employs a knowledge base of rules that flag security vulnerabilities. It highlights deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data.

The rules are based on Microsoft's best practices and focus on the security issues that present the biggest risks to your database and its valuable data. They cover database-level issues and server-level security issues, like server firewall settings and server-level permissions.

Results of the scan include actionable steps to resolve each issue and provide customized remediation scripts where applicable. You can customize an assessment report for your environment by setting an acceptable baseline for:

  • Permission configurations

  • Feature configurations

  • Database settings

Rule categories

SQL Vulnerability Assessment rules have five categories, which are in the following sections:


The SQL Vulnerability Assessment service needs permission to the storage account to save baseline and scan results. There are three methods:

  • Use Storage Account key: Azure creates the SAS key and saves it (though we don't save the account key)

  • Use Storage SAS key: The SAS key must have: Write | List | Read | Delete permissions

  • Use SQL Server managed identity: The SQL Server must have a managed identity. The storage account must have a role assignment for the SQL Managed Identity as Storage Blob Data Contributor. When you apply the settings, the VA fields storageContainerSasKey and storageAccountAccessKey must be empty. When storage is behind a firewall or virtual network, then the SQL managed identity is required.

When you use the Azure portal to save SQL VA settings, Azure checks if you have permission to assign a new role assignment for the managed identity as Storage Blob Data Contributor on the storage. If permissions are assigned, Azure uses SQL Server managed identity, otherwise Azure uses the key method.

Storage account requirements

The storage account in which vulnerability assessment scan results are saved must meet the following requirements:

  • Type: StorageV2 (General Purpose V2) or Storage (General Purpose V1)

  • Performance: Standard (only)

  • Region: The storage must be in the same region as the instance of Azure SQL Server.

  • If any of these requirements aren't met, saving changes to vulnerability assessment settings fails.


The following permissions are required to save changes to vulnerability assessment settings:

  • SQL Security Manager

  • Storage Blob Data Reader

  • Owner role on the storage account

  • Setting a new role assignment requires owner or user administrator access to the storage account and the following permissions:

  • Storage Blob Data Owner

6 views0 comments

Recent Posts

See All
bottom of page