last sync: 2025-Jul-25 17:39:48 UTC

Deploy Advanced Data Security on SQL servers

Azure BuiltIn Policy definition

Source Azure Portal
Display name Deploy Advanced Data Security on SQL servers
Id 6134c3db-786f-471e-87bc-8f479dc890f6
Version 1.3.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.3.0
Built-in Versioning [Preview]
Category SQL
Microsoft Learn
Description This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix.
Cloud environments AzureCloud = true
AzureUSGovernment = unknown
AzureChinaCloud = unknown
Available in AzUSGov Unknown; there is no evidence whether the Policy definition is or is not available in AzureUSGovernment
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Fixed
DeployIfNotExists
RBAC role(s)
Role Name Role Id
SQL Security Manager 056cd41c-7e88-42e1-933e-88ba6a50c9c3
Storage Account Contributor 17d1049b-9a84-46fb-8f53-869881c3d3ab
Rule aliases THEN-ExistenceCondition (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.Sql/securityAlertPolicies.state Microsoft.Sql
Microsoft.Sql
servers/databases/securityAlertPolicies
servers/securityAlertPolicies
properties.state
properties.state
True
True

False
False
Rule resource types IF (1)
THEN-Deployment (3)
Compliance Not a Compliance control
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
Enforce recommended guardrails for SQL and SQL Managed Instance Enforce-Guardrails-SQL SQL GA ALZ
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-07-22 16:34:49 change Minor (1.2.0 > 1.3.0)
2021-06-08 15:17:13 change Minor (1.1.0 > 1.2.0)
2021-04-27 15:38:15 change Minor (1.0.0 > 1.1.0)
JSON compare
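--- a/1.2.0
+++ b/1.3.0
@@ -3,9 +3,9 @@
   "policyType": "BuiltIn",
   "mode": "Indexed",
   "description": "This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix.",
   "metadata": {
- "version": "1.2.0",
+ "version": "1.3.0",
   "category": "SQL"
   },
   "parameters": {},
   "policyRule": {
@@ -67,9 +67,9 @@
   "type": "Microsoft.Sql/servers/securityAlertPolicies",
   "apiVersion": "2017-03-01-preview",
   "properties": {
   "state": "Enabled",
- "emailAccountAdmins": true
+ "emailAccountAdmins": false
   }
   },
   {
   "name": "[concat(parameters('serverName'), '/Default')]",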
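Review bot: With `"emailAccountAdmins": false` at new line 71, the `properties` block of this `securityAlertPolicies` resource names no email recipient in the lines shown, since there is no `emailAddresses` entry, so a server remediated by this version gets threat-detection alerts that this resource mails to nobody. If that is intended, for example because alerts are consumed centrally, the `description` at line 5 should say so, e.g. by appending `Alert e-mails to account admins are not enabled by this policy.` Otherwise consider adding `"emailAddresses": ["<security-contact-placeholder>"]` fed from a policy parameter, since `parameters` is currently `{}`. The resource object enclosing these lines starts before line 67, outside the hunk.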
JSON
api-version=2021-06-01
EPAC
{7 items
  • displayName: "Deploy Advanced Data Security on SQL servers",
  • policyType: "BuiltIn",
  • mode: "Indexed",
  • description: "This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix.",
  • metadata: {2 items
    • version: "1.3.0",
    • category: "SQL"
    },
  • parameters: {},
  • policyRule: {2 items
    • if: {2 items
      • field: "type",
      • equals: "Microsoft.Sql/servers"
      },
    • then: {2 items
      • effect: "DeployIfNotExists",
      • details: {5 items
        • type: "Microsoft.Sql/servers/securityAlertPolicies",
        • name: "Default",
        • existenceCondition: {2 items
          • field: "Microsoft.Sql/securityAlertPolicies.state",
          • equals: "Enabled"
          },
        • roleDefinitionIds: [2 items],
        • deployment: {1 item
          • properties: {3 items
            • mode: "incremental",
            • template: {5 items
              • $schema: "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              • contentVersion: "1.0.0.0",
              • parameters: {2 items},
              • variables: {4 items
                • serverResourceGroupName: "[resourceGroup().name]",
                • subscriptionId: "[subscription().subscriptionId]",
                • uniqueStorage: 🔍"[ uniqueString( variables( 'subscriptionId' ), variables( 'serverResourceGroupName' ), parameters('location') ) ]",
                • storageName: 🔍"[ tolower( concat( 'sqlva', variables( 'uniqueStorage' ) ) ) ]"
                },
              • resources: [3 items
                • {7 items
                  • type: "Microsoft.Storage/storageAccounts",
                  • name: "[variables('storageName')]",
                  • apiVersion: "2019-04-01",
                  • location: "[parameters('location')]",
                  • sku: {1 item
                    • name: "Standard_LRS"
                    },
                  • kind: "StorageV2",
                  • properties: {3 items
                    • minimumTlsVersion: "TLS1_2",
                    • supportsHttpsTrafficOnly: "true",
                    • allowBlobPublicAccess: "false"
                    }
                  },
                • {4 items
                  • name: 🔍"[ concat( parameters('serverName'), '/Default' ) ]",
                  • type: "Microsoft.Sql/servers/securityAlertPolicies",
                  • apiVersion: "2017-03-01-preview",
                  • properties: {2 items
                    • state: "Enabled",
                    • emailAccountAdmins: false
                    }
                  },
                • {5 items
                  • name: 🔍"[ concat( parameters('serverName'), '/Default' ) ]",
                  • type: "Microsoft.Sql/servers/vulnerabilityAssessments",
                  • apiVersion: "2018-06-01-preview",
                  • properties: {3 items
                    • storageContainerPath: 🔍"[ concat( reference( resourceId( 'Microsoft.Storage/storageAccounts', variables( 'storageName' ) ) ).primaryEndpoints.blob, 'vulnerability-assessment' ) ]",
                    • storageAccountAccessKey: 🔍"[ listKeys( resourceId( 'Microsoft.Storage/storageAccounts', variables( 'storageName' ) ), '2018-02-01' ).keys[ 0 ].value ]",
                    • recurringScans: {3 items
                      • isEnabled: true,
                      • emailSubscriptionAdmins: true,
                      • emails: []
                      }
                    },
                  • dependsOn: [2 items
                    • 🔍"[ concat( 'Microsoft.Storage/storageAccounts/', variables( 'storageName' ) ) ]",
                    • 🔍"[ concat( 'Microsoft.Sql/servers/', parameters('serverName'), '/securityAlertPolicies/Default' ) ]"
                    ]
                  }
                ]
              },
            • parameters: {2 items}
            }
          }
        }
      }
    }
}