AzInitiativeAdvertizer

last sync: 2025-Aug-13 17:22:31 UTC

Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a LA workspace

Azure BuiltIn Policy Initiative (PolicySet)

Source Azure Portal
Display nameConfigure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a LA workspace
Idd7c3ea3a-edf3-4bd5-bd64-d5b635b05393
Version1.3.0
Details on versioning
Versioning Versions supported for Versioning: 3
1.3.0
1.2.1
1.2.0-preview
Built-in Versioning [Preview]
CategorySecurity Center
Microsoft Learn
DescriptionMicrosoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule and Log Analytics workspace in the same region as the machine.
Cloud environmentsAzureCloud = true
AzureChinaCloud = unknown
AzureUSGovernment = true
Available in AzUSGovThe PolicySet is available in AzureUSGovernment cloud. Version: '1.2.0'
Repository: Azure-Policy d7c3ea3a-edf3-4bd5-bd64-d5b635b05393
TypeBuiltIn
DeprecatedFalse
PreviewFalse
Policy-used summary
Policy types Policy states Policy categories
Total Policies: 9
Builtin Policies: 9
Static Policies: 0
GA: 9
1 categories:
Security Center: 9
Policy-used
Rows: 1-9 / 9
Records:
Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators:
<, <=, >, >=, =, *, !, {, }, ||,&&, [empty], [nonempty], rgx:
Learn more

TableFilter v0.7.3

https://www.tablefilter.com/
©2015-2025 Max Guglielmi
?
Page of 1
Policy DisplayName Policy Id Category Version Versioning Effect Roles# Roles State policy in AzUSGov
Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent 3592ff98-9787-443a-af59-4505d0fe0786 Security Center 1.3.0 3x
1.3.0, 1.2.2, 1.2.1-preview		 Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled		 1 Azure Connected Machine Resource Administrator GA true
Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL 65503269-6a54-4553-8a28-0065a8e6d929 Security Center 1.2.0 3x
1.2.0, 1.1.2, 1.1.1-preview		 Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled		 1 Log Analytics Contributor GA true
Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace da0fd392-9669-4ad4-b32c-ca46aaa6c21f Security Center 1.6.0 6x
1.6.0, 1.5.0, 1.4.0, 1.3.0, 1.2.2, 1.2.1-preview		 Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled		 1 Contributor GA true
Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR cbdd12e1-193a-445c-9926-560118c6daaa Security Center 1.1.0 3x
1.1.0, 1.0.2, 1.0.1-preview		 Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled		 2 Log Analytics Contributor, Monitoring Contributor GA true
Configure SQL Virtual Machines to automatically install Azure Monitor Agent f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Security Center 1.6.0 6x
1.6.0, 1.5.0, 1.4.0, 1.3.0, 1.2.2, 1.2.1-preview		 Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled		 1 Virtual Machine Contributor GA true
Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Security Center 1.6.0 6x
1.6.0, 1.5.0, 1.4.0, 1.3.0, 1.2.1, 1.2.0-preview		 Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled		 2 Log Analytics Contributor, Monitoring Contributor GA true
Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace c859b78a-a128-4376-a838-e97ce6625d16 Security Center 1.9.0 8x
1.9.0, 1.8.0, 1.7.0, 1.6.0, 1.5.0, 1.4.0, 1.3.1, 1.3.0-preview		 Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled		 1 Contributor GA true
Configure the Microsoft Defender for SQL Log Analytics workspace 242300d6-1bfc-4d64-8d01-cee583709ebd Security Center 1.5.0 6x
1.5.0, 1.4.0, 1.3.0, 1.2.0, 1.1.2, 1.1.1-preview		 Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled		 1 Contributor GA true
Create and assign a built-in user-assigned managed identity 09963c90-6ee7-4215-8d26-1cc660a1682f Security Center 1.8.0 7x
1.8.0, 1.7.0, 1.6.0, 1.5.0, 1.4.0, 1.3.1, 1.3.0-preview		 Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled		 1 Contributor GA true
Roles used Total Roles usage: 11
Total Roles unique usage: 5
Role Role Id #Policies Policies
Log Analytics Contributor 92aaf0da-9dab-42b6-94a3-d43ce8d16293 3 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL, Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR, Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL
Contributor b24988ac-6180-42a0-ab88-20f7382dd24c 4 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace, Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a Log Analytics workspace, Configure the Microsoft Defender for SQL Log Analytics workspace, Create and assign a built-in user-assigned managed identity
Monitoring Contributor 749f88d5-cbae-40b8-bcfc-e573ddc772fa 2 Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL DCR, Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL
Virtual Machine Contributor 9980e02c-c2be-4d73-94e8-173b1dc7cf3c 1 Configure SQL Virtual Machines to automatically install Azure Monitor Agent
Azure Connected Machine Resource Administrator cd570a14-e51a-42ad-bac8-bafd67325302 1 Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent
History
Date/Time (UTC ymd) (i) Changes
2024-05-15 17:48:20 Version change: '1.2.1' to '1.3.0'
2023-11-22 19:18:10 Version change: '1.2.0-preview' to '1.2.1'
Name change: '[Preview]: Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a LA workspace' to 'Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a LA workspace'
2023-09-18 18:02:04 Description change: 'Configure machines to automatically install the Azure Monitor and Microsoft Defender for SQL agents. Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Create a resource group, a Data Collection Rule and Log Analytics workspace in the same region as the machine to store audit records.' to 'Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule and Log Analytics workspace in the same region as the machine.'
Name change: '[Preview]: Configure machines to create the default Microsoft Defender for SQL pipeline using Azure Monitor Agent' to '[Preview]: Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a LA workspace'
2023-09-14 17:58:18 Version change: '1.1.0-preview' to '1.2.0-preview'
2023-08-25 17:58:14 add Initiative d7c3ea3a-edf3-4bd5-bd64-d5b635b05393
JSON compare
compare mode: version left: version right:
1.2.1 → 1.3.0 RENAMED
@@ -2,10 +2,11 @@
2
  "displayName": "Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a LA workspace",
3
  "description": "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule and Log Analytics workspace in the same region as the machine.",
4
  "metadata": {
5
  "category": "Security Center",
6
- "version": "1.2.1"
7
  },
 
8
  "parameters": {
9
  "workspaceRegion": {
10
  "type": "String",
11
  "metadata": {
@@ -41,27 +42,64 @@
41
  "displayName": "User-Assigned Managed Identity Resource Group Location",
42
  "description": "The location of the resource group 'Built-In-Identity-RG' created by the policy."
43
  },
44
  "defaultValue": "eastus"
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
45
  }
46
  },
47
  "policyDefinitions": [
48
  {
49
  "policyDefinitionReferenceId": "MDC_DfSQL_AddUserAssignedIdentity_VM",
50
  "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09963c90-6ee7-4215-8d26-1cc660a1682f",
 
51
  "parameters": {
52
  "builtInIdentityResourceGroupLocation": {
53
  "value": "[parameters('builtInIdentityResourceGroupLocation')]"
 
 
 
 
 
 
54
  }
55
  }
56
  },
57
  {
58
  "policyDefinitionReferenceId": "MDC_DfSQL_DeployWindowsAMA_VM",
59
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f91991d1-5383-4c95-8ee5-5ac423dd8bb1"
 
 
 
 
 
 
 
 
 
60
  },
61
  {
62
  "policyDefinitionReferenceId": "MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_VM",
63
  "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce",
 
64
  "parameters": {
65
  "workspaceRegion": {
66
  "value": "[parameters('workspaceRegion')]"
67
  },
@@ -71,38 +109,49 @@
71
  }
72
  },
73
  {
74
  "policyDefinitionReferenceId": "MDC_DfSQL_DeployDefaultWorkspace",
75
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/242300d6-1bfc-4d64-8d01-cee583709ebd"
 
76
  },
77
  {
78
  "policyDefinitionReferenceId": "MDC_DfSQL_AMA_DefaultPipeline_VM",
79
  "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c859b78a-a128-4376-a838-e97ce6625d16",
 
80
  "parameters": {
81
  "enableCollectionOfSqlQueriesForSecurityResearch": {
82
  "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
83
  }
84
  }
85
  },
86
  {
87
  "policyDefinitionReferenceId": "MDC_DfSQL_DeployWindowsAMA_Arc",
88
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786"
 
89
  },
90
  {
91
  "policyDefinitionReferenceId": "MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_Arc",
92
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929"
 
93
  },
94
  {
95
  "policyDefinitionReferenceId": "MDC_DfSQL_AMA_DefaultPipeline_Arc",
96
  "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da0fd392-9669-4ad4-b32c-ca46aaa6c21f",
 
97
  "parameters": {
98
  "enableCollectionOfSqlQueriesForSecurityResearch": {
99
  "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
100
  }
101
  }
102
  },
103
  {
104
  "policyDefinitionReferenceId": "MDC_DfSQL_AMA_DefaultPipeline_DCRA_Arc",
105
- "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cbdd12e1-193a-445c-9926-560118c6daaa"
 
106
  }
 
 
 
 
 
107
  ]
108
  }
 
2
  "displayName": "Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a LA workspace",
3
  "description": "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule and Log Analytics workspace in the same region as the machine.",
4
  "metadata": {
5
  "category": "Security Center",
6
+ "version": "1.3.0"
7
  },
8
+ "version": "1.3.0",
9
  "parameters": {
10
  "workspaceRegion": {
11
  "type": "String",
12
  "metadata": {
 
42
  "displayName": "User-Assigned Managed Identity Resource Group Location",
43
  "description": "The location of the resource group 'Built-In-Identity-RG' created by the policy."
44
  },
45
  "defaultValue": "eastus"
46
+ },
47
+ "bringYourOwnUserAssignedManagedIdentity": {
48
+ "type": "Boolean",
49
+ "metadata": {
50
+ "displayName": "Bring your own User-Assigned Managed Identity",
51
+ "description": "Enable this to use your own user-assigned managed identity. The pre-created identity MUST exist otherwise the policy deployment will fail. If enabled, ensure that the user-assigned managed identity resource ID parameter matches the pre-created user-assigned managed identity resource ID. If not enabled, the policy will create a new user-assigned managed identitiy per subscription, in a new resource group named 'Built-In-Identity-RG'."
52
+ },
53
+ "allowedValues": [
54
+ true,
55
+ false
56
+ ],
57
+ "defaultValue": false
58
+ },
59
+ "userAssignedIdentityResourceId": {
60
+ "type": "String",
61
+ "metadata": {
62
+ "displayName": "User-Assigned Managed Identity Resource ID",
63
+ "description": "The resource ID of the pre-created user-assigned managed identity. This parameter is only used when bringYourOwnUserAssignedManagedIdentity is set to true"
64
+ },
65
+ "defaultValue": ""
66
  }
67
  },
68
  "policyDefinitions": [
69
  {
70
  "policyDefinitionReferenceId": "MDC_DfSQL_AddUserAssignedIdentity_VM",
71
  "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09963c90-6ee7-4215-8d26-1cc660a1682f",
72
+ "definitionVersion": "1.*.*",
73
  "parameters": {
74
  "builtInIdentityResourceGroupLocation": {
75
  "value": "[parameters('builtInIdentityResourceGroupLocation')]"
76
+ },
77
+ "bringYourOwnUserAssignedManagedIdentity": {
78
+ "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]"
79
+ },
80
+ "userAssignedIdentityResourceId": {
81
+ "value": "[parameters('userAssignedIdentityResourceId')]"
82
  }
83
  }
84
  },
85
  {
86
  "policyDefinitionReferenceId": "MDC_DfSQL_DeployWindowsAMA_VM",
87
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f91991d1-5383-4c95-8ee5-5ac423dd8bb1",
88
+ "definitionVersion": "1.*.*",
89
+ "parameters": {
90
+ "bringYourOwnUserAssignedManagedIdentity": {
91
+ "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]"
92
+ },
93
+ "userAssignedIdentityResourceId": {
94
+ "value": "[parameters('userAssignedIdentityResourceId')]"
95
+ }
96
+ }
97
  },
98
  {
99
  "policyDefinitionReferenceId": "MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_VM",
100
  "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce",
101
+ "definitionVersion": "1.*.*",
102
  "parameters": {
103
  "workspaceRegion": {
104
  "value": "[parameters('workspaceRegion')]"
105
  },
 
109
  }
110
  },
111
  {
112
  "policyDefinitionReferenceId": "MDC_DfSQL_DeployDefaultWorkspace",
113
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/242300d6-1bfc-4d64-8d01-cee583709ebd",
114
+ "definitionVersion": "1.*.*"
115
  },
116
  {
117
  "policyDefinitionReferenceId": "MDC_DfSQL_AMA_DefaultPipeline_VM",
118
  "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c859b78a-a128-4376-a838-e97ce6625d16",
119
+ "definitionVersion": "1.*.*",
120
  "parameters": {
121
  "enableCollectionOfSqlQueriesForSecurityResearch": {
122
  "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
123
  }
124
  }
125
  },
126
  {
127
  "policyDefinitionReferenceId": "MDC_DfSQL_DeployWindowsAMA_Arc",
128
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786",
129
+ "definitionVersion": "1.*.*"
130
  },
131
  {
132
  "policyDefinitionReferenceId": "MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_Arc",
133
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929",
134
+ "definitionVersion": "1.*.*"
135
  },
136
  {
137
  "policyDefinitionReferenceId": "MDC_DfSQL_AMA_DefaultPipeline_Arc",
138
  "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da0fd392-9669-4ad4-b32c-ca46aaa6c21f",
139
+ "definitionVersion": "1.*.*",
140
  "parameters": {
141
  "enableCollectionOfSqlQueriesForSecurityResearch": {
142
  "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
143
  }
144
  }
145
  },
146
  {
147
  "policyDefinitionReferenceId": "MDC_DfSQL_AMA_DefaultPipeline_DCRA_Arc",
148
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cbdd12e1-193a-445c-9926-560118c6daaa",
149
+ "definitionVersion": "1.*.*"
150
  }
151
+ ],
152
+ "versions": [
153
+ "1.3.0",
154
+ "1.2.1",
155
+ "1.2.0-preview"
156
  ]
157
  }
JSON
api-version=2023-04-01
EPAC 
{8 items}