Microsoft Defender for Cloud's SQL Servers on Machines component of the Defender for Databases plan protects SQL Server instances running on virtual machines, on-premises hosts, and Azure Arc-enabled servers. It relies on the SQL IaaS Agent extension and the Defender for SQL extension installed on each machine to identify and mitigate potential database vulnerabilities and to detect anomalous activity that could indicate threats to your databases.
When you enable the SQL Servers on Machines component of the Defender for Databases plan, auto-provisioning starts. Auto-provisioning installs and configures the required components, including the Azure Monitor Agent (AMA), SQL IaaS extension, and Defender for SQL extensions. It also configures the workspace, Data Collection Rules (DCRs), and identity when needed.
This article explains how to enable auto-provisioning for Defender for SQL across multiple subscriptions by using a PowerShell script. This process applies to SQL servers hosted on Azure Virtual Machines (VMs), on-premises environments, and Azure Arc-enabled SQL servers. It also covers optional configurations such as:
- custom data collection rules
- custom identity management
- default workspace integration
- custom workspace configuration
Prerequisites
Before you begin:
- Review SQL Server on Azure VMs, SQL Server enabled by Azure Arc, and how to migrate to Azure Monitor Agent from Log Analytics agent.
- Connect Amazon Web Services (AWS) accounts to Microsoft Defender for Cloud.
- Connect Google Cloud Platform (GCP) to Microsoft Defender for Cloud.
- Install PowerShell for your platform: Windows, Linux, macOS, or ARM.
- Install these PowerShell modules. For installation instructions, see Install-Module:
  - Az
  - Az.Accounts
  - Az.Resources
  - Az.OperationalInsights
  - Az.PolicyInsights
  - Az.Security
- Have Virtual Machine Contributor, Contributor, or Owner permissions.
PowerShell script parameters and samples
The PowerShell script that enables Microsoft Defender for SQL on Machines on a given subscription has several parameters that you can customize to fit your needs. The following table lists the parameters and their descriptions:
| Parameter name | Required | Description |
|---|---|---|
| SubscriptionId | Required | The Azure subscription ID that you want to enable Defender for SQL Servers on Machines for. |
| RegisterSqlVmAgnet | Required | A flag indicating whether to register the SQL VM Agent in bulk. This parameter name (including its spelling) matches the current upstream script. You can register multiple SQL VMs in Azure with the SQL IaaS Agent extension in bulk. For details, see Register multiple SQL VMs with SQL IaaS Agent extension. |
| WorkspaceResourceId | Optional | The resource ID of the Log Analytics workspace, if you want to use a custom workspace instead of the default one. |
| DataCollectionRuleResourceId | Optional | The resource ID of the data collection rule, if you want to use a custom Data Collection Rule (DCR) instead of the default one. |
| UserAssignedIdentityResourceId | Optional | The resource ID of the user assigned identity, if you want to use a custom user assigned identity instead of the default one. |
The following sample script is applicable when you use a default Log Analytics workspace, data collection rule, and managed identity.
```powershell
Write-Host "------ Enable Defender for SQL on Machines example ------"
$SubscriptionId = "<SubscriptionID>"
$RegisterSqlVmAgnet = $true
.\EnableDefenderForSqlOnMachines.ps1 -SubscriptionId $SubscriptionId -RegisterSqlVmAgnet $RegisterSqlVmAgnet
```
The following sample script is applicable when you use a custom Log Analytics workspace, data collection rule, and managed identity.
```powershell
Write-Host "------ Enable Defender for SQL on Machines example ------"
$SubscriptionId = "<SubscriptionID>"
$RegisterSqlVmAgnet = $false
$WorkspaceResourceId = "/subscriptions/<SubscriptionID>/resourceGroups/someResourceGroup/providers/Microsoft.OperationalInsights/workspaces/someWorkspace"
$DataCollectionRuleResourceId = "/subscriptions/<SubscriptionID>/resourceGroups/someOtherResourceGroup/providers/Microsoft.Insights/dataCollectionRules/someDcr"
$UserAssignedIdentityResourceId = "/subscriptions/<SubscriptionID>/resourceGroups/someElseResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/someManagedIdentity"
.\EnableDefenderForSqlOnMachines.ps1 -SubscriptionId $SubscriptionId -RegisterSqlVmAgnet $RegisterSqlVmAgnet -WorkspaceResourceId $WorkspaceResourceId -DataCollectionRuleResourceId $DataCollectionRuleResourceId -UserAssignedIdentityResourceId $UserAssignedIdentityResourceId
```
Enable Defender for SQL Servers on Machines at scale
To enable Defender for SQL Servers on Machines at scale:

1. Open a PowerShell window.
2. Copy the EnableDefenderForSqlOnMachines.ps1 script from the Defender for Cloud GitHub repository.
3. Save the script as EnableDefenderForSqlOnMachines.ps1 in your working directory. The sample invocations above call it by that relative path.
4. Enter parameter information as needed.
5. Run the script once per subscription that you want to protect, and confirm that it completed without errors before moving to the next one.
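The following wrapper is an added example, not part of the original article or of the upstream repository. It shows how to drive the upstream EnableDefenderForSqlOnMachines.ps1 script across several subscriptions from one invocation, validating the optional resource IDs before any change is made and checking afterwards that the plan is actually on. It assumes the upstream script is saved in the current directory, that the Az modules listed in the prerequisites are installed, and that the caller is signed in or can sign in interactively. The plan name `SqlServerVirtualMachines` is the name Get-AzSecurityPricing uses for the SQL Servers on Machines component; the `Assert-ResourceId` helper and the `$SubscriptionIds` parameter are constructed for this example.

```powershell
# Added example: enable Defender for SQL on Machines in several subscriptions
# with one command, validating inputs up front and verifying the result.
#Requires -Modules Az.Accounts, Az.Security, Az.Resources

param(
    [Parameter(Mandatory)] [string[]] $SubscriptionIds,   # constructed parameter for this wrapper
    [bool]   $RegisterSqlVmAgnet = $true,                  # spelling matches the upstream script
    [string] $WorkspaceResourceId,
    [string] $DataCollectionRuleResourceId,
    [string] $UserAssignedIdentityResourceId
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Reject malformed resource IDs before touching any subscription. A typo in the
# workspace or DCR ID would otherwise route SQL telemetry somewhere you did not intend.
function Assert-ResourceId {
    param([string] $Id, [string] $ExpectedType)
    if ([string]::IsNullOrEmpty($Id)) { return }   # optional parameter not supplied
    $pattern = '^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+/providers/' +
               [regex]::Escape($ExpectedType) + '/[^/]+$'
    if ($Id -notmatch $pattern) {
        throw "Resource ID '$Id' is not a well-formed $ExpectedType ID"
    }
}

Assert-ResourceId $WorkspaceResourceId            'Microsoft.OperationalInsights/workspaces'
Assert-ResourceId $DataCollectionRuleResourceId   'Microsoft.Insights/dataCollectionRules'
Assert-ResourceId $UserAssignedIdentityResourceId 'Microsoft.ManagedIdentity/userAssignedIdentities'

if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }

$results = foreach ($subId in $SubscriptionIds) {
    Write-Host "------ Enabling Defender for SQL on Machines in $subId ------"
    Set-AzContext -SubscriptionId $subId | Out-Null

    # Pass the optional parameters only when they were supplied, so the upstream
    # script falls back to the default workspace, DCR, and identity otherwise.
    $scriptArgs = @{ SubscriptionId = $subId; RegisterSqlVmAgnet = $RegisterSqlVmAgnet }
    if ($WorkspaceResourceId)            { $scriptArgs.WorkspaceResourceId            = $WorkspaceResourceId }
    if ($DataCollectionRuleResourceId)   { $scriptArgs.DataCollectionRuleResourceId   = $DataCollectionRuleResourceId }
    if ($UserAssignedIdentityResourceId) { $scriptArgs.UserAssignedIdentityResourceId = $UserAssignedIdentityResourceId }

    try {
        .\EnableDefenderForSqlOnMachines.ps1 @scriptArgs

        # Verify the plan is on. A failure in one subscription must not be
        # masked by success in the next, so record the tier per subscription.
        $pricing = Get-AzSecurityPricing -Name 'SqlServerVirtualMachines'
        [pscustomobject]@{ SubscriptionId = $subId; PricingTier = $pricing.PricingTier; Error = $null }
    }
    catch {
        [pscustomobject]@{ SubscriptionId = $subId; PricingTier = 'Unknown'; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

# Exit non-zero if any subscription failed or is still on the Free tier, so a
# pipeline running this wrapper surfaces partial rollouts instead of hiding them.
$failed = $results | Where-Object { $_.Error -or $_.PricingTier -ne 'Standard' }
if ($failed) {
    Write-Error "Defender for SQL on Machines is not enabled in: $($failed.SubscriptionId -join ', ')"
    exit 1
}
```

Run it as `.\Enable-DefenderForSqlAtScale.ps1 -SubscriptionIds '<sub-1>', '<sub-2>'` for the default workspace, DCR, and identity, or add the three custom resource IDs as in the second sample above. The per-subscription result table is the artifact to keep with the change record: it shows which subscriptions reached the Standard tier and which need a re-run.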