Enable Defender for SQL Servers on Machines

The Defender for SQL Servers on Machines plan is one of the Defender for Databases plans in Microsoft Defender for Cloud. Use Defender for SQL Servers on Machines to protect SQL virtual machines (VM) and Azure Arc SQL Server instances.

Prerequisites

• Subscription permissions: To deploy the plan on a subscription, including Azure Policy, you need Subscription Owner permissions.

• SQL Server instance permissions: SQL Server service accounts must be a member of the sysadmin fixed server role on each SQL Server instance, which is the default setting. Learn more about the SQL Server service account requirement.

• Supported Resources:

  • SQL virtual machines, and Azure Arc SQL Server instances are supported.
  • On-premises machines must be onboarded to Arc and registered as Azure Arc SQL Server instances.

Communication: Allow outbound HTTPS traffic on Transmission Control Protocol (TCP) port 443 using Transport Layer Security (TLS) to *.<region>.arcdataservices.com URL. Learn more about URL requirements.

• Extensions: Ensure these extensions aren't blocked in your environment. Learn more about restricting extensions installation on Windows VMs.

  • Defender for SQL (IaaS and Arc)
    • Publisher: Microsoft.Azure.AzureDefenderForSQL
    • Type: AdvancedThreatProtection.Windows
  • SQL IaaS Extension (IaaS)
    • Publisher: Microsoft.SqlServer.Management
    • Type: SqlIaaSAgent
  • SQL IaaS Extension (Arc)
    • Publisher: Microsoft.AzureData
    • Type: WindowsAgent.SqlServer

• Supported SQL Server versions - SQL Server 2012 R2 (11.x) and later versions.

• Supported operating systems- SQL Server 2012 R2 and later versions.

Enable the plan

Enable the plan on an Azure subscription

To enable the Defender for SQL servers on machines plan, you need to enable the Defender for Databases plan on your subscription. The Defender for SQL servers on machines plan is included in the Defender for Databases plan.

1. Sign in to the Azure portal.

2. Navigate to Microsoft Defender for Cloud > Environment settings.

3. Select the relevant subscription.

4. On the Defender plans page, locate the Databases plan and select Select types.

   

5. In the Resource types selection window, toggle the SQL Servers on Machines plan to On.

   

6. Select Continue > Save.

Enable the plan on an Amazon Web Services (AWS) or Google Cloud Platform (GCP) subscription

To enable the Defender for SQL servers on machines plan, you need to enable the Defender for Databases plan on your subscription. The Defender for SQL servers on machines plan is included in the Defender for Databases plan.

1. Sign in to the Azure portal.

2. Search for and select Microsoft Defender for Cloud.

3. Select Environment settings.

4. Select the relevant AWS or GCP subscription.

5. On the Defender plans page, locate the Databases plan and select Settings.

6. In the SQL Servers on machines section, toggle the SQL Servers on machines plan to On.

   

7. Select Save.

Enable the plan at the SQL Server resource level

1. In the Azure portal, search for and select:

   • Azure Arc > Data services > SQL Server instances.
     or
   • SQL virtual machines.

2. Select the relevant SQL Server instance.

3. Locate the security menu and select Microsoft Defender for Cloud.

   

4. Select Enable Microsoft Defender for SQL servers on Machines.

   

Verify that your machines are protected

Depending on your environment, it can take a few hours to discover and protect SQL instances. As a final step, you should verify that all machines are protected.

Related content

• Verify that all machines are protected
• Troubleshoot Defender for SQL on machines configuration
• Enable Microsoft Defender for SQL Servers on Machines at scale
• Disable Defender for SQL Servers on Machines