Microsoft Expands SQL Vulnerability Assessment Express Configuration to Additional Azure Services with Unified Management API
#Security


Cloud Reporter
7 min read

Microsoft has extended its SQL Vulnerability Assessment Express Configuration to Azure SQL Managed Instance and Azure Synapse Analytics, while introducing a unified API for consistent management across all SQL resources. This enhancement simplifies security operations, reduces administrative overhead, and provides consistent security coverage across hybrid SQL environments.


Microsoft has announced two enhancements to the SQL Vulnerability Assessment (SQL VA) service in Defender for Cloud: Express Configuration now covers additional Azure SQL services, and a new preview API brings SQL VA management under a single model. Together they aim to simplify security operations, reduce administrative overhead, and provide consistent coverage across hybrid SQL environments.

What Changed: Expanded Coverage and Unified Management

SQL VA is a core security capability in Defender for SQL that identifies database misconfigurations, excessive permissions, and other security deviations through scheduled and on-demand scans. Previously, enabling SQL VA on Azure SQL Platform as a Service (PaaS) resources required customers to provision and maintain dedicated Azure Storage accounts to hold scan results and baselines. Each such account had to be secured and paid for like any other data store, which created operational complexity, especially for organizations managing large SQL estates across multiple resource types.

The Express Configuration feature was introduced as a solution to these challenges by using Microsoft-managed storage instead of customer-provisioned accounts. With this public preview update, Microsoft has extended Express Configuration support to:

  • Azure SQL Managed Instance (public preview)
  • Azure Synapse Analytics workspaces (dedicated SQL pools, public preview)

Express Configuration for Azure SQL Database remains generally available and is now the default enablement mode when configuring Defender for SQL through the UI.

Additionally, Microsoft has introduced a new preview API version that brings SQL VA management under a unified model across all supported SQL resources:

  • Azure SQL Database
  • SQL Managed Instance
  • Azure Synapse Analytics workspaces (Express Configuration only)
  • SQL on machines (Azure Virtual Machines and Arc-enabled SQL Servers)

This unified API enables consistent configuration, scanning, and governance across diverse SQL deployments, addressing a significant pain point for organizations managing hybrid SQL environments.

Express Configuration vs. Classic Configuration

Comparing Express Configuration with the Classic Configuration approach, the differences fall into four areas:

Operational Simplicity

  • Express Configuration eliminates the need for customers to provision, configure, and maintain dedicated storage accounts
  • Classic Configuration required manual storage account management, adding administrative overhead
  • Express Configuration keeps results and baselines in Microsoft-managed storage, reducing the attack surface: there is no longer a customer-owned storage account holding scan output that must be locked down (network rules, key handling, access logging) and monitored

Consistent Management Experience

  • The new unified API provides a single interface for SQL VA across all supported resource types
  • Classic Configuration required different API endpoints for different SQL services, complicating automation
  • Express Configuration enables consistent scripting and automation across hybrid SQL environments

Deployment Speed

  • Express Configuration can be enabled immediately without prerequisite storage setup
  • Classic Configuration required storage account provisioning before SQL VA could be enabled
  • The unified API enables bulk configuration across multiple resource types simultaneously

Pricing Implications

  • Express Configuration reduces storage costs by eliminating the need for customer-provisioned storage accounts
  • Classic Configuration incurred additional costs for the provisioned storage accounts
  • Both approaches use the same scanning engine and rule set, meaning security coverage remains consistent

From a migration perspective, organizations using Classic Configuration can transition to Express Configuration with an updated migration script. During the public preview this migration must be performed programmatically, since the UI does not yet support it; nor does the UI support reverting from Express Configuration back to Classic Configuration.

Business Impact: Reducing Operational Overhead and Standardizing Security

The expansion of Express Configuration and introduction of the unified API deliver significant business value for organizations managing Azure SQL environments:

Reduced Operational Complexity

Organizations with large SQL estates often struggle with inconsistent enablement and management across different resource types. The unified API addresses this by providing a single interface for SQL VA configuration, scanning, and baseline management across Azure SQL Database, SQL Managed Instance, Azure Synapse Analytics, and SQL on machines. This standardization simplifies security operations, reduces training requirements, and enables consistent security policies across hybrid environments.

Lower Total Cost of Ownership

By eliminating the need for customer-managed storage accounts, Express Configuration reduces both direct storage costs and the administrative overhead of managing those resources. For organizations with hundreds or thousands of SQL instances, this is a meaningful reduction in operational expense.

Improved Security Consistency

The unified management model helps ensure consistent security coverage across all SQL resources, reducing the risk of gaps in vulnerability visibility that arise when different configuration methods are used. This is particularly valuable for organizations with hybrid SQL deployments spanning multiple Azure services and on-premises systems.

Enhanced Automation Capabilities

The new preview API enables more sophisticated automation for SQL VA management. Organizations can implement consistent enablement, scanning, and baseline management across their entire SQL estate through scripts and automation tools. This supports DevSecOps practices and integrates SQL security into broader cloud security management workflows.

Scalability Benefits

Express Configuration runs automatic weekly scans and supports on-demand scanning. Baselines can be set per finding or in bulk, and baseline changes take effect immediately rather than waiting for the next scan to complete, which matters for organizations whose SQL deployments are growing quickly.

Getting Started with Express Configuration

Organizations interested in adopting Express Configuration can begin through several methods:

Portal Enablement

Defender for Cloud now uses Express Configuration as the default when Defender for SQL is enabled on a resource through the UI. For Azure SQL Managed Instance and Synapse workspaces, administrators can enable Express Configuration from the Defender for Cloud portal without any storage account prerequisites.

Automation Through Scripts

Microsoft provides a SQL VA Express Configuration quickstart script that automates enablement, discovers databases, runs scans, and manages baselines through the unified API. This approach suits consistent deployment across multiple environments. For more information on SQL VA automation, refer to the official documentation.

Migration from Classic Configuration

Organizations with existing Classic Configuration deployments can use the updated migration script to transition to Express Configuration. During the public preview, this migration must be performed programmatically, with UI support expected in future releases. The migration script is available through the Microsoft Defender for Cloud GitHub repository.

Limitations and Considerations

While the Express Configuration expansion delivers significant benefits, organizations should be aware of several limitations and prerequisites:

Permissions Requirements

Different roles are required for different SQL VA operations:

  • Viewing results: Security Admin or Security Reader
  • Changing settings: Security Admin or SQL Security Manager
  • Accessing resource-level results: Security Admin or SQL Security Manager

Classic Configuration Conflicts

If Classic Configuration is already enabled on a resource, enabling Express Configuration through the API will fail. Check the current configuration mode before issuing the enable call, and use the migration script to transition between the two modes.

SQL Managed Instance Prerequisites

Express Configuration for SQL Managed Instance requires a system-assigned managed identity, which must be in place before the feature is enabled (confirm that the instance's `identity.type` includes `SystemAssigned`). For more information on configuring managed identities for Azure SQL Managed Instance, refer to the official documentation.

Preview Enablement Scope

During the public preview, subscription-level enablement does not automatically apply Express Configuration to SQL Managed Instance or Synapse workspaces. An estate-wide rollout therefore has to enumerate those resource types and configure each one explicitly through the portal or the API.
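The three limitations above (Classic Configuration conflicts, the managed-identity prerequisite for SQL Managed Instance, and the preview enablement scope) are exactly the states an estate-wide rollout has to check before calling the API. The following Python script is an added example, not Microsoft's quickstart or migration script: it walks a constructed inventory shaped like `az resource list` output and assigns each resource the action a rollout would take. The ARM resource type strings and `identity.type` values are real; the `va_mode` field, the resource names and the subscription ID are assumptions you would populate from the SQL VA settings API and your own tenant.

```python
"""Gap check for SQL VA Express Configuration across a mixed SQL estate.

Added example; not Microsoft's quickstart or migration script. The inventory
below is constructed, shaped like `az resource list` output. The ARM resource
type strings and `identity.type` values are real; `va_mode` is a hypothetical
field you would fill from the SQL VA settings API before running the check.
"""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


# Real ARM resource types for the SQL resource kinds the unified API covers.
SUPPORTED_TYPES = {
    "Microsoft.Sql/servers": "Azure SQL Database (logical server)",
    "Microsoft.Sql/managedInstances": "SQL Managed Instance",
    "Microsoft.Synapse/workspaces": "Azure Synapse Analytics workspace",
    "Microsoft.SqlVirtualMachine/sqlVirtualMachines": "SQL Server on Azure VM",
    "Microsoft.AzureArcData/sqlServerInstances": "Arc-enabled SQL Server",
}

# Preview limitation: subscription-level enablement does not reach these types,
# so each resource of these kinds must be configured explicitly.
EXPLICIT_ONLY_TYPES = {
    "Microsoft.Sql/managedInstances",
    "Microsoft.Synapse/workspaces",
}


class Action(Enum):
    NONE = "already on Express Configuration"
    INHERITED = "expected via subscription-level enablement; verify with the settings API"
    ENABLE = "enable Express Configuration explicitly on this resource"
    MIGRATE = "Classic Configuration present: API enable would fail, use the migration script"
    FIX_IDENTITY = "assign a system-assigned managed identity before enabling"
    SKIP = "not a SQL resource type covered by SQL VA"


@dataclass(frozen=True)
class SqlResource:
    id: str
    type: str
    va_mode: str                 # hypothetical: "express", "classic" or "none"
    identity_type: str = "None"  # ARM identity.type, e.g. "SystemAssigned"


def has_system_identity(identity_type: str) -> bool:
    # ARM reports combined identities as "SystemAssigned, UserAssigned" (with or
    # without the space), so match on the token rather than the whole string.
    return "SystemAssigned" in identity_type.replace(" ", "").split(",")


def plan_action(res: SqlResource, subscription_enabled: bool) -> Action:
    """Decide what an estate-wide rollout has to do for one resource."""
    if res.type not in SUPPORTED_TYPES:
        return Action.SKIP
    if res.va_mode == "express":
        return Action.NONE
    if res.va_mode == "classic":
        # Enabling Express over an existing Classic configuration fails at the API.
        return Action.MIGRATE
    if res.type == "Microsoft.Sql/managedInstances" and not has_system_identity(res.identity_type):
        return Action.FIX_IDENTITY
    if subscription_enabled and res.type not in EXPLICIT_ONLY_TYPES:
        return Action.INHERITED
    return Action.ENABLE


def build_plan(inventory, subscription_enabled):
    """Map resource ID -> Action for the whole inventory."""
    return {r.id: plan_action(r, subscription_enabled) for r in inventory}


def summarize(plan):
    """Count resources per action name, e.g. {'ENABLE': 2, 'MIGRATE': 1, ...}."""
    return Counter(a.name for a in plan.values())


# Constructed inventory (hypothetical subscription, resource group and names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data/providers/"
INVENTORY = [
    SqlResource(SUB + "Microsoft.Sql/servers/sql-prod-01", "Microsoft.Sql/servers", "none"),
    SqlResource(SUB + "Microsoft.Sql/servers/sql-legacy", "Microsoft.Sql/servers", "classic"),
    SqlResource(SUB + "Microsoft.Sql/managedInstances/mi-finance", "Microsoft.Sql/managedInstances", "none", "None"),
    SqlResource(SUB + "Microsoft.Sql/managedInstances/mi-hr", "Microsoft.Sql/managedInstances", "none", "SystemAssigned, UserAssigned"),
    SqlResource(SUB + "Microsoft.Synapse/workspaces/syn-analytics", "Microsoft.Synapse/workspaces", "express", "SystemAssigned"),
    SqlResource(SUB + "Microsoft.Synapse/workspaces/syn-dev", "Microsoft.Synapse/workspaces", "none", "SystemAssigned"),
    SqlResource(SUB + "Microsoft.AzureArcData/sqlServerInstances/onprem-sql17", "Microsoft.AzureArcData/sqlServerInstances", "none"),
    SqlResource(SUB + "Microsoft.Storage/storageAccounts/stvaresults", "Microsoft.Storage/storageAccounts", "none"),
]


if __name__ == "__main__":
    plan = build_plan(INVENTORY, subscription_enabled=True)
    for rid, action in plan.items():
        print(f"{action.name:13} {rid.rsplit('/', 1)[-1]:16} {action.value}")
    print(dict(summarize(plan)))
```

Run as-is to see the plan for the constructed inventory. In practice you would build `INVENTORY` from `az resource list` plus the per-resource SQL VA settings, then hand the `ENABLE` rows to the quickstart script and the `MIGRATE` rows to the migration script; the `INHERITED` rows are the ones worth verifying rather than assuming, since a stale inventory is the usual reason a subscription-enabled SQL server still shows no configuration.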

Conclusion

Microsoft's expansion of SQL VA Express Configuration to additional Azure services and introduction of a unified management API represents a significant step forward in simplifying database security management. By reducing operational complexity, standardizing security operations, and enabling consistent management across hybrid SQL environments, these enhancements help organizations strengthen their security posture while reducing administrative overhead.

For organizations managing diverse SQL deployments in Azure, the unified API and expanded Express Configuration support provide a more streamlined approach to vulnerability assessment, enabling better security coverage with fewer resources. As the public preview evolves and additional features are added, Microsoft continues to demonstrate its commitment to making cloud security more accessible and manageable for organizations of all sizes.

Organizations interested in adopting these new capabilities can begin exploring them through the Defender for Cloud portal or by utilizing the provided automation scripts. With proper planning and implementation, these enhancements can significantly improve the efficiency and effectiveness of SQL security operations in Azure environments.

For more information about Microsoft's cloud security offerings, visit the Microsoft Defender for Cloud Blog.
