Vulnerability assessment enablement on Azure SQL server through ARM template

I have created my Azure SQL server through ARM templates. To enable the vulnerability assessment I need to enable Advanced data security. I use the following code in my ARM template inside the resource bracket of the SQL server resource to enable this.

{
    "name": "vulnerabilityAssessments",
    "type": "vulnerabilityAssessments",
    "apiVersion": "2018-06-01-preview",
    "dependsOn": [
        "[concat('Microsoft.Sql/servers/', parameters('sqlServerName'))]"
    ],
    "properties": {
        "storageContainerPath": "[concat('https://', parameters('storageAccountName'), '.blob.core.windows.net/vulnerability-assessment/')]",
        "storageAccountAccessKey": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName')), providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]",
        "recurringScans": {
            "isEnabled": true,
            "emailSubscriptionAdmins": false,
            "emails": "[parameters('emailaddresses')]"
        }
    }
},

As you can see, I set my storage account on the vulnerability assessment, but when I deploy this I get the following error:

VulnerabilityAssessmentADSIsDisabled", "message": "Advanced Data Security should be enabled in order to use Vulnerability Assessment."

And when I look into the Advanced Data Security blade of the SQL server I see this has been set:

If I set the storage account manually, the vulnerability assessment is enabled. I tried to move the vulnerability assessment block to the database level and tried to debug the storage account reference in the properties, but I can't seem to see what I am doing wrong or what I keep forgetting. Is there anyone who has tried to do this already?

PS: As you can see in the image, periodic recurring scans is off, whilst I have enabled this inside the recurringScans block of the vulnerability assessment.

achahbar asked Jul 16 '19 11:07

1 Answer

The issue you are having is caused by deploying an ARM template with Vulnerability Assessment, but without enabling Advanced Data Security first.

You will have to deploy Advanced Data Security in the ARM template and add a dependency in the Vulnerability Assessment block, so it will only be deployed after Advanced Data Security is deployed.

For example:

{
  "apiVersion": "2017-03-01-preview",
  "type": "Microsoft.Sql/servers/securityAlertPolicies",
  "name": "[concat(parameters('serverName'), '/Default')]",
  "properties": {
    "state": "Enabled",
    "disabledAlerts": [],
    "emailAddresses": [],
    "emailAccountAdmins": true
  }
},
{
  "apiVersion": "2018-06-01-preview",
  "type": "Microsoft.Sql/servers/vulnerabilityAssessments",
  "name": "[concat(parameters('serverName'), '/Default')]",
  "properties": {
    "storageContainerPath": "[if(parameters('enableADS'), concat(reference(resourceId('Microsoft.Storage/storageAccounts', variables('storageName')), '2018-07-01').primaryEndpoints.blob, 'vulnerability-assessment'), '')]",
    "storageAccountAccessKey": "[if(parameters('enableADS'), listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageName')), '2018-02-01').keys[0].value, '')]",
    "recurringScans": {
      "isEnabled": true,
      "emailSubscriptionAdmins": true,
      "emails": []
    }
  },
  "dependsOn": [
    "[concat('Microsoft.Sql/servers/', parameters('serverName'))]",
    "[concat('Microsoft.Sql/servers/', parameters('serverName'), '/securityAlertPolicies/Default')]"
  ]
}

Note that in this example I'm assuming that you are using an existing storage account. If you're deploying a storage account within the same ARM template, you will have to add a dependency for that too (under "dependsOn"):

"[concat('Microsoft.Storage/storageAccounts/', variables('storageName'))]"
Tal answered Nov 16 '22 00:11
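A small pre-deployment lint for the ordering problem described in the question and the answer, added here as an example and not code from either poster: it walks an ARM template (both the question's nested child-resource style and the answer's fully qualified style) and reports a vulnerabilityAssessments resource that has no enabled securityAlertPolicies resource to rely on, or that does not list one in its dependsOn. The two embedded templates are constructed samples shaped like the question's and the answer's fragments.

```python
"""Lint an ARM template for vulnerabilityAssessments deployed without
an enabled Advanced Data Security (securityAlertPolicies) dependency."""
import json

VA_TYPE = "Microsoft.Sql/servers/vulnerabilityAssessments"
ADS_TYPE = "Microsoft.Sql/servers/securityAlertPolicies"


def _walk(resources, parent_type=""):
    """Yield (full_type, resource) for top-level and nested child resources."""
    for res in resources:
        rtype = res.get("type", "")
        # Nested children carry only the short type (e.g. "vulnerabilityAssessments").
        full = rtype if "/" in rtype else f"{parent_type}/{rtype}"
        yield full, res
        yield from _walk(res.get("resources", []), full)


def check_va_dependencies(template):
    """Return a list of findings; an empty list means the template passes."""
    findings = []
    resources = list(_walk(template.get("resources", [])))
    ads_enabled = any(
        t == ADS_TYPE and r.get("properties", {}).get("state") == "Enabled"
        for t, r in resources
    )
    for full_type, res in resources:
        if full_type != VA_TYPE:
            continue
        if not ads_enabled:
            findings.append("vulnerabilityAssessments present but no enabled securityAlertPolicies resource")
        if "securityAlertPolicies" not in " ".join(res.get("dependsOn", [])):
            findings.append("vulnerabilityAssessments does not depend on securityAlertPolicies")
    return findings


def lint_file(path):
    """Load a template from disk and lint it."""
    with open(path, encoding="utf-8") as fh:
        return check_va_dependencies(json.load(fh))


# Constructed sample shaped like the question: VA nested under the server, no ADS.
BROKEN = {"resources": [{"type": "Microsoft.Sql/servers", "name": "[parameters('sqlServerName')]",
    "resources": [{"type": "vulnerabilityAssessments", "name": "Default",
        "dependsOn": ["[concat('Microsoft.Sql/servers/', parameters('sqlServerName'))]"],
        "properties": {"recurringScans": {"isEnabled": True}}}]}]}

# Constructed sample shaped like the answer: ADS enabled and VA depending on it.
FIXED = {"resources": [
    {"type": ADS_TYPE, "name": "[concat(parameters('serverName'), '/Default')]", "properties": {"state": "Enabled"}},
    {"type": VA_TYPE, "name": "[concat(parameters('serverName'), '/Default')]",
     "properties": {"recurringScans": {"isEnabled": True}},
     "dependsOn": ["[concat('Microsoft.Sql/servers/', parameters('serverName'), '/securityAlertPolicies/Default')]"]}]}

if __name__ == "__main__":
    for label, tpl in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_va_dependencies(tpl) or ["ok"])
```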