Configure Emails for Vulnerability Assessment Scan Reports and Alerts

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Sql-008

Ensure that the "Send scan reports to" notification setting is configured with the email addresses of the concerned data owners or stakeholders in order to receive Vulnerability Assessment (VA) scan reports and alerts for critical SQL database servers.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

By default, the "Send scan reports to" notification setting is not configured. Once configured, Microsoft Defender for SQL will send Vulnerability Assessment (VA) scan reports and alerts to the email addresses provided. This can help your security team reduce the time required to identify risks and take corrective measures.

Audit

To determine if there are email addresses configured to receive Vulnerability Assessment (VA) scan reports and alerts for SQL database servers, perform the following actions:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access your Azure cloud resources.

03 From the Type filter box, select SQL server to list only the SQL database servers provisioned in the selected Azure subscription.

04 Click on the name (link) of the SQL server that you want to examine.

05 In the blade navigation panel, under Security, select Microsoft Defender for Cloud.

06 On the Microsoft Defender for Cloud page, make sure that Microsoft Defender for SQL is enabled, then choose (Configure) next to Microsoft Defender for SQL. It is recommended to enable Microsoft Defender at the subscription level, although it can also be enabled for an individual server.

07 On the Server settings configuration page, under VULNERABILITY ASSESSMENT SETTINGS, ensure there is a storage account configured. Next, check the Send scan reports to configuration box. If the configuration box is inactive, periodic recurring scans are disabled for the selected SQL database server. If the Send scan reports to box is active but empty, there are no email addresses configured to receive Vulnerability Assessment (VA) scan reports and alerts for the selected Microsoft SQL database server.

08 Repeat steps no. 4 – 7 for each SQL database server provisioned in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure PowerShell

01 Run the Get-AzSqlServer PowerShell command with custom query filters to list the name of each SQL database server and the name of its associated resource group, available within the current Azure subscription:

Get-AzSqlServer | Select-Object ServerName,ResourceGroupName

02 The command output should return the requested SQL database server information:

ServerName             ResourceGroupName
----------             -----------------
cc-prod-db-server      cloud-shell-storage-westeurope
cc-ms-sql-server       cloud-shell-storage-westeurope

03 Run the Get-AzSqlServerVulnerabilityAssessmentSetting command using the name of the SQL server that you want to examine and the name of its resource group as the identifier parameters, with custom query filters, to determine whether there are email addresses configured to receive Vulnerability Assessment scan reports and alerts:

Get-AzSqlServerVulnerabilityAssessmentSetting `
    -ServerName "cc-prod-db-server" `
    -ResourceGroupName "cloud-shell-storage-westeurope" | Select-Object NotificationEmail,StorageAccountName

04 The command output should return the requested email address(es):

NotificationEmail StorageAccountName
----------------- ------------------
{}                myStorage

If the Get-AzSqlServerVulnerabilityAssessmentSetting cmdlet output returns an empty object for the NotificationEmail attribute (i.e. {}), as shown in the example above, there are no email addresses configured to receive Vulnerability Assessment (VA) scan reports and alerts for the selected Microsoft SQL database server. If the StorageAccountName attribute is empty, there is no target storage account in which to store the vulnerability assessment results.

05 Repeat steps no. 3 and 4 for each SQL database server available within the current subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To configure one or more email addresses for Vulnerability Assessment (VA) scan reports and alerts, perform the following actions:

Using Azure Console

01 Sign in to the Microsoft Azure Portal.

02 Navigate to All resources blade at https://portal.azure.com/#blade/HubsExtension/BrowseAll to access your Azure cloud resources.

03 From the Type filter box, select SQL server to list only the SQL database servers provisioned in the selected Azure subscription.

04 Click on the name of the SQL server that you want to reconfigure.

05 In the blade navigation panel, under Security, select Microsoft Defender for Cloud.

06 On the Microsoft Defender for Cloud page, make sure that Microsoft Defender for SQL is enabled, then choose (Configure) next to Microsoft Defender for SQL. It is recommended to enable Microsoft Defender at the subscription level, although it can also be enabled for an individual server.

07 On the Server settings configuration page, under VULNERABILITY ASSESSMENT SETTINGS, perform the following actions:

  1. Ensure there is a storage account configured.
  2. Ensure that Periodic recurring scans is set to ON to enable periodic recurring scans for your Microsoft SQL database server.
  3. In the Send scan reports to configuration box, provide a semicolon-separated list of email addresses to which Vulnerability Assessment scan reports and alerts will be sent.
  4. Choose Save to apply the changes. Scans will be triggered automatically once a week. A scan result summary will be sent to the email addresses that you provide.

08 Repeat steps no. 4 – 7 for each SQL database server provisioned in the selected Azure subscription.

09 Repeat steps no. 3 – 8 for each subscription created in your Microsoft Azure cloud account.

Using Azure PowerShell

01 Run the Update-AzSqlServerVulnerabilityAssessmentSetting cmdlet using the name of the SQL server that you want to reconfigure and the name of the associated resource group as the identifier parameters to define one or more email addresses that should receive Vulnerability Assessment (VA) scan reports and alerts. Set the -RecurringScansInterval parameter to Weekly to ensure that the Periodic Recurring Scans setting is enabled. Replace the placeholders <storage-account-name> and <notification-email-address> with your own values:

Update-AzSqlServerVulnerabilityAssessmentSetting `
    -ServerName "cc-prod-db-server" `
    -ResourceGroupName "cloud-shell-storage-westeurope" `
    -StorageAccountName "<storage-account-name>" `
    -RecurringScansInterval Weekly `
    -NotificationEmail @("<notification-email-address>", "<notification-email-address>")

02 The command output should return the new Vulnerability Assessment (VA) settings:

ServerName                : cc-prod-db-server
ResourceGroupName         : cloud-shell-storage-westeurope
StorageAccountName        : myStorage
ScanResultsContainerName  : vulnerability-assessment
RecurringScansInterval    : Weekly
EmailAdmins               : False
NotificationEmail         : {<notification-email-address>, <notification-email-address>}

03 Repeat steps no. 1 and 2 for each SQL database server provisioned within the current Azure subscription.

04 Repeat steps no. 1 – 3 for each subscription created in your Microsoft Azure cloud account.
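The audit and remediation steps above are written for one server at a time. The following script, added here as an example and not part of the Conformity rule or the Az module documentation, applies the same checks (empty NotificationEmail, missing storage account, recurring scans not set to Weekly) to every SQL server in every subscription the signed-in account can see, and only reconfigures the non-compliant ones when the -Remediate switch is passed. It assumes the Az.Accounts and Az.Sql modules are installed, that Connect-AzAccount has already been run, and that Microsoft Defender for SQL is enabled on the servers; the storage account name and email addresses are placeholders, and using one storage account name for every subscription is a simplification of this example.

```powershell
# Added example (not Conformity's or Microsoft's own code): audit all SQL servers
# across subscriptions for the Sql-008 condition and optionally remediate.
param(
    # Placeholders: replace with your own values before running.
    [string[]]$NotificationEmail = @("<notification-email-address>"),
    [string]$StorageAccountName  = "<storage-account-name>",
    # Dry run by default; pass -Remediate to apply the change to non-compliant servers.
    [switch]$Remediate
)

$findings = @()

foreach ($sub in Get-AzSubscription) {
    # Switch the current context so Get-AzSqlServer lists this subscription's servers.
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    foreach ($server in Get-AzSqlServer) {
        $va = Get-AzSqlServerVulnerabilityAssessmentSetting `
                -ServerName $server.ServerName `
                -ResourceGroupName $server.ResourceGroupName

        # Same conditions the manual audit checks: an empty NotificationEmail list
        # (shown as {} in the cmdlet output), no storage account, or recurring scans off.
        $noEmail   = (-not $va.NotificationEmail) -or ($va.NotificationEmail.Count -eq 0)
        $noStorage = [string]::IsNullOrEmpty($va.StorageAccountName)
        $noScans   = $va.RecurringScansInterval -ne 'Weekly'

        if ($noEmail -or $noStorage -or $noScans) {
            $findings += [pscustomobject]@{
                Subscription  = $sub.Name
                ResourceGroup = $server.ResourceGroupName
                ServerName    = $server.ServerName
                NoEmail       = $noEmail
                NoStorage     = $noStorage
                NoScans       = $noScans
            }

            if ($Remediate) {
                # Same cmdlet and parameters as the manual remediation step,
                # applied only to the servers that failed the check.
                Update-AzSqlServerVulnerabilityAssessmentSetting `
                    -ServerName $server.ServerName `
                    -ResourceGroupName $server.ResourceGroupName `
                    -StorageAccountName $StorageAccountName `
                    -RecurringScansInterval Weekly `
                    -NotificationEmail $NotificationEmail | Out-Null
            }
        }
    }
}

# One row per non-compliant server; an empty table means every server passed.
$findings | Format-Table -AutoSize
```

Run it once without -Remediate to review the findings table, then again with -Remediate once the storage account and recipient list are correct. Because Set-AzContext changes the session's active subscription, re-select your usual subscription afterwards if other scripts depend on it.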

Publication date Jul 24, 2019
