Threat Protection in Azure SQL Database

Azure SQL Database provides built‑in threat detection and mitigation capabilities to protect your data against suspicious activities and potential attacks. This documentation explains how to enable, configure, and monitor Threat Protection, and includes best‑practice recommendations and code samples.

Key Features

• SQL Vulnerability Assessment – Scans your database schema for security best‑practice violations.
• Advanced Threat Protection (ATP) – Detects anomalous login attempts, SQL injection, and data exfiltration.
• Transparent Data Encryption (TDE) – Encrypts data at rest automatically.
• Auditing – Records database events to a storage account, Log Analytics workspace, or Event Hub.

Getting Started

Enable Advanced Threat Protection using the Azure portal, Azure CLI, PowerShell, or ARM templates. Below is a CLI example.

# Enable Advanced Threat Protection on an Azure SQL Database
az sql db threat-policy update \
    --resource-group MyResourceGroup \
    --server myserver \
    --name mydatabase \
    --state Enabled \
    --email-account-admins true \
    --email-addresses admin@example.comCopy

Monitoring & Alerts

Threat alerts are streamed to Azure Monitor. Use the following Kusto query in Log Analytics to view recent alerts.

AzureDiagnostics
| where Category == "ThreatDetection"
| where TimeGenerated > ago(24h)
| project TimeGenerated, Resource, ThreatType, Severity, Description
| order by TimeGenerated descCopy

Best Practices

Practice	Recommendation
Enable ATP	Turn on Advanced Threat Protection for every production database.
Restrict Admin Access	Use Azure AD authentication and limit admin logins to MFA‑protected accounts.
Periodic Vulnerability Scans	Schedule weekly Vulnerability Assessments and remediate findings.
Secure Auditing Storage	Write audit logs to a storage account with SAS tokens and enable soft delete.

Related Topics

• SQL Database Firewall Rules
• Auditing Overview
• Transparent Data Encryption
• Query Performance Insights