Table: azure_sql_server - Query Azure SQL Servers using SQL
Azure SQL Server is a fully managed relational database service, which is a part of the broader Microsoft Azure Platform. It offers the broadest SQL Server engine compatibility and powers your cloud applications with AI-built-in, secure and manageable data platform. The service provides automatic updates, scaling, provisioning, backups, and monitoring, leaving developers free to focus on application design and optimization.
Table Usage Guide
The azure_sql_server
table provides insights into SQL Servers within Microsoft Azure. As a database administrator or developer, explore server-specific details through this table, including server versions, locations, configurations, and more. Utilize it to uncover information about servers, such as their current state, the number of databases, the firewall rules, and the performance tier.
Examples
List servers that have auditing disabled
Identify instances where auditing is disabled on Azure SQL servers. This is beneficial for enhancing security measures by pinpointing potential weaknesses in your server configurations.
select name, id, audit -> 'properties' ->> 'state' as audit_policy_statefrom azure_sql_server, jsonb_array_elements(server_audit_policy) as auditwhere audit -> 'properties' ->> 'state' = 'Disabled';
select name, id, json_extract(audit.value, '$.properties.state') as audit_policy_statefrom azure_sql_server, json_each(server_audit_policy) as auditwhere json_extract(audit.value, '$.properties.state') = 'Disabled';
List servers with an audit log retention period less than 90 days
Assess the elements within your system to identify servers that have an audit log retention period of less than 90 days. This is useful to ensure compliance with data retention policies and to identify potential risks associated with short retention periods.
select name, id, (audit -> 'properties' ->> 'retentionDays') :: integer as audit_policy_retention_daysfrom azure_sql_server, jsonb_array_elements(server_audit_policy) as auditwhere (audit -> 'properties' ->> 'retentionDays') :: integer < 90;
select name, s.id, json_extract(audit.value, '$.properties.retentionDays') as audit_policy_retention_daysfrom azure_sql_server as s, json_each(server_audit_policy) as auditwhere json_extract(audit.value, '$.properties.retentionDays') < 90;
List servers that have advanced data security disabled
This query helps identify servers where advanced data security is turned off. This is useful for quickly pinpointing potential security risks in your server infrastructure.
select name, id, security -> 'properties' ->> 'state' as security_alert_policy_statefrom azure_sql_server, jsonb_array_elements(server_security_alert_policy) as securitywhere security -> 'properties' ->> 'state' = 'Disabled';
select name, s.id, json_extract(security.value, '$.properties.state') as security_alert_policy_statefrom azure_sql_server as s, json_each(server_security_alert_policy) as securitywhere json_extract(security.value, '$.properties.state') = 'Disabled';
List servers that have Advanced Threat Protection types set to All
Determine the areas in which Azure SQL servers have their Advanced Threat Protection set to 'All'. This can help to assess the security measures in place and identify any potential vulnerabilities.
select name, id, security -> 'properties' -> 'disabledAlerts' as security_alert_policy_statefrom azure_sql_server, jsonb_array_elements(server_security_alert_policy) as security, jsonb_array_elements_text(security -> 'properties' -> 'disabledAlerts') as disabled_alerts, jsonb_array_length(security -> 'properties' -> 'disabledAlerts') as alert_lengthwhere alert_length = 1 and disabled_alerts = '';
select name, s.id, json_extract(security.value, '$.properties.disabledAlerts') as security_alert_policy_statefrom azure_sql_server as s, json_each(server_security_alert_policy) as security, json_each( json_extract(security.value, '$.properties.disabledAlerts') ) as disabled_alertswhere json_array_length( json_extract(security.value, '$.properties.disabledAlerts') ) = 1 and disabled_alerts.value = '';
List servers that do not have an Active Directory admin set
Identify Azure SQL servers that are potentially vulnerable due to the absence of an Active Directory administrator. This can help in enhancing security by ensuring all servers have designated administrators.
select name, idfrom azure_sql_serverwhere server_azure_ad_administrator is null;
select name, idfrom azure_sql_serverwhere server_azure_ad_administrator is null;
List servers for which TDE protector is encrypted with the service-managed key
Determine the servers where the Transparent Data Encryption (TDE) protector is encrypted using a service-managed key. This is useful for understanding your server's encryption setup and ensuring it aligns with your organization's security policies.
select name, id, encryption ->> 'kind' as encryption_protector_kindfrom azure_sql_server, jsonb_array_elements(encryption_protector) as encryptionwhere encryption ->> 'kind' = 'servicemanaged';
select name, id, json_extract(encryption.value, '$.kind') as encryption_protector_kindfrom azure_sql_server, json_each(encryption_protector) as encryptionwhere json_extract(encryption.value, '$.kind') = 'servicemanaged';
Query examples
- key_vault_keys_for_sql_server
- key_vault_vaults_for_sql_server
- network_subnets_for_sql_server
- network_virtual_networks_for_sql_server
- sql_server_ad_authentication_enabled
- sql_server_audit_policy
- sql_server_auditing_disabled_count
- sql_server_auditing_enabled
- sql_server_azure_ad_authentication_disabled_count
- sql_server_by_encryption_type
- sql_server_by_kind
- sql_server_by_region
- sql_server_by_state
- sql_server_by_subscription
- sql_server_count
- sql_server_customer_managed_encryption_count
- sql_server_default_encrypted_servers_count
- sql_server_encryption
- sql_server_firewall_rule
- sql_server_private_endpoint_connection
- sql_server_public_count
- sql_server_public_network_access
- sql_server_state
- sql_server_tags
- sql_server_version
- sql_server_virtual_network_rules
- sql_server_vulnerability_assessment
- sql_server_vulnerability_assessment_disabled_count
- sql_server_vulnerability_assessment_enabled
- sql_servers_for_network_subnet
- sql_servers_for_network_virtual_network
- sql_servers_for_sql_database
Control examples
- All Controls > SQL > Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
- All Controls > SQL > Ensure that 'Auditing' Retention is 'greater than 90 days'
- All Controls > SQL > Ensure that Azure Active Directory Admin is configured
- All Controls > SQL > Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
- All Controls > SQL > Ensure that VA setting 'Send scan reports to' is configured for a SQL server
- All Controls > SQL > Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server
- All Controls > SQL > Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
- All Controls > SQL > SQL server threat detection should be enabled for all
- An Azure Active Directory administrator should be provisioned for SQL servers
- Auditing on SQL server should be enabled
- Azure Defender for SQL should be enabled for unprotected Azure SQL servers
- CIS v1.3.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.1 Ensure that 'Auditing' is set to 'On'
- CIS v1.3.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.3 Ensure that 'Auditing' Retention is 'greater than 90 days'
- CIS v1.3.0 > 4 Database Services > 4.2 SQL Server - Azure Defender for SQL > 4.2.1 Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'
- CIS v1.3.0 > 4 Database Services > 4.2 SQL Server - Azure Defender for SQL > 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
- CIS v1.3.0 > 4 Database Services > 4.2 SQL Server - Azure Defender for SQL > 4.2.3 Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server
- CIS v1.3.0 > 4 Database Services > 4.2 SQL Server - Azure Defender for SQL > 4.2.4 Ensure that VA setting Send scan reports to is configured for a SQL server
- CIS v1.3.0 > 4 Database Services > 4.2 SQL Server - Azure Defender for SQL > 4.2.5 Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server
- CIS v1.3.0 > 4 Database Services > 4.4 Ensure that Azure Active Directory Admin is configured
- CIS v1.3.0 > 4 Database Services > 4.5 Ensure SQL server's TDE protector is encrypted with Customer-managed key
- CIS v1.3.0 > 6 Networking > 6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
- CIS v1.4.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.1 Ensure that 'Auditing' is set to 'On'
- CIS v1.4.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.3 Ensure that 'Auditing' Retention is 'greater than 90 days'
- CIS v1.4.0 > 4 Database Services > 4.2 SQL Server - Azure Defender for SQL > 4.2.1 Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'
- CIS v1.4.0 > 4 Database Services > 4.2 SQL Server - Azure Defender for SQL > 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
- CIS v1.4.0 > 4 Database Services > 4.2 SQL Server - Azure Defender for SQL > 4.2.3 Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server
- CIS v1.4.0 > 4 Database Services > 4.2 SQL Server - Azure Defender for SQL > 4.2.4 Ensure that VA setting 'Send scan reports to' is configured for a SQL server
- CIS v1.4.0 > 4 Database Services > 4.2 SQL Server - Azure Defender for SQL > 4.2.5 Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL server
- CIS v1.4.0 > 4 Database Services > 4.5 Ensure that Azure Active Directory Admin is configured
- CIS v1.4.0 > 4 Database Services > 4.6 Ensure SQL server's TDE protector is encrypted with Customer-managed key
- CIS v1.4.0 > 6 Networking > 6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)
- CIS v1.5.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.1 Ensure that 'Auditing' is set to 'On'
- CIS v1.5.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
- CIS v1.5.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
- CIS v1.5.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers
- CIS v1.5.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days'
- CIS v1.5.0 > 4 Database Services > 4.2 SQL Server - Microsoft Defender for SQL > 4.2.1 Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
- CIS v1.5.0 > 4 Database Services > 4.2 SQL Server - Microsoft Defender for SQL > 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
- CIS v1.5.0 > 4 Database Services > 4.2 SQL Server - Microsoft Defender for SQL > 4.2.3 Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
- CIS v1.5.0 > 4 Database Services > 4.2 SQL Server - Microsoft Defender for SQL > 4.2.4 Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
- CIS v1.5.0 > 4 Database Services > 4.2 SQL Server - Microsoft Defender for SQL > 4.2.5 Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
- CIS v2.0.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.1 Ensure that 'Auditing' is set to 'On'
- CIS v2.0.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
- CIS v2.0.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
- CIS v2.0.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers
- CIS v2.0.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days'
- CIS v2.0.0 > 4 Database Services > 4.2 SQL Server - Microsoft Defender for SQL > 4.2.1 Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers
- CIS v2.0.0 > 4 Database Services > 4.2 SQL Server - Microsoft Defender for SQL > 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account
- CIS v2.0.0 > 4 Database Services > 4.2 SQL Server - Microsoft Defender for SQL > 4.2.3 Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server
- CIS v2.0.0 > 4 Database Services > 4.2 SQL Server - Microsoft Defender for SQL > 4.2.4 Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server
- CIS v2.0.0 > 4 Database Services > 4.2 SQL Server - Microsoft Defender for SQL > 4.2.5 Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server
- CIS v2.1.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.1 Ensure that 'Auditing' is set to 'On'
- CIS v2.1.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
- CIS v2.1.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
- CIS v2.1.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.4 Ensure that Microsoft Entra authentication is Configured for SQL Servers
- CIS v2.1.0 > 4 Database Services > 4.1 SQL Server - Auditing > 4.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days'
- CIS v3.0.0 > 5 Database Services > 5.1 SQL Azure SQL Database > 5.1.1 Ensure that 'Auditing' is set to 'On'
- CIS v3.0.0 > 5 Database Services > 5.1 SQL Azure SQL Database > 5.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
- CIS v3.0.0 > 5 Database Services > 5.1 SQL Azure SQL Database > 5.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key
- CIS v3.0.0 > 5 Database Services > 5.1 SQL Azure SQL Database > 5.1.4 Ensure that Microsoft Entra authentication is Configured for SQL Servers
- CIS v3.0.0 > 5 Database Services > 5.1 SQL Azure SQL Database > 5.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days'
- CIS v3.0.0 > 5 Database Services > 5.1 SQL Azure SQL Database > 5.1.7 Ensure Public Network Access is Disabled
- Private endpoint connections on Azure SQL Database should be enabled
- Public network access on Azure SQL Database should be disabled
- SQL Server should use a virtual network service endpoint
- SQL servers should use customer-managed keys to encrypt data at rest
- SQL servers with auditing to storage account destination should be configured with 90 days retention or higher
- Vulnerability assessment should be enabled on your SQL servers
Schema for azure_sql_server
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
administrator_login | text | Specifies the username of the administrator for this server. | |
administrator_login_password | text | The administrator login password. | |
akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
cloud_environment | text | The Azure Cloud Environment. | |
encryption_protector | jsonb | The server encryption protector. | |
firewall_rules | jsonb | A list of firewall rules fro this server. | |
fully_qualified_domain_name | text | The fully qualified domain name of the server. | |
id | text | Contains ID to identify a SQL server uniquely. | |
kind | text | The Kind of sql server. | |
location | text | The resource location. | |
minimal_tls_version | text | Minimal TLS version. Allowed values: '1.0', '1.1', '1.2'. | |
name | text | = | The friendly name that identifies the SQL server. |
private_endpoint_connections | jsonb | The private endpoint connections of the sql server. | |
public_network_access | text | Whether or not public endpoint access is allowed for this server. | |
region | text | The Azure region/location in which the resource is located. | |
resource_group | text | = | The resource group which holds this resource. |
server_audit_policy | jsonb | Specifies the audit policy configuration for server. | |
server_azure_ad_administrator | jsonb | Specifies the active directory administrator. | |
server_security_alert_policy | jsonb | Specifies the security alert policy configuration for server. | |
server_vulnerability_assessment | jsonb | Specifies the server's vulnerability assessment. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
state | text | The state of the server. | |
subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located. |
tags | jsonb | A map of tags for the resource. | |
tags_src | jsonb | Specifies the set of tags attached to the server. | |
title | text | Title of the resource. | |
type | text | The resource type of the SQL server. | |
version | text | The version of the server. | |
virtual_network_rules | jsonb | A list of virtual network rules for this server. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure
You can pass the configuration to the command with the --config
argument:
steampipe_export_azure --config '<your_config>' azure_sql_server