|
| 1 | +--- |
| 2 | +title: How to enable Microsoft Defender for SQL servers on machines at scale |
| 3 | +description: Learn how to protect your Microsoft SQL servers on Azure VMs, on-premises, and in hybrid and multicloud environments with Microsoft Defender for Cloud at scale. |
| 4 | +ms.topic: how-to |
| 5 | +ms.author: dacurwin |
| 6 | +author: dcurwin |
| 7 | +ms.date: 07/14/2024 |
| 8 | +--- |
| 9 | + |
| 10 | +# Enable Microsoft Defender for SQL servers on machines at scale |
| 11 | + |
| 12 | +Microsoft Defender for Cloud's Defender for Databases plan provides security for SQL servers on virtual machines. In order to protect your databases, the Azure Monitoring Agent (AMA) must be implemented to prevent attacks and to identify configuration errors. |
| 13 | + |
| 14 | +When you enable Defender for Databases, it automatically enables the auto provisioning process which configures of all the required agent components necessary for the plan to function. The auto provisioning process includes installation the configuration of the AMA, workspace configuration, and the virtusl machines (VM) extension and solution. |
| 15 | + |
| 16 | +This page explains how you can enable the auto-provisioning process for Defender for Databases across multiple subscriptions simultaneously using PowerShell. This process applies to SQL servers hosted on Azure VMs, on-premises environments, and Azure Arc-enabled SQL servers. You will also learn how to utilize additional functionalities that accommodate a variety of configurations, including: |
| 17 | + |
| 18 | +- Custom data collection rules |
| 19 | + |
| 20 | +- Custom identity management |
| 21 | + |
| 22 | +- Default workspace integration |
| 23 | + |
| 24 | +- Custom workspace configuration |
| 25 | + |
| 26 | +## Prerequisites |
| 27 | + |
| 28 | +- Gain knowledge on: |
| 29 | + - [SQL server on VMs](https://azure.microsoft.com/products/virtual-machines/sql-server/) |
| 30 | + - [SQL Server enabled by Azure Arc](/sql/sql-server/azure-arc/overview?view=sql-server-ver16) |
| 31 | + - [How to install Log Analytics agent on Windows computers](../azure-monitor/agents/agent-windows.md) |
| 32 | + - [How to migrate to Azure Monitor Agent from Log Analytics agent](../azure-monitor/agents/azure-monitor-agent-migration.md) |
| 33 | + |
| 34 | +- [Connect AWS accounts to Microsoft Defender for Cloud](quickstart-onboard-aws.md) |
| 35 | +- [Connect your GCP project to Microsoft Defender for Cloud](quickstart-onboard-gcp.md) |
| 36 | + |
| 37 | +- Install Powershell on [Windows](/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.4), [Linux](/powershell/scripting/install/installing-powershell-on-linux?view=powershell-7.4), [MacOS](/powershell/scripting/install/installing-powershell-on-macos?view=powershell-7.4), or [ARM](/powershell/scripting/install/powershell-on-arm?view=powershell-7.4). |
| 38 | +- [Install the following Powershell modules](/powershell/module/powershellget/install-module?view=powershellget-3.x): |
| 39 | + - Az.Resources |
| 40 | + - Az.OperationalInsights |
| 41 | + - Az.Accounts |
| 42 | + - Az |
| 43 | + - Az.PolicyInsights |
| 44 | + - Az.Security |
| 45 | + |
| 46 | +- Permissions: requires VM contributor, contributor or owner rules. |
| 47 | + |
| 48 | +## Run the Powershell script |
| 49 | + |
| 50 | +The Powershell script that enables Microsoft Defender for SQL on Machines on a given subscription. |
| 51 | + |
| 52 | +| Parameter name | Required | Description | |
| 53 | +|--|--|--| |
| 54 | +| SubscriptionId: | Required | The Azure subscription ID that you want to enable Defender for SQL servers on machines for. | |
| 55 | +| RegisterSqlVmAgnet | Required | A flag indicating whether to register the SQL VM Agent in bulk. <br><br> Learn more about [registering multiple SQL VMs in Azure with the SQL IaaS Agent extension](/azure/azure-sql/virtual-machines/windows/sql-agent-extension-manually-register-vms-bulk?view=azuresql). | |
| 56 | +| WorkspaceResourceId | Optional | The resource ID of the Log Analytics workspace, if you want to use a custom workspace instead of the default one. | |
| 57 | +| DataCollectionRuleResourceId | Optional | The resource ID of the data collection rule, if you want to use a custom DCR instead of the default one. | |
| 58 | +| UserAssignedIdentityResourceId | Optional | The resource ID of the user assigned identity, if you want to use a custom user assigned identity instead of the default one. | |
| 59 | + |
| 60 | +1. Open a Powershell window. |
| 61 | +1. |
| 62 | +1. |
| 63 | + |
| 64 | +```powershell |
0 commit comments