Azure SQL Managed Instance and Express Vulnerability Assessment

Julie 220 Reputation points

Hi,

I am using Azure SQL Managed Instance and have enabled Vulnerability Assessment Express recently.

What is the recommended way to configure alerts and notifications for Vulnerability Assessment findings on Azure SQL Managed Instance?

Before I got an email automatically by adding my address in gui, but with express it seems more complicated.

0 comments No comments
Sign in to comment

2 answers

  1. Pilladi Padma Sai Manisha 10,190 Reputation points Microsoft External Staff Moderator

    Hey @Julie

    good question. With Vulnerability Assessment Express, the “classic” experience of configuring alerts/notifications (including email behavior you might have set up before) can be different.

    Based on the provided docs, here’s what we can say for Azure SQL Managed Instance + Vulnerability Assessment Express:

    Recommended way to get notifications/alerts for VA findings (Express)

    1. Use the Microsoft Defender for Cloud vulnerability assessment findings experience in the portal
      • Vulnerability assessment can be accessed and managed from each SQL resource in the Azure portal.
      • For findings, you can use the Defender for Cloud UI (including viewing the scan results/findings from the relevant recommendation path).
    2. Enable/operate recurring scans (automation)
      • For Express configuration, recurring scans are always enabled.
      • That means Express is designed to keep scanning and updating findings automatically, rather than relying on the same notification workflow as classic.
    3. Understand the email behavior difference
      • The documentation specifically notes: “Email reports aren't supported with express configuration.”
      • So if your prior setup depended on receiving an email with a scan result summary, that expectation won’t match Express behavior.
    4. If you specifically need email-style notifications with Express
      • The doc suggests using a Logic Apps template to schedule an “almost identical, but highly customizable, report” since Express doesn’t support email reports directly.

    What you should double-check in your setup

    • Confirm you’re using Express configuration (and not classic) for the Managed Instance.
    • Confirm you’re viewing findings through the Defender for Cloud / recommendations / vulnerability assessment UX (since that’s the supported place to see findings with Express).
    • If email notifications are a must, implement the Logic Apps template approach.

    Follow-up questions (to tailor the exact steps)

    1. Are you trying to get email notifications, or is portal-based notifications/findings sufficient?
    2. In the portal, which blade are you using to configure VA — the one under Defender for Cloud / Microsoft Defender for SQL, or classic VA settings?
    3. When you say “alerts,” do you mean:
      • email summaries,
      • security recommendations in Defender for Cloud,
      • or both?
    4. Are you seeing findings in the Defender for Cloud recommendation, but expecting them to arrive via email?

    Reference list (links)

    If you answer the follow-up questions (especially whether you need email or just Defender portal alerts/findings), I can suggest the most fitting public-forum wording and exact navigation targets.

    1. Pilladi Padma Sai Manisha 10,190 Reputation points Microsoft External Staff Moderator

      Hi @Julie
      Following up to see if the below answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    Sign in to comment

  2. AI answer

    For Azure SQL Managed Instance with Vulnerability Assessment (VA) in express mode, use a combination of Microsoft Defender for SQL configuration, Azure Monitor alerts, and (optionally) Logic Apps-based reporting to get notifications and alerting similar to or more flexible than the classic email option.

    Recommended setup:

    1. Enable and configure Microsoft Defender for SQL on the managed instance
      • In the Azure portal, open the SQL Managed Instance.
      • Under Security, select Microsoft Defender for Cloud.
      • Select Configure to open Server settings.
      • Turn Microsoft Defender for SQL to ON.
      • Select a Storage account for threat audit records.
      • Under Advanced Threat Protection Settings, configure:
        • Email recipients (by role or specific addresses).
        • Notification types you want to receive.
      • Select Save.
      This enables Defender’s threat detection and VA capabilities for the instance; email notifications here are primarily for threat detection alerts, not detailed VA reports, but they are the baseline security notifications for the managed instance.
    2. Use SQL Vulnerability Assessment regularly
      • Defender for SQL includes SQL Vulnerability Assessment for Azure SQL Managed Instance.
      • Run regular VA scans and remediate findings as part of the security process. This is the core of the “express” VA experience.
    3. Configure Azure Monitor alerts for the managed instance To get more flexible alerting (email, SMS, webhook, Logic Apps, etc.) around security and operational conditions:
      • In the Azure portal, open the SQL Managed Instance.
      • Under Monitoring, select Alerts.
      • Select + Create → Alert rule.
      • Confirm the Scope is the managed instance.
      • Choose a Signal (metric, activity log, resource health, or log search) that reflects the condition to monitor (for example, failed logins, storage usage, or other security-related metrics available for the instance).
      • Configure the Condition (threshold, frequency, etc.).
      • Select or create an Action group and add:
        • Email recipients
        • SMS, voice call, mobile push
        • Or actions such as Logic Apps, Functions, webhooks, ITSM, runbooks.
      • Set Severity, Alert rule name, region, and identity.
      • Ensure Enable upon creation is selected and (optionally) Automatically resolve alerts is enabled.
      • Complete Review + create and select Create.
      This gives fine-grained alerting for managed-instance-level metrics and events. While it does not directly fire on individual VA findings, it is the recommended way to build security/health notifications around the managed instance in the express model.
    4. Use Logic Apps for scheduled VA status emails (recommended for VA-specific reporting) For VA-specific, periodic email reports similar to (but more powerful than) the old per-database emails:
      • Use the Azure Logic Apps template for SQL Vulnerability Assessment reporting: Notify-SQLVulnerabilityReport from the Defender for Cloud workflow automation samples.
      • This template allows:
        • Choosing the schedule for email reports.
        • Including disabled rules in the report.
        • Sending reports for Azure SQL Servers and SQL VMs.
        • Customizing the report structure and appearance.
      With express VA, this Logic App–based approach is the recommended way to get consolidated, scheduled email reports of VA findings instead of relying on the older per-database email toggle.
    5. (Optional) Manage VA programmatically for automation
      • Use the unified SQL Vulnerability Assessment REST APIs (2026-04-01-preview) to:
        • Configure VA settings
        • Manage baselines
        • Trigger scans
        • Retrieve scan results
      • Combine these APIs with Azure Monitor and Logic Apps/Functions to build custom alerting pipelines (for example, trigger a Logic App when new high-severity findings appear and send targeted notifications).

    Summary

    • Classic “enter email in VA GUI and get per-database emails” is replaced in the express model by:
      • Defender for SQL email notifications (for threat detection),
      • Azure Monitor alert rules (for instance-level metrics/events), and
      • Logic Apps–based scheduled VA reports (for detailed VA findings).

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.
Sign in to answer

Your answer