Introduction
We are releasing an architecture upgrade for the Defender for SQL Servers on Machines plan. This upgrade is designed to simplify the onboarding experience and improve protection coverage.
In this blog post, we will discuss details about the architecture upgrade and the key steps customers using the Defender for SQL Servers on Machines plan should take to adopt an optimal protection strategy following this update.
Overview of Defender for Cloud database security and the Defender for SQL Servers on Machines plan
Databases are an essential part of building modern applications. Microsoft Defender for Cloud, a Cloud Native Application Protection Platform (CNAPP), provides comprehensive database security capabilities to assist security and infrastructure administrators in identifying and mitigating security posture risks, and to help Security Operations Center (SOC) analysts detect and respond to database cyberattacks.
As organizations advance their digital transformation, a comprehensive database security strategy that covers hybrid and multicloud scenarios is essential. The Defender for SQL Servers on Machines plan delivers this by protecting SQL Server instances hosted on Azure, AWS, GCP, and on-premises machines. It provides database security posture management capabilities and threat protection capabilities to help you start secure and stay secure when building applications. More specifically, it helps to:
- Centralize discovery of managed and shadow databases across clouds and hybrid environments.
- Reduce database risks using risk-based recommendations and attack path analysis.
- Detect and respond to database threats including SQL injections, access anomalies, and suspicious queries. SOC teams can also detect and investigate attacks on databases using built-in integration with Microsoft Defender XDR.
Benefits of the agent upgrade for the Defender for SQL Servers on Machines plan
On April 28, 2025, we began a gradual rollout of an upgraded agent architecture for the Defender for SQL Servers on Machines plan. This upgraded architecture is designed to simplify the onboarding process and improve protection coverage.
This upgrade will eliminate the Azure Monitor framework dependency and replace it with a proven, native SQL extension infrastructure. Azure SQL VMs and Azure Arc-enabled SQL Servers will automatically migrate to the updated architecture.
Actions required after the upgrade
Although the agent architecture upgrade will be automatic, customers that enabled the Defender for SQL Servers on Machines plan before April 28th will need to take action to ensure they adopt optimal plan configurations to help detect and protect unregistered SQL Servers.
1) Update the Defender for SQL Servers on Machines plan configuration for optimal protection coverage
To automatically discover unregistered SQL Servers, customers are required to update the plan configurations using this guide. This will ensure the Defender for SQL Servers on Machines plan can detect and protect all SQL Server instances. Click the Enable button to update the agent configuration setting.
2) Verify the protection status of SQL virtual machines or Arc-enabled SQL servers
Defender for Cloud provides a recommendation titled "The status of Microsoft SQL Servers on Machines should be protected" to help customers assess the protection status of all registered SQL Servers hosted on Azure, AWS, GCP, and on-premises machines within a specified Azure subscription. The recommendation presents the protection status of each SQL Server instance.
Technical context on the architecture upgrade
Historically, the Defender for SQL Servers on Machines plan relied on the Azure Monitor agent framework (MMA/AMA) to deliver its capabilities. However, this architecture has proven to be sensitive to diverse customer environmental factors, often introducing friction during agent installation and configuration. To address these challenges, we are introducing an upgraded agent architecture designed to reduce complexity, improve reliability, and streamline onboarding across varied infrastructures.
Simplifying enablement with a new agent architecture
The SQL extension is a management tool that is available on all Azure SQL virtual machines and SQL servers connected through Azure Arc. It plays a key role in helping simplify the migration process to Azure, enabling large-scale management of your SQL environments and enhancing the security posture of your databases.
With the new agent architecture, Defender for SQL utilizes the SQL extension as a backchannel to streamline the flow of data from SQL Server instances to the Defender for Cloud portal.
Product performance implications
Our assessments confirm that the new architecture does not negatively impact performance. For more information, please refer to Common Questions - Defender for Databases.
Learn more
To learn more about the Defender for SQL Servers on Machines architecture upgrade designed to simplify the onboarding experience and enhance protection coverage, please visit our documentation and review the actions needed to adopt optimal plan configurations after the agent upgrade.