Azure SQL Database Auditing not writing to Storage Account behind firewall

Published Oct 23 2020 09:29 AM 2,681 Views

Issue: After enabling the Storage Account firewall, Azure SQL Database audit logs are not being written.


Mitigation steps:

If your storage account meets all this pre-requisites in this documentation and the audit is still not being written, please follow the steps below:


  1. Configure the Storage Account firewall to “Allow access from: Selected networks” and “Allow trusted Microsoft services to access this storage account”
  2. Disable the audit in the Azure SQL Database server and save
  3. Wait for the deploy to finish
  4. Wait 5 minutes
  5. Enable the audit again and save
  6. Wait for the deploy to finish
  7. Check if now the audit is being successfully written to the Storage Account.


By turning the audit on the Azure SQL Server ON after the Storage Account firewall is enabled, if the user has appropriate permissions, it should perform the necessary configurations in terms of permissions to the service. 


If the audit is still failing, please open a support request and let us know if you have received any error messages during the steps above and what permissions the server has in the Storage Account IAM, with the scope filtered by ‘This resource’:




Note: After performing the steps above, the Server should normally have the permission “Storage Blob Data Contributor” in the Storage Account


Occasional Visitor

So, when the logs are not written how do we get alerts?  where is the alert coming from and what metric is triggering this alert?


Hi @burhan6341 ,


Normally, customers notice this issue starts right after they enable the Storage Account firewall.

You should receive an alert similar to this one:




The alert above is triggered if the audit is not being recorded in the Storage Account for a number of reasons, including the issue mentioned in this post.

Version history
Last update:
‎Oct 23 2020 09:59 AM
Updated by: