AzInitiativeAdvertizer

last sync: 2025-Jun-26 17:23:22 UTC

Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace

Azure BuiltIn Policy Initiative (PolicySet)

-Source
+ Azure Portal
-Display name
+Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace
-Id
+de01d381-bae9-4670-8870-786f89f49e26
-Version
+.2.0
  Details on versioning
-Versioning
+                        Versions supported for Versioning: 3
1.2.0
1.1.1
1.1.0-preview
                         Built-in Versioning [Preview]
-Category
+Security Center
 Microsoft Learn
-Description
+Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.
-Cloud environments
+AzureCloud = true
AzureChinaCloud = unknown
AzureUSGovernment = true
-Available in AzUSGov
+The PolicySet is available in AzureUSGovernment cloud. Version: '1.2.0'
 Repository: Azure-Policy de01d381-bae9-4670-8870-786f89f49e26
-Type
+BuiltIn
-Deprecated
+False
-Preview
+False
-Policy-used summary
+                            Policy types
                            Policy states
                            Policy categories
                        

                        
                            
                                
                                    Total Policies: 8

                                    Builtin Policies: 8

                                    Static Policies: 0
                                
                            


                            
                                
                                    GA: 8
                                
                            


                            
                                
                                1 categories:

                                
                                
                                    Security Center: 8
-Policy types
+Policy categories
-                                    Total Policies: 8

                                    Builtin Policies: 8

                                    Static Policies: 0
+categories:

                                
                                
                                    Security Center: 8
-Policy-used
+Rows: 1-8 / 8
Records: Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators: 
<, <=, >, >=, =, *, !, {, }, ||,&&, [empty], [nonempty], rgx:
Learn more
TableFilter v0.7.3
https://www.tablefilter.com/
©2015-2025 Max GuglielmiClose
?
 Page  of 1
                    
                        

                            Policy DisplayName
                            Policy Id
                            Category
                            Version
                            Versioning
                            Effect
                            Roles#
                            Roles
                            State
                            policy in AzUSGov
                        
                    
                        
                            Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent
                            3592ff98-9787-443a-af59-4505d0fe0786
                            Security Center
                            1.3.0
                            3x
1.3.0, 1.2.2, 1.2.1-preview
                            Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
                            1
                            Azure Connected Machine Resource Administrator
                            GA
                            true
                        
                        
                            Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL
                            65503269-6a54-4553-8a28-0065a8e6d929
                            Security Center
                            1.2.0
                            3x
1.2.0, 1.1.2, 1.1.1-preview
                            Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
                            1
                            Log Analytics Contributor
                            GA
                            true
                        
                        
                            Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace
                            63d03cbd-47fd-4ee1-8a1c-9ddf07303de0
                            Security Center
                            1.8.0
                            7x
1.8.0, 1.7.0, 1.6.0, 1.5.0, 1.4.0, 1.3.1, 1.3.0-preview
                            Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
                            1
                            Contributor
                            GA
                            true
                        
                        
                            Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR
                            2227e1f1-23dd-4c3a-85a9-7024a401d8b2
                            Security Center
                            1.3.0
                            4x
1.3.0, 1.2.0, 1.1.1, 1.1.0-preview
                            Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
                            2
                            Log Analytics Contributor, Monitoring Contributor
                            GA
                            true
                        
                        
                            Configure SQL Virtual Machines to automatically install Azure Monitor Agent
                            f91991d1-5383-4c95-8ee5-5ac423dd8bb1
                            Security Center
                            1.6.0
                            6x
1.6.0, 1.5.0, 1.4.0, 1.3.0, 1.2.2, 1.2.1-preview
                            Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
                            1
                            Virtual Machine Contributor
                            GA
                            true
                        
                        
                            Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL
                            ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce
                            Security Center
                            1.6.0
                            6x
1.6.0, 1.5.0, 1.4.0, 1.3.0, 1.2.1, 1.2.0-preview
                            Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
                            2
                            Log Analytics Contributor, Monitoring Contributor
                            GA
                            true
                        
                        
                            Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace
                            04754ef9-9ae3-4477-bf17-86ef50026304
                            Security Center
                            1.10.0
                            9x
1.10.0, 1.9.0, 1.8.0, 1.7.0, 1.6.0, 1.5.0, 1.4.0, 1.3.1, 1.3.0-preview
                            Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
                            1
                            Contributor
                            GA
                            true
                        
                        
                            Create and assign a built-in user-assigned managed identity
                            09963c90-6ee7-4215-8d26-1cc660a1682f
                            Security Center
                            1.8.0
                            7x
1.8.0, 1.7.0, 1.6.0, 1.5.0, 1.4.0, 1.3.1, 1.3.0-preview
                            Default
DeployIfNotExists
Allowed
AuditIfNotExists, DeployIfNotExists, Disabled
                            1
                            Contributor
                            GA
                            true
                        
                    
No results
-Policy DisplayName
+policy in AzUSGov
-Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent
+true
-Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL
+true
-Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace
+true
-Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR
+true
-Configure SQL Virtual Machines to automatically install Azure Monitor Agent
+true
-Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL
+true
-Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace
+true
-Create and assign a built-in user-assigned managed identity
+true
-Roles used
+    Total Roles usage: 10

    Total Roles unique usage: 5

    
        
            
                Role
                Role Id
                #Policies
                Policies
            
        
        
            Monitoring Contributor
            749f88d5-cbae-40b8-bcfc-e573ddc772fa
            2
            Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR, Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL
        
        
            Contributor
            b24988ac-6180-42a0-ab88-20f7382dd24c
            3
            Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace, Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace, Create and assign a built-in user-assigned managed identity
        
        
            Log Analytics Contributor
            92aaf0da-9dab-42b6-94a3-d43ce8d16293
            3
            Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL, Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR, Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL
        
        
            Virtual Machine Contributor
            9980e02c-c2be-4d73-94e8-173b1dc7cf3c
            1
            Configure SQL Virtual Machines to automatically install Azure Monitor Agent
        
        
            Azure Connected Machine Resource Administrator
            cd570a14-e51a-42ad-bac8-bafd67325302
            1
            Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent
-Role
+Policies
-Monitoring Contributor
+Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR, Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL
-Contributor
+Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace, Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace, Create and assign a built-in user-assigned managed identity
-Log Analytics Contributor
+Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL, Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR, Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL
-Virtual Machine Contributor
+Configure SQL Virtual Machines to automatically install Azure Monitor Agent
-Azure Connected Machine Resource Administrator
+Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent
-History
+                                Date/Time (UTC ymd) (i)
                                Changes
                            
                            
                                2024-05-15 17:48:20
                                                                    Version change: '1.1.1' to '1.2.0'
                                
                            
                            
                                2023-11-22 19:18:10
                                                                    Version change: '1.1.0-preview' to '1.1.1'
                                    Name change: '[Preview]: Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace' to 'Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace'
                                
                            
                            
                                2023-09-18 18:02:04
                                                                    Name change: '[Preview]: Configure machines to create the user-defined Microsoft Defender for SQL pipeline using Azure Monitor Agent' to '[Preview]: Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace'
                                    Description change: 'Configure machines to automatically install the Azure Monitor and Azure Security agents. Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Creates a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace.' to 'Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.'
                                
                            
                            
                                2023-09-14 17:58:18
                                                                    Version change: '1.0.0-preview' to '1.1.0-preview'
                                
                            
                            
                                2023-08-25 17:58:14
                                                                    add Initiative de01d381-bae9-4670-8870-786f89f49e26
-Date/Time (UTC ymd) (i)
+Changes
--05-15 17:48:20
+                                    Version change: '1.1.1' to '1.2.0'
--11-22 19:18:10
+                                    Version change: '1.1.0-preview' to '1.1.1'
                                    Name change: '[Preview]: Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace' to 'Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace'
--09-18 18:02:04
+                                    Name change: '[Preview]: Configure machines to create the user-defined Microsoft Defender for SQL pipeline using Azure Monitor Agent' to '[Preview]: Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace'
                                    Description change: 'Configure machines to automatically install the Azure Monitor and Azure Security agents. Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Use the user-provided Log Analytics workspace to store audit records. Creates a resource group and a Data Collection Rule in the same region as the user-provided Log Analytics workspace.' to 'Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.'
--09-14 17:58:18
+                                    Version change: '1.0.0-preview' to '1.1.0-preview'
--08-25 17:58:14
+                                    add Initiative de01d381-bae9-4670-8870-786f89f49e26
-JSON compare
+  "displayName": "Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace",
@@ -2,10 +2,11 @@
   "displayName": "Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace",
   "description": "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.",
   "metadata": {
     "category": "Security Center",
-    "version": "1.1.1"
   },
   "parameters": {
     "userWorkspaceResourceId": {
       "type": "String",
       "metadata": {
@@ -49,39 +50,103 @@
         "displayName": "User-Assigned Managed Identity Resource Group Location",
         "description": "The location of the resource group 'Built-In-Identity-RG' created by the policy."
       },
       "defaultValue": "eastus"
     }
   },
   "policyDefinitions": [
     {
       "policyDefinitionReferenceId": "MDC_DfSQL_AddUserAssignedIdentity_VM",
       "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09963c90-6ee7-4215-8d26-1cc660a1682f",
       "parameters": {
         "builtInIdentityResourceGroupLocation": {
           "value": "[parameters('builtInIdentityResourceGroupLocation')]"
         }
       }
     },
     {
       "policyDefinitionReferenceId": "MDC_DfSQL_DeployWindowsAMA_VM",
-      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f91991d1-5383-4c95-8ee5-5ac423dd8bb1"
     },
     {
       "policyDefinitionReferenceId": "MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_VM",
       "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce",
       "parameters": {
         "workspaceRegion": {
           "value": "[parameters('workspaceRegion')]"
         },
         "userWorkspaceId": {
           "value": "[parameters('userWorkspaceId')]"
         }
       }
     },
     {
       "policyDefinitionReferenceId": "MDC_DfSQL_AMA_UserWorkspacePipeline_VM",
       "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/04754ef9-9ae3-4477-bf17-86ef50026304",
       "parameters": {
         "userWorkspaceResourceId": {
           "value": "[parameters('userWorkspaceResourceId')]"
         },
@@ -92,22 +157,28 @@
           "value": "[parameters('userWorkspaceId')]"
         },
         "enableCollectionOfSqlQueriesForSecurityResearch": {
           "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
         }
       }
     },
     {
       "policyDefinitionReferenceId": "MDC_DfSQL_DeployWindowsAMA_Arc",
-      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786"
     },
     {
       "policyDefinitionReferenceId": "MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_Arc",
-      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929"
     },
     {
       "policyDefinitionReferenceId": "MDC_DfSQL_AMA_UserWorkspacePipeline_Arc",
       "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0",
       "parameters": {
         "userWorkspaceResourceId": {
           "value": "[parameters('userWorkspaceResourceId')]"
         },
@@ -118,21 +189,36 @@
           "value": "[parameters('userWorkspaceId')]"
         },
         "enableCollectionOfSqlQueriesForSecurityResearch": {
           "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
         }
       }
     },
     {
       "policyDefinitionReferenceId": "MDC_DfSQL_AMA_UserWorkspacePipeline_DCRA_Arc",
       "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2227e1f1-23dd-4c3a-85a9-7024a401d8b2",
       "parameters": {
         "workspaceRegion": {
           "value": "[parameters('workspaceRegion')]"
         },
         "userWorkspaceId": {
           "value": "[parameters('userWorkspaceId')]"
         }
       }
     }
   ]
 }
   "displayName": "Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace",
   "description": "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.",
   "metadata": {
     "category": "Security Center",
+    "version": "1.2.0"
   },
+  "version": "1.2.0",
   "parameters": {
     "userWorkspaceResourceId": {
       "type": "String",
       "metadata": {
         "displayName": "User-Assigned Managed Identity Resource Group Location",
         "description": "The location of the resource group 'Built-In-Identity-RG' created by the policy."
       },
       "defaultValue": "eastus"
+    },
+    "bringYourOwnUserAssignedManagedIdentity": {
+      "type": "Boolean",
+      "metadata": {
+        "displayName": "Bring your own User-Assigned Managed Identity",
+        "description": "Enable this to use your own user-assigned managed identity. The pre-created identity MUST exist otherwise the policy deployment will fail. If enabled, ensure that the user-assigned managed identity resource ID parameter matches the pre-created user-assigned managed identity resource ID. If not enabled, the policy will create a new user-assigned managed identitiy per subscription, in a new resource group named 'Built-In-Identity-RG'."
+      },
+      "allowedValues": [
+        true,
+        false
+      ],
+      "defaultValue": false
+    },
+    "userAssignedIdentityResourceId": {
+      "type": "String",
+      "metadata": {
+        "displayName": "User-Assigned Managed Identity Resource ID",
+        "description": "The resource ID of the pre-created user-assigned managed identity. This parameter is only used when bringYourOwnUserAssignedManagedIdentity is set to true."
+      },
+      "defaultValue": ""
+    },
+    "bringYourOwnDcr": {
+      "type": "Boolean",
+      "metadata": {
+        "displayName": "Bring your own DCR",
+        "description": "Enable this to use your own Data Collection Rule. The pre-created Data Collection Rule MUST exist otherwise the policy deployment will fail. If enabled, ensure that the Data Collection Rule Resource ID parameter matches the pre-created Data Collection Rule Resource ID. If not enabled, the policy will create a new Data Collection Rule per subscription."
+      },
+      "allowedValues": [
+        true,
+        false
+      ],
+      "defaultValue": false
+    },
+    "dcrResourceId": {
+      "type": "String",
+      "metadata": {
+        "displayName": "Data Collection Rule Resource ID",
+        "description": "The resource ID of the user-defined Data Collection Rule. This parameter is only used when bringYourOwnDcr is set to true."
+      },
+      "defaultValue": ""
     }
   },
   "policyDefinitions": [
     {
       "policyDefinitionReferenceId": "MDC_DfSQL_AddUserAssignedIdentity_VM",
       "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09963c90-6ee7-4215-8d26-1cc660a1682f",
+      "definitionVersion": "1.*.*",
       "parameters": {
         "builtInIdentityResourceGroupLocation": {
           "value": "[parameters('builtInIdentityResourceGroupLocation')]"
+        },
+        "bringYourOwnUserAssignedManagedIdentity": {
+          "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]"
+        },
+        "userAssignedIdentityResourceId": {
+          "value": "[parameters('userAssignedIdentityResourceId')]"
         }
       }
     },
     {
       "policyDefinitionReferenceId": "MDC_DfSQL_DeployWindowsAMA_VM",
+      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f91991d1-5383-4c95-8ee5-5ac423dd8bb1",
+      "definitionVersion": "1.*.*",
+      "parameters": {
+        "bringYourOwnUserAssignedManagedIdentity": {
+          "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]"
+        },
+        "userAssignedIdentityResourceId": {
+          "value": "[parameters('userAssignedIdentityResourceId')]"
+        }
+      }
     },
     {
       "policyDefinitionReferenceId": "MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_VM",
       "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce",
+      "definitionVersion": "1.*.*",
       "parameters": {
         "workspaceRegion": {
           "value": "[parameters('workspaceRegion')]"
         },
         "userWorkspaceId": {
           "value": "[parameters('userWorkspaceId')]"
+        },
+        "bringYourOwnDcr": {
+          "value": "[parameters('bringYourOwnDcr')]"
+        },
+        "dcrResourceId": {
+          "value": "[parameters('dcrResourceId')]"
         }
       }
     },
     {
       "policyDefinitionReferenceId": "MDC_DfSQL_AMA_UserWorkspacePipeline_VM",
       "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/04754ef9-9ae3-4477-bf17-86ef50026304",
+      "definitionVersion": "1.*.*",
       "parameters": {
         "userWorkspaceResourceId": {
           "value": "[parameters('userWorkspaceResourceId')]"
         },
           "value": "[parameters('userWorkspaceId')]"
         },
         "enableCollectionOfSqlQueriesForSecurityResearch": {
           "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
+        },
+        "bringYourOwnDcr": {
+          "value": "[parameters('bringYourOwnDcr')]"
         }
       }
     },
     {
       "policyDefinitionReferenceId": "MDC_DfSQL_DeployWindowsAMA_Arc",
+      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786",
+      "definitionVersion": "1.*.*"
     },
     {
       "policyDefinitionReferenceId": "MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_Arc",
+      "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929",
+      "definitionVersion": "1.*.*"
     },
     {
       "policyDefinitionReferenceId": "MDC_DfSQL_AMA_UserWorkspacePipeline_Arc",
       "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0",
+      "definitionVersion": "1.*.*",
       "parameters": {
         "userWorkspaceResourceId": {
           "value": "[parameters('userWorkspaceResourceId')]"
         },
           "value": "[parameters('userWorkspaceId')]"
         },
         "enableCollectionOfSqlQueriesForSecurityResearch": {
           "value": "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
+        },
+        "bringYourOwnDcr": {
+          "value": "[parameters('bringYourOwnDcr')]"
         }
       }
     },
     {
       "policyDefinitionReferenceId": "MDC_DfSQL_AMA_UserWorkspacePipeline_DCRA_Arc",
       "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2227e1f1-23dd-4c3a-85a9-7024a401d8b2",
+      "definitionVersion": "1.*.*",
       "parameters": {
         "workspaceRegion": {
           "value": "[parameters('workspaceRegion')]"
         },
         "userWorkspaceId": {
           "value": "[parameters('userWorkspaceId')]"
+        },
+        "bringYourOwnDcr": {
+          "value": "[parameters('bringYourOwnDcr')]"
+        },
+        "dcrResourceId": {
+          "value": "[parameters('dcrResourceId')]"
         }
       }
     }
+  ],
+  "versions": [
+    "1.2.0",
+    "1.1.1",
+    "1.1.0-preview"
   ]
 }
-JSON
+                            api-version=2023-04-01

                              EPAC
                            
                        
                    
                    
                        
                            {8 itemsdisplayName: "Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace",
policyType: "BuiltIn",
description: "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.",
metadata: {2 itemscategory: "Security Center",
version: "1.2.0"
},
version: "1.2.0",
parameters: {9 itemsuserWorkspaceResourceId: {2 itemstype: "String",
metadata: {3 itemsdisplayName: "Workspace Resource Id",
description: "Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.",
strongType: "omsWorkspace"
}
},
workspaceRegion: {3 itemstype: "String",
metadata: {3 itemsdisplayName: "Workspace region",
description: "Region of the Log Analytics workspace destination for the Data Collection Rule.",
strongType: "location"
},
defaultValue: ""
},
userWorkspaceId: {3 itemstype: "String",
metadata: {2 itemsdisplayName: "Workspace Id",
description: "Workspace Id of the Log Analytics workspace destination for the Data Collection Rule."
},
defaultValue: ""
},
enableCollectionOfSqlQueriesForSecurityResearch: {4 itemstype: "Boolean",
metadata: {2 itemsdisplayName: "Enable collection of SQL queries for security research",
description: "Enable or disable the collection of SQL queries for security research."
},
allowedValues: [2 itemstrue,
false
],
defaultValue: false
},
builtInIdentityResourceGroupLocation: {3 itemstype: "String",
metadata: {2 itemsdisplayName: "User-Assigned Managed Identity Resource Group Location",
description: "The location of the resource group 'Built-In-Identity-RG' created by the policy."
},
defaultValue: "eastus"
},
bringYourOwnUserAssignedManagedIdentity: {4 itemstype: "Boolean",
metadata: {2 itemsdisplayName: "Bring your own User-Assigned Managed Identity",
description: "Enable this to use your own user-assigned managed identity. The pre-created identity MUST exist otherwise the policy deployment will fail. If enabled, ensure that the user-assigned managed identity resource ID parameter matches the pre-created user-assigned managed identity resource ID. If not enabled, the policy will create a new user-assigned managed identitiy per subscription, in a new resource group named 'Built-In-Identity-RG'."
},
allowedValues: [2 itemstrue,
false
],
defaultValue: false
},
userAssignedIdentityResourceId: {3 itemstype: "String",
metadata: {2 itemsdisplayName: "User-Assigned Managed Identity Resource ID",
description: "The resource ID of the pre-created user-assigned managed identity. This parameter is only used when bringYourOwnUserAssignedManagedIdentity is set to true."
},
defaultValue: ""
},
bringYourOwnDcr: {4 itemstype: "Boolean",
metadata: {2 itemsdisplayName: "Bring your own DCR",
description: "Enable this to use your own Data Collection Rule. The pre-created Data Collection Rule MUST exist otherwise the policy deployment will fail. If enabled, ensure that the Data Collection Rule Resource ID parameter matches the pre-created Data Collection Rule Resource ID. If not enabled, the policy will create a new Data Collection Rule per subscription."
},
allowedValues: [2 itemstrue,
false
],
defaultValue: false
},
dcrResourceId: {3 itemstype: "String",
metadata: {2 itemsdisplayName: "Data Collection Rule Resource ID",
description: "The resource ID of the user-defined Data Collection Rule. This parameter is only used when bringYourOwnDcr is set to true."
},
defaultValue: ""
}
},
policyDefinitions: [8 items{4 itemspolicyDefinitionReferenceId: "MDC_DfSQL_AddUserAssignedIdentity_VM",
policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity ,
definitionVersion: 1.*.*1.8.0,
parameters: {3 itemsbuiltInIdentityResourceGroupLocation: {1 itemvalue: "[parameters('builtInIdentityResourceGroupLocation')]"
},
bringYourOwnUserAssignedManagedIdentity: {1 itemvalue: "[parameters('bringYourOwnUserAssignedManagedIdentity')]"
},
userAssignedIdentityResourceId: {1 itemvalue: "[parameters('userAssignedIdentityResourceId')]"
}
}
},
{4 itemspolicyDefinitionReferenceId: "MDC_DfSQL_DeployWindowsAMA_VM",
policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Configure SQL Virtual Machines to automatically install Azure Monitor Agent ,
definitionVersion: 1.*.*1.6.0,
parameters: {2 itemsbringYourOwnUserAssignedManagedIdentity: {1 itemvalue: "[parameters('bringYourOwnUserAssignedManagedIdentity')]"
},
userAssignedIdentityResourceId: {1 itemvalue: "[parameters('userAssignedIdentityResourceId')]"
}
}
},
{4 itemspolicyDefinitionReferenceId: "MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_VM",
policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL ,
definitionVersion: 1.*.*1.6.0,
parameters: {4 itemsworkspaceRegion: {1 itemvalue: "[parameters('workspaceRegion')]"
},
userWorkspaceId: {1 itemvalue: "[parameters('userWorkspaceId')]"
},
bringYourOwnDcr: {1 itemvalue: "[parameters('bringYourOwnDcr')]"
},
dcrResourceId: {1 itemvalue: "[parameters('dcrResourceId')]"
}
}
},
{4 itemspolicyDefinitionReferenceId: "MDC_DfSQL_AMA_UserWorkspacePipeline_VM",
policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace ,
definitionVersion: 1.*.*1.10.0,
parameters: {5 itemsuserWorkspaceResourceId: {1 itemvalue: "[parameters('userWorkspaceResourceId')]"
},
workspaceRegion: {1 itemvalue: "[parameters('workspaceRegion')]"
},
userWorkspaceId: {1 itemvalue: "[parameters('userWorkspaceId')]"
},
enableCollectionOfSqlQueriesForSecurityResearch: {1 itemvalue: "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
},
bringYourOwnDcr: {1 itemvalue: "[parameters('bringYourOwnDcr')]"
}
}
},
{3 itemspolicyDefinitionReferenceId: "MDC_DfSQL_DeployWindowsAMA_Arc",
policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786 Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent ,
definitionVersion: 1.*.*1.3.0
},
{3 itemspolicyDefinitionReferenceId: "MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_Arc",
policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL ,
definitionVersion: 1.*.*1.2.0
},
{4 itemspolicyDefinitionReferenceId: "MDC_DfSQL_AMA_UserWorkspacePipeline_Arc",
policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace ,
definitionVersion: 1.*.*1.8.0,
parameters: {5 itemsuserWorkspaceResourceId: {1 itemvalue: "[parameters('userWorkspaceResourceId')]"
},
workspaceRegion: {1 itemvalue: "[parameters('workspaceRegion')]"
},
userWorkspaceId: {1 itemvalue: "[parameters('userWorkspaceId')]"
},
enableCollectionOfSqlQueriesForSecurityResearch: {1 itemvalue: "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
},
bringYourOwnDcr: {1 itemvalue: "[parameters('bringYourOwnDcr')]"
}
}
},
{4 itemspolicyDefinitionReferenceId: "MDC_DfSQL_AMA_UserWorkspacePipeline_DCRA_Arc",
policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/2227e1f1-23dd-4c3a-85a9-7024a401d8b2 Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR ,
definitionVersion: 1.*.*1.3.0,
parameters: {4 itemsworkspaceRegion: {1 itemvalue: "[parameters('workspaceRegion')]"
},
userWorkspaceId: {1 itemvalue: "[parameters('userWorkspaceId')]"
},
bringYourOwnDcr: {1 itemvalue: "[parameters('bringYourOwnDcr')]"
},
dcrResourceId: {1 itemvalue: "[parameters('dcrResourceId')]"
}
}
}
],
versions: [3 items"1.2.0",
"1.1.1",
"1.1.0-preview"
]
}
                             api-version=2023-04-01

                              EPAC
                             {8 itemsdisplayName: "Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace",
policyType: "BuiltIn",
description: "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace.",
metadata: {2 itemscategory: "Security Center",
version: "1.2.0"
},
version: "1.2.0",
parameters: {9 itemsuserWorkspaceResourceId: {2 itemstype: "String",
metadata: {3 itemsdisplayName: "Workspace Resource Id",
description: "Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.",
strongType: "omsWorkspace"
}
},
workspaceRegion: {3 itemstype: "String",
metadata: {3 itemsdisplayName: "Workspace region",
description: "Region of the Log Analytics workspace destination for the Data Collection Rule.",
strongType: "location"
},
defaultValue: ""
},
userWorkspaceId: {3 itemstype: "String",
metadata: {2 itemsdisplayName: "Workspace Id",
description: "Workspace Id of the Log Analytics workspace destination for the Data Collection Rule."
},
defaultValue: ""
},
enableCollectionOfSqlQueriesForSecurityResearch: {4 itemstype: "Boolean",
metadata: {2 itemsdisplayName: "Enable collection of SQL queries for security research",
description: "Enable or disable the collection of SQL queries for security research."
},
allowedValues: [2 itemstrue,
false
],
defaultValue: false
},
builtInIdentityResourceGroupLocation: {3 itemstype: "String",
metadata: {2 itemsdisplayName: "User-Assigned Managed Identity Resource Group Location",
description: "The location of the resource group 'Built-In-Identity-RG' created by the policy."
},
defaultValue: "eastus"
},
bringYourOwnUserAssignedManagedIdentity: {4 itemstype: "Boolean",
metadata: {2 itemsdisplayName: "Bring your own User-Assigned Managed Identity",
description: "Enable this to use your own user-assigned managed identity. The pre-created identity MUST exist otherwise the policy deployment will fail. If enabled, ensure that the user-assigned managed identity resource ID parameter matches the pre-created user-assigned managed identity resource ID. If not enabled, the policy will create a new user-assigned managed identitiy per subscription, in a new resource group named 'Built-In-Identity-RG'."
},
allowedValues: [2 itemstrue,
false
],
defaultValue: false
},
userAssignedIdentityResourceId: {3 itemstype: "String",
metadata: {2 itemsdisplayName: "User-Assigned Managed Identity Resource ID",
description: "The resource ID of the pre-created user-assigned managed identity. This parameter is only used when bringYourOwnUserAssignedManagedIdentity is set to true."
},
defaultValue: ""
},
bringYourOwnDcr: {4 itemstype: "Boolean",
metadata: {2 itemsdisplayName: "Bring your own DCR",
description: "Enable this to use your own Data Collection Rule. The pre-created Data Collection Rule MUST exist otherwise the policy deployment will fail. If enabled, ensure that the Data Collection Rule Resource ID parameter matches the pre-created Data Collection Rule Resource ID. If not enabled, the policy will create a new Data Collection Rule per subscription."
},
allowedValues: [2 itemstrue,
false
],
defaultValue: false
},
dcrResourceId: {3 itemstype: "String",
metadata: {2 itemsdisplayName: "Data Collection Rule Resource ID",
description: "The resource ID of the user-defined Data Collection Rule. This parameter is only used when bringYourOwnDcr is set to true."
},
defaultValue: ""
}
},
policyDefinitions: [8 items{4 itemspolicyDefinitionReferenceId: "MDC_DfSQL_AddUserAssignedIdentity_VM",
policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/09963c90-6ee7-4215-8d26-1cc660a1682f Create and assign a built-in user-assigned managed identity ,
definitionVersion: 1.*.*1.8.0,
parameters: {3 itemsbuiltInIdentityResourceGroupLocation: {1 itemvalue: "[parameters('builtInIdentityResourceGroupLocation')]"
},
bringYourOwnUserAssignedManagedIdentity: {1 itemvalue: "[parameters('bringYourOwnUserAssignedManagedIdentity')]"
},
userAssignedIdentityResourceId: {1 itemvalue: "[parameters('userAssignedIdentityResourceId')]"
}
}
},
{4 itemspolicyDefinitionReferenceId: "MDC_DfSQL_DeployWindowsAMA_VM",
policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/f91991d1-5383-4c95-8ee5-5ac423dd8bb1 Configure SQL Virtual Machines to automatically install Azure Monitor Agent ,
definitionVersion: 1.*.*1.6.0,
parameters: {2 itemsbringYourOwnUserAssignedManagedIdentity: {1 itemvalue: "[parameters('bringYourOwnUserAssignedManagedIdentity')]"
},
userAssignedIdentityResourceId: {1 itemvalue: "[parameters('userAssignedIdentityResourceId')]"
}
}
},
{4 itemspolicyDefinitionReferenceId: "MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_VM",
policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/ddca0ddc-4e9d-4bbb-92a1-f7c4dd7ef7ce Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL ,
definitionVersion: 1.*.*1.6.0,
parameters: {4 itemsworkspaceRegion: {1 itemvalue: "[parameters('workspaceRegion')]"
},
userWorkspaceId: {1 itemvalue: "[parameters('userWorkspaceId')]"
},
bringYourOwnDcr: {1 itemvalue: "[parameters('bringYourOwnDcr')]"
},
dcrResourceId: {1 itemvalue: "[parameters('dcrResourceId')]"
}
}
},
{4 itemspolicyDefinitionReferenceId: "MDC_DfSQL_AMA_UserWorkspacePipeline_VM",
policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/04754ef9-9ae3-4477-bf17-86ef50026304 Configure SQL Virtual Machines to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace ,
definitionVersion: 1.*.*1.10.0,
parameters: {5 itemsuserWorkspaceResourceId: {1 itemvalue: "[parameters('userWorkspaceResourceId')]"
},
workspaceRegion: {1 itemvalue: "[parameters('workspaceRegion')]"
},
userWorkspaceId: {1 itemvalue: "[parameters('userWorkspaceId')]"
},
enableCollectionOfSqlQueriesForSecurityResearch: {1 itemvalue: "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
},
bringYourOwnDcr: {1 itemvalue: "[parameters('bringYourOwnDcr')]"
}
}
},
{3 itemspolicyDefinitionReferenceId: "MDC_DfSQL_DeployWindowsAMA_Arc",
policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786 Configure Arc-enabled SQL Servers to automatically install Azure Monitor Agent ,
definitionVersion: 1.*.*1.3.0
},
{3 itemspolicyDefinitionReferenceId: "MDC_DfSQL_DeployMicrosoftDefenderForSQLWindowsAgent_Arc",
policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL ,
definitionVersion: 1.*.*1.2.0
},
{4 itemspolicyDefinitionReferenceId: "MDC_DfSQL_AMA_UserWorkspacePipeline_Arc",
policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/63d03cbd-47fd-4ee1-8a1c-9ddf07303de0 Configure Arc-enabled SQL Servers to automatically install Microsoft Defender for SQL and DCR with a user-defined LA workspace ,
definitionVersion: 1.*.*1.8.0,
parameters: {5 itemsuserWorkspaceResourceId: {1 itemvalue: "[parameters('userWorkspaceResourceId')]"
},
workspaceRegion: {1 itemvalue: "[parameters('workspaceRegion')]"
},
userWorkspaceId: {1 itemvalue: "[parameters('userWorkspaceId')]"
},
enableCollectionOfSqlQueriesForSecurityResearch: {1 itemvalue: "[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]"
},
bringYourOwnDcr: {1 itemvalue: "[parameters('bringYourOwnDcr')]"
}
}
},
{4 itemspolicyDefinitionReferenceId: "MDC_DfSQL_AMA_UserWorkspacePipeline_DCRA_Arc",
policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/2227e1f1-23dd-4c3a-85a9-7024a401d8b2 Configure Arc-enabled SQL Servers with Data Collection Rule Association to Microsoft Defender for SQL user-defined DCR ,
definitionVersion: 1.*.*1.3.0,
parameters: {4 itemsworkspaceRegion: {1 itemvalue: "[parameters('workspaceRegion')]"
},
userWorkspaceId: {1 itemvalue: "[parameters('userWorkspaceId')]"
},
bringYourOwnDcr: {1 itemvalue: "[parameters('bringYourOwnDcr')]"
},
dcrResourceId: {1 itemvalue: "[parameters('dcrResourceId')]"
}
}
}
],
versions: [3 items"1.2.0",
"1.1.1",
"1.1.0-preview"
]
}