Verify that Activity Log Alert exists for Create or Update SQL Server Firewall Rule

Why this matters

Firewall rules define which IP ranges can access your Azure SQL Server. Creating or modifying these rules can expand or restrict access to your databases and potentially expose them to unauthorized users.

Monitoring for Microsoft.Sql/servers/firewallRules/write operations ensures that any change to firewall configurations triggers an alert. This allows your team to investigate and respond rapidly to unauthorized or accidental network exposure, supporting both security and compliance objectives.

What this check does

This Auto Check verifies that an Activity Log Alert exists for the operation:

Microsoft.Sql/servers/firewallRules/write

Check Logic:
Passes if:

An active Activity Log Alert rule exists with:

• Category: Administrative
• Operation name: Microsoft.Sql/servers/firewallRules/write
• No filters on Level, Status, or Caller
• An Action Group assigned to send notifications

Fails if:

• No matching enabled alert rule is configured in the subscription.
• The check inspects Azure Monitor alert rules and validates condition logic and action configuration.

How to fix it

Create the required alert using Azure Portal, CLI, or PowerShell.

Azure Portal:

1. Navigate to Monitor > Alerts > Alert rules.
2. Click Create > Alert rule.
3. Set the subscription scope.
4. Under Condition, choose:
5. Signal: Create/Update server firewall rule
6. Operation: Microsoft.Sql/servers/firewallRules/write
7. Category: Administrative
8. Under Actions, assign or create an Action Group.
9. Under Details, provide an alert name and select a resource group.
10. Click Review + create, then Create.

Azure CLI:

az monitor activity-log alert create \  --name "<activity log rule name>" \  --resource-group "<resource group name>" \  --scope "/subscriptions/<subscription ID>" \  --condition category=Administrative and operationName=Microsoft.Sql/servers/firewallRules/write \  --action-group <action group ID> \  --enabled true 

PowerShell:

$conditions = @() $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Administrative" -Field "category" $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Microsoft.Sql/servers/firewallRules/write" -Field "operationName" $conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Verbose" -Field "level" $actionGroup = Get-AzActionGroup -ResourceGroupName "<resource group name>" -Name "<action group name>" $actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id $scope = "/subscriptions/<subscription ID>" New-AzActivityLogAlert -Name "<activity log alert rule name>" `  -ResourceGroupName "<resource group name>" `  -Condition $conditions `  -Scope $scope `  -Location "global" `  -Action $actionObject `  -Subscription "<subscription ID>" `  -Enabled $true

Update all placeholders to match your deployment.

Exceptions

This check should not be bypassed. All production environments should monitor SQL Server firewall changes. If logging is managed via a third-party SIEM or CSPM, ensure the equivalent rule exists and is auditable.

Further resources

• Create Activity Log Alerts (Azure Monitor)
• REST API: Create or update Activity Log Alerts
• List Alerts by Subscription
• Azure Security Benchmark – Logging