Verify that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
Why this matters
Firewall rules define which IP ranges can access your Azure SQL Server. Creating or modifying these rules can expand or restrict access to your databases and potentially expose them to unauthorized users.
Monitoring for Microsoft.Sql/servers/firewallRules/write operations ensures that any creation or modification of a server-level firewall rule triggers an alert. This allows your team to investigate and respond rapidly to unauthorized or accidental network exposure, supporting both security and compliance objectives. Two caveats: rule deletions are logged under the separate Microsoft.Sql/servers/firewallRules/delete operation and are not covered by this alert, and database-level firewall rules set through T-SQL (sp_set_database_firewall_rule) are not ARM operations, so they never appear in the Activity Log at all.
What this check does
This Auto Check verifies that an Activity Log Alert exists for the operation Microsoft.Sql/servers/firewallRules/write.
Check Logic:
Passes if:
An enabled Activity Log Alert rule exists whose condition includes:
- Category: Administrative
- Operation name: Microsoft.Sql/servers/firewallRules/write
- No filters on Level, Status, or Caller (a filter on any of these narrows when the alert fires)
- An Action Group assigned to send notifications
Fails if:
- No matching enabled alert rule is configured in the subscription.
- Every candidate rule is disabled, adds a Level, Status, or Caller filter, or has no Action Group attached.
The check inspects Azure Monitor alert rules and validates both the condition logic and the action configuration.
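The pass/fail logic above, written out as an added example (not the Auto Check's own code) over alert-rule objects shaped like the JSON that `az monitor activity-log alert list -o json` returns (the Microsoft.Insights/activityLogAlerts resource: `enabled`, `condition.allOf[]` leaves with `field`/`equals`/`containsAny`, and `actions.actionGroups[]`). The sample rules, subscription ID and action group path are constructed for the example; the function names are the example's own.

```python
"""Evaluate the SQL Server firewall-rule Activity Log Alert check over alert-rule JSON.

Added example: the input mirrors `az monitor activity-log alert list -o json`
(Microsoft.Insights/activityLogAlerts); all sample data below is constructed.
"""

TARGET_OPERATION = "Microsoft.Sql/servers/firewallRules/write"
# The check requires no filters on these fields; a filter on them narrows when the alert fires.
FORBIDDEN_FIELDS = {"level", "status", "caller"}


def _leaves(condition):
    """Flatten condition.allOf into leaf conditions, descending into anyOf groups."""
    for item in (condition or {}).get("allOf") or []:
        if item.get("anyOf"):
            yield from item["anyOf"]
        else:
            yield item


def _pins(leaf, field, value):
    """True if a leaf condition pins `field` to `value` via `equals` or `containsAny`."""
    if (leaf.get("field") or "").lower() != field.lower():
        return False
    if leaf.get("equals") is not None:
        return leaf["equals"].lower() == value.lower()
    return value.lower() in {v.lower() for v in leaf.get("containsAny") or []}


def evaluate_alert(rule):
    """Return (passes, reasons) for one alert rule against the check logic on this page."""
    reasons = []
    if not rule.get("enabled", False):
        reasons.append("rule is disabled")
    leaves = list(_leaves(rule.get("condition")))
    if not any(_pins(leaf, "category", "Administrative") for leaf in leaves):
        reasons.append("no category=Administrative condition")
    if not any(_pins(leaf, "operationName", TARGET_OPERATION) for leaf in leaves):
        reasons.append(f"no operationName={TARGET_OPERATION} condition")
    narrowed = sorted({(leaf.get("field") or "").lower() for leaf in leaves} & FORBIDDEN_FIELDS)
    if narrowed:
        reasons.append("filters on " + ", ".join(narrowed) + " would suppress events")
    if not (rule.get("actions") or {}).get("actionGroups"):
        reasons.append("no action group assigned")
    return (not reasons, reasons)


def subscription_passes(rules):
    """The subscription passes when at least one rule satisfies every pass criterion."""
    return any(evaluate_alert(rule)[0] for rule in rules)


# Constructed sample rules (hypothetical subscription ID and action group path).
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
_AG = {"actionGroupId": _SUB + "/resourceGroups/secops-rg/providers/microsoft.insights/actionGroups/secops"}
SAMPLE_RULES = [
    {   # compliant: enabled, category + operationName, action group attached
        "name": "sql-firewall-write", "enabled": True, "scopes": [_SUB],
        "condition": {"allOf": [
            {"field": "category", "equals": "Administrative"},
            {"field": "operationName", "equals": TARGET_OPERATION},
        ]},
        "actions": {"actionGroups": [_AG]},
    },
    {   # non-compliant: extra level=Verbose filter and no action group
        "name": "sql-firewall-write-verbose", "enabled": True, "scopes": [_SUB],
        "condition": {"allOf": [
            {"field": "category", "equals": "Administrative"},
            {"field": "operationName", "equals": TARGET_OPERATION},
            {"field": "level", "equals": "Verbose"},
        ]},
        "actions": {"actionGroups": []},
    },
    {   # non-compliant: correct condition and action, but disabled
        "name": "sql-firewall-write-disabled", "enabled": False, "scopes": [_SUB],
        "condition": {"allOf": [
            {"field": "category", "equals": "Administrative"},
            {"field": "operationName", "equals": TARGET_OPERATION},
        ]},
        "actions": {"actionGroups": [_AG]},
    },
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        ok, why = evaluate_alert(rule)
        print(f"{rule['name']}: {'PASS' if ok else 'FAIL ' + '; '.join(why)}")
    print("subscription:", "PASS" if subscription_passes(SAMPLE_RULES) else "FAIL")
```

To run it against a real subscription, feed the output of `az monitor activity-log alert list -o json` to `subscription_passes`. The second sample shows why the check rejects a Level filter: an alert pinned to Verbose-level events will not fire on an ordinary successful firewall rule write, so the rule exists but provides no coverage.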
How to fix it
Create the required alert using Azure Portal, CLI, or PowerShell.
Azure Portal:
- Navigate to Monitor > Alerts > Alert rules.
- Click Create > Alert rule.
- Set the subscription scope.
- Under Condition, choose:
  - Signal: Create/Update server firewall rule
  - Operation: Microsoft.Sql/servers/firewallRules/write
  - Category: Administrative
  - Leave Event level, Status, and Event initiated by at their default (all), so the rule is not narrowed by a Level, Status, or Caller filter.
- Under Actions, assign or create an Action Group.
- Under Details, provide an alert name and select a resource group.
- Click Review + create, then Create.
Azure CLI:
az monitor activity-log alert create \
--name "<activity log rule name>" \
--resource-group "<resource group name>" \
--scope "/subscriptions/<subscription ID>" \
--condition category=Administrative and operationName=Microsoft.Sql/servers/firewallRules/write \
--action-group <action group ID> \
--enabled true
The --condition value is read as a single expression across the space-separated tokens; do not append level=, status= or caller= clauses. --action-group accepts either the action group's full resource ID or its name when it lives in the same resource group.
PowerShell:
# Build the condition set: category=Administrative AND operationName=<firewall rule write>.
# Do not add a level, status or caller condition: the check requires none, and a filter such as
# level=Verbose would restrict the alert to Verbose-level events, which successful writes are not.
$conditions = @()
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Administrative" -Field "category"
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Microsoft.Sql/servers/firewallRules/write" -Field "operationName"
# Resolve the existing Action Group and wrap its resource ID as the alert's action.
$actionGroup = Get-AzActionGroup -ResourceGroupName "<resource group name>" -Name "<action group name>"
$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id
# Scope the rule to the whole subscription so every SQL Server in it is covered.
$scope = "/subscriptions/<subscription ID>"
# Activity Log Alert rules are global resources; -Enabled:$true works whether the parameter is a switch or a boolean.
New-AzActivityLogAlert -Name "<activity log alert rule name>" `
-ResourceGroupName "<resource group name>" `
-Condition $conditions `
-Scope $scope `
-Location "global" `
-Action $actionObject `
-SubscriptionId "<subscription ID>" `
-Enabled:$true
Update all placeholders to match your deployment.
Exceptions
This check should not be bypassed. All production environments should monitor SQL Server firewall changes. If logging is managed via a third-party SIEM or CSPM, ensure the equivalent rule exists and is auditable.