Verify that Activity Log Alert exists for Delete SQL Server Firewall Rule
Why this matters
Firewall rules in Azure SQL Servers control which IP addresses can access your databases. Deleting a firewall rule can immediately expose a SQL Server instance to unauthorized access or disrupt access for legitimate users.
Monitoring for Microsoft.Sql/servers/firewallRules/delete operations allows your team to detect and respond to unauthorized or accidental configuration changes. It also supports audit trails for change management and regulatory reporting.
What this check does
This Auto Check verifies whether an Activity Log Alert exists for the operation Microsoft.Sql/servers/firewallRules/delete.
Check Logic:
Passes if:
At least one enabled alert rule exists with the following:
- Category set to Administrative
- Operation name equal to Microsoft.Sql/servers/firewallRules/delete
- No filters on Level, Status, or Caller
- An Action Group assigned for notifications
Fails if:
- No matching rule is found, or the rule is disabled or improperly scoped.
This check evaluates the current alert rules using Azure Monitor's API and validates each condition explicitly.
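The pass/fail logic above, applied to alert rule documents in the shape the Microsoft.Insights/activityLogAlerts API returns (for example the output of `az monitor activity-log alert list -o json`). This is an added example, not the Auto Check's own implementation; the subscription ID, action group ID and rule names are constructed placeholders, and the "improperly scoped" condition is interpreted as "not scoped to the subscription", which is the scope the fix steps use. The sample set includes the failure modes a reviewer should recognise: a rule that filters on Level, a disabled rule, and a rule with no Action Group.

```python
from __future__ import annotations

from typing import Iterable

TARGET_OPERATION = "Microsoft.Sql/servers/firewallRules/delete"
# The check requires that none of these fields carry a filter.
FORBIDDEN_FILTER_FIELDS = ("level", "status", "caller")

# Placeholder values (constructed for this example, not real identifiers).
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
ACTION_GROUP_ID = (
    f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-monitoring"
    "/providers/microsoft.insights/actionGroups/ag-security"
)


def _leaf_conditions(condition: dict) -> list[dict]:
    """Flatten the allOf / anyOf structure into leaf {field, equals} entries."""
    leaves: list[dict] = []
    for entry in condition.get("allOf", []):
        # An allOf entry is either a leaf or an anyOf list of leaves.
        leaves.extend(entry.get("anyOf", [entry]))
    return leaves


def evaluate_rule(rule: dict, subscription_id: str) -> list[str]:
    """Return the list of findings for one rule; an empty list means it satisfies the check."""
    props = rule.get("properties", {})
    findings: list[str] = []

    if not props.get("enabled", False):
        findings.append("rule is disabled")

    expected_scope = f"/subscriptions/{subscription_id}".lower()
    if expected_scope not in [s.lower() for s in props.get("scopes", [])]:
        findings.append("rule is not scoped to the subscription")

    # Group condition values by field name (field names are case-insensitive).
    fields: dict[str, list[str]] = {}
    for leaf in _leaf_conditions(props.get("condition", {})):
        field = str(leaf.get("field", "")).lower()
        fields.setdefault(field, []).append(str(leaf.get("equals", "")))

    def has(field: str, value: str) -> bool:
        return value.lower() in (v.lower() for v in fields.get(field, []))

    if not has("category", "Administrative"):
        findings.append("category is not Administrative")
    if not has("operationname", TARGET_OPERATION):
        findings.append(f"operationName is not {TARGET_OPERATION}")
    for field in FORBIDDEN_FILTER_FIELDS:
        if field in fields:
            findings.append(f"rule filters on {field}: {fields[field]}")

    if not props.get("actions", {}).get("actionGroups"):
        findings.append("no action group assigned")
    return findings


def check_subscription(rules: Iterable[dict], subscription_id: str) -> tuple[bool, dict[str, list[str]]]:
    """Pass when at least one rule has no findings; return the per-rule findings as well."""
    report = {rule.get("name", "<unnamed>"): evaluate_rule(rule, subscription_id) for rule in rules}
    return any(not f for f in report.values()), report


def _rule(name: str, enabled: bool, conditions: list[dict], action_groups: list[str]) -> dict:
    """Build a constructed alert rule document in the activityLogAlerts API shape."""
    return {
        "name": name,
        "properties": {
            "enabled": enabled,
            "scopes": [f"/subscriptions/{SUBSCRIPTION_ID}"],
            "condition": {"allOf": conditions},
            "actions": {"actionGroups": [{"actionGroupId": g} for g in action_groups]},
        },
    }


_BASE = [
    {"field": "category", "equals": "Administrative"},
    {"field": "operationName", "equals": TARGET_OPERATION},
]

# Constructed sample rules: one compliant rule and three that should be reported.
SAMPLE_RULES = [
    _rule("sql-fw-delete-ok", True, _BASE, [ACTION_GROUP_ID]),
    _rule("sql-fw-delete-level-filter", True, _BASE + [{"field": "level", "equals": "Verbose"}], [ACTION_GROUP_ID]),
    _rule("sql-fw-delete-disabled", False, _BASE, [ACTION_GROUP_ID]),
    _rule("sql-fw-delete-no-action", True, _BASE, []),
]

if __name__ == "__main__":
    passed, report = check_subscription(SAMPLE_RULES, SUBSCRIPTION_ID)
    print("PASS" if passed else "FAIL")
    for name, findings in report.items():
        print(f"  {name}: {findings or 'ok'}")
```

Feeding the real rule list in place of SAMPLE_RULES (for example by loading the JSON that `az monitor activity-log alert list` prints) reproduces the check locally before the Auto Check runs; the per-rule findings tell you which condition a near-miss rule violates.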
How to fix it
You can create the required alert using Azure Portal, CLI, or PowerShell.
Azure Portal:
- Go to Monitor > Alerts > Alert rules.
- Click Create > Alert rule.
- Set the scope to your subscription.
- Under Condition, choose:
  - Signal: Delete server firewall rule
  - Operation: Microsoft.Sql/servers/firewallRules/delete
  - Category: Administrative
- Under Actions, assign or create an Action Group to notify your team.
- Under Details, enter an alert name and select a resource group.
- Click Review + create, then Create.
Azure CLI:
az monitor activity-log alert create \
--name "<activity log rule name>" \
--resource-group "<resource group name>" \
--scope "/subscriptions/<subscription ID>" \
--condition category=Administrative and operationName=Microsoft.Sql/servers/firewallRules/delete \
--action-group <action group ID> \
--enabled true
PowerShell:
# Build the condition set: Administrative category plus the delete operation.
# Do not add a Level, Status or Caller condition: the check requires no filters
# on those fields, and a Level filter would also keep the alert from firing.
$conditions = @()
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Administrative" -Field "category"
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Microsoft.Sql/servers/firewallRules/delete" -Field "operationName"
# Look up the existing Action Group that should receive the notifications.
$actionGroup = Get-AzActionGroup -ResourceGroupName "<resource group name>" -Name "<action group name>"
$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id
# Scope the rule to the whole subscription so every SQL Server in it is covered.
$scope = "/subscriptions/<subscription ID>"
New-AzActivityLogAlert -Name "<activity log alert rule name>" `
    -ResourceGroupName "<resource group name>" `
    -Condition $conditions `
    -Scope $scope `
    -Location "global" `
    -Action $actionObject `
    -SubscriptionId "<subscription ID>" `
    -Enabled:$true
Update all placeholders with values from your Azure setup.
Exceptions
There are no valid exceptions. SQL Server firewall changes are sensitive and must be monitored. If an external monitoring solution is used in place of Azure Monitor, document the equivalency and ensure alerting is functionally equivalent.