Verify that Activity Log Alert exists for Delete SQL Server Firewall Rule

Framework Reference: A.8.16 Integration: Azure – Activity Log Alerts

Why this matters

Firewall rules in Azure SQL Servers control which IP addresses can access your databases. Deleting a firewall rule can immediately expose a SQL Server instance to unauthorized access or disrupt access for legitimate users.

Monitoring for Microsoft.Sql/servers/firewallRules/delete operations allows your team to detect and respond to unauthorized or accidental configuration changes. It also supports audit trails for change management and regulatory reporting.


What this check does

This Auto Check verifies whether an Activity Log Alert exists for the operation:

Microsoft.Sql/servers/firewallRules/delete

Check Logic:
Passes if:

At least one enabled alert rule exists with the following:

  • Category set to Administrative
  • Operation name equal to Microsoft.Sql/servers/firewallRules/delete
  • No filters on Level, Status, or Caller
  • An Action Group assigned for notifications

Fails if:

  • No matching rule is found, or the rule is disabled or improperly scoped.

This check evaluates the current alert rules using Azure Monitor’s API and validates each condition explicitly.
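The following is an added example, not the vendor's own check code, of how the pass/fail logic above can be evaluated over alert rules returned by the Azure Monitor API (Microsoft.Insights/activityLogAlerts). It assumes the REST resource shape (properties.enabled, properties.scopes, properties.condition.allOf with field/equals leaves, properties.actions.actionGroups); the three sample rules and the subscription ID are constructed for the demonstration. Field names and values are compared case-insensitively, which is how Azure treats them.

```python
import json

TARGET_OPERATION = "Microsoft.Sql/servers/firewallRules/delete"
# Fields the check requires to be unfiltered (from the "Passes if" list above)
DISALLOWED_FILTER_FIELDS = {"level", "status", "caller"}

# Constructed sample data: one compliant rule, one with a level filter
# (as a stray "-Field level" condition would produce), one disabled rule.
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
SAMPLE_RULES = json.loads("""[
 {"name": "sql-fw-delete-ok", "properties": {"enabled": true,
   "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
   "condition": {"allOf": [
     {"field": "category", "equals": "Administrative"},
     {"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/delete"}]},
   "actions": {"actionGroups": [{"actionGroupId": "/subscriptions/x/resourceGroups/rg/providers/microsoft.insights/actionGroups/secops"}]}}},
 {"name": "sql-fw-delete-level-filtered", "properties": {"enabled": true,
   "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
   "condition": {"allOf": [
     {"field": "category", "equals": "Administrative"},
     {"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/delete"},
     {"field": "level", "equals": "Verbose"}]},
   "actions": {"actionGroups": [{"actionGroupId": "/subscriptions/x/resourceGroups/rg/providers/microsoft.insights/actionGroups/secops"}]}}},
 {"name": "sql-fw-delete-disabled", "properties": {"enabled": false,
   "scopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
   "condition": {"allOf": [
     {"field": "category", "equals": "Administrative"},
     {"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/delete"}]},
   "actions": {"actionGroups": []}}}
]""")


def _leaf_conditions(condition):
    """Flatten allOf/anyOf nesting into a flat list of {field, equals} leaves."""
    leaves = []
    for item in condition.get("allOf", []):
        if "anyOf" in item:
            leaves.extend(_leaf_conditions({"allOf": item["anyOf"]}))
        elif "field" in item:
            leaves.append(item)
    return leaves


def evaluate_rule(rule, subscription_id):
    """Return (passes, reasons) for one activity log alert rule in REST shape."""
    props = rule.get("properties", {})
    reasons = []
    if not props.get("enabled", False):
        reasons.append("rule is disabled")
    expected_scope = f"/subscriptions/{subscription_id}".lower()
    if not any(s.lower() == expected_scope for s in props.get("scopes", [])):
        reasons.append("scope does not cover the subscription")
    # Group condition values by field so each requirement can be checked explicitly
    by_field = {}
    for leaf in _leaf_conditions(props.get("condition", {})):
        by_field.setdefault(leaf["field"].lower(), []).append(str(leaf.get("equals", "")).lower())
    if "administrative" not in by_field.get("category", []):
        reasons.append("category is not Administrative")
    if TARGET_OPERATION.lower() not in by_field.get("operationname", []):
        reasons.append("operationName does not match")
    extra = sorted(DISALLOWED_FILTER_FIELDS & set(by_field))
    if extra:
        reasons.append("disallowed filters on: " + ", ".join(extra))
    groups = props.get("actions", {}).get("actionGroups", [])
    if not any(g.get("actionGroupId") for g in groups):
        reasons.append("no action group assigned")
    return (not reasons, reasons)


def check_subscription(rules, subscription_id):
    """Pass when at least one rule passes; also return per-rule findings."""
    findings = {r.get("name", "?"): evaluate_rule(r, subscription_id) for r in rules}
    return any(ok for ok, _ in findings.values()), findings


if __name__ == "__main__":
    status, findings = check_subscription(SAMPLE_RULES, SUBSCRIPTION_ID)
    print("PASS" if status else "FAIL")
    for name, (ok, reasons) in findings.items():
        print(f"  {name}: {'ok' if ok else 'fail'} {reasons}")
```

In practice the rules list would come from the API (for example `az monitor activity-log alert list --subscription <subscription ID>`, whose output flattens `properties` to the top level, so adjust the accessor accordingly). The second sample rule shows why the "no filters on Level" requirement matters: a rule constrained to Verbose-level events will never fire for a real firewall rule deletion, which is logged at the Informational level.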

How to fix it

You can create the required alert using Azure Portal, CLI, or PowerShell.

Azure Portal:

  1. Go to Monitor > Alerts > Alert rules.
  2. Click Create > Alert rule.
  3. Set the scope to your subscription.
  4. Under Condition, choose:
       • Signal: Delete server firewall rule
       • Operation: Microsoft.Sql/servers/firewallRules/delete
       • Category: Administrative
  5. Under Actions, assign or create an Action Group to notify your team.
  6. Under Details, enter an alert name and select a resource group.
  7. Click Review + create, then Create.

Azure CLI:

az monitor activity-log alert create \
  --name "<activity log rule name>" \
  --resource-group "<resource group name>" \
  --scope "/subscriptions/<subscription ID>" \
  --condition "category=Administrative and operationName=Microsoft.Sql/servers/firewallRules/delete" \
  --action-group "<action group ID>" \
  --enabled true

PowerShell:

$conditions = @()
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Administrative" -Field "category"
$conditions += New-AzActivityLogAlertAlertRuleAnyOfOrLeafConditionObject -Equal "Microsoft.Sql/servers/firewallRules/delete" -Field "operationName"
# Do not add conditions on level, status or caller: the check requires the rule to be unfiltered on those fields.
$actionGroup = Get-AzActionGroup -ResourceGroupName "<resource group name>" -Name "<action group name>"
$actionObject = New-AzActivityLogAlertActionGroupObject -Id $actionGroup.Id
$scope = "/subscriptions/<subscription ID>"
New-AzActivityLogAlert -Name "<activity log alert rule name>" `
  -ResourceGroupName "<resource group name>" `
  -Condition $conditions `
  -Scope $scope `
  -Location "global" `
  -Action $actionObject `
  -SubscriptionId "<subscription ID>" `
  -Enabled

Update all placeholders with values from your Azure setup.


Exceptions

There are no valid exceptions. SQL Server firewall changes are sensitive and must be monitored. If an external monitoring solution is used in place of Azure Monitor, document the equivalency and ensure alerting is functionally equivalent.

