Azure SQL Connector
Connect DB Audit to Azure SQL Database for comprehensive query monitoring, Azure AD authentication tracking, and compliance reporting with native Query Store integration.
Query Store Native
Built-in query performance tracking
Azure AD Support
MFA and Managed Identity auth
<1% Performance Impact
Read-only system view queries
What You Can Monitor
Query Monitoring
Track every T-SQL query with full query text, execution stats, and query store integration.
Authentication Tracking
Monitor Azure AD and SQL logins, MFA events, and conditional access policy enforcement.
Schema Change Detection
Detect and alert on DDL operations, permission changes, and security configuration modifications.
Threat Detection
Integrate with Azure Defender for SQL to correlate security alerts with audit events.
Requirements
Configuration Reference
Basic Connection
| Field | Type | Required | Description |
|---|---|---|---|
name | string | Yes | A unique name to identify this connection |
server | string | Yes | Azure SQL server name (e.g., server.database.windows.net) |
port | number | Yes | Azure SQL port |
database | string | Yes | Database name to connect to |
username | string | No | SQL username (for SQL auth) |
password | password | No | SQL password (stored encrypted) |
Azure AD Authentication
| Field | Type | Default | Description |
|---|---|---|---|
auth_type | select | sql | Authentication type |
tenant_id | string | - | Azure AD tenant ID (for Azure AD auth) |
client_id | string | - | Application (client) ID (for service principal auth) |
client_secret | password | - | Client secret (stored encrypted) |
Log Collection
| Field | Type | Default | Description |
|---|---|---|---|
log_collection_type | select | native_audit | Method for collecting audit logs |
polling_interval | number | 60 | Seconds between log collection polls |
use_query_store | boolean | true | Use Query Store for query history |
Log Collection Methods
DB Audit supports multiple methods for collecting audit data from Azure SQL Database.
SQL Audit & Extended Events
RecommendedQuery sys.fn_get_audit_file and Extended Events for comprehensive audit data.
Azure Monitor Diagnostic Logs
Collect audit events from Azure Monitor diagnostic settings for centralized logging.
Create Audit User
Create a dedicated read-only user with access to Query Store and system views.
-- Create a dedicated audit user in Azure SQL Database
-- Connect as admin
-- Option 1: SQL Authentication
CREATE LOGIN dbaudit_reader WITH PASSWORD = 'your_secure_password';
CREATE USER dbaudit_reader FOR LOGIN dbaudit_reader;
-- Grant minimum required permissions
GRANT VIEW DATABASE STATE TO dbaudit_reader;
GRANT SELECT ON sys.dm_exec_query_stats TO dbaudit_reader;
GRANT SELECT ON sys.dm_exec_sql_text TO dbaudit_reader;
GRANT SELECT ON sys.query_store_query TO dbaudit_reader;
GRANT SELECT ON sys.query_store_query_text TO dbaudit_reader;
GRANT SELECT ON sys.query_store_plan TO dbaudit_reader;
GRANT SELECT ON sys.query_store_runtime_stats TO dbaudit_reader;
GRANT VIEW ANY COLUMN MASTER KEY DEFINITION TO dbaudit_reader;
GRANT VIEW ANY COLUMN ENCRYPTION KEY DEFINITION TO dbaudit_reader;
-- For audit log access (if using SQL Audit)
GRANT CONTROL SERVER TO dbaudit_reader; -- Or specific audit permissions
-- Option 2: Azure AD Authentication (recommended)
-- Create user from Azure AD
CREATE USER [dbaudit-app@yourdomain.com] FROM EXTERNAL PROVIDER;
-- Or service principal:
CREATE USER [dbaudit-service-principal] FROM EXTERNAL PROVIDER;
-- Grant same permissions as above
GRANT VIEW DATABASE STATE TO [dbaudit-app@yourdomain.com];
-- ... (repeat other grants)Enable Query Store & Auditing
Enable Query Store and configure auditing for comprehensive query tracking.
-- Enable SQL Audit in Azure Portal or via T-SQL
-- This configures database-level auditing to Azure Blob Storage
-- Via Azure Portal:
-- 1. Navigate to your SQL Server/Database
-- 2. Security > Auditing
-- 3. Enable auditing and configure storage account
-- Via T-SQL (Server-level audit specification)
-- Note: Azure SQL Database uses Azure Auditing, not traditional SQL Audit
-- Enable Extended Events for detailed query tracking
CREATE EVENT SESSION [DBaudit_QueryTracking] ON DATABASE
ADD EVENT sqlserver.sql_statement_completed(
ACTION(sqlserver.database_name, sqlserver.username, sqlserver.client_app_name,
sqlserver.client_hostname, sqlserver.sql_text)
WHERE sqlserver.database_name = 'your_database'
),
ADD EVENT sqlserver.login(
ACTION(sqlserver.client_app_name, sqlserver.client_hostname)
),
ADD EVENT sqlserver.logout(
ACTION(sqlserver.client_app_name, sqlserver.client_hostname)
)
ADD TARGET package0.ring_buffer(SET max_memory=4096)
WITH (STARTUP_STATE=ON);
ALTER EVENT SESSION [DBaudit_QueryTracking] ON DATABASE STATE = START;
-- Enable Query Store (recommended)
ALTER DATABASE [your_database] SET QUERY_STORE = ON;
ALTER DATABASE [your_database] SET QUERY_STORE (
OPERATION_MODE = READ_WRITE,
DATA_FLUSH_INTERVAL_SECONDS = 900,
INTERVAL_LENGTH_MINUTES = 60,
MAX_STORAGE_SIZE_MB = 1000
);Configure DB Audit Collector
Add your Azure SQL Database to the DB Audit configuration.
databases:
- name: production-azure-sql
type: azure_sql
server: your-server.database.windows.net
port: 1433
database: your_database
# Authentication (choose one)
# Option 1: SQL Authentication
auth_type: sql
username: dbaudit_reader
password: ${AZURE_SQL_PASSWORD}
# Option 2: Azure AD Service Principal
# auth_type: azure_ad
# tenant_id: your-tenant-id
# client_id: your-app-client-id
# client_secret: ${AZURE_CLIENT_SECRET}
# Option 3: Managed Identity (when running in Azure)
# auth_type: managed_identity
# client_id: managed-identity-client-id # optional, for user-assigned MI
# Connection settings
connection:
encrypt: true
trust_server_certificate: false
connect_timeout: 30
# Monitoring options
options:
track_queries: true
track_connections: true
track_ddl: true
use_query_store: true
polling_interval: 60Test Connection
Verify your configuration before deploying.
# Test connection with sqlcmd
sqlcmd -S your-server.database.windows.net -d your_database \
-U dbaudit_reader -P 'your_password' \
-Q "SELECT @@VERSION;"
# Test with Azure AD authentication
sqlcmd -S your-server.database.windows.net -d your_database \
-G -U your-azure-ad-user@domain.com \
-Q "SELECT @@VERSION;"
# Test Query Store access
sqlcmd -S your-server.database.windows.net -d your_database \
-U dbaudit_reader -P 'your_password' \
-Q "SELECT COUNT(*) FROM sys.query_store_query;"
# Verify DB Audit collector can connect
dbaudit-collector test-connections --config /etc/dbaudit/config.yamlCompliance Support
DB Audit's Azure SQL connector helps you meet audit requirements for major compliance frameworks.
Troubleshooting
Connection timeout
Check that your IP is in the Azure SQL firewall rules. Verify the server name includes .database.windows.net.
Azure AD authentication failed
Verify the Azure AD admin is configured for the server. Check tenant ID and client ID are correct.
Query Store not returning data
Ensure Query Store is enabled: ALTER DATABASE [db] SET QUERY_STORE = ON;. Data may take a few minutes to populate.
Ready to Audit Your Azure SQL Database?
Start monitoring your Azure SQL databases in minutes with native Query Store integration.