Merge pull request #2563 from MicrosoftDocs/main

Auto Publish – main to live - 2026-02-26 12:00 UTC

Author: learn-build-service-prod[bot]

.openpublishing.redirection.defender-for-cloud.json

@@ -462,7 +462,7 @@
     },
     {
       "source_path_from_root": "/articles/defender-for-cloud/identify-sql-servers-protected-by-mma.md",
-      "redirect_url": "/azure/defender-for-cloud/defender-for-sql-servers-introduction",
+      "redirect_url": "/azure/defender-for-cloud/identify-sql-servers-protected-by-monitor-agent",
       "redirect_document_id": false
     },
     {

articles/defender-for-cloud/TOC.yml

@@ -145,6 +145,9 @@
                 - name: Update Defender for SQL Servers on Machines plan configuration
                   displayName: SQL, SQL servers, defender, machines
                   href: update-sql-machine-configuration.md
+                - name: Identify SQL Servers protected by Microsoft Monitoring Agent
+                  displayName: SQL, SQL servers, defender, machines, identify, Microsoft Monitoring Agent, MMA
+                  href: identify-sql-servers-protected-by-monitor-agent.md
                 - name: Verify SQL machine protection
                   displayName: SQL, SQL servers, defender, machines
                   href: verify-machine-protection.md

articles/defender-for-cloud/containers-permissions.md

@@ -44,45 +44,38 @@ The Azure Arc built-in role **Defender Kubernetes Agent Operator** to provision
 
 ## AWS Agentless threat protection permissions
 
-- AzureDefenderKubernetesRole:
-  - sts:AssumeRole
-  - sts:AssumeRoleWithWebIdentity
-  - logs:PutSubscriptionFilter
-  - logs:DescribeSubscriptionFilters
-  - logs:DescribeLogGroups
-  - logs:PutRetentionPolicy
-  - firehose:*
-  - iam:PassRole
-  - eks:UpdateClusterConfig
-  - eks:DescribeCluster
-  - eks:CreateAccessEntry
-  - eks:ListAccessEntries
-  - eks:AssociateAccessPolicy
-  - eks:ListAssociatedAccessPolicies
-  - sqs:*
-  - s3:*
+- AzureDefenderKubernetesRole (default role name: **MDCContainersK8sRole**): 
 
-- AzureDefenderKubernetesScubaReaderRole (default role name: **MDCContainersK8sDataCollectionRole**):
 - sts:AssumeRole
 - sts:AssumeRoleWithWebIdentity
-- sqs:ReceiveMessage
-- sqs:DeleteMessage
-- s3:GetObject
-- s3:GetBucketLocation
-
-- AzureDefenderCloudWatchToKinesisRole (default role name: **MDCContainersK8sCloudWatchToKinesisRole**):
-- sts:AssumeRole
+- logs:PutSubscriptionFilter
+- logs:DescribeSubscriptionFilters
+- logs:DescribeLogGroups
+- logs:PutRetentionPolicy
 - firehose:*
+- iam:PassRole
+- eks:UpdateClusterConfig
+- eks:DescribeCluster
+- eks:CreateAccessEntry
+- eks:ListAccessEntries
+- eks:AssociateAccessPolicy
+- eks:ListAssociatedAccessPolicies
+- sqs:*
+- s3:*
 
-- AzureDefenderKinesisToS3Role (default role name: **MDCContainersK8sKinesisToS3Role**):
-- sts:AssumeRole
-- s3:AbortMultipartUpload
-- s3:GetBucketLocation
-- s3:GetObject
-- s3:ListBucket
-- s3:ListBucketMultipartUploads
-- s3:PutObject
+- AzureDefenderKubernetesScubaReaderRole (default role name: **MDCContainersK8sDataCollectionRole**):
+  - sts:AssumeRole
+   - sts:AssumeRoleWithWebIdentity
+   - sqs:ReceiveMessage
+   - sqs:DeleteMessage
+   - s3:GetObject
+   - s3:GetBucketLocation
 
+- AzureDefenderCloudWatchToKinesisRole (default role name: **MDCContainersK8sCloudWatchToKinesisRole**):
+  - sts:AssumeRole
+  - firehose:*
+    
+- AzureDefenderKinesisToS3Role (default role name: **MDCContainersK8sKinesisToS3Role**):
 - MDCContainersAgentlessDiscoveryK8sRole
   - sts:AssumeRoleWithWebIdentity
   - eks:UpdateClusterConfig
@@ -179,4 +172,4 @@ The following tables show the permissions granted to certain Defender for Contai
 
 ## Next steps
 
-- [Containers support matrix in Defender for Cloud](support-matrix-defender-for-containers.md)
+- [Containers support matrix in Defender for Cloud](support-matrix-defender-for-containers.md)

articles/defender-for-cloud/identify-sql-servers-protected-by-monitor-agent.md

@@ -0,0 +1,54 @@
+---
+title: Identify SQL Servers protected by Microsoft Monitoring Agent
+description: Learn how to identify SQL servers protected by the Microsoft Monitoring Agent (MMA) in your environment without having Azure Arc installed
+ms.topic: how-to
+ms.date: 02/26/2026
+ms.author: Elkrieger
+author: ElazarK
+# customer intent: As a user, I want to learn how to identify SQL servers that are protected by Microsoft Monitoring Agent (MMA) in my environment so that I can assess their security posture.
+---
+
+# Identify SQL Servers protected by Microsoft Monitoring Agent
+
+Microsoft Defender for Cloud's Defender for SQL Server on Machines plan provides database security to protect SQL Server instances hosted on Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and on-premises machines. With the retirement of the Microsoft Monitoring Agent (MMA), on August 1,2024, the Defender for SQL Server on Machines plan requires meeting the [required perquisites](defender-for-sql-usage.md#prerequisites) and deploying Azure Arc on all non-Azure SQL Server instances.
+
+Once Azure Arc is deployed and following the [release on the updated agent](release-notes-archive.md#update-to-defender-for-sql-servers-on-machines-plan), your SQL Server instances will migrate automatically and seamlessly to the updated agent. To ensure your SQL servers are correctly protected, we recommend the [installation of Azure Arc](quickstart-onboard-machines.md#connect-on-premises-machines-by-using-azure-arc).
+
+> [!NOTE]
+>  This change might affect your pricing. For information regarding the plan pricing, review [Microsoft Defender for Cloud pricing](https://azure.microsoft.com/pricing/details/defender-for-cloud/).
+
+## Determine which SQL servers are protected by the legacy MMA
+
+You can identify SQL servers onboarded to the Defender for SQL Server on Machines plan with the legacy MMA in your environment without Azure Arc installed.
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+1. Search for and select **Azure Resource Graph Explorer**.
+
+1. Copy and paste the following query into the query window: 
+
+    ```kusto
+    securityresources 
+    | where type == "microsoft.security/assessments/subassessments" 
+    | extend assessmentKey = extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id) 
+    | where assessmentKey == "f97aa83c-9b63-4f9a-99f6-b22c4398f936" 
+    | where tostring(properties.resourceDetails.source) == "OnPremiseSql" 
+    | extend lastScanTime = todatetime(properties.timeGenerated) 
+    | where lastScanTime > ago(30d) 
+    | extend machineName = tostring(properties.resourceDetails.machineName) 
+    | extend machineUuid = tostring(properties.resourceDetails.vmuuid) 
+    | distinct machineName, machineUuid
+    ```
+
+1. Select **Run query**.
+
+    :::image type="content" source="media/identify-sql-servers-protected-by-mma/run-query.png" alt-text="Screenshot that shows the pasted query and where to find the Run query button." lightbox="media/identify-sql-servers-protected-by-mma/run-query.png":::
+
+1. For any results returned, [connect hybrid machines with Azure Arc-enabled servers](/azure/azure-arc/servers/learn/quick-enable-hybrid-vm).
+
+## Related content
+
+- [Upcoming changes to Defender for SQL servers on Machines plan](release-notes-archive.md#update-to-defender-for-sql-servers-on-machines-plan)
+- [Enable Defender for SQL Servers on Machines](defender-for-sql-usage.md)
+- [Verify SQL machine protection](verify-machine-protection.md)
+- [Troubleshoot Defender for SQL on Machines configuration](troubleshoot-sql-machines-guide.md)

articles/defender-for-cloud/regional-availability.md

@@ -18,10 +18,10 @@ This article gives an overview of where you can use Microsoft Defender for Cloud
 ### Defender for Servers P2 (Agentless scanning)
 
 **Supported regions:**  
-Asia East, Asia Southeast, Australia Central 2, Australia East, Australia Southeast, Brazil South, Canada Central, Canada East, Central US, East US, East US 2, France Central, Germany West Central, India Central, India South, India West, Japan East, Japan West, Korea Central, Korea South, New Zealand North, North Central US, North Europe, Norway East, Poland Central, Qatar Central, South Africa North, South Central US, Spain Central, Sweden Central, Switzerland North, UAE North, UK South, UK West, US Gov East, US Gov South Central, US Gov Southwest, West Central US, West Europe, West US, West US 2, West US 3
+Asia East, Asia Southeast, Australia Central 2, Australia East, Australia Southeast, Austria East, Belgium Central, Brazil South, Brazil Southeast, Canada Central, Canada East, Central US, Chile Central, East US, East US 2, France Central, Germany West Central, India Central, India South, India West, Israel North West, Japan East, Japan West, Korea Central, Korea South, Malaysia South, New Zealand North, North Central US, North Europe, Norway East, Poland Central, Qatar Central, South Africa North, South Central US, South East US, South East US 3, Spain Central, Sweden Central, Sweden South, Switzerland North, Taiwan North, Taiwan North West, UAE North, UK South, UK West, US Gov East, US Gov South Central, US Gov Southwest, West Central US, West Europe, West US, West US 2, West US 3
 
 **Unsupported regions:**  
-Asia Northeast, Austria East, Belgium Central, Brazil Southeast, Central US (EU Access Program), Chile Central, China East, China East 2, China East 3, China North, China North 2, China North 3, East US 2 (EU Access Program), EU SSLV, France South, Germany North, Indonesia Central, Israel Central, Israel North West, Italy North, Jio India Central, Jio India West, Malaysia South, Mexico Central, Norway West, South Africa West, South East US, South East US 3, South US 2, Sweden South, Switzerland West, Taiwan North, Taiwan North West, UAE Central, US DoD Central, US DoD East
+Asia Northeast, Central US (EU Access Program), China East, China East 2, China East 3, China North, China North 2, China North 3, East US 2 (EU Access Program), EU SSLV, France South, Germany North, Indonesia Central, Israel Central, Italy North, Jio India Central, Jio India West, Mexico Central, Norway West, South Africa West, South US 2, Switzerland West, UAE Central, US DoD Central, US DoD East
 
 ### Defender for Servers P1
 
@@ -35,7 +35,7 @@ Asia East, Asia Southeast, Asia Northeast, Australia Central 2, Australia East,
 **Unsupported regions:**  
 Austria East, Belgium Central, Chile Central, China East 2, China North, China North 2, China North 3, EU SSLV, India West, Indonesia Central, Israel North West, Jio India Central, Jio India West, Malaysia South, South East US 3, South US 2, Taiwan North, Taiwan North West, UAE Central, US DoD Central, US DoD East
 
-****** Supported via API management only.
+***** Supported via API management only.
 
 ### Defender for Storage (Malware Scanning)