
Commit a0380ad

Merge pull request #54495 from MicrosoftDocs/NEW-configure-azure-sql-auditing
Can you release to main please --> New configure azure sql auditing
2 parents 9760123 + 9909118 commit a0380ad

19 files changed

Lines changed: 484 additions & 0 deletions
Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,14 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.configure-azure-sql-auditing.introduction
3+
title: Introduction
4+
metadata:
5+
title: Introduction
6+
description: "Introduction to configuring audit logging for Azure SQL Database and SQL Managed Instance."
7+
ms.date: 04/22/2026
8+
author: r-c-stewart
9+
ms.author: roberts
10+
ms.topic: unit
11+
ai-usage: ai-generated
12+
durationInMinutes: 2
13+
content: |
14+
[!include[](includes/1-introduction.md)]
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.configure-azure-sql-auditing.describe-azure-sql-auditing-capabilities
3+
title: Describe Azure SQL auditing capabilities
4+
metadata:
5+
title: Describe Azure SQL Auditing Capabilities
6+
description: "Describe how Azure SQL auditing works, select audit action groups, compare server-level and database-level scope, and understand retention settings for compliance."
7+
ms.date: 04/22/2026
8+
author: r-c-stewart
9+
ms.author: roberts
10+
ms.topic: unit
11+
ai-usage: ai-generated
12+
durationInMinutes: 4
13+
content: |
14+
[!include[](includes/2-describe-azure-sql-auditing-capabilities.md)]
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.configure-azure-sql-auditing.configure-audit-destinations
3+
title: Configure audit destinations for Azure SQL Database
4+
metadata:
5+
title: Configure Audit Destinations for Azure SQL Database
6+
description: "Configure audit log routing to Azure Blob Storage, Azure Monitor Log Analytics, and Event Hubs for Azure SQL Database, and enable immutable storage for tamper-resistant compliance records."
7+
ms.date: 04/22/2026
8+
author: r-c-stewart
9+
ms.author: roberts
10+
ms.topic: unit
11+
ai-usage: ai-generated
12+
durationInMinutes: 4
13+
content: |
14+
[!include[](includes/3-configure-audit-destinations.md)]
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.configure-azure-sql-auditing.configure-auditing-sql-managed-instance
3+
title: Configure auditing for SQL Managed Instance
4+
metadata:
5+
title: Configure Auditing for SQL Managed Instance
6+
description: "Configure server-level auditing for SQL Managed Instance using T-SQL CREATE SERVER AUDIT syntax and diagnostic settings, and enable auditing of Microsoft support operations."
7+
ms.date: 04/22/2026
8+
author: r-c-stewart
9+
ms.author: roberts
10+
ms.topic: unit
11+
ai-usage: ai-generated
12+
durationInMinutes: 3
13+
content: |
14+
[!include[](includes/4-configure-auditing-sql-managed-instance.md)]
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.configure-azure-sql-auditing.design-compliant-audit-strategy
3+
title: Design a compliant audit strategy
4+
metadata:
5+
title: Design a Compliant Audit Strategy
6+
description: "Design an audit strategy that combines immutable storage for tamper-resistant compliance records with Log Analytics for operational monitoring. Then you enforce coverage using Azure Policy."
7+
ms.date: 04/22/2026
8+
author: r-c-stewart
9+
ms.author: roberts
10+
ms.topic: unit
11+
ai-usage: ai-generated
12+
durationInMinutes: 3
13+
content: |
14+
[!include[](includes/5-design-compliant-audit-strategy.md)]
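Review bot: the unit description switches voice halfway through: "Design an audit strategy that combines ..." is an imperative summary like the other units, but "Then you enforce coverage using Azure Policy." is a second-person sentence. Keep the single-sentence summary form used by the other units, e.g. "Design an audit strategy that combines immutable storage for tamper-resistant compliance records with Log Analytics for operational monitoring, and enforce coverage using Azure Policy."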
Lines changed: 60 additions & 0 deletions
@@ -0,0 +1,60 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.configure-azure-sql-auditing.knowledge-check
3+
title: Knowledge check
4+
metadata:
5+
title: Knowledge Check
6+
description: "Check your knowledge of configuring audit logging for Azure SQL Database and SQL Managed Instance."
7+
ms.date: 04/22/2026
8+
author: r-c-stewart
9+
ms.author: roberts
10+
ms.topic: unit
11+
module_assessment: true
12+
ai_generated_module_assessment: false
13+
durationInMinutes: 3
14+
content: |
15+
[!include[](includes/6-knowledge-check.md)]
16+
quiz:
17+
title: Check your knowledge
18+
questions:
19+
- content: "Contoso's Azure SQL Database server hosts a high-volume Online Transaction Processing (OLTP) banking application. The security team reports that server-level auditing is causing performance degradation during peak transaction hours. What change resolves this issue?"
20+
choices:
21+
- content: "Disable auditing temporarily during peak hours and re-enable it during off-peak windows"
22+
isCorrect: false
23+
explanation: "Incorrect. Disabling auditing creates compliance gaps and violates financial regulatory requirements. Temporary disabling isn't an acceptable solution for regulated workloads."
24+
- content: "Route audit logs to Event Hubs instead of Azure Storage to reduce write latency"
25+
isCorrect: false
26+
explanation: "Incorrect. The audit log destination affects where logs are stored, not the performance challenge of audit logging on the database engine. Switching destinations doesn't resolve OLTP performance degradation."
27+
- content: "Switch to database-level auditing so each database writes audit logs to its own folder independently"
28+
isCorrect: true
29+
explanation: "Correct. For high-volume OLTP environments, database-level auditing is recommended over server-level auditing. Each database manages its own extended event session and writes to a separate folder, reducing contention and improving query performance."
30+
- content: "Increase the storage account performance tier to Premium to reduce audit log write times"
31+
isCorrect: false
32+
explanation: "Incorrect. Storage performance affects write latency for stored logs, but doesn't address the database engine overhead created by the audit extended event session processing at the server level."
33+
- content: "A financial regulator requires that Contoso's database audit logs can't be altered or deleted after they're written. Which audit destination configuration meets this requirement?"
34+
choices:
35+
- content: "Azure Monitor Log Analytics workspace with a 365-day retention policy"
36+
isCorrect: false
37+
explanation: "Incorrect. Log Analytics workspaces store logs in a mutable format. Retention policies control how long logs are kept, but don't prevent modification of existing log records."
38+
- content: "Azure Blob Storage with immutable blob storage (WORM) policies configured on the audit container"
39+
isCorrect: true
40+
explanation: "Correct. Immutable blob storage enforces write-once-read-many (WORM) policies that prevent modification or deletion of audit logs for a defined period. This provides tamper-resistant records suitable for financial regulatory compliance."
41+
- content: "Event Hubs with a dedicated consumer group and 30-day message retention"
42+
isCorrect: false
43+
explanation: "Incorrect. Event Hubs is a streaming platform designed for real-time ingestion and forwarding. It doesn't provide the tamper-resistant, long-term storage required for regulatory compliance."
44+
- content: "Azure Monitor diagnostic settings with a resource lock applied to the Log Analytics workspace"
45+
isCorrect: false
46+
explanation: "Incorrect. A resource lock prevents the workspace from being deleted, but doesn't make the log records themselves immutable. Logs in Log Analytics can still be purged or modified."
47+
- content: "A cloud security engineer needs to configure SQL Managed Instance auditing to route logs to both Azure Monitor and an Event Hubs. Which configuration method is required for these nonstorage destinations?"
48+
choices:
49+
- content: "The SQL auditing screen in the Azure portal, selecting all three destinations simultaneously"
50+
isCorrect: false
51+
explanation: "Incorrect. The Azure portal auditing screen for SQL Managed Instance has different capabilities than SQL Database. For nonstorage destinations on SQL MI, T-SQL or diagnostic settings are required."
52+
- content: "T-SQL CREATE SERVER AUDIT with TO EXTERNAL_MONITOR specified as the destination"
53+
isCorrect: true
54+
explanation: "Correct. SQL Managed Instance uses T-SQL CREATE SERVER AUDIT with TO EXTERNAL_MONITOR to send audit logs to Azure Monitor (Log Analytics) or Event Hubs. This is the required method for nonstorage audit destinations on SQL MI."
55+
- content: "Enable the server audit through the Defender for Cloud recommendations panel"
56+
isCorrect: false
57+
explanation: "Incorrect. Defender for Cloud can surface a recommendation to enable auditing, but it doesn't configure the audit destinations. Destination configuration requires T-SQL or diagnostic settings on SQL Managed Instance."
58+
- content: "Configure a Log Analytics workspace directly in the SQL Managed Instance auditing settings under the Security screen"
59+
isCorrect: false
60+
explanation: "Incorrect. SQL Managed Instance auditing settings in the portal support Azure Storage as a destination. For Log Analytics and Event Hubs, you must use T-SQL with TO EXTERNAL_MONITOR or configure diagnostic settings."
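Review bot: in the third question the stem reads "an Event Hubs" (should be "an event hub" or "Event Hubs"), and its first choice, "selecting all three destinations simultaneously", does not match a stem that names only two destinations (Azure Monitor and Event Hubs); either mention Azure Storage in the stem or change the choice to "selecting both destinations simultaneously". Separately, this unit sets `ai_generated_module_assessment: false` but omits the `ai-usage: ai-generated` key that every other unit in this change carries; confirm the omission is intentional.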
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.configure-azure-sql-auditing.summary
3+
title: Summary
4+
metadata:
5+
title: Summary
6+
description: "Summary of audit logging configuration for Azure SQL Database and SQL Managed Instance."
7+
ms.date: 04/22/2026
8+
author: r-c-stewart
9+
ms.author: roberts
10+
ms.topic: unit
11+
ai-usage: ai-generated
12+
durationInMinutes: 1
13+
content: |
14+
[!include[](includes/7-summary.md)]
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
Contoso Financial Services secured their Azure SQL environment with Microsoft Entra authentication, private endpoints, and customer-managed encryption keys. But during a recent compliance audit, their financial regulator identified a critical gap: the organization can't prove who accessed the banking database, when they connected, or what queries they executed. There's no audit trail for any database activity.
2+
3+
The problem affects both the Azure SQL Database server that processes daily transactions and the SQL Managed Instance that runs credit risk assessments. An AI fraud detection service makes hundreds of queries per minute using a managed identity. However, none of those operations are recorded anywhere the compliance team can review. Contoso needs auditing enable to meet regulatory requirements for financial data access tracking.
4+
5+
In this module, you learn how Azure SQL auditing captures database activity with configurable action groups and scope settings. You explore how to send audit logs to blob storage with immutable retention, Log Analytics workspaces, or Event Hubs. You discover the configuration differences between Azure SQL Database and SQL Managed Instance, including T-SQL commands and diagnostic settings. Finally, you design a compliant audit strategy that combines multiple destinations and enforces coverage using Azure Policy.
6+
7+
By the end of this module, you can:
8+
9+
- Describe Azure SQL auditing capabilities and select appropriate audit action groups
10+
- Configure audit log destinations for Azure SQL Database
11+
- Configure auditing for SQL Managed Instance
12+
- Design a compliant audit strategy using multiple log destinations
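Review bot: the second paragraph is missing a participle: "Contoso needs auditing enable to meet regulatory requirements" should read "Contoso needs auditing enabled to meet regulatory requirements". Minor: "secured their Azure SQL environment" refers to a single organization; "its" matches the rest of the module.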
Lines changed: 58 additions & 0 deletions
@@ -0,0 +1,58 @@
1+
Azure SQL auditing tracks database events and writes them to an audit log, but it requires explicit configuration choices before it can satisfy regulatory requirements. Contoso Financial Services must determine which audit action groups meet their compliance finding and how to scope auditing for a high-volume transaction processing database.
2+
3+
| Capability | What it provides |
4+
|------------|------------------|
5+
| Event tracking | Records database operations using SQL Server Extended Events |
6+
| Audit action groups | Preconfigured sets of events like authentication, queries, and schema changes |
7+
| Server and database scope | Flexibility to audit all databases or individual high-priority databases |
8+
| Retention control | Configurable retention periods for compliance (0 = unlimited, or specific days) |
9+
10+
:::image type="content" source="../media/azure-sql-auditing-flow.png" alt-text="Diagram showing the three-stage Azure SQL auditing configuration flow: database scope, audit action groups, and retention settings writing logs to Azure Storage." lightbox="../media/azure-sql-auditing-flow.png":::
11+
12+
## Choose audit action groups for compliance requirements
13+
14+
Audit action groups determine what events Azure SQL auditing captures. The most important groups for financial compliance are BATCH_COMPLETED_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, and SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP.
15+
16+
With BATCH_COMPLETED_GROUP enabled, Azure SQL auditing records every T-SQL statement after execution completes. This group provides the most comprehensive audit trail because it captures all query activity, including SELECT statements that read sensitive financial data. With FAILED_DATABASE_AUTHENTICATION_GROUP, the audit log records every failed sign-in attempt, which helps detect brute force attacks and unauthorized access patterns.
17+
18+
For Contoso's regulatory compliance requirement, enabling all three groups—BATCH_COMPLETED_GROUP, SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, and FAILED_DATABASE_AUTHENTICATION_GROUP—captures all query activity, successful logins, and failed access attempts. This three-group combination is the Microsoft-recommended default and is what the Azure portal configures automatically when auditing is enabled. It satisfies the financial regulator's requirement to prove who accessed the banking database, when they connected, and what queries they executed. Omitting SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP means you can detect denied access but can't prove who successfully logged in—a critical gap for compliance reviews.
19+
20+
Other audit action groups provide more granular control:
21+
22+
- **DATABASE_LOGOUT_GROUP**: Records when users disconnect from the database
23+
- **DATABASE_CHANGE_GROUP**: Tracks database configuration changes like altering compatibility levels
24+
- **SCHEMA_OBJECT_ACCESS_GROUP**: Records access to specific tables and views
25+
- **DATABASE_OBJECT_PERMISSION_CHANGE_GROUP**: Tracks permission changes on database objects
26+
- **DATABASE_PERMISSION_CHANGE_GROUP**: Records changes to database-level permissions
27+
28+
Beyond these built-in groups, you can create custom audit specifications using T-SQL. Custom specifications let you audit specific tables, schemas, or statement types when the built-in groups are too broad or generate excessive log volume.
29+
30+
## Decide between server-level and database-level scope
31+
32+
Azure SQL auditing operates at two different scopes, and the choice affects both performance and log organization. Server-level auditing captures events from all databases on a logical server, while database-level auditing tracks events for a single database only.
33+
34+
The key technical difference lies in how extended event sessions are created. Server-level auditing uses a single extended event session for all databases on the logical server, while database-level auditing creates a separate session for each audited database. This architectural difference has significant performance implications for high-volume Online Transaction Processing (OLTP) environments.
35+
36+
| Aspect | Server-level | Database-level |
37+
|--------|-------------|----------------|
38+
| Scope | All databases on the logical server | Single database only |
39+
| Extended event sessions | Single session for all databases | Per-database session |
40+
| Folder structure (SQL Database) | All logs in main folder | Database-specific folder |
41+
| Performance challenge | Higher in high-volume OLTP | Better for transaction-heavy workloads |
42+
| T-SQL creation | `CREATE SERVER AUDIT` + `CREATE SERVER AUDIT SPECIFICATION` | `CREATE DATABASE AUDIT SPECIFICATION` |
43+
44+
For Contoso's transaction processing database, database-level auditing is the recommended choice. The single extended event session used by server-level auditing can cause performance degradation when handling the high transaction volume typical of financial services workloads. Database-level auditing distributes the auditing overhead across separate sessions, reducing contention.
45+
46+
The folder structure also differs between the two approaches. With server-level auditing in Azure SQL Database, all audit logs are stored in the main database's folder. With database-level auditing, each database gets its own folder, making it easier to organize and retain audit logs according to different compliance requirements.
47+
48+
## Configure retention settings for regulatory requirements
49+
50+
Retention settings control how long audit logs are preserved in storage. The default retention value is RETENTION_DAYS = 0, which means unlimited retention and never automatically deletes audit logs.
51+
52+
You can set retention to any integer value representing days. For Contoso's financial compliance requirement, a typical retention period ranges from 90 to 365 days minimum. Setting RETENTION_DAYS = 90 ensures the audit logs meet the regulator's minimum retention requirement while controlling storage costs.
53+
54+
An important behavior to understand is that retention applies only to logs written after the retention value is set. If you initially configure unlimited retention (zero days) and later change to 90 days, the logs written during the unlimited period are preserved and not automatically deleted. This behavior protects historical audit data from unintended deletion when retention policies change.
55+
56+
When the admin combines SQL auditing with immutable storage (WORM), the SQL retention setting must be longer than the immutable storage lock period. For example, if immutable storage has a 90-day lock period, RETENTION_DAYS must be set to at least 90 days to ensure audit logs remain available for the entire immutability window.
57+
58+
For AI workload queries, the audit logs capture important context. When Contoso's fraud detection AI service connects using a managed identity, the BATCH_COMPLETED_GROUP records every query attributed to the managed identity's principal name. The audit log includes the server name, database name, application name, client IP address, statement text, duration, and success or failure status for each query.
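Review bot: the immutable-storage paragraph under "Configure retention settings" contradicts itself: it states that the SQL retention setting "must be longer than the immutable storage lock period", then the example for a 90-day lock sets RETENTION_DAYS "to at least 90 days", which is equal, not longer. Pick one rule (at least as long as, or strictly longer than) and make the example match it. Two smaller points: "meet their compliance finding" in the opening paragraph should be "address their compliance finding", and the "Performance challenge" row in the scope table pairs "Higher in high-volume OLTP" with "Better for transaction-heavy workloads", which reads oddly; relabel the row "Performance impact" with "Higher in high-volume OLTP" and "Lower, suited to transaction-heavy workloads".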
