sql.azure.com/v1api20211101

"2021-11-01"

AdministratorType: Type of the sever administrator.

Login: Login name of the server administrator.

Sid: SID (object ID) of the server administrator.

TenantId: Tenant ID of the administrator.

"ActiveDirectory"

"ActiveDirectory"

AdministratorType: Type of the sever administrator.

AzureADOnlyAuthentication: Azure Active Directory only Authentication enabled.

Login: Login name of the server administrator.

Sid: SID (object ID) of the server administrator.

TenantId: Tenant ID of the administrator.

State: Specifies the state of the Advanced Threat Protection, whether it is enabled or disabled or a state has not been applied yet on the specific database or server.

CreationTime: Specifies the UTC creation time of the policy.

State: Specifies the state of the Advanced Threat Protection, whether it is enabled or disabled or a state has not been applied yet on the specific database or server.

"Disabled"

"Enabled"

"New"

"Disabled"

"Enabled"

"New"

AzureADOnlyAuthentication: Azure Active Directory only Authentication enabled.

AzureADOnlyAuthentication: Azure Active Directory only Authentication enabled.

DiffBackupIntervalInHours: The differential backup interval in hours. This is how many interval hours between each differential backup will be supported. This is only applicable to live databases but not dropped databases.

RetentionDays: The backup retention period in days. This is how many days Point-in-Time Restore will be supported.

12

24

12

24

DiffBackupIntervalInHours: The differential backup interval in hours. This is how many interval hours between each differential backup will be supported. This is only applicable to live databases but not dropped databases.

RetentionDays: The backup retention period in days. This is how many days Point-in-Time Restore will be supported.

MonthlyRetention: The monthly retention policy for an LTR backup in an ISO 8601 format.

WeekOfYear: The week of year to take the yearly backup in an ISO 8601 format.

WeeklyRetention: The weekly retention policy for an LTR backup in an ISO 8601 format.

YearlyRetention: The yearly retention policy for an LTR backup in an ISO 8601 format.

MonthlyRetention: The monthly retention policy for an LTR backup in an ISO 8601 format.

WeekOfYear: The week of year to take the yearly backup in an ISO 8601 format.

WeeklyRetention: The weekly retention policy for an LTR backup in an ISO 8601 format.

YearlyRetention: The yearly retention policy for an LTR backup in an ISO 8601 format.

AuditActionsAndGroups: Specifies the Actions-Groups and Actions to audit. The recommended set of action groups to use is the following combination - this will audit all the queries and stored procedures executed against the database, as well as successful and failed logins: BATCH_COMPLETED_GROUP, SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP. This above combination is also the set that is configured by default when enabling auditing from the Azure portal. The supported action groups to audit are (note: choose only specific groups that cover your auditing needs. Using unnecessary groups could lead to very large quantities of audit records): APPLICATION_ROLE_CHANGE_PASSWORD_GROUP BACKUP_RESTORE_GROUP DATABASE_LOGOUT_GROUP DATABASE_OBJECT_CHANGE_GROUP DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP DATABASE_OBJECT_PERMISSION_CHANGE_GROUP DATABASE_OPERATION_GROUP DATABASE_PERMISSION_CHANGE_GROUP DATABASE_PRINCIPAL_CHANGE_GROUP DATABASE_PRINCIPAL_IMPERSONATION_GROUP DATABASE_ROLE_MEMBER_CHANGE_GROUP FAILED_DATABASE_AUTHENTICATION_GROUP SCHEMA_OBJECT_ACCESS_GROUP SCHEMA_OBJECT_CHANGE_GROUP SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP USER_CHANGE_PASSWORD_GROUP BATCH_STARTED_GROUP BATCH_COMPLETED_GROUP DBCC_GROUP DATABASE_OWNERSHIP_CHANGE_GROUP DATABASE_CHANGE_GROUP LEDGER_OPERATION_GROUP These are groups that cover all sql statements and stored procedures executed against the database, and should not be used in combination with other groups as this will result in duplicate audit logs. For more information, see Database-Level Audit Action Groups. For Database auditing policy, specific Actions can also be specified (note that Actions cannot be specified for Server auditing policy). The supported actions to audit are: SELECT UPDATE INSERT DELETE EXECUTE RECEIVE REFERENCES The general form for defining an action to be audited is: {action} ON {object} BY {principal} Note that

IsAzureMonitorTargetEnabled: Specifies whether audit events are sent to Azure Monitor. In order to send the events to Azure Monitor, specify ‘State’ as ‘Enabled’ and ‘IsAzureMonitorTargetEnabled’ as true. When using REST API to configure auditing, Diagnostic Settings with ‘SQLSecurityAuditEvents’ diagnostic logs category on the database should be also created. Note that for server level audit you should use the ‘master’ database as {databaseName}. Diagnostic Settings URI format: PUT https:/​/​management.azure.com/​subscriptions/​{subscriptionId}/​resourceGroups/​{resourceGroup}/​providers/​Microsoft.Sql/​servers/​{serverName}/​databases/​{databaseName}/​providers/​microsoft.insights/​diagnosticSettings/​{settingsName}?api-version=2017-05-01-preview For more information, see Diagnostic Settings REST API or Diagnostic Settings PowerShell

IsManagedIdentityInUse: Specifies whether Managed Identity is used to access blob storage

IsStorageSecondaryKeyInUse: Specifies whether storageAccountAccessKey value is the storage’s secondary key.

QueueDelayMs: Specifies the amount of time in milliseconds that can elapse before audit actions are forced to be processed. The default minimum value is 1000 (1 second). The maximum is 2,147,483,647.

RetentionDays: Specifies the number of days to keep in the audit logs in the storage account.

State: Specifies the state of the audit. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled are required.

StorageAccountAccessKey: Specifies the identifier key of the auditing storage account. If state is Enabled and storageEndpoint is specified, not specifying the storageAccountAccessKey will use SQL server system-assigned managed identity to access the storage. Prerequisites for using managed identity authentication: 1. Assign SQL Server a system-assigned managed identity in Azure Active Directory (AAD). 2. Grant SQL Server identity access to the storage account by adding ‘Storage Blob Data Contributor’ RBAC role to the server identity. For more information, see Auditing to storage using Managed Identity authentication

StorageAccountSubscriptionId: Specifies the blob storage subscription Id.

StorageEndpoint: Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled is required.

AuditActionsAndGroups: Specifies the Actions-Groups and Actions to audit. The recommended set of action groups to use is the following combination - this will audit all the queries and stored procedures executed against the database, as well as successful and failed logins: BATCH_COMPLETED_GROUP, SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP. This above combination is also the set that is configured by default when enabling auditing from the Azure portal. The supported action groups to audit are (note: choose only specific groups that cover your auditing needs. Using unnecessary groups could lead to very large quantities of audit records): APPLICATION_ROLE_CHANGE_PASSWORD_GROUP BACKUP_RESTORE_GROUP DATABASE_LOGOUT_GROUP DATABASE_OBJECT_CHANGE_GROUP DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP DATABASE_OBJECT_PERMISSION_CHANGE_GROUP DATABASE_OPERATION_GROUP DATABASE_PERMISSION_CHANGE_GROUP DATABASE_PRINCIPAL_CHANGE_GROUP DATABASE_PRINCIPAL_IMPERSONATION_GROUP DATABASE_ROLE_MEMBER_CHANGE_GROUP FAILED_DATABASE_AUTHENTICATION_GROUP SCHEMA_OBJECT_ACCESS_GROUP SCHEMA_OBJECT_CHANGE_GROUP SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP USER_CHANGE_PASSWORD_GROUP BATCH_STARTED_GROUP BATCH_COMPLETED_GROUP DBCC_GROUP DATABASE_OWNERSHIP_CHANGE_GROUP DATABASE_CHANGE_GROUP LEDGER_OPERATION_GROUP These are groups that cover all sql statements and stored procedures executed against the database, and should not be used in combination with other groups as this will result in duplicate audit logs. For more information, see Database-Level Audit Action Groups. For Database auditing policy, specific Actions can also be specified (note that Actions cannot be specified for Server auditing policy). The supported actions to audit are: SELECT UPDATE INSERT DELETE EXECUTE RECEIVE REFERENCES The general form for defining an action to be audited is: {action} ON {object} BY {principal} Note that

IsAzureMonitorTargetEnabled: Specifies whether audit events are sent to Azure Monitor. In order to send the events to Azure Monitor, specify ‘State’ as ‘Enabled’ and ‘IsAzureMonitorTargetEnabled’ as true. When using REST API to configure auditing, Diagnostic Settings with ‘SQLSecurityAuditEvents’ diagnostic logs category on the database should be also created. Note that for server level audit you should use the ‘master’ database as {databaseName}. Diagnostic Settings URI format: PUT https:/​/​management.azure.com/​subscriptions/​{subscriptionId}/​resourceGroups/​{resourceGroup}/​providers/​Microsoft.Sql/​servers/​{serverName}/​databases/​{databaseName}/​providers/​microsoft.insights/​diagnosticSettings/​{settingsName}?api-version=2017-05-01-preview For more information, see Diagnostic Settings REST API or Diagnostic Settings PowerShell

IsManagedIdentityInUse: Specifies whether Managed Identity is used to access blob storage

IsStorageSecondaryKeyInUse: Specifies whether storageAccountAccessKey value is the storage’s secondary key.

QueueDelayMs: Specifies the amount of time in milliseconds that can elapse before audit actions are forced to be processed. The default minimum value is 1000 (1 second). The maximum is 2,147,483,647.

RetentionDays: Specifies the number of days to keep in the audit logs in the storage account.

State: Specifies the state of the audit. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled are required.

StorageAccountSubscriptionId: Specifies the blob storage subscription Id.

StorageEndpoint: Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled is required.

"Disabled"

"Enabled"

"Disabled"

"Enabled"

Type: The identity type

UserAssignedIdentities: The resource ids of the user assigned identities to use

Type: The identity type

TenantId: The Azure Active Directory tenant id.

Type: The identity type

UserAssignedIdentities: The resource ids of the user assigned identities to use

TenantId: The Azure Active Directory tenant id.

Type: The identity type

UserAssignedIdentities: The resource ids of the user assigned identities to use

"None"

"UserAssigned"

"None"

"UserAssigned"

AutoPauseDelay: Time in minutes after which database is automatically paused. A value of -1 means that automatic pause is disabled

CatalogCollation: Collation of the metadata catalog.

Collation: The collation of the database.

CreateMode: Specifies the mode of database creation. Default: regular database creation. Copy: creates a database as a copy of an existing database. sourceDatabaseId must be specified as the resource ID of the source database. Secondary: creates a database as a secondary replica of an existing database. sourceDatabaseId must be specified as the resource ID of the existing primary database. PointInTimeRestore: Creates a database by restoring a point in time backup of an existing database. sourceDatabaseId must be specified as the resource ID of the existing database, and restorePointInTime must be specified. Recovery: Creates a database by restoring a geo-replicated backup. sourceDatabaseId must be specified as the recoverable database resource ID to restore. Restore: Creates a database by restoring a backup of a deleted database. sourceDatabaseId must be specified. If sourceDatabaseId is the database’s original resource ID, then sourceDatabaseDeletionDate must be specified. Otherwise sourceDatabaseId must be the restorable dropped database resource ID and sourceDatabaseDeletionDate is ignored. restorePointInTime may also be specified to restore from an earlier point in time. RestoreLongTermRetentionBackup: Creates a database by restoring from a long term retention vault. recoveryServicesRecoveryPointResourceId must be specified as the recovery point resource ID. Copy, Secondary, and RestoreLongTermRetentionBackup are not supported for DataWarehouse edition.

FederatedClientId: The Client id used for cross tenant per database CMK scenario

HighAvailabilityReplicaCount: The number of secondary replicas associated with the database that are used to provide high availability. Not applicable to a Hyperscale database within an elastic pool.

IsLedgerOn: Whether or not this database is a ledger database, which means all tables in the database are ledger tables. Note: the value of this property cannot be changed after the database has been created.

LicenseType: The license type to apply for this database. LicenseIncluded if you need a license, or BasePrice if you have a license and are eligible for the Azure Hybrid Benefit.

MaintenanceConfigurationId: Maintenance configuration id assigned to the database. This configuration defines the period when the maintenance updates will occur.

MaxSizeBytes: The max size of the database expressed in bytes.

MinCapacity: Minimal capacity that database will always have allocated, if not paused

ReadScale: The state of read-only routing. If enabled, connections that have application intent set to readonly in their connection string may be routed to a readonly secondary replica in the same region. Not applicable to a Hyperscale database within an elastic pool.

RequestedBackupStorageRedundancy: The storage account type to be used to store backups for this database.

RestorePointInTime: Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database.

SampleName: The name of the sample schema to apply when creating this database.

SecondaryType: The secondary type of the database if it is a secondary. Valid values are Geo and Named.

SourceDatabaseDeletionDate: Specifies the time that the database was deleted.

ZoneRedundant: Whether or not this database is zone redundant, which means the replicas of this database will be spread across multiple availability zones.

"DATABASE_DEFAULT"

"SQL_Latin1_General_CP1_CI_AS"

"DATABASE_DEFAULT"

"SQL_Latin1_General_CP1_CI_AS"

"Copy"

"Default"

"OnlineSecondary"

"PointInTimeRestore"

"Recovery"

"Restore"

"RestoreExternalBackup"

"RestoreExternalBackupSecondary"

"RestoreLongTermRetentionBackup"

"Secondary"

"Copy"

"Default"

"OnlineSecondary"

"PointInTimeRestore"

"Recovery"

"Restore"

"RestoreExternalBackup"

"RestoreExternalBackupSecondary"

"RestoreLongTermRetentionBackup"

"Secondary"

"Geo"

"GeoZone"

"Local"

"Zone"

"BasePrice"

"LicenseIncluded"

"BasePrice"

"LicenseIncluded"

"Disabled"

"Enabled"

"Disabled"

"Enabled"

"Geo"

"GeoZone"

"Local"

"Zone"

"Geo"

"GeoZone"

"Local"

"Zone"

AutoPauseDelay: Time in minutes after which database is automatically paused. A value of -1 means that automatic pause is disabled

CatalogCollation: Collation of the metadata catalog.

Collation: The collation of the database.

CreateMode: Specifies the mode of database creation. Default: regular database creation. Copy: creates a database as a copy of an existing database. sourceDatabaseId must be specified as the resource ID of the source database. Secondary: creates a database as a secondary replica of an existing database. sourceDatabaseId must be specified as the resource ID of the existing primary database. PointInTimeRestore: Creates a database by restoring a point in time backup of an existing database. sourceDatabaseId must be specified as the resource ID of the existing database, and restorePointInTime must be specified. Recovery: Creates a database by restoring a geo-replicated backup. sourceDatabaseId must be specified as the recoverable database resource ID to restore. Restore: Creates a database by restoring a backup of a deleted database. sourceDatabaseId must be specified. If sourceDatabaseId is the database’s original resource ID, then sourceDatabaseDeletionDate must be specified. Otherwise sourceDatabaseId must be the restorable dropped database resource ID and sourceDatabaseDeletionDate is ignored. restorePointInTime may also be specified to restore from an earlier point in time. RestoreLongTermRetentionBackup: Creates a database by restoring from a long term retention vault. recoveryServicesRecoveryPointResourceId must be specified as the recovery point resource ID. Copy, Secondary, and RestoreLongTermRetentionBackup are not supported for DataWarehouse edition.

CreationDate: The creation date of the database (ISO8601 format).

CurrentBackupStorageRedundancy: The storage account type used to store backups for this database.

CurrentServiceObjectiveName: The current service level objective name of the database.

CurrentSku: The name and tier of the SKU.

DatabaseId: The ID of the database.

DefaultSecondaryLocation: The default secondary region for this database.

EarliestRestoreDate: This records the earliest start date and time that restore is available for this database (ISO8601 format).

ElasticPoolId: The resource identifier of the elastic pool containing this database.

FailoverGroupId: Failover Group resource identifier that this database belongs to.

FederatedClientId: The Client id used for cross tenant per database CMK scenario

HighAvailabilityReplicaCount: The number of secondary replicas associated with the database that are used to provide high availability. Not applicable to a Hyperscale database within an elastic pool.

IsInfraEncryptionEnabled: Infra encryption is enabled for this database.

IsLedgerOn: Whether or not this database is a ledger database, which means all tables in the database are ledger tables. Note: the value of this property cannot be changed after the database has been created.

LicenseType: The license type to apply for this database. LicenseIncluded if you need a license, or BasePrice if you have a license and are eligible for the Azure Hybrid Benefit.

LongTermRetentionBackupResourceId: The resource identifier of the long term retention backup associated with create operation of this database.

MaintenanceConfigurationId: Maintenance configuration id assigned to the database. This configuration defines the period when the maintenance updates will occur.

MaxLogSizeBytes: The max log size for this database.

MaxSizeBytes: The max size of the database expressed in bytes.

MinCapacity: Minimal capacity that database will always have allocated, if not paused

PausedDate: The date when database was paused by user configuration or action(ISO8601 format). Null if the database is ready.

ReadScale: The state of read-only routing. If enabled, connections that have application intent set to readonly in their connection string may be routed to a readonly secondary replica in the same region. Not applicable to a Hyperscale database within an elastic pool.

RecoverableDatabaseId: The resource identifier of the recoverable database associated with create operation of this database.

RecoveryServicesRecoveryPointId: The resource identifier of the recovery point associated with create operation of this database.

RequestedBackupStorageRedundancy: The storage account type to be used to store backups for this database.

RequestedServiceObjectiveName: The requested service level objective name of the database.

RestorableDroppedDatabaseId: The resource identifier of the restorable dropped database associated with create operation of this database.

RestorePointInTime: Specifies the point in time (ISO8601 format) of the source database that will be restored to create the new database.

ResumedDate: The date when database was resumed by user action or database login (ISO8601 format). Null if the database is paused.

SampleName: The name of the sample schema to apply when creating this database.

SecondaryType: The secondary type of the database if it is a secondary. Valid values are Geo and Named.

SourceDatabaseDeletionDate: Specifies the time that the database was deleted.

SourceDatabaseId: The resource identifier of the source database associated with create operation of this database.

SourceResourceId: The resource identifier of the source associated with the create operation of this database. This property is only supported for DataWarehouse edition and allows to restore across subscriptions. When sourceResourceId is specified, sourceDatabaseId, recoverableDatabaseId, restorableDroppedDatabaseId and sourceDatabaseDeletionDate must not be specified and CreateMode must be PointInTimeRestore, Restore or Recover. When createMode is PointInTimeRestore, sourceResourceId must be the resource ID of the existing database or existing sql pool, and restorePointInTime must be specified. When createMode is Restore, sourceResourceId must be the resource ID of restorable dropped database or restorable dropped sql pool. When createMode is Recover, sourceResourceId must be the resource ID of recoverable database or recoverable sql pool. When source subscription belongs to a different tenant than target subscription, “x-ms-authorization-auxiliary” header must contain authentication token for the source tenant. For more details about “x-ms-authorization-auxiliary” header see https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/authenticate-multi-tenant

Status: The status of the database.

ZoneRedundant: Whether or not this database is zone redundant, which means the replicas of this database will be spread across multiple availability zones.

"AdventureWorksLT"

"WideWorldImportersFull"

"WideWorldImportersStd"

"AdventureWorksLT"

"WideWorldImportersFull"

"WideWorldImportersStd"

"Geo"

"Named"

"Geo"

"Named"

"AutoClosed"

"Copying"

"Creating"

"Disabled"

"EmergencyMode"

"Inaccessible"

"Offline"

"OfflineChangingDwPerformanceTiers"

"OfflineSecondary"

"Online"

"OnlineChangingDwPerformanceTiers"

"Paused"

"Pausing"

"Recovering"

"RecoveryPending"

"Restoring"

"Resuming"

"Scaling"

"Shutdown"

"Standby"

"Starting"

"Stopped"

"Stopping"

"Suspect"

DisabledAlerts: Specifies an array of alerts that are disabled. Allowed values are: Sql_Injection, Sql_Injection_Vulnerability, Access_Anomaly, Data_Exfiltration, Unsafe_Action, Brute_Force

EmailAccountAdmins: Specifies that the alert is sent to the account administrators.

EmailAddresses: Specifies an array of e-mail addresses to which the alert is sent.

RetentionDays: Specifies the number of days to keep in the Threat Detection audit logs.

State: Specifies the state of the policy, whether it is enabled or disabled or a policy has not been applied yet on the specific database.

StorageAccountAccessKey: Specifies the identifier key of the Threat Detection audit storage account.

StorageEndpoint: Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). This blob storage will hold all Threat Detection audit logs.

CreationTime: Specifies the UTC creation time of the policy.

DisabledAlerts: Specifies an array of alerts that are disabled. Allowed values are: Sql_Injection, Sql_Injection_Vulnerability, Access_Anomaly, Data_Exfiltration, Unsafe_Action, Brute_Force

EmailAccountAdmins: Specifies that the alert is sent to the account administrators.

EmailAddresses: Specifies an array of e-mail addresses to which the alert is sent.

RetentionDays: Specifies the number of days to keep in the Threat Detection audit logs.

State: Specifies the state of the policy, whether it is enabled or disabled or a policy has not been applied yet on the specific database.

StorageEndpoint: Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). This blob storage will hold all Threat Detection audit logs.

"Disabled"

"Enabled"

"Disabled"

"Enabled"

ClientId: The Azure Active Directory client id.

PrincipalId: The Azure Active Directory principal id.

ClientId: The Azure Active Directory client id.

PrincipalId: The Azure Active Directory principal id.

RecurringScans: The recurring scans settings

StorageAccountAccessKey: Specifies the identifier key of the storage account for vulnerability assessment scan results. If ‘StorageContainerSasKey’ isn’t specified, storageAccountAccessKey is required. Applies only if the storage account is not behind a Vnet or a firewall

StorageContainerPath: A blob storage container path to hold the scan results (e.g. https://myStorage.blob.core.windows.net/VaScans/). It is required if server level vulnerability assessment policy doesn’t set

StorageContainerSasKey: A shared access signature (SAS Key) that has write access to the blob container specified in ‘storageContainerPath’ parameter. If ‘storageAccountAccessKey’ isn’t specified, StorageContainerSasKey is required. Applies only if the storage account is not behind a Vnet or a firewall

RecurringScans: The recurring scans settings

StorageContainerPath: A blob storage container path to hold the scan results (e.g. https://myStorage.blob.core.windows.net/VaScans/). It is required if server level vulnerability assessment policy doesn’t set

MaxCapacity: The maximum capacity any one database can consume.

MinCapacity: The minimum capacity all databases are guaranteed.

MaxCapacity: The maximum capacity any one database can consume.

MinCapacity: The minimum capacity all databases are guaranteed.

MaxCapacity: The maximum capacity any one database can consume.

MinCapacity: The minimum capacity all databases are guaranteed.

MaxCapacity: The maximum capacity any one database can consume.

MinCapacity: The minimum capacity all databases are guaranteed.

HighAvailabilityReplicaCount: The number of secondary replicas associated with the elastic pool that are used to provide high availability. Applicable only to Hyperscale elastic pools.

LicenseType: The license type to apply for this elastic pool.

MaintenanceConfigurationId: Maintenance configuration id assigned to the elastic pool. This configuration defines the period when the maintenance updates will will occur.

MaxSizeBytes: The storage limit for the database elastic pool in bytes.

MinCapacity: Minimal capacity that serverless pool will not shrink below, if not paused

PerDatabaseSettings: The per database settings for the elastic pool.

ZoneRedundant: Whether or not this elastic pool is zone redundant, which means the replicas of this elastic pool will be spread across multiple availability zones.

"BasePrice"

"LicenseIncluded"

"BasePrice"

"LicenseIncluded"

CreationDate: The creation date of the elastic pool (ISO8601 format).

HighAvailabilityReplicaCount: The number of secondary replicas associated with the elastic pool that are used to provide high availability. Applicable only to Hyperscale elastic pools.

LicenseType: The license type to apply for this elastic pool.

MaintenanceConfigurationId: Maintenance configuration id assigned to the elastic pool. This configuration defines the period when the maintenance updates will will occur.

MaxSizeBytes: The storage limit for the database elastic pool in bytes.

MinCapacity: Minimal capacity that serverless pool will not shrink below, if not paused

PerDatabaseSettings: The per database settings for the elastic pool.

State: The state of the elastic pool.

ZoneRedundant: Whether or not this elastic pool is zone redundant, which means the replicas of this elastic pool will be spread across multiple availability zones.

"Creating"

"Disabled"

"Ready"

PartnerServers: List of partner server information for the failover group.

ReadOnlyEndpoint: Read-only endpoint of the failover group instance.

ReadWriteEndpoint: Read-write endpoint of the failover group instance.

"Primary"

"Secondary"

Databases: List of databases in the failover group.

PartnerServers: List of partner server information for the failover group.

ReadOnlyEndpoint: Read-only endpoint of the failover group instance.

ReadWriteEndpoint: Read-write endpoint of the failover group instance.

ReplicationRole: Local replication role of the failover group instance.

ReplicationState: Replication state of the failover group instance.

FailoverPolicy: Failover policy of the read-only endpoint for the failover group.

FailoverPolicy: Failover policy of the read-only endpoint for the failover group.

"Disabled"

"Enabled"

"Disabled"

"Enabled"

FailoverPolicy: Failover policy of the read-only endpoint for the failover group.

FailoverPolicy: Failover policy of the read-only endpoint for the failover group.

FailoverPolicy: Failover policy of the read-write endpoint for the failover group. If failoverPolicy is Automatic then failoverWithDataLossGracePeriodMinutes is required.

FailoverWithDataLossGracePeriodMinutes: Grace period before failover with data loss is attempted for the read-write endpoint. If failoverPolicy is Automatic then failoverWithDataLossGracePeriodMinutes is required.

FailoverPolicy: Failover policy of the read-write endpoint for the failover group. If failoverPolicy is Automatic then failoverWithDataLossGracePeriodMinutes is required.

FailoverWithDataLossGracePeriodMinutes: Grace period before failover with data loss is attempted for the read-write endpoint. If failoverPolicy is Automatic then failoverWithDataLossGracePeriodMinutes is required.

"Automatic"

"Manual"

"Automatic"

"Manual"

FailoverPolicy: Failover policy of the read-write endpoint for the failover group. If failoverPolicy is Automatic then failoverWithDataLossGracePeriodMinutes is required.

FailoverWithDataLossGracePeriodMinutes: Grace period before failover with data loss is attempted for the read-write endpoint. If failoverPolicy is Automatic then failoverWithDataLossGracePeriodMinutes is required.

FailoverPolicy: Failover policy of the read-write endpoint for the failover group. If failoverPolicy is Automatic then failoverWithDataLossGracePeriodMinutes is required.

FailoverWithDataLossGracePeriodMinutes: Grace period before failover with data loss is attempted for the read-write endpoint. If failoverPolicy is Automatic then failoverWithDataLossGracePeriodMinutes is required.

EndIPv6Address: The end IP address of the firewall rule. Must be IPv6 format. Must be greater than or equal to startIpAddress.

StartIPv6Address: The start IP address of the firewall rule. Must be IPv6 format.

EndIPv6Address: The end IP address of the firewall rule. Must be IPv6 format. Must be greater than or equal to startIpAddress.

StartIPv6Address: The start IP address of the firewall rule. Must be IPv6 format.

ProvisioningState: The state of the outbound rule.

Reference: Resource identifier of the partner server.

"Primary"

"Secondary"

Id: Resource identifier of the partner server.

Location: Geo location of the partner server.

ReplicationRole: Replication role of the partner server.

Id: Resource identifier of the partner server.

Location: Geo location of the partner server.

ReplicationRole: Replication role of the partner server.

"Approving"

"Dropping"

"Failed"

"Ready"

"Rejecting"

GroupIds: Group IDs.

PrivateEndpoint: Private endpoint which the connection belongs to.

PrivateLinkServiceConnectionState: Connection state of the private endpoint connection.

ProvisioningState: State of the private endpoint connection.

GroupIds: Group IDs.

PrivateEndpoint: Private endpoint which the connection belongs to.

PrivateLinkServiceConnectionState: Connection state of the private endpoint connection.

ProvisioningState: State of the private endpoint connection.

Id: Resource id of the private endpoint.

Id: Resource id of the private endpoint.

"None"

ActionsRequired: The actions required for private link service connection.

Description: The private link service connection description.

Status: The private link service connection status.

ActionsRequired: The actions required for private link service connection.

Description: The private link service connection description.

Status: The private link service connection status.

"Approved"

"Disconnected"

"Pending"

"Rejected"

Type: The identity type. Set this to ‘SystemAssigned’ in order to automatically create and assign an Azure Active Directory principal for the resource.

UserAssignedIdentities: The resource ids of the user assigned identities to use

Type: The identity type. Set this to ‘SystemAssigned’ in order to automatically create and assign an Azure Active Directory principal for the resource.

PrincipalId: The Azure Active Directory principal id.

TenantId: The Azure Active Directory tenant id.

Type: The identity type. Set this to ‘SystemAssigned’ in order to automatically create and assign an Azure Active Directory principal for the resource.

UserAssignedIdentities: The resource ids of the user assigned identities to use

PrincipalId: The Azure Active Directory principal id.

TenantId: The Azure Active Directory tenant id.

Type: The identity type. Set this to ‘SystemAssigned’ in order to automatically create and assign an Azure Active Directory principal for the resource.

UserAssignedIdentities: The resource ids of the user assigned identities to use

"None"

"SystemAssigned"

"SystemAssigned,UserAssigned"

"UserAssigned"

"None"

"SystemAssigned"

"SystemAssigned,UserAssigned"

"UserAssigned"

AuditActionsAndGroups: Specifies the Actions-Groups and Actions to audit. The recommended set of action groups to use is the following combination - this will audit all the queries and stored procedures executed against the database, as well as successful and failed logins: BATCH_COMPLETED_GROUP, SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP. This above combination is also the set that is configured by default when enabling auditing from the Azure portal. The supported action groups to audit are (note: choose only specific groups that cover your auditing needs. Using unnecessary groups could lead to very large quantities of audit records): APPLICATION_ROLE_CHANGE_PASSWORD_GROUP BACKUP_RESTORE_GROUP DATABASE_LOGOUT_GROUP DATABASE_OBJECT_CHANGE_GROUP DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP DATABASE_OBJECT_PERMISSION_CHANGE_GROUP DATABASE_OPERATION_GROUP DATABASE_PERMISSION_CHANGE_GROUP DATABASE_PRINCIPAL_CHANGE_GROUP DATABASE_PRINCIPAL_IMPERSONATION_GROUP DATABASE_ROLE_MEMBER_CHANGE_GROUP FAILED_DATABASE_AUTHENTICATION_GROUP SCHEMA_OBJECT_ACCESS_GROUP SCHEMA_OBJECT_CHANGE_GROUP SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP USER_CHANGE_PASSWORD_GROUP BATCH_STARTED_GROUP BATCH_COMPLETED_GROUP DBCC_GROUP DATABASE_OWNERSHIP_CHANGE_GROUP DATABASE_CHANGE_GROUP LEDGER_OPERATION_GROUP These are groups that cover all sql statements and stored procedures executed against the database, and should not be used in combination with other groups as this will result in duplicate audit logs. For more information, see Database-Level Audit Action Groups. For Database auditing policy, specific Actions can also be specified (note that Actions cannot be specified for Server auditing policy). The supported actions to audit are: SELECT UPDATE INSERT DELETE EXECUTE RECEIVE REFERENCES The general form for defining an action to be audited is: {action} ON {object} BY {principal} Note that

IsAzureMonitorTargetEnabled: Specifies whether audit events are sent to Azure Monitor. In order to send the events to Azure Monitor, specify ‘State’ as ‘Enabled’ and ‘IsAzureMonitorTargetEnabled’ as true. When using REST API to configure auditing, Diagnostic Settings with ‘SQLSecurityAuditEvents’ diagnostic logs category on the database should be also created. Note that for server level audit you should use the ‘master’ database as {databaseName}. Diagnostic Settings URI format: PUT https:/​/​management.azure.com/​subscriptions/​{subscriptionId}/​resourceGroups/​{resourceGroup}/​providers/​Microsoft.Sql/​servers/​{serverName}/​databases/​{databaseName}/​providers/​microsoft.insights/​diagnosticSettings/​{settingsName}?api-version=2017-05-01-preview For more information, see Diagnostic Settings REST API or Diagnostic Settings PowerShell

IsDevopsAuditEnabled: Specifies the state of devops audit. If state is Enabled, devops logs will be sent to Azure Monitor. In order to send the events to Azure Monitor, specify ‘State’ as ‘Enabled’, ‘IsAzureMonitorTargetEnabled’ as true and ‘IsDevopsAuditEnabled’ as true When using REST API to configure auditing, Diagnostic Settings with ‘DevOpsOperationsAudit’ diagnostic logs category on the master database should also be created. Diagnostic Settings URI format: PUT https:/​/​management.azure.com/​subscriptions/​{subscriptionId}/​resourceGroups/​{resourceGroup}/​providers/​Microsoft.Sql/​servers/​{serverName}/​databases/​master/​providers/​microsoft.insights/​diagnosticSettings/​{settingsName}?api-version=2017-05-01-preview For more information, see Diagnostic Settings REST API or Diagnostic Settings PowerShell

IsManagedIdentityInUse: Specifies whether Managed Identity is used to access blob storage

IsStorageSecondaryKeyInUse: Specifies whether storageAccountAccessKey value is the storage’s secondary key.

QueueDelayMs: Specifies the amount of time in milliseconds that can elapse before audit actions are forced to be processed. The default minimum value is 1000 (1 second). The maximum is 2,147,483,647.

RetentionDays: Specifies the number of days to keep in the audit logs in the storage account.

State: Specifies the state of the audit. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled are required.

StorageAccountAccessKey: Specifies the identifier key of the auditing storage account. If state is Enabled and storageEndpoint is specified, not specifying the storageAccountAccessKey will use SQL server system-assigned managed identity to access the storage. Prerequisites for using managed identity authentication: 1. Assign SQL Server a system-assigned managed identity in Azure Active Directory (AAD). 2. Grant SQL Server identity access to the storage account by adding ‘Storage Blob Data Contributor’ RBAC role to the server identity. For more information, see Auditing to storage using Managed Identity authentication

StorageAccountSubscriptionId: Specifies the blob storage subscription Id.

StorageEndpoint: Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled is required.

AuditActionsAndGroups: Specifies the Actions-Groups and Actions to audit. The recommended set of action groups to use is the following combination - this will audit all the queries and stored procedures executed against the database, as well as successful and failed logins: BATCH_COMPLETED_GROUP, SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP. This above combination is also the set that is configured by default when enabling auditing from the Azure portal. The supported action groups to audit are (note: choose only specific groups that cover your auditing needs. Using unnecessary groups could lead to very large quantities of audit records): APPLICATION_ROLE_CHANGE_PASSWORD_GROUP BACKUP_RESTORE_GROUP DATABASE_LOGOUT_GROUP DATABASE_OBJECT_CHANGE_GROUP DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP DATABASE_OBJECT_PERMISSION_CHANGE_GROUP DATABASE_OPERATION_GROUP DATABASE_PERMISSION_CHANGE_GROUP DATABASE_PRINCIPAL_CHANGE_GROUP DATABASE_PRINCIPAL_IMPERSONATION_GROUP DATABASE_ROLE_MEMBER_CHANGE_GROUP FAILED_DATABASE_AUTHENTICATION_GROUP SCHEMA_OBJECT_ACCESS_GROUP SCHEMA_OBJECT_CHANGE_GROUP SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP USER_CHANGE_PASSWORD_GROUP BATCH_STARTED_GROUP BATCH_COMPLETED_GROUP DBCC_GROUP DATABASE_OWNERSHIP_CHANGE_GROUP DATABASE_CHANGE_GROUP LEDGER_OPERATION_GROUP These are groups that cover all sql statements and stored procedures executed against the database, and should not be used in combination with other groups as this will result in duplicate audit logs. For more information, see Database-Level Audit Action Groups. For Database auditing policy, specific Actions can also be specified (note that Actions cannot be specified for Server auditing policy). The supported actions to audit are: SELECT UPDATE INSERT DELETE EXECUTE RECEIVE REFERENCES The general form for defining an action to be audited is: {action} ON {object} BY {principal} Note that

IsAzureMonitorTargetEnabled: Specifies whether audit events are sent to Azure Monitor. In order to send the events to Azure Monitor, specify ‘State’ as ‘Enabled’ and ‘IsAzureMonitorTargetEnabled’ as true. When using REST API to configure auditing, Diagnostic Settings with ‘SQLSecurityAuditEvents’ diagnostic logs category on the database should be also created. Note that for server level audit you should use the ‘master’ database as {databaseName}. Diagnostic Settings URI format: PUT https:/​/​management.azure.com/​subscriptions/​{subscriptionId}/​resourceGroups/​{resourceGroup}/​providers/​Microsoft.Sql/​servers/​{serverName}/​databases/​{databaseName}/​providers/​microsoft.insights/​diagnosticSettings/​{settingsName}?api-version=2017-05-01-preview For more information, see Diagnostic Settings REST API or Diagnostic Settings PowerShell

IsDevopsAuditEnabled: Specifies the state of devops audit. If state is Enabled, devops logs will be sent to Azure Monitor. In order to send the events to Azure Monitor, specify ‘State’ as ‘Enabled’, ‘IsAzureMonitorTargetEnabled’ as true and ‘IsDevopsAuditEnabled’ as true When using REST API to configure auditing, Diagnostic Settings with ‘DevOpsOperationsAudit’ diagnostic logs category on the master database should also be created. Diagnostic Settings URI format: PUT https:/​/​management.azure.com/​subscriptions/​{subscriptionId}/​resourceGroups/​{resourceGroup}/​providers/​Microsoft.Sql/​servers/​{serverName}/​databases/​master/​providers/​microsoft.insights/​diagnosticSettings/​{settingsName}?api-version=2017-05-01-preview For more information, see Diagnostic Settings REST API or Diagnostic Settings PowerShell

IsManagedIdentityInUse: Specifies whether Managed Identity is used to access blob storage

IsStorageSecondaryKeyInUse: Specifies whether storageAccountAccessKey value is the storage’s secondary key.

QueueDelayMs: Specifies the amount of time in milliseconds that can elapse before audit actions are forced to be processed. The default minimum value is 1000 (1 second). The maximum is 2,147,483,647.

RetentionDays: Specifies the number of days to keep in the audit logs in the storage account.

State: Specifies the state of the audit. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled are required.

StorageAccountSubscriptionId: Specifies the blob storage subscription Id.

StorageEndpoint: Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled is required.

"Disabled"

"Enabled"

"Disabled"

"Enabled"

ConnectionType: The server connection type.

"Default"

"Proxy"

"Redirect"

"Default"

"Proxy"

"Redirect"

ConnectionType: The server connection type.

AdministratorType: Type of the sever administrator.

AzureADOnlyAuthentication: Azure Active Directory only Authentication enabled.

Login: Login name of the server administrator.

PrincipalType: Principal Type of the sever administrator.

Sid: SID (object ID) of the server administrator.

TenantId: Tenant ID of the administrator.

AdministratorType: Type of the sever administrator.

AzureADOnlyAuthentication: Azure Active Directory only Authentication enabled.

Login: Login name of the server administrator.

PrincipalType: Principal Type of the sever administrator.

Sid: SID (object ID) of the server administrator.

TenantId: Tenant ID of the administrator.

"ActiveDirectory"

"ActiveDirectory"

"Application"

"Group"

"User"

"Application"

"Group"

"User"

AdministratorType: Type of the sever administrator.

AzureADOnlyAuthentication: Azure Active Directory only Authentication enabled.

Login: Login name of the server administrator.

PrincipalType: Principal Type of the sever administrator.

Sid: SID (object ID) of the server administrator.

TenantId: Tenant ID of the administrator.

AdministratorType: Type of the sever administrator.

AzureADOnlyAuthentication: Azure Active Directory only Authentication enabled.

Login: Login name of the server administrator.

PrincipalType: Principal Type of the sever administrator.

Sid: SID (object ID) of the server administrator.

TenantId: Tenant ID of the administrator.

EndIpAddress: The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value ‘0.0.0.0’ for all Azure-internal IP addresses.

StartIpAddress: The start IP address of the firewall rule. Must be IPv4 format. Use value ‘0.0.0.0’ for all Azure-internal IP addresses.

EndIpAddress: The end IP address of the firewall rule. Must be IPv4 format. Must be greater than or equal to startIpAddress. Use value ‘0.0.0.0’ for all Azure-internal IP addresses.

StartIpAddress: The start IP address of the firewall rule. Must be IPv4 format. Use value ‘0.0.0.0’ for all Azure-internal IP addresses.

FullyQualifiedDomainName: indicates where the FullyQualifiedDomainName config map should be placed. If omitted, no config map will be created.

ConfigMaps: configures where to place operator written ConfigMaps.

Id: Resource ID.

Properties: Private endpoint connection properties

Id: Resource ID.

Properties: Private endpoint connection properties

AdministratorLogin: Administrator username for the server. Once created it cannot be changed.

AdministratorLoginPassword: The administrator login password (required for server creation).

Administrators: The Azure Active Directory administrator of the server.

FederatedClientId: The Client id used for cross tenant CMK scenario

KeyId: A CMK URI of the key to use for encryption.

MinimalTlsVersion: Minimal TLS version. Allowed values: ‘1.0’, ‘1.1’, ‘1.2’

PublicNetworkAccess: Whether or not public endpoint access is allowed for this server. Value is optional but if passed in, must be ‘Enabled’ or ‘Disabled’

RestrictOutboundNetworkAccess: Whether or not to restrict outbound network access for this server. Value is optional but if passed in, must be ‘Enabled’ or ‘Disabled’

Version: The version of the server.

"Disabled"

"Enabled"

"Disabled"

"Enabled"

"Disabled"

"Enabled"

"Disabled"

"Enabled"

AdministratorLogin: Administrator username for the server. Once created it cannot be changed.

Administrators: The Azure Active Directory administrator of the server.

FederatedClientId: The Client id used for cross tenant CMK scenario

FullyQualifiedDomainName: The fully qualified domain name of the server.

KeyId: A CMK URI of the key to use for encryption.

MinimalTlsVersion: Minimal TLS version. Allowed values: ‘1.0’, ‘1.1’, ‘1.2’

PrimaryUserAssignedIdentityId: The resource id of a user assigned identity to be used by default.

PrivateEndpointConnections: List of private endpoint connections on a server

PublicNetworkAccess: Whether or not public endpoint access is allowed for this server. Value is optional but if passed in, must be ‘Enabled’ or ‘Disabled’

RestrictOutboundNetworkAccess: Whether or not to restrict outbound network access for this server. Value is optional but if passed in, must be ‘Enabled’ or ‘Disabled’

State: The state of the server.

Version: The version of the server.

WorkspaceFeature: Whether or not existing server has a workspace created and if it allows connection from workspace

"Connected"

"Disconnected"

DisabledAlerts: Specifies an array of alerts that are disabled. Allowed values are: Sql_Injection, Sql_Injection_Vulnerability, Access_Anomaly, Data_Exfiltration, Unsafe_Action, Brute_Force

EmailAccountAdmins: Specifies that the alert is sent to the account administrators.

EmailAddresses: Specifies an array of e-mail addresses to which the alert is sent.

RetentionDays: Specifies the number of days to keep in the Threat Detection audit logs.

State: Specifies the state of the policy, whether it is enabled or disabled or a policy has not been applied yet on the specific database.

StorageAccountAccessKey: Specifies the identifier key of the Threat Detection audit storage account.

StorageEndpoint: Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). This blob storage will hold all Threat Detection audit logs.

CreationTime: Specifies the UTC creation time of the policy.

DisabledAlerts: Specifies an array of alerts that are disabled. Allowed values are: Sql_Injection, Sql_Injection_Vulnerability, Access_Anomaly, Data_Exfiltration, Unsafe_Action, Brute_Force

EmailAccountAdmins: Specifies that the alert is sent to the account administrators.

EmailAddresses: Specifies an array of e-mail addresses to which the alert is sent.

RetentionDays: Specifies the number of days to keep in the Threat Detection audit logs.

State: Specifies the state of the policy, whether it is enabled or disabled or a policy has not been applied yet on the specific database.

StorageEndpoint: Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). This blob storage will hold all Threat Detection audit logs.

"Disabled"

"Enabled"

"Disabled"

"Enabled"

RecurringScans: The recurring scans settings

StorageAccountAccessKey: Specifies the identifier key of the storage account for vulnerability assessment scan results. If ‘StorageContainerSasKey’ isn’t specified, storageAccountAccessKey is required. Applies only if the storage account is not behind a Vnet or a firewall

StorageContainerPath: A blob storage container path to hold the scan results (e.g. https://myStorage.blob.core.windows.net/VaScans/).

StorageContainerSasKey: A shared access signature (SAS Key) that has write access to the blob container specified in ‘storageContainerPath’ parameter. If ‘storageAccountAccessKey’ isn’t specified, StorageContainerSasKey is required. Applies only if the storage account is not behind a Vnet or a firewall

RecurringScans: The recurring scans settings

StorageContainerPath: A blob storage container path to hold the scan results (e.g. https://myStorage.blob.core.windows.net/VaScans/).

AdministratorLogin: Administrator username for the server. Once created it cannot be changed.

Administrators: The Azure Active Directory administrator of the server.

Conditions: The observed state of the resource

FederatedClientId: The Client id used for cross tenant CMK scenario

FullyQualifiedDomainName: The fully qualified domain name of the server.

Id: Resource ID.

Identity: The Azure Active Directory identity of the server.

KeyId: A CMK URI of the key to use for encryption.

Kind: Kind of sql server. This is metadata used for the Azure portal experience.

Location: Resource location.

MinimalTlsVersion: Minimal TLS version. Allowed values: ‘1.0’, ‘1.1’, ‘1.2’

Name: Resource name.

PrimaryUserAssignedIdentityId: The resource id of a user assigned identity to be used by default.

PrivateEndpointConnections: List of private endpoint connections on a server

PublicNetworkAccess: Whether or not public endpoint access is allowed for this server. Value is optional but if passed in, must be ‘Enabled’ or ‘Disabled’

RestrictOutboundNetworkAccess: Whether or not to restrict outbound network access for this server. Value is optional but if passed in, must be ‘Enabled’ or ‘Disabled’

State: The state of the server.

Tags: Resource tags.

Type: Resource type.

Version: The version of the server.

WorkspaceFeature: Whether or not existing server has a workspace created and if it allows connection from workspace

Id: Resource ID.

Identity: The Azure Active Directory identity of the server.

Kind: Kind of sql server. This is metadata used for the Azure portal experience.

Location: Resource location.

Name: Resource name.

Properties: Resource properties.

Tags: Resource tags.

Type: Resource type.

AdministratorLogin: Administrator username for the server. Once created it cannot be changed.

AdministratorLoginPassword: The administrator login password (required for server creation).

Administrators: The Azure Active Directory administrator of the server.

AzureName: The name of the resource in Azure. This is often the same as the name of the resource in Kubernetes but it doesn’t have to be.

FederatedClientId: The Client id used for cross tenant CMK scenario

Identity: The Azure Active Directory identity of the server.

KeyId: A CMK URI of the key to use for encryption.

Location: Resource location.

MinimalTlsVersion: Minimal TLS version. Allowed values: ‘1.0’, ‘1.1’, ‘1.2’

OperatorSpec: The specification for configuring operator behavior. This field is interpreted by the operator and not passed directly to Azure

Owner: The owner of the resource. The owner controls where the resource goes when it is deployed. The owner also controls the resources lifecycle. When the owner is deleted the resource will also be deleted. Owner is expected to be a reference to a resources.azure.com/ResourceGroup resource

PrimaryUserAssignedIdentityReference: The resource id of a user assigned identity to be used by default.

PublicNetworkAccess: Whether or not public endpoint access is allowed for this server. Value is optional but if passed in, must be ‘Enabled’ or ‘Disabled’

RestrictOutboundNetworkAccess: Whether or not to restrict outbound network access for this server. Value is optional but if passed in, must be ‘Enabled’ or ‘Disabled’

Tags: Resource tags.

Version: The version of the server.

Identity: The Azure Active Directory identity of the server.

Location: Resource location.

Properties: Resource properties.

Tags: Resource tags.

AdministratorType: Type of the sever administrator.

AzureADOnlyAuthentication: Azure Active Directory only Authentication enabled.

Conditions: The observed state of the resource

Id: Resource ID.

Login: Login name of the server administrator.

Name: Resource name.

Sid: SID (object ID) of the server administrator.

TenantId: Tenant ID of the administrator.

Type: Resource type.

Id: Resource ID.

Name: Resource name.

Properties: Resource properties.

Type: Resource type.

AdministratorType: Type of the sever administrator.

Login: Login name of the server administrator.

Owner: The owner of the resource. The owner controls where the resource goes when it is deployed. The owner also controls the resources lifecycle. When the owner is deleted the resource will also be deleted. Owner is expected to be a reference to a sql.azure.com/Server resource

Sid: SID (object ID) of the server administrator.

SidFromConfig: SID (object ID) of the server administrator.

TenantId: Tenant ID of the administrator.

TenantIdFromConfig: Tenant ID of the administrator.

Properties: Resource properties.

Conditions: The observed state of the resource

CreationTime: Specifies the UTC creation time of the policy.

Id: Resource ID.

Name: Resource name.

State: Specifies the state of the Advanced Threat Protection, whether it is enabled or disabled or a state has not been applied yet on the specific database or server.

SystemData: SystemData of AdvancedThreatProtectionResource.

Type: Resource type.

Id: Resource ID.

Name: Resource name.

Properties: Resource properties.

SystemData: SystemData of AdvancedThreatProtectionResource.

Type: Resource type.

Owner: The owner of the resource. The owner controls where the resource goes when it is deployed. The owner also controls the resources lifecycle. When the owner is deleted the resource will also be deleted. Owner is expected to be a reference to a sql.azure.com/Server resource

State: Specifies the state of the Advanced Threat Protection, whether it is enabled or disabled or a state has not been applied yet on the specific database or server.

Properties: Resource properties.

AuditActionsAndGroups: Specifies the Actions-Groups and Actions to audit. The recommended set of action groups to use is the following combination - this will audit all the queries and stored procedures executed against the database, as well as successful and failed logins: BATCH_COMPLETED_GROUP, SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP. This above combination is also the set that is configured by default when enabling auditing from the Azure portal. The supported action groups to audit are (note: choose only specific groups that cover your auditing needs. Using unnecessary groups could lead to very large quantities of audit records): APPLICATION_ROLE_CHANGE_PASSWORD_GROUP BACKUP_RESTORE_GROUP DATABASE_LOGOUT_GROUP DATABASE_OBJECT_CHANGE_GROUP DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP DATABASE_OBJECT_PERMISSION_CHANGE_GROUP DATABASE_OPERATION_GROUP DATABASE_PERMISSION_CHANGE_GROUP DATABASE_PRINCIPAL_CHANGE_GROUP DATABASE_PRINCIPAL_IMPERSONATION_GROUP DATABASE_ROLE_MEMBER_CHANGE_GROUP FAILED_DATABASE_AUTHENTICATION_GROUP SCHEMA_OBJECT_ACCESS_GROUP SCHEMA_OBJECT_CHANGE_GROUP SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP USER_CHANGE_PASSWORD_GROUP BATCH_STARTED_GROUP BATCH_COMPLETED_GROUP DBCC_GROUP DATABASE_OWNERSHIP_CHANGE_GROUP DATABASE_CHANGE_GROUP LEDGER_OPERATION_GROUP These are groups that cover all sql statements and stored procedures executed against the database, and should not be used in combination with other groups as this will result in duplicate audit logs. For more information, see Database-Level Audit Action Groups. For Database auditing policy, specific Actions can also be specified (note that Actions cannot be specified for Server auditing policy). The supported actions to audit are: SELECT UPDATE INSERT DELETE EXECUTE RECEIVE REFERENCES The general form for defining an action to be audited is: {action} ON {object} BY {principal} Note that

Conditions: The observed state of the resource

Id: Resource ID.

IsAzureMonitorTargetEnabled: Specifies whether audit events are sent to Azure Monitor. In order to send the events to Azure Monitor, specify ‘State’ as ‘Enabled’ and ‘IsAzureMonitorTargetEnabled’ as true. When using REST API to configure auditing, Diagnostic Settings with ‘SQLSecurityAuditEvents’ diagnostic logs category on the database should be also created. Note that for server level audit you should use the ‘master’ database as {databaseName}. Diagnostic Settings URI format: PUT https:/​/​management.azure.com/​subscriptions/​{subscriptionId}/​resourceGroups/​{resourceGroup}/​providers/​Microsoft.Sql/​servers/​{serverName}/​databases/​{databaseName}/​providers/​microsoft.insights/​diagnosticSettings/​{settingsName}?api-version=2017-05-01-preview For more information, see Diagnostic Settings REST API or Diagnostic Settings PowerShell

IsDevopsAuditEnabled: Specifies the state of devops audit. If state is Enabled, devops logs will be sent to Azure Monitor. In order to send the events to Azure Monitor, specify ‘State’ as ‘Enabled’, ‘IsAzureMonitorTargetEnabled’ as true and ‘IsDevopsAuditEnabled’ as true When using REST API to configure auditing, Diagnostic Settings with ‘DevOpsOperationsAudit’ diagnostic logs category on the master database should also be created. Diagnostic Settings URI format: PUT https:/​/​management.azure.com/​subscriptions/​{subscriptionId}/​resourceGroups/​{resourceGroup}/​providers/​Microsoft.Sql/​servers/​{serverName}/​databases/​master/​providers/​microsoft.insights/​diagnosticSettings/​{settingsName}?api-version=2017-05-01-preview For more information, see Diagnostic Settings REST API or Diagnostic Settings PowerShell

IsManagedIdentityInUse: Specifies whether Managed Identity is used to access blob storage

IsStorageSecondaryKeyInUse: Specifies whether storageAccountAccessKey value is the storage’s secondary key.

Name: Resource name.

QueueDelayMs: Specifies the amount of time in milliseconds that can elapse before audit actions are forced to be processed. The default minimum value is 1000 (1 second). The maximum is 2,147,483,647.

RetentionDays: Specifies the number of days to keep in the audit logs in the storage account.

State: Specifies the state of the audit. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled are required.

StorageAccountSubscriptionId: Specifies the blob storage subscription Id.

StorageEndpoint: Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled is required.

Type: Resource type.

Id: Resource ID.

Name: Resource name.

Properties: Resource properties.

Type: Resource type.

AuditActionsAndGroups: Specifies the Actions-Groups and Actions to audit. The recommended set of action groups to use is the following combination - this will audit all the queries and stored procedures executed against the database, as well as successful and failed logins: BATCH_COMPLETED_GROUP, SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP. This above combination is also the set that is configured by default when enabling auditing from the Azure portal. The supported action groups to audit are (note: choose only specific groups that cover your auditing needs. Using unnecessary groups could lead to very large quantities of audit records): APPLICATION_ROLE_CHANGE_PASSWORD_GROUP BACKUP_RESTORE_GROUP DATABASE_LOGOUT_GROUP DATABASE_OBJECT_CHANGE_GROUP DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP DATABASE_OBJECT_PERMISSION_CHANGE_GROUP DATABASE_OPERATION_GROUP DATABASE_PERMISSION_CHANGE_GROUP DATABASE_PRINCIPAL_CHANGE_GROUP DATABASE_PRINCIPAL_IMPERSONATION_GROUP DATABASE_ROLE_MEMBER_CHANGE_GROUP FAILED_DATABASE_AUTHENTICATION_GROUP SCHEMA_OBJECT_ACCESS_GROUP SCHEMA_OBJECT_CHANGE_GROUP SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP USER_CHANGE_PASSWORD_GROUP BATCH_STARTED_GROUP BATCH_COMPLETED_GROUP DBCC_GROUP DATABASE_OWNERSHIP_CHANGE_GROUP DATABASE_CHANGE_GROUP LEDGER_OPERATION_GROUP These are groups that cover all sql statements and stored procedures executed against the database, and should not be used in combination with other groups as this will result in duplicate audit logs. For more information, see Database-Level Audit Action Groups. For Database auditing policy, specific Actions can also be specified (note that Actions cannot be specified for Server auditing policy). The supported actions to audit are: SELECT UPDATE INSERT DELETE EXECUTE RECEIVE REFERENCES The general form for defining an action to be audited is: {action} ON {object} BY {principal} Note that

IsAzureMonitorTargetEnabled: Specifies whether audit events are sent to Azure Monitor. In order to send the events to Azure Monitor, specify ‘State’ as ‘Enabled’ and ‘IsAzureMonitorTargetEnabled’ as true. When using REST API to configure auditing, Diagnostic Settings with ‘SQLSecurityAuditEvents’ diagnostic logs category on the database should be also created. Note that for server level audit you should use the ‘master’ database as {databaseName}. Diagnostic Settings URI format: PUT https:/​/​management.azure.com/​subscriptions/​{subscriptionId}/​resourceGroups/​{resourceGroup}/​providers/​Microsoft.Sql/​servers/​{serverName}/​databases/​{databaseName}/​providers/​microsoft.insights/​diagnosticSettings/​{settingsName}?api-version=2017-05-01-preview For more information, see Diagnostic Settings REST API or Diagnostic Settings PowerShell

IsDevopsAuditEnabled: Specifies the state of devops audit. If state is Enabled, devops logs will be sent to Azure Monitor. In order to send the events to Azure Monitor, specify ‘State’ as ‘Enabled’, ‘IsAzureMonitorTargetEnabled’ as true and ‘IsDevopsAuditEnabled’ as true When using REST API to configure auditing, Diagnostic Settings with ‘DevOpsOperationsAudit’ diagnostic logs category on the master database should also be created. Diagnostic Settings URI format: PUT https:/​/​management.azure.com/​subscriptions/​{subscriptionId}/​resourceGroups/​{resourceGroup}/​providers/​Microsoft.Sql/​servers/​{serverName}/​databases/​master/​providers/​microsoft.insights/​diagnosticSettings/​{settingsName}?api-version=2017-05-01-preview For more information, see Diagnostic Settings REST API or Diagnostic Settings PowerShell

IsManagedIdentityInUse: Specifies whether Managed Identity is used to access blob storage

IsStorageSecondaryKeyInUse: Specifies whether storageAccountAccessKey value is the storage’s secondary key.

Owner: The owner of the resource. The owner controls where the resource goes when it is deployed. The owner also controls the resources lifecycle. When the owner is deleted the resource will also be deleted. Owner is expected to be a reference to a sql.azure.com/Server resource

QueueDelayMs: Specifies the amount of time in milliseconds that can elapse before audit actions are forced to be processed. The default minimum value is 1000 (1 second). The maximum is 2,147,483,647.

RetentionDays: Specifies the number of days to keep in the audit logs in the storage account.

State: Specifies the state of the audit. If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled are required.

StorageAccountAccessKey: Specifies the identifier key of the auditing storage account. If state is Enabled and storageEndpoint is specified, not specifying the storageAccountAccessKey will use SQL server system-assigned managed identity to access the storage. Prerequisites for using managed identity authentication: 1. Assign SQL Server a system-assigned managed identity in Azure Active Directory (AAD). 2. Grant SQL Server identity access to the storage account by adding ‘Storage Blob Data Contributor’ RBAC role to the server identity. For more information, see Auditing to storage using Managed Identity authentication

StorageAccountSubscriptionId: Specifies the blob storage subscription Id.

StorageEndpoint: Specifies the blob storage endpoint (e.g. https://MyAccount.blob.core.windows.net). If state is Enabled, storageEndpoint or isAzureMonitorTargetEnabled is required.

Properties: Resource properties.

AzureADOnlyAuthentication: Azure Active Directory only Authentication enabled.

Conditions: The observed state of the resource

Id: Resource ID.

Name: Resource name.

Type: Resource type.

Id: Resource ID.

Name: Resource name.

Properties: Resource properties.

Type: Resource type.

AzureADOnlyAuthentication: Azure Active Directory only Authentication enabled.

Owner: The owner of the resource. The owner controls where the resource goes when it is deployed. The owner also controls the resources lifecycle. When the owner is deleted the resource will also be deleted. Owner is expected to be a reference to a sql.azure.com/Server resource

Properties: Resource properties.