Description
The built-in Azure Policy "Configure Microsoft Defender for SQL to be enabled on Synapse workspaces" uses the built-in Azure RBAC role SQL Security Manager for its deployIfNotExists effect. That role does not appear to have the permissions required to remediate Synapse resources and make the necessary changes.
Details of the scenario you tried and the problem that is occurring
Use the built-in Azure Policy "Configure Microsoft Defender for SQL to be enabled on Synapse workspaces"
(https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/TdOnSynapseWorkspaces_Deploy.json)
to ensure that Microsoft Defender for SQL is enabled on Synapse workspaces. When the Azure Policy tries to remediate Synapse workspaces, an error occurs stating that the managed identity used by the policy does not have the permission required to perform the action 'Microsoft.Synapse/workspaces/securityAlertPolicies/write'. Indeed, the built-in RBAC role used by the policy, SQL Security Manager
(https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#sql-security-manager), does not have write permissions on Synapse workspaces.
Verbose logs showing the problem
Error from the deployIfNotExists policy action:
"The template deployment failed with error: 'Authorization failed for template resource 'resourcename/Default' of type 'Microsoft.Synapse/workspaces/securityAlertPolicies'. The client 'identityname' with object id 'identityid' does not have permission to perform action 'Microsoft.Synapse/workspaces/securityAlertPolicies/write' at scope '/subscriptions/subscriptionid/resourceGroups/resourcegroupname/providers/Microsoft.Synapse/workspaces/resourcename/securityAlertPolicies/Default'.'."
Suggested solution to the issue
Change the Azure RBAC role defined in the Azure Policy to one that has the permissions necessary to perform the actions required by the deployIfNotExists effect.
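As an added check for the gap described above and for the proposed fix (example code, not part of this issue or of the azure-policy repository), the script below derives the write actions a deployIfNotExists remediation template needs from the policy definition's template resources and tests them against each assigned role's Actions/NotActions using Azure RBAC wildcard matching. The policy excerpt, the role definition ids and the role action lists are constructed placeholders, not copies of the real definitions.

```python
import fnmatch

# Constructed, abbreviated policy definition in the shape of TdOnSynapseWorkspaces_Deploy.json.
# Role ids are placeholders, not the real role definition GUIDs.
SQL_SEC_MGR = "/providers/Microsoft.Authorization/roleDefinitions/<sql-security-manager-id>"
CONTRIBUTOR = "/providers/Microsoft.Authorization/roleDefinitions/<contributor-id>"

POLICY = {"policyRule": {"then": {"effect": "deployIfNotExists", "details": {
    "type": "Microsoft.Synapse/workspaces/securityAlertPolicies",
    "roleDefinitionIds": [SQL_SEC_MGR],
    "deployment": {"properties": {"template": {"resources": [
        {"type": "Microsoft.Synapse/workspaces/securityAlertPolicies",
         "name": "[concat(parameters('workspaceName'), '/Default')]"},
    ]}}},
}}}}

# Constructed role definitions (assumption: illustrative action lists, not the real roles).
# SQL Security Manager is modelled as covering Microsoft.Sql but not Synapse writes.
ROLES = {
    SQL_SEC_MGR: {"roleName": "SQL Security Manager",
                  "actions": ["Microsoft.Sql/servers/securityAlertPolicies/*",
                              "Microsoft.Synapse/workspaces/read"],
                  "notActions": []},
    CONTRIBUTOR: {"roleName": "Contributor", "actions": ["*"],
                  "notActions": ["Microsoft.Authorization/*/Write",
                                 "Microsoft.Authorization/*/Delete"]},
}

def action_allowed(action, role):
    """Azure RBAC rule: allowed if some Actions pattern matches and no NotActions pattern does.
    Patterns use '*' as a wildcard (it also spans '/') and are compared case-insensitively."""
    def matches(patterns):
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return matches(role["actions"]) and not matches(role["notActions"])

def required_write_actions(policy):
    """Each resource the remediation template deploys needs '<resourceType>/write'."""
    details = policy["policyRule"]["then"]["details"]
    resources = details["deployment"]["properties"]["template"]["resources"]
    return sorted({r["type"] + "/write" for r in resources})

def missing_permissions(policy, roles, role_ids=None):
    """Write actions that none of the policy's roleDefinitionIds (or role_ids, if given) grants."""
    details = policy["policyRule"]["then"]["details"]
    granted = [roles[rid] for rid in (role_ids or details["roleDefinitionIds"])]
    return [a for a in required_write_actions(policy)
            if not any(action_allowed(a, role) for role in granted)]
```

Running `missing_permissions(POLICY, ROLES)` reproduces the reported gap, while passing `[CONTRIBUTOR]` as `role_ids` shows how a role that grants the Synapse write action clears it; the same check can be pointed at real role definitions fetched from Azure.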
If policy is Guest Configuration - details about target node
Not Guest Configuration related.