Add SQL Server 2022+ on Azure VM to Entra guest users article (#36592)

* docs: Add SQL Server 2022+ on Azure VM to Entra guest users article

* Document guest user creation and admin setup in SQL Server

Added steps for creating a guest user in SQL Server and setting them as a server admin.

* docs: Restructure SQL Server guest user section and fix style issues

* docs: Refactor guest user sections to tabbed layout

* docs: Fix broken bookmark to guest user heading

---------

Co-authored-by: Pratim Dasgupta <111895613+PratimDasgupta@users.noreply.github.com>

Author: VanMSFT

azure-sql/database/authentication-aad-guest-users.md

@@ -5,7 +5,7 @@ description: How to create Microsoft Entra guest users and set them as Microsoft
 author: VanMSFT
 ms.author: vanto
 ms.reviewer: wiassaf, vanto, mathoma, randolphwest
-ms.date: 06/10/2025
+ms.date: 02/23/2026
 ms.service: azure-sql
 ms.subservice: security
 ms.topic: how-to
@@ -15,7 +15,10 @@ monikerRange: "=azuresql || =azuresql-db || =azuresql-mi"
 ---
 # Create Microsoft Entra guest users and set them as a Microsoft Entra admin
 
-[!INCLUDE [appliesto-sqldb-sqlmi](../includes/appliesto-sqldb-sqlmi.md)]
+[!INCLUDE [appliesto-sqldb-sqlmi-sqlvm](../includes/appliesto-sqldb-sqlmi-sqlvm.md)]
+
+> [!NOTE]
+> This feature applies to SQL Server 2022 and later on Azure Virtual Machines and Arc enabled SQL Server.
 
 [Guest users](/entra/external-id/user-properties) with Microsoft Entra B2B collaboration are users that have accounts in an external Microsoft Entra organization or an external identity provider (for example, Outlook, Windows Live Mail, or Gmail), which isn't managed within your Microsoft Entra tenant. Guest user accounts are created when those individuals are invited to collaborate within your tenant, while still performing authentication against their identity provider.
 
@@ -35,7 +38,7 @@ Azure SQL Database, SQL Managed Instance, and Azure Synapse Analytics support cr
 
 Follow these steps to create a database user using a Microsoft Entra guest user. In this section, replace `<guest_user>` with a valid email address, for example `guest_user@example.com`.
 
-### Create guest user in SQL Database and Azure Synapse
+### [SQL Database and Azure Synapse](#tab/sql-database)
 
 1. Ensure that the guest user is already added into your Microsoft Entra ID and a Microsoft Entra admin has been set for the database server. Having a Microsoft Entra admin is required for Microsoft Entra authentication.
 
@@ -55,10 +58,10 @@ Follow these steps to create a database user using a Microsoft Entra guest user.
 
 1. Disconnect and sign into the database as the guest user using [SQL Server Management Studio (SSMS)](/ssms/sql-server-management-studio-ssms) using the authentication method **Azure Active Directory - Universal with MFA**. For more information, see [Using Microsoft Entra multifactor authentication](authentication-mfa-ssms-overview.md).
 
-### Create guest user in SQL Managed Instance
+### [SQL Managed Instance](#tab/sql-managed-instance)
 
 > [!NOTE]  
-> SQL Managed Instance supports logins for Microsoft Entra users, as well as Microsoft Entra ID contained database users. The following steps show how to create a login and user for a Microsoft Entra guest user in SQL Managed Instance. You can also choose to create a [contained database user](/sql/relational-databases/security/contained-database-users-making-your-database-portable) in SQL Managed Instance by using the method in the [Create guest user in SQL Database and Azure Synapse](#create-guest-user-in-sql-database-and-azure-synapse) section.
+> SQL Managed Instance supports logins for Microsoft Entra users, as well as Microsoft Entra ID contained database users. The following steps show how to create a login and user for a Microsoft Entra guest user in SQL Managed Instance. You can also choose to create a [contained database user](/sql/relational-databases/security/contained-database-users-making-your-database-portable) in SQL Managed Instance by using the method in the **SQL Database and Azure Synapse** tab.
 
 1. Ensure that the guest user is already added into your Microsoft Entra tenant and a Microsoft Entra admin has been set for the SQL Managed Instance. Having a Microsoft Entra admin is required for Microsoft Entra authentication.
 
@@ -86,6 +89,69 @@ Follow these steps to create a database user using a Microsoft Entra guest user.
 
 1. Disconnect and sign into the database as the guest user using [SQL Server Management Studio (SSMS)](/ssms/sql-server-management-studio-ssms) using the authentication method **Azure Active Directory - Universal with MFA**. For more information, see [Using Microsoft Entra multifactor authentication](authentication-mfa-ssms-overview.md).
 
+### [SQL Server](#tab/sql-server)
+
+> [!NOTE]
+> Use this section after Microsoft Entra authentication is enabled for your SQL Server on Azure VMs or Arc-enabled SQL Server.
+
+1. Verify that Microsoft Entra authentication is enabled for the SQL Server.
+
+1. Make sure the guest user is already added to your Microsoft Entra tenant.
+
+1. Verify that the managed identity selected for enabling Microsoft Entra authentication has either the **Directory Readers** role or these Microsoft Graph app roles: **User.Read.All**, **GroupMember.Read.All**, and **Application.Read.All**.
+
+1. Connect to the SQL Server instance as a Microsoft Entra admin (sysadmin).
+
+1. Create the guest user using one of the following options:
+
+**Option A: Create a login first (server principal), then create a database user from that login**
+
+```sql
+-- Run in master
+CREATE LOGIN [<guest_user>] FROM EXTERNAL PROVIDER;
+GO
+```
+
+```sql
+-- Run in the target user database
+CREATE USER [<guest_user>] FROM LOGIN [<guest_user>];
+GO
+```
+
+**Option B: Create a contained database user (no server login)**
+
+```sql
+-- Run in the target user database
+CREATE USER [<guest_user>] FROM EXTERNAL PROVIDER;
+GO
+```
+
+#### Set a guest user as a server admin
+
+In this section, replace `<guest_user>` with a valid email address, for example `guest_user@example.com`.
+
+```sql
+USE [master];
+GO
+```
+
+```sql
+-- Create the Microsoft Entra login for the guest user
+CREATE LOGIN [<guest_user>] FROM EXTERNAL PROVIDER;
+GO
+```
+
+```sql
+-- Grant full server admin rights
+ALTER SERVER ROLE [sysadmin] ADD MEMBER [<guest_user>];
+GO
+```
+
+> [!NOTE]
+> If you want guest users to be able to create other Microsoft Entra logins or users, they must have permissions to read other identities in the Microsoft Entra directory. This permission is configured at the directory-level. For more information, see [guest access permissions in Microsoft Entra ID](/entra/identity/users/users-restrict-guest-permissions).
+
+---
+
 ## Set a guest user as a Microsoft Entra admin
 
 Set the Microsoft Entra admin using either the Azure portal, Azure PowerShell, or the Azure CLI. In this section, replace `<guest_user>` with a valid email address, for example `guest_user@example.com`.
@@ -149,3 +215,5 @@ You can also use the Azure CLI command [az sql mi ad-admin](/cli/azure/sql/mi/ad
 - [Configure and manage Microsoft Entra authentication with Azure SQL](authentication-aad-configure.md)
 - [Using Microsoft Entra multifactor authentication](authentication-mfa-ssms-overview.md)
 - [CREATE USER (Transact-SQL)](/sql/t-sql/statements/create-user-transact-sql)
+- [Microsoft Entra authentication for Arc-enabled SQL Server](/sql/sql-server/azure-arc/microsoft-entra-authentication-with-managed-identity)
+- [Configure Microsoft Entra authentication for SQL Server on Azure VMs](/azure/azure-sql/virtual-machines/windows/configure-azure-ad-authentication-for-sql-vm)

azure-sql/database/authentication-aad-overview.md

@@ -206,7 +206,7 @@ To get started, review [Configure Microsoft Entra multifactor authentication](au
 
 ## Microsoft Entra B2B support
 
-Microsoft Entra authentication in all SQL products also supports [Microsoft Entra B2B collaboration](/entra/external-id/what-is-b2b), which enables businesses to invite guest users to collaborate with their organization. Guest users can connect to databases either as individual users or members of a Microsoft Entra group. For more information, see [Create guest user](authentication-aad-guest-users.md#create-guest-user-in-sql-database-and-azure-synapse).
+Microsoft Entra authentication in all SQL products also supports [Microsoft Entra B2B collaboration](/entra/external-id/what-is-b2b), which enables businesses to invite guest users to collaborate with their organization. Guest users can connect to databases either as individual users or members of a Microsoft Entra group. For more information, see [Create database user for Microsoft Entra guest user](authentication-aad-guest-users.md#create-database-user-for-microsoft-entra-guest-user).
 
 ## Trust architecture for Microsoft Entra federation to Active Directory