Merge pull request #36708 from VanMSFT/vanmsft/uuf-security-batch4

v-shils · web-flow · commit 3c5ca21669c1 · 2026-02-25T10:51:46.000-08:00
Address 5 UUF items: ledger digest, query store permissions, audit cross-refs, login failed applicability
diff --git a/docs/relational-databases/event-classes/audit-login-failed-event-class.md b/docs/relational-databases/event-classes/audit-login-failed-event-class.md
@@ -1,46 +1,51 @@
 ---
-title: "Audit Login Failed Event Class"
-description: "Audit Login Failed Event Class"
+title: "Audit Login Failed event class"
+description: "Audit Login Failed event class"
 author: WilliamDAssafMSFT
 ms.author: wiassaf
-ms.date: "03/14/2017"
+ms.date: 02/25/2026
 ms.service: sql
 ms.subservice: supportability
 ms.topic: reference
 helpviewer_keywords:
   - "Audit Login Failed event class"
-monikerRange: "=azuresqldb-current||>=sql-server-2016||>=sql-server-linux-2017||=azuresqldb-mi-current"
+monikerRange: ">=sql-server-2016||>=sql-server-linux-2017||=azuresqldb-mi-current"
 ---
-# Audit Login Failed Event Class
-[!INCLUDE [SQL Server Azure SQL Database Azure SQL Managed Instance](../../includes/applies-to-version/sql-asdb-asdbmi.md)]
-  The **Audit Login Failed** event class indicates that a user tried to log in to [!INCLUDE[msCoName](../../includes/msconame-md.md)] [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] and failed. Events in this class are fired by new connections or by connections that are reused from a connection pool.  
-  
-## Audit Login Failed Event Class Data Columns  
-  
-|Data column name|Data type|Description|Column ID|Filterable|  
-|----------------------|---------------|-----------------|---------------|----------------|  
-|**ApplicationName**|**nvarchar**|Name of the client application that created the connection to an instance of [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)]. This column is populated with the values passed by the application rather than the displayed name of the program.|10|Yes|  
-|**ClientProcessID**|**int**|ID assigned by the host computer to the process where the client application is running. This data column is populated if the client process ID is provided by the client.|9|Yes|  
-|**DatabaseID**|**int**|ID of the database specified by the USE *database* statement or the default database if no USE *database* statement has been issued for a given instance. [!INCLUDE[ssSqlProfiler](../../includes/sssqlprofiler-md.md)] displays the name of the database if the **ServerName** data column is captured in the trace and the server is available. Determine the value for a database by using the DB_ID function.|3|Yes|  
-|**DatabaseName**|**nvarchar**|Name of the database in which the user statement is running.|35|Yes|  
-|**Error**|**int**|Error number of a given event. Often this is the error number stored in the **sys.messages** catalog view.|31|Yes|  
-|**EventClass**|**int**|Type of event = 20.|27|No|  
-|**EventSequence**|**int**|The sequence of a given event within the request.|51|No|  
-|**HostName**|**nvarchar**|Name of the computer on which the client is running. This data column is populated if the host name is provided by the client. To determine the host name, use the HOST_NAME function.|8|Yes|  
-|**IsSystem**|**int**|Indicates whether the event occurred on a system process or a user process. 1 = system, 0 = user.|60|Yes|  
-|**LoginName**|**nvarchar**|Name of the login of the user (either [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] security login or the Windows login credentials in the form of DOMAIN\username).|11|Yes|  
-|**NTDomainName**|**nvarchar**|Windows domain to which the user belongs.|7|Yes|  
-|**NTUserName**|**nvarchar**|Windows user name.|6|Yes|  
-|**RequestID**|**int**|The ID of the request containing the statement.|49|Yes|  
-|**ServerName**|**nvarchar**|Name of the instance of [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] being traced.|26|No|  
-|**SessionLoginName**|**nvarchar**|Login name of the user who originated the session. For example, if you connect to [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] using Login1 and execute a statement as Login2, **SessionLoginName** shows Login1 and **LoginName** shows Login2. This column displays both [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] and Windows logins.|64|Yes|  
-|**SPID**|**int**|ID of the session on which the event occurred.|12|Yes|  
-|**StartTime**|**datetime**|Time at which the event started, if available.|14|Yes|  
-|**Success**|**int**|1 = success. 0 = failure. This event will always show failure.|23|Yes|  
-|**TextData**|**ntext**|Text value dependent on the event class captured in the trace.|1|Yes|  
-  
-## See Also  
- [Extended Events](../../relational-databases/extended-events/extended-events.md)   
- [sp_trace_setevent &#40;Transact-SQL&#41;](../../relational-databases/system-stored-procedures/sp-trace-setevent-transact-sql.md)  
-  
-  
+# Audit Login Failed event class
+
+[!INCLUDE [SQL Server Azure SQL Managed Instance](../../includes/applies-to-version/sql-asdbmi.md)]
+
+The **Audit Login Failed** event class indicates that a user tried to sign in to [!INCLUDE [msCoName](../../includes/msconame-md.md)] [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] and failed. Events in this class are fired by new connections or by connections that are reused from a connection pool.
+
+This event class is part of [SQL Trace](../sql-trace/sql-trace.md), which is deprecated. For Azure SQL Database, use [auditing for Azure SQL Database](/azure/azure-sql/database/auditing-overview) instead.
+
+## Audit Login Failed event class data columns
+
+|Data column name|Data type|Description|Column ID|Filterable|
+|---|---|---|---|---|
+|**ApplicationName**|**nvarchar**|Name of the client application that created the connection to an instance of [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)]. This column is populated with the values passed by the application instead of the displayed name of the program.|10|Yes|
+|**ClientProcessID**|**int**|ID assigned by the host computer to the process where the client application is running. This data column is populated if the client process ID is provided by the client.|9|Yes|
+|**DatabaseID**|**int**|ID of the database specified by the USE *database* statement or the default database if no USE *database* statement has been issued for a given instance. [!INCLUDE [ssSqlProfiler](../../includes/sssqlprofiler-md.md)] displays the name of the database if the **ServerName** data column is captured in the trace and the server is available. Determine the value for a database by using the DB_ID function.|3|Yes|
+|**DatabaseName**|**nvarchar**|Name of the database in which the user statement is running.|35|Yes|
+|**Error**|**int**|Error number of a given event. Often this is the error number stored in the **sys.messages** catalog view.|31|Yes|
+|**EventClass**|**int**|Type of event = 20.|27|No|
+|**EventSequence**|**int**|The sequence of a given event within the request.|51|No|
+|**HostName**|**nvarchar**|Name of the computer on which the client is running. This data column is populated if the host name is provided by the client. To determine the host name, use the HOST_NAME function.|8|Yes|
+|**IsSystem**|**int**|Indicates whether the event occurred on a system process or a user process. 1 = system, 0 = user.|60|Yes|
+|**LoginName**|**nvarchar**|Name of the login of the user (either [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] security login or the Windows login credentials in the form of DOMAIN\username).|11|Yes|
+|**NTDomainName**|**nvarchar**|Windows domain to which the user belongs.|7|Yes|
+|**NTUserName**|**nvarchar**|Windows user name.|6|Yes|
+|**RequestID**|**int**|The ID of the request containing the statement.|49|Yes|
+|**ServerName**|**nvarchar**|Name of the instance of [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] being traced.|26|No|
+|**SessionLoginName**|**nvarchar**|Login name of the user who originated the session. For example, if you connect to [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] using Login1 and execute a statement as Login2, **SessionLoginName** shows Login1 and **LoginName** shows Login2. This column displays both [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] and Windows logins.|64|Yes|
+|**SPID**|**int**|ID of the session on which the event occurred.|12|Yes|
+|**StartTime**|**datetime**|Time at which the event started, if available.|14|Yes|
+|**Success**|**int**|1 = success. 0 = failure. This event always shows failure.|23|Yes|
+|**TextData**|**ntext**|Text value dependent on the event class captured in the trace.|1|Yes|
+
+## Related content
+
+- [Extended Events overview](../extended-events/extended-events.md)
+- [sp_trace_setevent (Transact-SQL)](../system-stored-procedures/sp-trace-setevent-transact-sql.md)
+- [SQL Trace](../sql-trace/sql-trace.md)
+- [Auditing for Azure SQL Database and Azure Synapse Analytics](/azure/azure-sql/database/auditing-overview)
diff --git a/docs/relational-databases/security/auditing/sql-server-audit-database-engine.md b/docs/relational-databases/security/auditing/sql-server-audit-database-engine.md
@@ -4,7 +4,7 @@ description: Learn about server audits for the SQL Server Database Engine or an
 author: sravanisaluru
 ms.author: srsaluru
 ms.reviewer: vanto, randolphwest
-ms.date: 06/11/2025
+ms.date: 02/25/2026
 ms.service: sql
 ms.subservice: security
 ms.topic: concept-article
@@ -51,7 +51,7 @@ The server audit specification collects many server-level action groups raised b
 Server-level audit action groups are described in the article [SQL Server Audit action groups and actions](sql-server-audit-action-groups-and-actions.md).
 
 > [!NOTE]  
-> Due to performance constraints, we don't audit the `tempdb` and temporary tables. While the batch completed action group captures statements against temporary tables, it might not correctly populate the object names. However, the source table is always audited, ensuring that all inserts from the source table to temporary tables are recorded.
+> Due to performance constraints, `tempdb` and temporary tables aren't audited. While the batch completed action group captures statements against temporary tables, it might not correctly populate the object names. However, the source table is always audited, ensuring that all inserts from the source table to temporary tables are recorded.
 
 ### Database Audit Specification
 
@@ -80,7 +80,7 @@ When you're saving audit information to a file, to help prevent tampering, you c
 
 Even when the [!INCLUDE [ssDE](../../../includes/ssde-md.md)] is writing to a file, other Windows users can read the audit file if they have permission. The [!INCLUDE [ssDE](../../../includes/ssde-md.md)] doesn't take an exclusive lock that prevents read operations.
 
-Because the [!INCLUDE [ssDE](../../../includes/ssde-md.md)] can access the file, [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] logins that have `CONTROL SERVER` permission can use the [!INCLUDE [ssDE](../../../includes/ssde-md.md)] to access the audit files. To record any user that is reading the audit file, define an audit on `master.sys.fn_get_audit_file`. This records the logins with `CONTROL SERVER` permission that have accessed the audit file through [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)].
+Because the [!INCLUDE [ssDE](../../../includes/ssde-md.md)] can access the file, [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)] logins that have `CONTROL SERVER` permission can use the [!INCLUDE [ssDE](../../../includes/ssde-md.md)] to access the audit files. In [!INCLUDE [sssql22-md](../../../includes/sssql22-md.md)] and later versions, the `VIEW SERVER SECURITY AUDIT` permission is sufficient to read audit files using `fn_get_audit_file`. To record any user that is reading the audit file, define an audit on `master.sys.fn_get_audit_file`. This records the logins with `CONTROL SERVER` permission that have accessed the audit file through [!INCLUDE [ssNoVersion](../../../includes/ssnoversion-md.md)]. For more information about `fn_get_audit_file` permissions, see [sys.fn_get_audit_file](../../system-functions/sys-fn-get-audit-file-transact-sql.md).
 
 If an Audit Administrator copies the file to a different location (for archive purposes, and so on), the access control lists (ACLs) on the new location should be reduced to the following permissions:
 
@@ -193,6 +193,8 @@ To create, alter, or drop a Server Audit or Server Audit Specification, server p
 
 The `VIEW ANY DEFINITION` permission provides access to view the server level audit views and `VIEW DEFINITION` provides access to view the database level audit views. Denial of these permissions overrides the ability to view the catalog views, even if the principal has the `ALTER ANY SERVER AUDIT` or `ALTER ANY DATABASE AUDIT` permissions.
 
+To read audit data using `fn_get_audit_file`, [!INCLUDE [sssql19-md](../../../includes/sssql19-md.md)] and earlier versions require `CONTROL SERVER` permission on the server, while [!INCLUDE [sssql22-md](../../../includes/sssql22-md.md)] and later versions require `VIEW SERVER SECURITY AUDIT` permission. For more information, see [sys.fn_get_audit_file](../../system-functions/sys-fn-get-audit-file-transact-sql.md).
+
 For more information about how to grant rights and permissions, see [GRANT](../../../t-sql/statements/grant-transact-sql.md).
 
 > [!CAUTION]  
diff --git a/docs/relational-databases/security/ledger/ledger-limits.md b/docs/relational-databases/security/ledger/ledger-limits.md
@@ -4,7 +4,7 @@ description: Limitations and considerations for the ledger feature
 author: VanMSFT
 ms.author: vanto
 ms.reviewer: mathoma
-ms.date: 11/28/2023
+ms.date: 02/25/2026
 ms.service: sql
 ms.subservice: security
 ms.custom:
@@ -25,9 +25,9 @@ There are some considerations and limitations to be aware of when working with l
 Consider the following when working with ledger.
 
 - A [ledger database](ledger-database-ledger.md), a database with the ledger property set to on, can't be converted to a regular database, with the ledger property set to off.
-- Automatic generation and storage of database digests is currently available in Azure SQL Database, but not supported on SQL Server.
+- Automatic generation and storage of database digests is available in Azure SQL Database and SQL Server 2022. In SQL Server, you can configure automatic digest storage using `ALTER DATABASE SCOPED CONFIGURATION`. For more information, see [Enable automatic digest storage](ledger-how-to-enable-automatic-digest-storage.md).
 - Automated digest management with ledger tables by using [Azure Storage immutable blobs](/azure/storage/blobs/immutable-storage-overview) doesn't offer the ability for users to use [locally redundant storage (LRS)](/azure/storage/common/storage-redundancy#locally-redundant-storage) accounts.
-- When a ledger database is created, all new tables created by default (without specifying the `APPEND_ONLY = ON` clause) in the database will be [updatable ledger tables](ledger-updatable-ledger-tables.md). To create [append-only ledger tables](ledger-append-only-ledger-tables.md), use the `APPEND_ONLY = ON` clause in the [CREATE TABLE (Transact-SQL)](../../../t-sql/statements/create-table-transact-sql.md) statements.
+- When a ledger database is created, all new tables created by default (without specifying the `APPEND_ONLY = ON` clause) in the database are [updatable ledger tables](ledger-updatable-ledger-tables.md). To create [append-only ledger tables](ledger-append-only-ledger-tables.md), use the `APPEND_ONLY = ON` clause in the [CREATE TABLE (Transact-SQL)](../../../t-sql/statements/create-table-transact-sql.md) statements.
 - A transaction can update up to 200 ledger tables.
 
 ## Ledger table considerations and limitations
@@ -42,7 +42,7 @@ Consider the following when working with ledger.
 - SWITCH IN/OUT partition isn't supported.
 - DBCC CLONEDATABASE isn't supported.
 - Ledger tables can't have full-text indexes.
-- Ledger tables can't be graph table.
+- Ledger tables can't be a graph table.
 - Ledger tables can't be FileTables.
 - Ledger tables can't have a rowstore non-clustered index when they have a clustered columnstore index.
 - Change tracking isn't allowed on the history table but is allowed on ledger tables.
@@ -64,7 +64,7 @@ Consider the following when working with ledger.
 
 ### Temporal table limitations
 
-Updatable ledger tables are based on the technology of [temporal tables](../../tables/temporal-tables.md) and inherit most of the [limitations](../../tables/temporal-table-considerations-and-limitations.md) but not all of them. Below is a list of limitations that is inherited from temporal tables.
+Updatable ledger tables are based on the technology of [temporal tables](../../tables/temporal-tables.md) and inherit most of the [limitations](../../tables/temporal-table-considerations-and-limitations.md) but not all of them. The following list describes limitations inherited from temporal tables.
 
 - If the name of a history table is specified during history table creation, you must specify the schema and table name and also the name of the ledger view.
 - By default, the history table is PAGE compressed.
@@ -75,7 +75,7 @@ Updatable ledger tables are based on the technology of [temporal tables](../../t
 - The history table must be created in the same database as the current table. Temporal querying over Linked Server isn't supported.
 - The history table can't have constraints (Primary Key, Foreign Key, table, or column constraints).
 - Online option (`WITH (ONLINE = ON`) has no effect on `ALTER TABLE ALTER COLUMN` in case of system-versioned temporal table. `ALTER COLUMN` isn't performed as online regardless of which value was specified for the `ONLINE` option.
-- `INSERT` and `UPDATE` statements can't reference the [GENERATED ALWAYS](../../../t-sql/statements/create-table-transact-sql.md#generate-always-columns) columns. Attempts to insert values directly into these columns will be blocked.
+- `INSERT` and `UPDATE` statements can't reference the [GENERATED ALWAYS](../../../t-sql/statements/create-table-transact-sql.md#generate-always-columns) columns. Attempts to insert values directly into these columns are blocked.
 - `UPDATETEXT` and `WRITETEXT` aren't supported.
 - Triggers on the history table aren't allowed.
 - Usage of replication technologies is limited:
@@ -97,7 +97,7 @@ Updatable ledger tables are based on the technology of [temporal tables](../../t
 
 ### Adding columns
 
-Adding nullable columns is supported. Adding non-nullable columns is not supported. Ledger is designed to ignore NULL values when computing the hash of a row version. Based on that, when a nullable column is added, ledger will modify the schema of the ledger and history tables to include the new column, however, this doesn't impact the hashes of existing rows. Adding columns in ledger tables is captured in [sys.ledger_column_history](../../system-catalog-views/sys-ledger-column-history-transact-sql.md).
+Adding nullable columns is supported. Adding non-nullable columns isn't supported. Ledger is designed to ignore NULL values when computing the hash of a row version. Based on that, when a nullable column is added, ledger modifies the schema of the ledger and history tables to include the new column, however, this doesn't impact the hashes of existing rows. Adding columns in ledger tables is captured in [sys.ledger_column_history](../../system-catalog-views/sys-ledger-column-history-transact-sql.md).
 
 ### Dropping columns and tables
 
@@ -110,7 +110,7 @@ Normally, dropping a column or table completely erases the underlying data from
 > [!NOTE]  
 > The name of dropped ledger tables, history tables and ledger views might be truncated if the length of the renamed table or view exceeds 128 characters. 
 
-### Altering Columns
+### Altering columns
 
 Any changes that don't impact the underlying data of a ledger table are supported without any special handling as they don't impact the hashes being captured in the ledger. These changes include:
 
diff --git a/docs/relational-databases/system-catalog-views/sys-database-query-store-options-transact-sql.md b/docs/relational-databases/system-catalog-views/sys-database-query-store-options-transact-sql.md
@@ -4,7 +4,7 @@ description: sys.database_query_store_options returns the Query Store options fo
 author: rwestMSFT
 ms.author: randolphwest
 ms.reviewer: wiassaf, randolphwest
-ms.date: 05/23/2024
+ms.date: 02/25/2026
 ms.service: sql
 ms.subservice: system-objects
 ms.topic: "reference"
@@ -55,7 +55,9 @@ Returns the Query Store options for this database.
 
 ## Permissions
 
-Requires the `VIEW DATABASE STATE` permission.
+Requires the `VIEW DATABASE PERFORMANCE STATE` permission, or a greater permission such as `VIEW DATABASE STATE`.
+
+In [!INCLUDE [sssql16-md](../../includes/sssql16-md.md)] through [!INCLUDE [sssql19-md](../../includes/sssql19-md.md)], requires the `VIEW DATABASE STATE` permission. In [!INCLUDE [sssql22-md](../../includes/sssql22-md.md)] and later versions, requires the `VIEW DATABASE PERFORMANCE STATE` permission on the database, or a greater permission such as `VIEW DATABASE STATE`.
 
 ## Remarks
 
