Add Block T-SQL CRUD for managed instances to what's new (#36947)

Co-authored-by: Bogdan Gavrilovic <bgavrilovic@microsoft.com>

Author: MashaMSFT

azure-sql/database/block-crud-tsql.md

@@ -1,111 +1,251 @@
 ---
-title: Block T-SQL Commands To Create Or Modify Azure SQL Resources
+title: "Block T-SQL Commands to Create or Modify Azure SQL Resources"
+titleSuffix: Azure SQL Database & Azure SQL Managed Instance
 description: This article details features allowing Azure administrators to block T-SQL commands to create or modify Azure SQL Database and Azure SQL Managed Instance resources.
 author: WilliamDAssafMSFT
 ms.author: wiassaf
-ms.reviewer: wiassaf, mathoma
-ms.date: 03/10/2026
+ms.reviewer: mathoma
+ms.date: 03/27/2026
 ms.service: azure-sql
 ms.subservice: security
 ms.topic: how-to
-ROBOTS: NOINDEX
-monikerRange: "=azuresql || =azuresql-db "
-ms.custom: sfi-image-nochange
+ms.custom:
+  - sfi-image-nochange
+monikerRange: "=azuresql || =azuresql-db || = azuresql-mi"
 ---
 
-# What is Block T-SQL CRUD?
+# How to block T-SQL CRUD
 
-[!INCLUDE[appliesto-sqldb-sqlmi](../includes/appliesto-sqldb-sqlmi.md)]
+[!INCLUDE [appliesto-sqldb-sqlmi](../includes/appliesto-sqldb-sqlmi.md)]
 
-The Block T-SQL CRUD features allow Azure administrators to block the creation or modification of Azure SQL resources through T-SQL. Two separate subscription-level preview feature flags are available:
+This article teaches you how to use the block T-SQL CRUD feature for Azure SQL resources. By using this feature, Azure administrators can block the creation or modification of Azure SQL resources through T-SQL.
 
-| Preview feature flag | Scope |
-| --- | --- |
-| **Block T-SQL CRUD for logical servers** (`block-tsql-crud`) | Azure SQL Database (logical server) |
-| **Block T-SQL CRUD for managed instances** (`block-tsql-mi-crud`) | Azure SQL Managed Instance |
-
-Each flag is registered independently per subscription. You can enable one or both depending on which Azure SQL services you need to govern.
+You can block T-SQL CRUD operations at the subscription level for the following resources:
+- The [logical server](logical-servers.md) in Azure
+- [Azure SQL Managed Instance](../managed-instance/sql-managed-instance-paas-overview.md)
 
 ## Overview
 
-To block creation or modification of resources through T-SQL and enforce resource management through an Azure Resource Manager template (ARM template) for a given subscription, the subscription-level preview features in the Azure portal can be used. This is particularly useful when you are using [Azure Policies](/azure/governance/policy/overview) to enforce organizational standards through ARM templates. Since T-SQL does not adhere to Azure Policies, a block on T-SQL create or modify operations can be applied.
-
-T-SQL CRUD operations can be blocked via the Azure portal, [PowerShell](/powershell/module/az.resources/register-azproviderfeature), or [Azure CLI](/cli/azure/feature#az-feature-register).
-
-## Blocked statements for Azure SQL Database
-
-When the **Block T-SQL CRUD for logical servers** (`block-tsql-crud`) preview feature is registered, the following T-SQL statements are blocked for Azure SQL Database resources:
-
-1. `CREATE DATABASE`
-1. `DROP DATABASE`
-1. `CREATE DATABASE ... AS COPY OF`
-1. `ALTER DATABASE` (edition, service objective, max size, etc.)
-1. `ALTER DATABASE ... ADD SECONDARY ON SERVER`
-1. `ALTER DATABASE ... REMOVE SECONDARY ON SERVER`
-1. `ALTER DATABASE ... FAILOVER`
-
-## Blocked statements for Azure SQL Managed Instance
-
-When the **Block T-SQL CRUD for managed instances** (`block-tsql-mi-crud`) preview feature is registered, the following T-SQL statements are blocked for Azure SQL Managed Instance resources:
-
-1. `CREATE DATABASE`
-1. `DROP DATABASE`
-1. Cancel in-progress `CREATE DATABASE`
-1. `RESTORE DATABASE ... FROM URL`
-1. `ALTER DATABASE ... ADD FILE`
-1. `ALTER DATABASE ... MODIFY FILE`
-1. `ALTER DATABASE ... REMOVE FILE` (on geo-replicated file)
-1. `ALTER DATABASE tempdb ADD FILE`
-1. `ALTER DATABASE tempdb MODIFY FILE`
-1. `ALTER DATABASE tempdb REMOVE FILE`
-1. `ALTER DATABASE ... SET` (compatibility level, collation, etc.)
-1. `ALTER DATABASE ... SET ENCRYPTION ON/OFF`
-1. `ALTER AVAILABILITY GROUP ... FAILOVER` (MI Link / Failover Group)
-1. Failover stored procedure configuration
-1. `DBCC TRACEON` / `DBCC TRACEOFF` (global trace flags)
-1. `sp_configure` (SQL Agent enable/disable)
-1. `sp_configure` / MSDTC transition to primary
-1. MSDTC network settings (XA, LU, inbound/outbound)
-1. Vulnerability Assessment scan trigger via T-SQL
+To block creation or modification of resources through T-SQL and enforce resource management through an Azure Resource Manager template (ARM template) for a given subscription, use the subscription-level preview features in the Azure portal. This approach is particularly useful when you're using [Azure Policies](/azure/governance/policy/overview) to enforce organizational standards through ARM templates. Since T-SQL doesn't adhere to Azure Policies, you can block T-SQL create or modify operations.
+
+You can block T-SQL CRUD operations through the Azure portal, [PowerShell](/powershell/module/az.resources/register-azproviderfeature), or [Azure CLI](/cli/azure/feature#az-feature-register).
+
+## Blocked statements
+
+Blocked statements differ between the logical server and SQL managed instance.
+
+### [Logical server](#tab/sqldb)
+
+When you register the **Block T-SQL CRUD for logical servers** (`block-tsql-crud`) feature, the feature blocks the following T-SQL statements for resources associated with the logical server:
+
+- `CREATE DATABASE`
+- `DROP DATABASE`
+- `CREATE DATABASE ... AS COPY OF`
+- `ALTER DATABASE` (edition, service objective, max size, and other settings)
+- `ALTER DATABASE ... ADD SECONDARY ON SERVER`
+- `ALTER DATABASE ... REMOVE SECONDARY ON SERVER`
+- `ALTER DATABASE ... FAILOVER`
+
+### [SQL managed instance](#tab/sqlmi)
+
+When you register the **Block T-SQL CRUD for managed instances** (`block-tsql-mi-crud`) feature, the feature blocks the following T-SQL statements for Azure SQL Managed Instance resources:
+
+- `CREATE DATABASE`
+- `DROP DATABASE`
+- Cancel in-progress `CREATE DATABASE`
+- `RESTORE DATABASE ... FROM URL`
+- `ALTER DATABASE ... ADD FILE`
+- `ALTER DATABASE ... MODIFY FILE`
+- `ALTER DATABASE ... REMOVE FILE` (on geo-replicated file)
+- `ALTER DATABASE tempdb ADD FILE`
+- `ALTER DATABASE tempdb MODIFY FILE`
+- `ALTER DATABASE tempdb REMOVE FILE`
+- `ALTER DATABASE ... SET` (compatibility level, collation, and other settings)
+- `ALTER DATABASE ... SET ENCRYPTION ON/OFF`
+- `ALTER AVAILABILITY GROUP ... FAILOVER` (MI Link / Failover Group)
+- Failover stored procedure configuration
+- `DBCC TRACEON` / `DBCC TRACEOFF` (global trace flags)
+- `sp_configure` (SQL Agent enable/disable)
+- `sp_configure` / MSDTC transition to primary
+- MSDTC network settings (XA, LU, inbound/outbound)
+- Vulnerability Assessment scan trigger via T-SQL
+
+---
 
 ## Permissions
 
-In order to register or remove either feature, the Azure user must be a member of the Owner or Contributor role of the subscription.
+To register or remove either feature, you must be a member of the **Owner** or **Contributor** role for the subscription.
+
+<a id="register-a-block-t-sq;-crud-feature"></a>
+
+## Enable blocking T-SQL CRUD features
+
+You can enable the feature for the associated Azure SQL resource by using the Azure portal, PowerShell, or the Azure CLI.
+
+The following table lists the name of the feature for the associated Azure SQL resource:
+
+| Feature name | Scope |
+| --- | --- |
+| **Block T-SQL CRUD for logical servers** (`block-tsql-crud`) | The [logical server in Azure](logical-servers.md) |
+| **Block T-SQL CRUD for SQL managed instances** (`block-tsql-mi-crud`) | Azure SQL Managed Instance |
+
+Each feature is registered independently per subscription. You can enable one or both features depending on which Azure SQL services you need to govern.
+
+> [!NOTE]
+> Although you can enable and disable T-SQL CRUD blocking by using the **Preview feature** functionality in the Azure portal, the block T-SQL CRUD feature is generally available for both Azure SQL Database and Azure SQL Managed Instance.
+
+### [Azure portal](#tab/azure-portal)
+
+To enable the feature for your subscription in the Azure portal, follow these steps:
+
+1. Go to your [subscription](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV2) in the Azure portal.
+1. Under **Settings**, select **Preview Features** to open the **Preview features** pane.
+1. On the **Preview features** pane,
+   1. Enter `CRUD` in the search box.
+   1. Select the checkbox for the features you want to register for the associated resource. The two features related to blocking T-SQL CRUD operations for Azure SQL resources are:
+      - **Block T-SQL CRUD for logical servers** — for Azure SQL Database
+      - **Block T-SQL CRUD for managed instances** — for Azure SQL Managed Instance
+   1. Select **Register** on the command bar to register the feature to your subscription.
+
+   :::image type="content" source="media/block-crud-tsql/block-tsql-crud-register.png" alt-text="Screenshot from the Azure portal of With Block T-SQL CRUD checked, select Register.":::
+
+### [PowerShell](#tab/powershell)
+
+Use [Register-AzProviderFeature](/powershell/module/az.resources/register-azproviderfeature) to register the feature for your subscription.
+
+The following example registers the block T-SQL CRUD feature for logical servers:
+
+```powershell
+Register-AzProviderFeature -FeatureName "block-tsql-crud" -ProviderNamespace "Microsoft.Sql"
+```
+
+The following example registers the block T-SQL CRUD feature for SQL managed instances:
+
+```powershell
+Register-AzProviderFeature -FeatureName "block-tsql-mi-crud" -ProviderNamespace "Microsoft.Sql"
+```
+
+To check the registration status, use [Get-AzProviderFeature](/powershell/module/az.resources/get-azproviderfeature):
+
+```powershell
+Get-AzProviderFeature -FeatureName "block-tsql-crud" -ProviderNamespace "Microsoft.Sql"
+```
+
+### [Azure CLI](#tab/azure-cli)
 
-## Examples
+Use [az feature register](/cli/azure/feature#az-feature-register) to register the feature for your subscription.
 
-The following section describes how you can register or unregister a preview feature with the Microsoft.Sql resource provider in the Azure portal.
+The following example registers the block T-SQL CRUD feature for logical servers:
 
-### Register a Block T-SQL CRUD feature
+```azurecli
+az feature register --name block-tsql-crud --namespace Microsoft.Sql
+```
 
-1. Go to your subscription in the Azure portal.
-1. Select the **Preview Features** tab.
-1. Select the feature flag you want to enable:
-   - **Block T-SQL CRUD for logical servers** — for Azure SQL Database
-   - **Block T-SQL CRUD for managed instances** — for Azure SQL Managed Instance
-1. In the window that opens, select **Register** to register this block with the Microsoft.Sql resource provider.
+The following example registers the block T-SQL CRUD feature for SQL managed instances:
 
-:::image type="content" source="media/block-crud-tsql/block-tsql-crud-register.png" alt-text="With 'Block T-SQL CRUD' checked, select Register." lightbox="media/block-crud-tsql/block-tsql-crud-register.png":::
+```azurecli
+az feature register --name block-tsql-mi-crud --namespace Microsoft.Sql
+```
 
-### Re-register Microsoft.Sql resource provider
+To check the registration status, use [az feature show](/cli/azure/feature#az-feature-show):
 
-After you register either block feature with the Microsoft.Sql resource provider, you must re-register the Microsoft.Sql resource provider for the changes to take effect. To re-register the Microsoft.Sql resource provider:
+```azurecli
+az feature show --name block-tsql-crud --namespace Microsoft.Sql --output table
+```
 
-1. Go to your subscription in the Azure portal.
+---
+
+## Re-register the Microsoft.Sql resource provider
+
+After you register either block feature with the Microsoft.Sql resource provider, you must re-register the Microsoft.Sql resource provider for the changes to take effect.
+
+> [!NOTE]  
+> The re-registration step is mandatory for the T-SQL block to be applied to your subscription.
+
+### [Azure portal](#tab/azure-portal)
+
+To re-register the Microsoft.Sql resource provider in the Azure portal, follow these steps:
+
+1. Go to your [subscription](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV2) in the Azure portal.
 1. Select the **Resource Providers** tab.
-1. Search and select **Microsoft.Sql** resource provider.
+1. Search for and select the **Microsoft.Sql** resource provider.
 1. Select **Re-register**.
 
-> [!NOTE]
-> The re-registration step is mandatory for the T-SQL block to be applied to your subscription.
+:::image type="content" source="media/block-crud-tsql/block-tsql-crud-re-register.png" alt-text="Screenshot of the Azure portal showing how to re-register the Microsoft.Sql resource provider.":::
+
+### [PowerShell](#tab/powershell)
+
+Use [Register-AzResourceProvider](/powershell/module/az.resources/register-azresourceprovider) to re-register the Microsoft.Sql resource provider:
+
+```powershell
+Register-AzResourceProvider -ProviderNamespace "Microsoft.Sql"
+```
+
+### [Azure CLI](#tab/azure-cli)
+
+Use [az provider register](/cli/azure/provider#az-provider-register) to re-register the Microsoft.Sql resource provider:
+
+```azurecli
+az provider register --namespace Microsoft.Sql
+```
+
+---
 
-:::image type="content" source="media/block-crud-tsql/block-tsql-crud-re-register.png" alt-text="Screenshot of the Azure portal showing how to re-register the Microsoft.Sql resource provider." lightbox="media/block-crud-tsql/block-tsql-crud-re-register.png":::
+## Remove Block T-SQL CRUD
 
-<a id="removing-block-t-sql-crud"></a>
+To remove the block on T-SQL create or modify operations from your subscription, first unregister the previously registered T-SQL block feature. Then, [re-register](#re-register-the-microsoftsql-resource-provider) the Microsoft.Sql resource provider for the removal to take effect.
 
-### Remove Block T-SQL CRUD
+### [Azure portal](#tab/azure-portal)
 
-To remove the block on T-SQL create or modify operations from your subscription, first unregister the previously registered T-SQL block. Then, re-register the Microsoft.Sql resource provider as shown above for the removal of T-SQL block to take effect. 
+To unregister the feature in the Azure portal:
+
+1. Go to your [subscription](https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBladeV2) in the Azure portal.
+1. Under **Settings**, select **Preview Features**.
+1. Select the feature you want to unregister.
+1. Select **Unregister**.
+
+### [PowerShell](#tab/powershell)
+
+Use [Unregister-AzProviderFeature](/powershell/module/az.resources/unregister-azproviderfeature) to unregister the feature:
+
+```powershell
+Unregister-AzProviderFeature -FeatureName "block-tsql-crud" -ProviderNamespace "Microsoft.Sql"
+```
+
+For SQL managed instances:
+
+```powershell
+Unregister-AzProviderFeature -FeatureName "block-tsql-mi-crud" -ProviderNamespace "Microsoft.Sql"
+```
+
+After unregistering, re-register the resource provider:
+
+```powershell
+Register-AzResourceProvider -ProviderNamespace "Microsoft.Sql"
+```
+
+### [Azure CLI](#tab/azure-cli)
+
+Use [az feature unregister](/cli/azure/feature#az-feature-unregister) to unregister the feature.
+
+The following example unregisters the feature for logical servers:
+
+```azurecli
+az feature unregister --name block-tsql-crud --namespace Microsoft.Sql
+```
+The following example unregisters the feature for SQL managed instances:
+
+```azurecli
+az feature unregister --name block-tsql-mi-crud --namespace Microsoft.Sql
+```
+
+After unregistering the feature, use the following command to re-register the resource provider:
+
+```azurecli
+az provider register --namespace Microsoft.Sql
+```
+
+---
 
 ## Related content
 

azure-sql/database/media/block-crud-tsql/block-tsql-crud-re-register.png

@@ -5,7 +5,7 @@ description: Learn about the new features and documentation improvements for Azu
 author: MashaMSFT
 ms.author: mathoma
 ms.reviewer: wiassaf, randolphwest
-ms.date: 03/18/2026
+ms.date: 03/27/2026
 ms.service: azure-sql-managed-instance
 ms.subservice: service-overview
 ms.topic: whats-new
@@ -51,6 +51,7 @@ The following table lists features of Azure SQL Managed Instance that have been
 
 | Feature | GA Month | Details |
 | ---| --- |--- |
+|[Block T-SQL CRUD commands](../database/block-crud-tsql.md) | March 2026 | Azure administrators can block T-SQL commands to create or modify Azure SQL resources. |
 |[SQL Server 2025 update policy](update-policy.md#sql-server-2025-update-policy) | March 2026 | Align your SQL managed instance database format with the SQL Server 2025 database engine. | 
 |[Regular expression functions](/sql/relational-databases/regular-expressions/overview) | November 2025 | Regular expression (REGEX) functions return text based on values in a search pattern. |
 |[Flexible memory](resource-limits.md#flexible-memory) | November 2025 | Save on cost by choosing the memory allocation for your [Next-gen General Purpose](service-tiers-next-gen-general-purpose-use.md) instance based on your workload needs.|
@@ -79,6 +80,7 @@ Learn about significant changes to the Azure SQL Managed Instance documentation.
 | Changes | Details |
 | --- | --- |
 | **Automatic index compaction preview** | Automatic index compaction helps you reduce the consumption of storage space, disk I/O, memory, and improve workload performance without investing time and effort into index maintenance jobs. This feature is now in preview. To learn more, review [Automatic index compaction](/sql/relational-databases/indexes/automatic-index-compaction). |
+| **Block T-SQL CRUD GA** | Allow Azure administrators to block the creation or modification of Azure SQL Managed Instance resources through T-SQL. This is enforced at the subscription level to block T-SQL commands from affecting SQL managed instance resources. This feature is generally available for Azure SQL Managed Instance. To learn more, review [Block T-SQL CRUD](../database/block-crud-tsql.md). |
 | **Change event streaming preview** | Capture and publish incremental DML changes of data (such as updates, inserts, and deletes) in near real-time. Change event streaming sends details of data changes such as the schema, previous values, and new values to Azure Event Hubs in a simple CloudEvent, serialized as either native JSON or Avro Binary. This feature is now in preview for Azure SQL Managed Instance configured with the SQL Server 2025 and Always-up-to-date update policy. To learn more, review [Change event streaming](/sql/relational-databases/track-changes/change-event-streaming/overview).
 | **Deploy free instance with command line tools** | You can now create your free SQL managed instance by using [Azure PowerShell](free-offer.md?tabs=powershell#create-a-free-sql-managed-instance), the [Azure CLI](free-offer.md?tabs=azure-cli#create-a-free-sql-managed-instance), and the [REST API](free-offer.md?tabs=rest-api#create-a-free-sql-managed-instance). |
 | **Easily upgrade your free instance** | You can now easily upgrade your free SQL managed instance to a paid offer in the Azure portal. To upgrade, navigate to the **Overview** page for your instance and select **Upgrade** from the navigation bar to open the **Compute + storage** page, where you can choose the paid offer under **Offer type**. For more information, see [Free SQL Managed Instance](free-offer.md#upgrade-to-paid-instance). |