MicrosoftDocs
diff --git a/‎docs/database-engine/availability-groups/windows/enable-and-disable-always-on-availability-groups-sql-server.md‎
Lines changed: 212 additions & 223 deletions b/‎docs/database-engine/availability-groups/windows/enable-and-disable-always-on-availability-groups-sql-server.md‎
Lines changed: 212 additions & 223 deletions
diff --git a/‎docs/relational-databases/security/permissions-hierarchy-database-engine.md‎
Lines changed: 30 additions & 29 deletions b/‎docs/relational-databases/security/permissions-hierarchy-database-engine.md‎
Lines changed: 30 additions & 29 deletions
diff --git a/‎docs/relational-databases/security/protecting-your-sql-server-intellectual-property.md‎
Lines changed: 15 additions & 12 deletions b/‎docs/relational-databases/security/protecting-your-sql-server-intellectual-property.md‎
Lines changed: 15 additions & 12 deletions
diff --git a/‎docs/relational-databases/security/sql-data-discovery-and-classification.md‎
Lines changed: 5 additions & 5 deletions b/‎docs/relational-databases/security/sql-data-discovery-and-classification.md‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎docs/relational-databases/security/surface-area-configuration.md‎
Lines changed: 2 additions & 2 deletions b/‎docs/relational-databases/security/surface-area-configuration.md‎
Lines changed: 2 additions & 2 deletions
@@ -3,7 +3,7 @@ title: "Permissions Hierarchy (Database Engine)"
 description: Learn about the hierarchy of entities that can be secured with permissions, known as securables, in SQL Server Database Engine.
 author: VanMSFT
 ms.author: vanto
-ms.date: "03/23/2016"
+ms.date: 02/27/2026
 ms.service: sql
 ms.subservice: security
 ms.topic: concept-article
@@ -24,33 +24,34 @@ monikerRange: ">=aps-pdw-2016 || =azuresqldb-current || =azure-sqldw-latest || >
 # Permissions Hierarchy (Database Engine)
 [!INCLUDE [SQL Server Azure SQL Database Synapse Analytics PDW FabricSQLDB](../../includes/applies-to-version/sql-asdb-asdbmi-asa-pdw-fabricsqldb.md)]
 
-  The [!INCLUDE[ssDE](../../includes/ssde-md.md)] manages a hierarchical collection of entities that can be secured with permissions. These entities are known as *securables*. The most prominent securables are servers and databases, but discrete permissions can be set at a much finer level. [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] regulates the actions of principals on securables by verifying that they have been granted appropriate permissions.  
-  
- The following illustration shows the relationships among the [!INCLUDE[ssDE](../../includes/ssde-md.md)] permissions hierarchies.  
-  
- The permissions system works the same in all versions of [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)], [!INCLUDE[ssSDS](../../includes/sssds-md.md)], [!INCLUDE [fabric-sqldb](../../includes/fabric-sqldb.md)], [!INCLUDE[ssazuresynapse-md](../../includes/ssazuresynapse-md.md)], [!INCLUDE[ssAPS](../../includes/ssaps-md.md)], however some features are not available in all versions. For example, server-level permission cannot be configured in Azure products.  
-  
- ![Diagram of Database Engine permissions hierarchies](../../relational-databases/security/media/wj-security-layers.gif "Diagram of Database Engine permissions hierarchies")  
-  
-## Chart of SQL Server Permissions  
- For a poster sized chart of all [!INCLUDE [ssDE](../../includes/ssde-md.md)] permissions in PDF format, see <https://aka.ms/sql-permissions-poster>.
-  
-## Working with Permissions  
- Permissions can be manipulated with the familiar [!INCLUDE[tsql](../../includes/tsql-md.md)] queries GRANT, DENY, and REVOKE. Information about permissions is visible in the [sys.server_permissions](../../relational-databases/system-catalog-views/sys-server-permissions-transact-sql.md) and [sys.database_permissions](../../relational-databases/system-catalog-views/sys-database-permissions-transact-sql.md) catalog views. There is also support for querying permissions information by using built-in functions.  
-  
- For information about designing a permissions system, see [Getting Started with Database Engine Permissions](../../relational-databases/security/authentication-access/getting-started-with-database-engine-permissions.md).  
-  
-## See Also  
- [Securing SQL Server](../../relational-databases/security/securing-sql-server.md)   
- [Permissions &#40;Database Engine&#41;](../../relational-databases/security/permissions-database-engine.md)   
- [Securables](../../relational-databases/security/securables.md)   
- [Principals &#40;Database Engine&#41;](../../relational-databases/security/authentication-access/principals-database-engine.md)   
- [GRANT &#40;Transact-SQL&#41;](../../t-sql/statements/grant-transact-sql.md)   
- [REVOKE &#40;Transact-SQL&#41;](../../t-sql/statements/revoke-transact-sql.md)   
- [DENY &#40;Transact-SQL&#41;](../../t-sql/statements/deny-transact-sql.md)   
- [HAS_PERMS_BY_NAME &#40;Transact-SQL&#41;](../../t-sql/functions/has-perms-by-name-transact-sql.md)   
- [sys.fn_builtin_permissions &#40;Transact-SQL&#41;](../../relational-databases/system-functions/sys-fn-builtin-permissions-transact-sql.md)   
- [sys.server_permissions &#40;Transact-SQL&#41;](../../relational-databases/system-catalog-views/sys-server-permissions-transact-sql.md)   
- [sys.database_permissions &#40;Transact-SQL&#41;](../../relational-databases/system-catalog-views/sys-database-permissions-transact-sql.md)  
+The [!INCLUDE[ssDE](../../includes/ssde-md.md)] manages a hierarchical collection of entities that can be secured with permissions. These entities are known as *securables*. The most prominent securables are servers and databases, but discrete permissions can be set at a much finer level. [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] regulates the actions of principals on securables by verifying that they've been granted appropriate permissions.
+
+The following illustration shows the relationships among the [!INCLUDE[ssDE](../../includes/ssde-md.md)] permissions hierarchies.
+
+The permissions system works the same in all versions of [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)], [!INCLUDE[ssSDS](../../includes/sssds-md.md)], [!INCLUDE [fabric-sqldb](../../includes/fabric-sqldb.md)], [!INCLUDE[ssazuresynapse-md](../../includes/ssazuresynapse-md.md)], [!INCLUDE[ssAPS](../../includes/ssaps-md.md)], however some features aren't available in all versions. For example, server-level permission can't be configured in Azure products.
+
+![Diagram of Database Engine permissions hierarchies](../../relational-databases/security/media/wj-security-layers.gif "Diagram of Database Engine permissions hierarchies")
 
+## Chart of SQL Server permissions
+
+For a poster sized chart of all [!INCLUDE [ssDE](../../includes/ssde-md.md)] permissions in PDF format, see <https://aka.ms/sql-permissions-poster>.
+
+## Working with permissions
+
+You can manipulate permissions with the familiar [!INCLUDE[tsql](../../includes/tsql-md.md)] queries GRANT, DENY, and REVOKE. Information about permissions is visible in the [sys.server_permissions](../../relational-databases/system-catalog-views/sys-server-permissions-transact-sql.md) and [sys.database_permissions](../../relational-databases/system-catalog-views/sys-database-permissions-transact-sql.md) catalog views. There's also support for querying permissions information by using built-in functions.
+
+For information about designing a permissions system, see [Getting Started with Database Engine Permissions](../../relational-databases/security/authentication-access/getting-started-with-database-engine-permissions.md).
 
+## Related content
+
+- [Securing SQL Server](../../relational-databases/security/securing-sql-server.md)
+- [Permissions (Database Engine)](../../relational-databases/security/permissions-database-engine.md)
+- [Securables](../../relational-databases/security/securables.md)
+- [Principals (Database Engine)](../../relational-databases/security/authentication-access/principals-database-engine.md)
+- [GRANT (Transact-SQL)](../../t-sql/statements/grant-transact-sql.md)
+- [REVOKE (Transact-SQL)](../../t-sql/statements/revoke-transact-sql.md)
+- [DENY (Transact-SQL)](../../t-sql/statements/deny-transact-sql.md)
+- [HAS_PERMS_BY_NAME (Transact-SQL)](../../t-sql/functions/has-perms-by-name-transact-sql.md)
+- [sys.fn_builtin_permissions (Transact-SQL)](../../relational-databases/system-functions/sys-fn-builtin-permissions-transact-sql.md)
+- [sys.server_permissions (Transact-SQL)](../../relational-databases/system-catalog-views/sys-server-permissions-transact-sql.md)
+- [sys.database_permissions (Transact-SQL)](../../relational-databases/system-catalog-views/sys-database-permissions-transact-sql.md)
@@ -3,32 +3,35 @@ title: "Protecting Your SQL Server Intellectual Property"
 description: Understand your options for protecting the intellectual property in a SQL Server data application that is distributed to customers.
 author: VanMSFT
 ms.author: vanto
-ms.date: "01/31/2017"
+ms.date: 02/27/2026
 ms.service: sql
 ms.subservice: security
 ms.topic: concept-article
 helpviewer_keywords:
   - "protecting intellectual property"
   - "intellectual property"
 ---
-# Protecting Your SQL Server Intellectual Property
- [!INCLUDE [SQL Server](../../includes/applies-to-version/sqlserver.md)]
+# Protecting your SQL Server intellectual property
 
-Software developers often ask how to distribute their [!INCLUDE[ssNoVersion_md](../../includes/ssnoversion-md.md)] data application to customers, and yet prevent customers from analyzing and deconstructing their application. The key principal here, is that protecting your intellectual property, is a legal issue, and the protection rests in your license agreement. When [!INCLUDE[ssNoVersion_md](../../includes/ssnoversion-md.md)] is installed on a computer that others administer, you inherently lose some aspects of control. 
+[!INCLUDE [SQL Server](../../includes/applies-to-version/sqlserver.md)]
 
-## Nature of the Problem
-The owner/administrator of a computer can always access the instance of [!INCLUDE[ssNoVersion_md](../../includes/ssnoversion-md.md)] that is installed on that computer. If you deploy your application to a customer's computer, since they are administrators, they can connect to the [!INCLUDE[ssNoVersion_md](../../includes/ssnoversion-md.md)] as members of the **sysadmin** fixed server role. This includes the ability to grant permissions, manage backups (including restoring backups to other computers), decrypt and move data files, etc. For more information, see [Connect to SQL Server When System Administrators Are Locked Out](../../database-engine/configure-windows/connect-to-sql-server-when-system-administrators-are-locked-out.md). 
+Software developers often ask how to distribute their [!INCLUDE[ssNoVersion_md](../../includes/ssnoversion-md.md)] data application to customers while preventing customers from analyzing and deconstructing their application. The key principle here is that protecting your intellectual property is a legal issue, and the protection rests in your license agreement. When [!INCLUDE[ssNoVersion_md](../../includes/ssnoversion-md.md)] is installed on a computer that others administer, you inherently lose some aspects of control.
 
-Stored procedures and data can be encrypted, but the data structure cannot be hidden and users who can attach a debugger to the server process can retrieve decrypted procedures and data from memory at runtime.
+## Nature of the problem
 
-If the clients are not administrators on the computers, you can prevent access by the clients. You can use [Transparent Data Encryption](../../relational-databases/security/encryption/transparent-data-encryption.md) to encrypt the data files, you can encrypt backups, and you can audit the actions of all users. But [!INCLUDE[ssNoVersion_md](../../includes/ssnoversion-md.md)] administrators and admins of the [!INCLUDE[ssNoVersion_md](../../includes/ssnoversion-md.md)] computer can reverse these actions.
+The owner or administrator of a computer can always access the instance of [!INCLUDE[ssNoVersion_md](../../includes/ssnoversion-md.md)] that is installed on that computer. If you deploy your application to a customer's computer, since they're administrators, they can connect to the [!INCLUDE[ssNoVersion_md](../../includes/ssnoversion-md.md)] as members of the **sysadmin** fixed server role. This includes the ability to grant permissions, manage backups (including restoring backups to other computers), decrypt and move data files, and more. For more information, see [Connect to SQL Server When System Administrators Are Locked Out](../../database-engine/configure-windows/connect-to-sql-server-when-system-administrators-are-locked-out.md).
+
+Stored procedures and data can be encrypted, but the data structure can't be hidden, and users who can attach a debugger to the server process can retrieve decrypted procedures and data from memory at runtime.
+
+If the clients aren't administrators on the computers, you can prevent access by the clients. You can use [Transparent Data Encryption](../../relational-databases/security/encryption/transparent-data-encryption.md) to encrypt the data files, you can encrypt backups, and you can audit the actions of all users. But [!INCLUDE[ssNoVersion_md](../../includes/ssnoversion-md.md)] administrators and admins of the [!INCLUDE[ssNoVersion_md](../../includes/ssnoversion-md.md)] computer can reverse these actions.
 
 ## Solution
-There are various ways to configure client data access without installing [!INCLUDE[ssNoVersion_md](../../includes/ssnoversion-md.md)] on your clients computer. The easiest is probably using [!INCLUDE [ssazure-sqldb](../../includes/ssazure-sqldb.md)] so the clients are not admins, perhaps in combination with [Always Encrypted](../../relational-databases/security/encryption/always-encrypted-database-engine.md). For more information about getting started with [!INCLUDE[ssSDS_md](../../includes/sssds-md.md)], see [What is SQL Database? Introduction to SQL Database](/azure/sql-database/sql-database-technical-overview).  
+
+There are various ways to configure client data access without installing [!INCLUDE[ssNoVersion_md](../../includes/ssnoversion-md.md)] on your client's computer. The easiest is probably using [!INCLUDE [ssazure-sqldb](../../includes/ssazure-sqldb.md)] so the clients aren't admins, perhaps in combination with [Always Encrypted](../../relational-databases/security/encryption/always-encrypted-database-engine.md). For more information about getting started with [!INCLUDE[ssSDS_md](../../includes/sssds-md.md)], see [What is Azure SQL Database?](/azure/azure-sql/database/sql-database-paas-overview).
 
 You can also host a [!INCLUDE[ssNoVersion_md](../../includes/ssnoversion-md.md)] on your own network, and allow clients to access data through your network, either directly or through a web application.
 
-## See Also
+## Related content
 
-[Security Center for SQL Server Database Engine and Azure SQL Database](../../relational-databases/security/security-center-for-sql-server-database-engine-and-azure-sql-database.md)  
-[Securing SQL Server](../../relational-databases/security/securing-sql-server.md)
+- [Security Center for SQL Server Database Engine and Azure SQL Database](../../relational-databases/security/security-center-for-sql-server-database-engine-and-azure-sql-database.md)
+- [Securing SQL Server](../../relational-databases/security/securing-sql-server.md)
@@ -4,7 +4,7 @@ description: SQL Data Discovery & Classification
 author: Madhumitatripathy
 ms.author: matripathy
 ms.reviewer: vanto
-ms.date: 03/09/2022
+ms.date: 02/27/2026
 ms.service: sql
 ms.topic: how-to
 ms.custom:
@@ -20,7 +20,7 @@ Discovering and classifying your most sensitive data (business, financial, healt
 * Monitoring access to databases/columns containing highly sensitive data.
 
 > [!NOTE]
-> Data Discovery & Classification is **supported for SQL Server 2012 and later, and can be used with [SSMS 17.5](/ssms/sql-server-management-studio-ssms) or later**. For Azure SQL Database, see [Azure SQL Database Data Discovery & Classification](/azure/sql-database/sql-database-data-discovery-and-classification/).
+> Data Discovery & Classification is **supported for SQL Server 2012 and later, and can be used with [SSMS 17.5](/ssms/sql-server-management-studio-ssms) or later**. For Azure SQL Database, see [Azure SQL Database Data Discovery & Classification](/azure/azure-sql/database/data-discovery-and-classification-overview).
 
 ## <a id="Overview"></a>Overview
 Data Discovery & Classification forms a new information-protection paradigm for SQL Database, SQL Managed Instance, and Azure Synapse, aimed at protecting the data and not just the database. Currently it supports the following capabilities:
@@ -138,7 +138,7 @@ To reset the Information Protection Policy to default or SQL Information Protect
 To enable Information Protection Policy from a custom JSON file, go to the SSMS **Object Explorer**, right-click on the database and choose **Tasks** > **Data Discovery and Classification** > **Set Information Protection Policy File**.
 
 > [!NOTE]
-> A warning icon indicates that the column was previously classified using a different Information Protection Policy than the currently selected policy mode. For example, if you are currently in the Microsoft Information Protection mode, and one of the columns was previously classified using SQL Information Protection Policy or Information Protection Policy from a custom policy file, you will see a warning icon against that column. You can decide whether you want to change the classification of the column to any of the sensitivity labels available in current policy mode or leave it as it is.
+> A warning icon indicates that the column was previously classified using a different Information Protection Policy than the currently selected policy mode. For example, if you're currently in the Microsoft Information Protection mode, and one of the columns was previously classified using SQL Information Protection Policy or Information Protection Policy from a custom policy file, you'll see a warning icon against that column. You can decide whether you want to change the classification of the column to any of the sensitivity labels available in current policy mode or leave it as it is.
 > :::image type="content" source="media/sql-data-discovery-and-classification/data-classification-warning-icon.png" alt-text="Screenshot of Data Classification warning of mismatched policies":::
 
 
@@ -161,8 +161,8 @@ You can manage the Information Protection Policy using the latest version of [SQ
 * **Reset Information Protection Policy**: resets the Information Protection Policy to the default SQL Information Protection Policy.
 
 > [!IMPORTANT]
-> Information protection policy file is not stored in the SQL Server.
-> SSMS uses a default Information Protection Policy. If an Information Protection Policy customized fails, SSMS cannot use the default policy. Data classification fails. To resolve, click **Reset Information Protection Policy** to use the default policy and re-enable data classification.
+> Information protection policy file isn't stored in the SQL Server.
+> SSMS uses a default Information Protection Policy. If an Information Protection Policy customized fails, SSMS can't use the default policy. Data classification fails. To resolve, click **Reset Information Protection Policy** to use the default policy and re-enable data classification.
 
 ## <a id="sAccessing-the-classification-metadata"></a>Accessing the classification metadata
 
 
@@ -4,7 +4,7 @@ description: Learn how to change feature defaults for SQL Server installation an
 author: VanMSFT
 ms.author: vanto
 ms.reviewer: randolphwest
-ms.date: 05/26/2023
+ms.date: 02/27/2026
 ms.service: sql
 ms.subservice: security
 ms.topic: how-to
@@ -20,7 +20,7 @@ helpviewer_keywords:
 
 [!INCLUDE [SQL Server](../../includes/applies-to-version/sqlserver.md)]
 
-In the default configuration of new installations of [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)], many features are not enabled. [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] selectively installs and starts only key services and features, to minimize the number of features that can be attacked by a malicious user. A system administrator can change these defaults at installation time and also selectively enable or disable features of a running instance of [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)]. Additionally, some components may not be available when connecting from other computers until protocols are configured.
+In the default configuration of new installations of [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)], many features aren't enabled. [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] selectively installs and starts only key services and features, to minimize the number of features that can be attacked by a malicious user. A system administrator can change these defaults at installation time and also selectively enable or disable features of a running instance of [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)]. Additionally, some components might not be available when connecting from other computers until protocols are configured.
 
 > [!NOTE]  
 > Unlike new installations, no existing services or features are turned off during an upgrade, but additional surface area configuration options can be applied after the upgrade is completed.