MicrosoftDocs
diff --git a/‎docs/database-engine/configure-windows/server-properties-security-page.md‎
Lines changed: 54 additions & 2 deletions b/‎docs/database-engine/configure-windows/server-properties-security-page.md‎
Lines changed: 54 additions & 2 deletions
diff --git a/‎docs/sql-server/failover-clusters/troubleshoot-orphaned-users-sql-server.md‎
Lines changed: 26 additions & 13 deletions b/‎docs/sql-server/failover-clusters/troubleshoot-orphaned-users-sql-server.md‎
Lines changed: 26 additions & 13 deletions
@@ -3,7 +3,7 @@ title: "Server Properties (Security page)"
 description: Become familiar with server security settings in SQL Server. Learn about options that control server authentication, proxy accounts, and other features.
 author: rwestMSFT
 ms.author: randolphwest
-ms.date: 08/26/2025
+ms.date: 02/23/2026
 ms.service: sql
 ms.subservice: configuration
 ms.topic: concept-article
@@ -29,9 +29,59 @@ Uses Windows Authentication to validate attempted connections. If the `sa` passw
 
 Uses mixed mode authentication to verify attempted connections, for backward compatibility with earlier versions of [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)]. If the `sa` password is blank when the security mode is being changed, the user is prompted to enter an `sa` password.
 
-> [!NOTE]  
+> [!NOTE]
 > Changing the security configuration requires a restart of the service. When changing the Server Authentication to SQL Server and Windows Authentication mode the SA account isn't automatically enabled. To use the SA account, execute [ALTER LOGIN](../../t-sql/statements/alter-login-transact-sql.md) with the `ENABLE` option.
 
+## Authentication modes explained
+
+Choosing the right authentication mode affects the security, manageability, and application compatibility of your [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] instance.
+
+### Windows Authentication
+
+Windows Authentication uses the security credentials of the Windows operating system to validate user connections. [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] doesn't store or manage passwords directly — it relies on the Windows domain controller (Active Directory or local accounts) for credential validation.
+
+Key characteristics:
+
+- Uses Kerberos or NTLM protocols for credential validation.
+- Supports centralized password policies including complexity requirements, expiration, and account lockout through Active Directory Group Policy.
+- Enables single sign-on (SSO) — users don't need to enter separate SQL Server credentials.
+- Provides built-in auditing through the Windows Security Event Log.
+- Supports Windows group-based access, which simplifies permission management for large numbers of users.
+
+### SQL Server Authentication
+
+SQL Server Authentication uses login accounts stored in the `master` database. Each login has its own username and password that [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] manages independently from Windows credentials.
+
+Key characteristics:
+
+- Credentials are stored directly in [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)], separate from the Windows domain.
+- Requires users to provide a username and password in every connection string.
+- Doesn't support Kerberos delegation or centralized domain password policies by default.
+- Useful when clients aren't part of a Windows domain, such as internet-facing applications or cross-platform environments.
+
+### Comparison of authentication modes
+
+| Feature | Windows Authentication | SQL Server and Windows Authentication (mixed mode) |
+|---|---|---|
+| **Protocol** | Kerberos or NTLM | Kerberos, NTLM, or SQL password |
+| **Password management** | Managed by Active Directory | SQL logins managed by SQL Server; Windows logins managed by Active Directory |
+| **Single sign-on** | Yes | Only for Windows logins |
+| **Centralized password policy** | Yes (Active Directory Group Policy) | SQL Server enforces its own password policy for SQL logins |
+| **Supports non-domain clients** | No | Yes |
+| **Best suited for** | Enterprise and intranet environments | Internet-facing applications, cross-platform environments, or mixed scenarios |
+
+### Choose the right authentication mode
+
+Use the following guidelines when you select an authentication mode:
+
+- **Use Windows Authentication mode** when all clients are domain-joined Windows machines, you want centralized credential management through Active Directory, and you don't need to support non-Windows clients.
+- **Use SQL Server and Windows Authentication mode** when you need to support applications that can't use Windows Authentication, clients that run on non-Windows operating systems, or legacy applications that require SQL Server logins.
+
+> [!IMPORTANT]
+> Even when you use mixed mode, prefer Windows Authentication logins for administrative accounts and internal applications. Reserve SQL Server Authentication for scenarios where Windows Authentication isn't possible.
+
+For more information, see [Choose an authentication mode](../../relational-databases/security/choose-an-authentication-mode.md).
+
 ## Login auditing
 
 #### None
@@ -82,4 +132,6 @@ Select to allow the database to be the source or target of a cross-database owne
 
 ## Related content
 
+- [Choose an authentication mode](../../relational-databases/security/choose-an-authentication-mode.md)
 - [Server configuration options](server-configuration-options-sql-server.md)
+- [ALTER LOGIN (Transact-SQL)](../../t-sql/statements/alter-login-transact-sql.md)
@@ -3,7 +3,7 @@ title: "Troubleshoot Orphaned Users"
 description: Orphaned users occur when a database user login no longer exists in the `master` database. This article discusses how to identify and resolve orphaned users.
 author: MashaMSFT
 ms.author: mathoma
-ms.date: 08/25/2025
+ms.date: 02/23/2026
 ms.service: sql
 ms.subservice: high-availability
 ms.topic: troubleshooting
@@ -21,16 +21,19 @@ monikerRange: ">=aps-pdw-2016 || =azuresqldb-current || =azure-sqldw-latest || >
 
 [!INCLUDE [SQL Server Azure SQL Database Synapse Analytics PDW](../../includes/applies-to-version/sql-asdb-asdbmi-asa-pdw.md)]
 
-Users are orphaned in [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] when a database user is based on  a login in the `master` database but the login no longer exists in `master`. This can occur when the login is deleted or when the database is moved to another server on which the login doesn't exist. This article describes how to find orphaned users and remap them to logins.
+Users are orphaned in [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] when a database user is based on a login in the `master` database but the login no longer exists in `master`. This can occur when the login is deleted or when the database is moved to another server on which the login doesn't exist. This article describes how to find orphaned users and remap them to logins.
 
-> [!NOTE]  
+> [!NOTE]
 > Reduce the possibility of orphaned users by using contained database users for databases that might be moved. For more information, see [Make your database portable by using contained databases](../../relational-databases/security/contained-database-users-making-your-database-portable.md).
 
+> [!IMPORTANT]
+> The `sp_change_users_login` stored procedure was previously used to fix orphaned users but is now deprecated. Use `ALTER USER ... WITH LOGIN` instead, as described in the [Resolve an orphaned user](#resolve-an-orphaned-user) section. For more information, see [sp_change_users_login (Transact-SQL)](../../relational-databases/system-stored-procedures/sp-change-users-login-transact-sql.md).
+
 ## Background
 
  For connections to a database on an instance of [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] that use a security principal (database user identity) based on a login, the principal must have a valid login in the `master` database. This login is used in the authentication process that verifies the principal's identity and determines whether the principal is allowed to connect to the instance of [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)]. The [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] logins on a server instance are visible in the [sys.server_principals](../../relational-databases/system-catalog-views/sys-server-principals-transact-sql.md) catalog view and the [sys.sql_logins](../../relational-databases/system-catalog-views/sys-sql-logins-transact-sql.md) compatibility view.
 
- [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] logins access individual databases  as a "database user" that's mapped to the [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] login. There are three exceptions to this rule:
+ [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] logins access individual databases as a "database user" that's mapped to the [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] login. There are three exceptions to this rule:
 
 -   Contained database users
 
@@ -46,7 +49,7 @@ Users are orphaned in [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)]
 
  Information about the mapping of a [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] login to a database user is stored in the database. It includes the name of the database user and the security identifier (`SID`) of the corresponding [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] login. The permissions of this database user are applied for authorization in the database.
 
- A database user (based on a login) for which the corresponding [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] login is undefined or is incorrectly defined on a server instance can't sign in to the instance. Such a user is said to be an *orphaned user* of the database on that server instance. Orphaning can happen if the database user is mapped to a login `SID` that's not present in the `master` database. A database user can become orphaned after a database is restored or attached to a different instance of [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] where the login was never created. A database user can also become orphaned if the corresponding [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] login is dropped. Even if the login is re-created, it will have a different `SID`, so the database user will still be orphaned.
+ A database user (based on a login) for which the corresponding [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] login is undefined or is incorrectly defined on a server instance can't sign in to the instance. Such a user is an *orphaned user* of the database on that server instance. Orphaning can happen if the database user is mapped to a login `SID` that's not present in the `master` database. A database user can become orphaned after a database is restored or attached to a different instance of [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] where the login was never created. A database user can also become orphaned if the corresponding [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] login is dropped. Even if the login is re-created, it has a different `SID`, so the database user is still orphaned.
 
 ## Detect orphaned users
 
@@ -67,7 +70,7 @@ WHERE sp.sid IS NULL
 
 **For Azure SQL Database and Azure Synapse Analytics**
 
-The [sys.server_principals](../../relational-databases/system-catalog-views/sys-server-principals-transact-sql.md) table isn't available in SQL Database or Azure Synapse Analytics. Identify orphaned users in those environments by completing these steps:
+The [sys.server_principals](../../relational-databases/system-catalog-views/sys-server-principals-transact-sql.md) table isn't available in SQL Database or Azure Synapse Analytics. To identify orphaned users in those environments, complete these steps:
 
 1. Connect to the `master` database and select the SIDs for the logins by using the following query:
 
@@ -111,20 +114,30 @@ ALTER USER <user_name> WITH Login = <login_name>;
 ALTER LOGIN <login_name> WITH PASSWORD = '<enterStrongPasswordHere>';
 ```
 
-> [!IMPORTANT]  
+> [!IMPORTANT]
 > Any login can change its own password. Only logins with the `ALTER ANY LOGIN` permission can change the password of another user's login. However, only members of the **sysadmin** role can modify passwords of **sysadmin** role members.
 
+## Deprecated methods
+
+In earlier versions of [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)], the `sp_change_users_login` stored procedure was used to resolve orphaned users. This procedure is deprecated and might be removed in a future version. Use `ALTER USER` instead.
+
+The following table shows the equivalent modern syntax for common `sp_change_users_login` operations:
+
+| Deprecated syntax | Recommended replacement |
+|---|---|
+| `EXEC sp_change_users_login 'Report'` | `SELECT dp.name FROM sys.database_principals dp LEFT JOIN sys.server_principals sp ON dp.sid = sp.sid WHERE sp.sid IS NULL AND dp.authentication_type_desc = 'INSTANCE'` |
+| `EXEC sp_change_users_login 'Auto_Fix', '<user>'` | `ALTER USER <user> WITH LOGIN = <user>` |
+| `EXEC sp_change_users_login 'Update_One', '<user>', '<login>'` | `ALTER USER <user> WITH LOGIN = <login>` |
+
+For more information, see [sp_change_users_login (Transact-SQL)](../../relational-databases/system-stored-procedures/sp-change-users-login-transact-sql.md).
+
 ## Related content
 
 - [CREATE LOGIN (Transact-SQL)](../../t-sql/statements/create-login-transact-sql.md)
 - [ALTER USER (Transact-SQL)](../../t-sql/statements/alter-user-transact-sql.md)
 - [CREATE USER (Transact-SQL)](../../t-sql/statements/create-user-transact-sql.md)
 - [sys.database_principals (Transact-SQL)](../../relational-databases/system-catalog-views/sys-database-principals-transact-sql.md)
 - [sys.server_principals (Transact-SQL)](../../relational-databases/system-catalog-views/sys-server-principals-transact-sql.md)
-- [sp_change_users_login (Transact-SQL)](../../relational-databases/system-stored-procedures/sp-change-users-login-transact-sql.md)
-- [sp_addlogin (Transact-SQL)](../../relational-databases/system-stored-procedures/sp-addlogin-transact-sql.md)
-- [sp_grantlogin (Transact-SQL)](../../relational-databases/system-stored-procedures/sp-grantlogin-transact-sql.md)
-- [sp_password (Transact-SQL)](../../relational-databases/system-stored-procedures/sp-password-transact-sql.md)
-- [sys.sysusers (Transact-SQL)](../../relational-databases/system-compatibility-views/sys-sysusers-transact-sql.md)
 - [sys.sql_logins (Transact-SQL)](../../relational-databases/system-catalog-views/sys-sql-logins-transact-sql.md)
-- [sys.syslogins (Transact-SQL)](../../relational-databases/system-compatibility-views/sys-syslogins-transact-sql.md)
+- [sp_change_users_login (Transact-SQL)](../../relational-databases/system-stored-procedures/sp-change-users-login-transact-sql.md)
+- [Make your database portable by using contained databases](../../relational-databases/security/contained-database-users-making-your-database-portable.md)