Commit d28465d

Merge pull request #36773 from MicrosoftDocs/main
Auto Publish – main to live - 2026-03-04 23:30 UTC
2 parents 971f8e3 + b72bb57 commit d28465d

14 files changed

Lines changed: 300 additions & 110 deletions

azure-sql/database/auditing-analyze-audit-logs.md

Lines changed: 25 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ description: Use Auditing to analyze logs in Log Analytics, Event Hubs, or throu
55
author: sravanisaluru
66
ms.author: srsaluru
77
ms.reviewer: mathoma, vanto
8-
ms.date: 07/09/2025
8+
ms.date: 03/03/2026
99
ms.service: azure-sql-database
1010
ms.subservice: security
1111
ms.topic: how-to
@@ -24,18 +24,32 @@ This article provides an overview of analyzing audit logs using Auditing for [Az
2424

2525
If you chose to write audit logs to Log Analytics:
2626

27-
1. Use the [Azure portal](https://portal.azure.com).
28-
1. Go to the relevant database resource.
29-
1. At the top of the database's **Auditing** page, select **View audit logs** to display a sample of audit logs with a limited set of fields that cover activity from up to 2 hours prior to the selected **End Time** (which defaults to 'now'):
27+
1. In the [Azure portal](https://portal.azure.com), search for **SQL databases** and select your database, or search for **SQL servers** and select your server.
28+
1. On the resource menu under **Security**, select **Auditing**.
29+
1. At the top of the **Auditing** page, select **View audit logs**.
3030

3131
:::image type="content" source="media/auditing-analyze-audit-logs/view-audit-logs.png" alt-text="Screenshot of the Auditing menu in the Azure portal where you can select the View audit logs option." lightbox="media/auditing-analyze-audit-logs/view-audit-logs.png":::
3232

33-
You have two ways to view the logs:
33+
> [!NOTE]
34+
> The **View audit logs** button appears on both server-level and database-level **Auditing** pages. When you select it from the **database** resource, you see audit records specific to that database. When you select it from the **server** resource, you see audit records for all databases on that server. Make sure you navigate to the correct resource level based on the scope of audit logs you need to review.
3435
35-
- Select **Log Analytics** at the top of the **Audit records** page to open the logs view in the Log Analytics workspace, where you can customize the time range and the search query.
36-
- Select **View dashboard** at the top of the **Audit records** page to open a dashboard displaying audit logs information, where you can drill down into **Security Insights** or **Access to Sensitive Data**. This dashboard is designed to help you gain security insights for your data. You can also customize the time range and search query.
36+
You have two ways to view the logs from the **Audit records** page:
3737

38-
- Alternatively, you can also access the audit logs from the **Log Analytics** menu. Open your **Log Analytics** workspace and under the **General** section, and select **Logs**. You can start with a simple query, such as: *search "SQLSecurityAuditEvents"* to view the audit logs. From here, you can also use [Azure Monitor logs](/azure/azure-monitor/logs/log-query-overview) to run advanced searches on your audit log data. Azure Monitor logs gives you real-time operational insights using integrated search and custom dashboards to readily analyze millions of records across all your workloads and servers. For extra useful information about Azure Monitor logs search language and commands, see [Azure Monitor logs search reference](/azure/azure-monitor/logs/log-query-overview).
38+
- Select **Log Analytics** at the top of the page to open the logs view in the Log Analytics workspace, where you can customize the time range and the search query.
39+
- Select **View dashboard** at the top of the page to open a dashboard displaying audit logs information, where you can drill down into **Security Insights** or **Access to Sensitive Data**. This dashboard helps you gain security insights for your data. You can also customize the time range and search query.
40+
41+
> [!TIP]
42+
> The **View dashboard** option is available only when you access audit records from a **database-level** Auditing page that has database-level auditing enabled. If you configured server-level auditing only, you can still query the audit data directly in your Log Analytics workspace using the steps in the following section.
43+
44+
### Query audit logs directly in Log Analytics
45+
46+
You can also access audit logs directly from your Log Analytics workspace without navigating through the Auditing page. This approach is useful when you have server-level auditing only, or when you want to run custom queries across multiple databases.
47+
48+
1. In the Azure portal, open your **Log Analytics** workspace.
49+
1. Under the **General** section, select **Logs**.
50+
1. Start with a simple query, such as `search "SQLSecurityAuditEvents"` to view the audit logs.
51+
52+
From here, you can use [Azure Monitor logs](/azure/azure-monitor/logs/log-query-overview) to run advanced searches on your audit log data. Azure Monitor logs give you real-time operational insights using integrated search and custom dashboards to readily analyze millions of records across all your workloads and servers. For more information about Azure Monitor logs search language and commands, see [Azure Monitor logs search reference](/azure/azure-monitor/logs/log-query-overview).
3953

4054
## Analyze logs using Event Hubs
4155
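Review bot: the query in new step 3, `search "SQLSecurityAuditEvents"`, is a workspace-wide free-text search, which is fine as a first look but does not serve the goal this new section states on line 46 (custom queries across multiple databases). Consider adding a table-scoped example beside it, or at least naming the column that identifies the database and the one that identifies the action, so readers can filter rather than scan the whole workspace. Also, the NOTE at new line 34 and the TIP at new line 42 together describe three scope combinations (server page, database page with database-level auditing, database page with server-level auditing only); a short table would make those rules easier to compare than two separate callouts.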

@@ -50,9 +64,9 @@ If you chose to write audit logs to an Azure storage account, there are several
5064

5165
- Audit logs are aggregated in the account you chose during setup. You can explore audit logs by using a tool such as [Azure Storage Explorer](https://azure.microsoft.com/products/storage/storage-explorer). In Azure storage, auditing logs are saved as a collection of blob files within a container named **sqldbauditlogs**. For more information about the hierarchy of the storage folders, naming conventions, and log format, see the [SQL Database audit log format](audit-log-format.md).
5266

53-
1. Use the [Azure portal](https://portal.azure.com).
54-
1. Open the relevant database resource.
55-
1. At the top of the database's **Auditing** page, select **View audit logs**. The **Audit records** page opens, and you're able to view the logs.
67+
1. In the [Azure portal](https://portal.azure.com), search for **SQL databases** and select your database, or search for **SQL servers** and select your server.
68+
1. On the resource menu under **Security**, select **Auditing**.
69+
1. At the top of the **Auditing** page, select **View audit logs**. The **Audit records** page opens, and you can view the logs.
5670
1. You can view specific dates by selecting **Filter** at the top of the **Audit records** page.
5771
1. You can switch between audit records that were created by the *server audit policy* and the *database audit policy* by toggling **Audit Source**.
5872
- Use the system function `sys.fn_get_audit_file` (T-SQL) to return the audit log data in tabular format. For more information on using this function, see [sys.fn_get_audit_file](/sql/relational-databases/system-functions/sys-fn-get-audit-file-transact-sql).
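Review bot: the three new steps at lines 67-69 are a verbatim copy of the steps this same PR introduces earlier in the file (new lines 27-29), and two copies of one navigation path will drift on the next edit. Consider a single shared snippet (an include) or a cross-reference from the storage section back to the earlier steps, keeping only the storage-specific step about the **Audit records** page here.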
@@ -82,6 +96,5 @@ If you chose to write audit logs to an Azure storage account, there are several
8296
## Related content
8397

8498
- [Auditing for Azure SQL Database and Azure Synapse Analytics](auditing-overview.md)
85-
- [What's New in Azure SQL Auditing](/Shows/Data-Exposed/Whats-New-in-Azure-SQL-Auditing)
8699
- [Get started with Azure SQL Managed Instance auditing](../managed-instance/auditing-configure.md)
87100
- [Auditing for SQL Server](/sql/relational-databases/security/auditing/sql-server-audit-database-engine)

azure-sql/database/authentication-aad-configure.md

Lines changed: 17 additions & 2 deletions
@@ -5,7 +5,7 @@ description: Learn how to connect to Azure SQL Database, Azure SQL Managed Insta
55
author: VanMSFT
66
ms.author: vanto
77
ms.reviewer: wiassaf, mathoma, maghan
8-
ms.date: 11/18/2025
8+
ms.date: 03/03/2026
99
ms.service: azure-sql
1010
ms.subservice: security
1111
ms.topic: how-to
@@ -325,13 +325,26 @@ SQL Managed Instance needs permissions to read Microsoft Entra ID for scenarios
325325

326326
For some operations, Azure SQL Database and Azure Synapse Analytics also require permissions to query Microsoft Graph, explained in [Microsoft Graph permissions](./authentication-aad-overview.md#microsoft-graph-permissions). Azure SQL Database and Azure Synapse Analytics support fine-grained Graph permissions for these scenarios, whereas SQL Managed Instance requires the **Directory Readers** role. Fine-grained permissions and their assignment are described in detail in [enable service principals to create Microsoft Entra users](authentication-aad-service-principal.md#enable-service-principals-to-create-azure-ad-users).
327327

328+
> [!IMPORTANT]
329+
> **Azure SQL Database** and **SQL Managed Instance** use different permission models for Microsoft Graph access:
330+
>
331+
> - **Azure SQL Database and Azure Synapse Analytics**: Support fine-grained Microsoft Graph API permissions (such as `User.Read.All`, `GroupMember.Read.All`, and `Application.Read.All`) assigned directly to the server identity. This approach follows the principle of least privilege and is recommended. For step-by-step instructions, see [Enable service principals to create Microsoft Entra users](authentication-aad-service-principal.md#enable-service-principals-to-create-azure-ad-users). The Directory Readers role can also be used as a broader alternative.
332+
> - **SQL Managed Instance**: Requires the **Directory Readers** role or equivalent [fine-grained Microsoft Graph permissions](authentication-aad-directory-readers-role.md) assigned to the instance identity. The Azure portal provides a convenient banner on the **Microsoft Entra ID** page that prompts you to grant the Directory Readers role. Follow the steps in the [Directory Readers role](#directory-readers-role) section.
333+
>
334+
> If you're configuring **Azure SQL Database**, you don't need to assign the Directory Readers role for basic Microsoft Entra admin setup. Instead, assign the fine-grained Microsoft Graph permissions to the server identity as described in [Managed identities in Microsoft Entra for Azure SQL](authentication-azure-ad-user-assigned-managed-identity.md).
335+
328336
### Directory Readers role
329337

338+
The **Directory Readers** role and the portal banner described in this section apply primarily to **SQL Managed Instance**. For Azure SQL Database, you can assign [fine-grained Microsoft Graph permissions](authentication-aad-service-principal.md#enable-service-principals-to-create-azure-ad-users) instead, or optionally use Directory Readers as a broader alternative.
339+
330340
#### [Azure portal](#tab/azure-portal)
331341

332342
The **Microsoft Entra ID** page for SQL Managed Instance in the Azure portal displays a convenient banner when the instance isn't assigned the Directory Reader permissions.
333343

334-
1. Select the banner on top of the **Microsoft Entra ID** page and grant permission to the system-assigned or user-assigned managed identity that represents your instance. Only a Privileged Role Administrator or higher role in your tenant can perform this operation.
344+
1. Select the banner on top of the **Microsoft Entra ID** page and grant permission to the system-assigned or user-assigned managed identity that represents your instance. Only a **Privileged Role Administrator** or higher role in your tenant can perform this operation.
345+
346+
> [!NOTE]
347+
> If you don't see the banner, the instance might already have the Directory Readers role assigned, or you might not have the required **Privileged Role Administrator** role. If you don't have this role, ask your tenant administrator to grant the permission, or use the PowerShell method on the **PowerShell** tab.
335348
336349
:::image type="content" source="media/authentication-aad-configure/grant-permissions.png" alt-text="Screenshot of the dialog for granting permissions to a SQL managed instance for accessing Microsoft Entra ID with the Grant permissions button selected.":::
337350
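Review bot: the new IMPORTANT callout at line 332 says SQL Managed Instance accepts either the Directory Readers role or equivalent fine-grained Microsoft Graph permissions, but the unchanged paragraph directly above it (line 326) says SQL Managed Instance requires the Directory Readers role, and the callout's own lead sentence says the two services use different permission models. Align the three statements: either update line 326 to say the instance can use either option, or drop the fine-grained option from line 332. The new sentence at line 338 also restates line 331 almost word for word; one of them can go. Finally, the NOTE at line 347 points readers without the Privileged Role Administrator role to the PowerShell tab; confirm that the PowerShell method does not require the same tenant role, otherwise the note sends the reader to a path that fails for the same reason, and the better advice is only to ask the tenant administrator.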

@@ -508,6 +521,8 @@ For guidance on troubleshooting issues, see [Blog: Troubleshooting problems rela
508521
## Related content
509522

510523
- [Authorize database access to SQL Database, SQL Managed Instance, and Azure Synapse Analytics](logins-create-manage.md)
524+
- [Managed identities in Microsoft Entra for Azure SQL](authentication-azure-ad-user-assigned-managed-identity.md)
525+
- [Microsoft Entra service principals with Azure SQL](authentication-aad-service-principal.md)
511526
- [Principals](/sql/relational-databases/security/authentication-access/principals-database-engine)
512527
- [Database roles](/sql/relational-databases/security/authentication-access/database-level-roles)
513528
- [Azure SQL Database and Azure Synapse IP firewall rules](firewall-configure.md)

azure-sql/database/authentication-aad-service-principal.md

Lines changed: 20 additions & 1 deletion
@@ -5,7 +5,7 @@ description: Use Microsoft Entra service principals and managed identities in Az
55
author: VanMSFT
66
ms.author: vanto
77
ms.reviewer: wiassaf, mathoma
8-
ms.date: 09/11/2025
8+
ms.date: 03/03/2026
99
ms.service: azure-sql
1010
ms.subservice: security
1111
ms.topic: how-to
@@ -115,6 +115,25 @@ This error indicates that the server identity hasn't been created or hasn't been
115115

116116
- [Az.Sql 2.9.0](https://www.powershellgallery.com/packages/Az.Sql/2.9.0) module or higher is required to set a Microsoft Entra application as the Microsoft Entra admin for Azure SQL. Ensure you're upgraded to the latest module.
117117

118+
## Connect to Azure SQL with a service principal
119+
120+
To connect an application to Azure SQL Database using a service principal, you need:
121+
122+
1. **An app registration** in Microsoft Entra ID with an Application (client) ID and either a client secret or certificate. For production workloads, use a [managed identity](/entra/identity/managed-identities-azure-resources/overview) instead — managed identities eliminate the need for developer-managed credentials.
123+
124+
1. **A contained database user** mapped to the service principal. Connect as the Microsoft Entra admin and run:
125+
126+
```sql
127+
CREATE USER [my-sql-app] FROM EXTERNAL PROVIDER;
128+
ALTER ROLE db_datareader ADD MEMBER [my-sql-app];
129+
```
130+
131+
Replace `my-sql-app` with the display name of your app registration. Assign appropriate database roles based on the application's access needs.
132+
133+
1. **A connection string** that specifies `Active Directory Service Principal` authentication. Use the **Application (client) ID** as the username and the **client secret** as the password.
134+
135+
For a complete walkthrough including app registration and permission setup, see [Tutorial: Create Microsoft Entra users using Microsoft Entra applications](authentication-aad-service-principal-tutorial.md). For driver-specific connection examples, see [Connect to Azure SQL with Microsoft Entra authentication and SqlClient](/sql/connect/ado-net/sql/azure-active-directory-authentication).
136+
118137
## Related content
119138

120139
- [Tutorial: Create Microsoft Entra users using Microsoft Entra applications](authentication-aad-service-principal-tutorial.md)
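Review bot: step 1 (new line 122) says the app registration can use either a client secret or a certificate, but step 3 (line 133) documents only the secret-as-password connection string; add the certificate variant, or state that the linked SqlClient article covers it, so the two steps agree. Since the unchanged context at line 115 describes the error raised when the server identity lacks Graph permissions, and `CREATE USER ... FROM EXTERNAL PROVIDER` in step 2 is the statement that surfaces it, a one-line pointer there would save readers a round trip. The example grants only `db_datareader`; saying explicitly that this is a minimal grant and that further roles are added only when the application needs them would make the 'based on the application's access needs' sentence at line 131 concrete.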

azure-sql/database/firewall-configure.md

Lines changed: 18 additions & 7 deletions
@@ -5,7 +5,7 @@ description: Configure server-level IP firewall rules for a database in Azure SQ
55
author: VanMSFT
66
ms.author: vanto
77
ms.reviewer: wiassaf, mathoma
8-
ms.date: 06/30/2025
8+
ms.date: 03/03/2026
99
ms.service: azure-sql-database
1010
ms.subservice: security
1111
ms.topic: how-to
@@ -57,7 +57,7 @@ Database-level IP firewall rules enable clients to access certain (secure) datab
5757

5858
### Recommendations for how to set firewall rules
5959

60-
We recommend that you use database-level IP firewall rules whenever possible. This practice enhances security and makes your database more portable. Use server-level IP firewall rules for administrators. Also use them when you have many databases that have the same access requirements, and you don't want to configure each database individually.
60+
Use database-level IP firewall rules whenever possible. This practice enhances security and makes your database more portable. Use server-level IP firewall rules for administrators. Also use them when you have many databases that have the same access requirements, and you don't want to configure each database individually.
6161

6262
> [!NOTE]
6363
> For information about portable databases in the context of business continuity, see [Configure and manage Azure SQL Database security for geo-restore or failover](active-geo-replication-security-configure.md).
@@ -101,16 +101,27 @@ When a computer tries to connect to your server from the internet, the firewall
101101
102102
### Connections from inside Azure
103103

104-
To allow applications hosted inside Azure to connect to your SQL server, Azure connections must be enabled. To enable Azure connections, there must be a firewall rule with starting and ending IP addresses set to 0.0.0.0. This recommended rule is only applicable to Azure SQL Database.
104+
To allow applications hosted inside Azure to connect to your SQL server, you need to enable Azure connections. To do this, create a firewall rule with starting and ending IP addresses set to 0.0.0.0. This rule applies only to Azure SQL Database.
105105

106106
When an application from Azure tries to connect to the server, the firewall checks that Azure connections are allowed by verifying this firewall rule exists. This can be turned on directly from the Azure portal pane by switching the **Allow Azure Services and resources to access this server** to **ON** in the **Firewalls and virtual networks** settings. Switching the setting to ON creates an inbound firewall rule for IP 0.0.0.0 - 0.0.0.0 named **AllowAllWindowsAzureIps**. The rule can be viewed in your `master` database [sys.firewall_rules](/sql/relational-databases/system-catalog-views/sys-firewall-rules-azure-sql-database) view. Use PowerShell or the Azure CLI to create a firewall rule with start and end IP addresses set to 0.0.0.0 if you're not using the portal.
107107

108-
> [!IMPORTANT]
109-
> This option configures the firewall to allow all connections from Azure, including connections from the subscriptions of other customers. If you select this option, make sure that your login and user permissions limit access to authorized users only.
108+
> [!WARNING]
109+
> Enabling this option allows connections from **all** Azure services, **including services running in other customers' subscriptions**. This rule doesn't restrict access to your subscription or resource group — any Azure resource with outbound connectivity to Azure SQL Database can connect. When you enable this setting, make sure your login and user permissions limit access to authorized users only.
110+
111+
The following Azure services commonly use this rule to connect to Azure SQL Database:
112+
113+
- Azure App Service and Azure Functions
114+
- Azure Data Factory
115+
- Azure Stream Analytics
116+
- Azure Logic Apps
117+
- Azure Power BI
118+
- Azure AI services
119+
120+
For enhanced security, consider using [virtual network service endpoints](vnet-service-endpoint-rule-overview.md) or [private endpoints](private-endpoint-overview.md) instead of the **AllowAllWindowsAzureIps** rule. These alternatives limit connectivity to specific subnets or private networks instead of allowing all Azure IP addresses.
110121

111122
## Permissions
112123

113-
To be able to create and manage IP firewall rules for the Azure SQL Server, you'll need to either be:
124+
To create and manage IP firewall rules for the Azure SQL Server, you need to have one of the following roles:
114125

115126
- in the [SQL Server Contributor](/azure/role-based-access-control/built-in-roles#sql-server-contributor) role
116127
- in the [SQL Security Manager](/azure/role-based-access-control/built-in-roles#sql-security-manager) role
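Review bot: the rewritten intro at new line 124 ("you need to have one of the following roles:") no longer reads with the unchanged bullets that follow, which each begin "in the ... role" (lines 126-127); either change the bullets to name the role only ("[SQL Server Contributor](...)") or keep the original "be:" phrasing. In the new services list (lines 113-118), "Azure Power BI" is not the product name; use "Power BI". The list is introduced as services that "commonly use this rule" without a source; consider linking each entry to its Azure SQL connectivity documentation or trimming the list to the services the WARNING is actually about. The WARNING itself is the right call; its point would land harder if the closing paragraph at line 120 also said that the alternatives let you turn the 0.0.0.0 rule off once private connectivity is in place.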
@@ -275,7 +286,7 @@ The following table describes the latency of security settings changes based on
275286

276287
## Manually refreshing firewall rules
277288

278-
If you need to see firewall rules updated more quickly than the 5 minute latency, you can manually refresh the firewall rules. Log into the database instance that needs its rules updated, and run DBCC FLUSHAUTHCACHE. This will cause the database instance to flush its local cache and refresh firewall rules.
289+
If you need to see firewall rules updated more quickly than the 5 minute latency, you can manually refresh the firewall rules. Log in to the database instance that needs its rules updated, and run DBCC FLUSHAUTHCACHE. This will cause the database instance to flush its local cache and refresh firewall rules.
279290
```syntaxsql
280291
DBCC FLUSHAUTHCACHE[;]
281292
```
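Review bot: new line 289 still reads "the 5 minute latency" (hyphenate as "5-minute") and "This will cause" (present tense "This causes" matches the tense the other rewrites in this PR use); `DBCC FLUSHAUTHCACHE` in the prose should also be in code font to match the syntax block that follows it.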
