Merge pull request #177093 from VanMSFT/aadlimitations

Adding limitations for AAD-only

Author: PRMerger12

articles/azure-sql/database/authentication-aad-service-principal-tutorial.md

@@ -7,7 +7,7 @@ ms.topic: tutorial
 author: GithubMirek
 ms.author: mireks
 ms.reviewer: vanto
-ms.date: 05/10/2021 
+ms.date: 10/21/2021 
 ms.custom: devx-track-azurepowershell
 ---
 
@@ -111,7 +111,7 @@ if ($role -eq $null) {
     $role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq $roleName}
 }
  
-# Get service principal for managed instance
+# Get service principal for server
 $roleMember = Get-AzureADServicePrincipal -SearchString $AssignIdentityName
 $roleMember.Count
 if ($roleMember -eq $null) {

articles/azure-sql/database/authentication-aad-service-principal.md

@@ -7,7 +7,7 @@ ms.topic: conceptual
 author: GithubMirek
 ms.author: mireks
 ms.reviewer: vanto
-ms.date: 05/11/2021
+ms.date: 10/21/2021
 ---
 
 # Azure Active Directory service principal with Azure SQL
@@ -46,22 +46,22 @@ Supporting this functionality is useful in Azure AD application automation proce
 
 To enable an Azure AD object creation in SQL Database on behalf of an Azure AD application, the following settings are required:
 
-1. Assign the server identity. The assigned server identity represents the Managed Service Identity (MSI). Currently, the server identity for Azure SQL does not support User Managed Identity (UMI).
+1. Assign the server identity. The assigned server identity represents the Managed Service Identity (MSI). Currently, the server identity for Azure SQL does not support user-assigned managed identities (UMI).
     - For a new Azure SQL logical server, execute the following PowerShell command:
 
     ```powershell
     New-AzSqlServer -ResourceGroupName <resource group> -Location <Location name> -ServerName <Server name> -ServerVersion "12.0" -SqlAdministratorCredentials (Get-Credential) -AssignIdentity
     ```
 
-    For more information, see the [New-AzSqlServer](/powershell/module/az.sql/new-azsqlserver) command.
+    For more information, see the [New-AzSqlServer](/powershell/module/az.sql/new-azsqlserver) command, or [New-AzSqlInstance](/powershell/module/az.sql/new-azsqlinstance) command for SQL Managed Instance.
 
     - For existing Azure SQL Logical servers, execute the following command:
     
     ```powershell
     Set-AzSqlServer -ResourceGroupName <resource group> -ServerName <Server name> -AssignIdentity
     ```
 
-    For more information, see the [Set-AzSqlServer](/powershell/module/az.sql/set-azsqlserver) command.
+    For more information, see the [Set-AzSqlServer](/powershell/module/az.sql/set-azsqlserver) command, or [Set-AzSqlInstance](/powershell/module/az.sql/set-azsqlinstance) command for SQL Managed Instance.
 
     - To check if the server identity is assigned to the server, execute the Get-AzSqlServer command.
 

articles/azure-sql/database/authentication-azure-ad-only-authentication.md

@@ -8,7 +8,7 @@ ms.topic: conceptual
 author: GithubMirek
 ms.author: mireks
 ms.reviewer: vanto
-ms.date: 10/19/2021
+ms.date: 10/21/2021
 ---
 
 # Azure AD-only authentication with Azure SQL
@@ -392,13 +392,26 @@ SELECT SERVERPROPERTY('IsExternalAuthenticationOnly')
 - Azure AD users with proper permissions can impersonate existing SQL users.
     - Impersonation continues working between SQL authentication users even when the Azure AD-only authentication feature is enabled.
 
-### Limitations for Azure AD-only authentication in managed instance
+### Limitations for Azure AD-only authentication in SQL Database
 
-When Azure AD-only authentication is enabled for managed instance, the following features aren't supported:
+When Azure AD-only authentication is enabled for SQL Database, the following features aren't supported:
 
-- Transactional replication 
+- [Azure SQL Database server roles](security-server-roles.md)
+- [Elastic jobs](job-automation-overview.md)
+- [SQL Data Sync](sql-data-sync-data-sql-server-sql-database.md)
+- [Change data capture (CDC)](/sql/relational-databases/track-changes/about-change-data-capture-sql-server)
+- [Transactional replication](/azure/azure-sql/managed-instance/replication-transactional-overview) - Since SQL authentication is required for connectivity between replication participants, when Azure AD-only authentication is enabled, transactional replication is not supported for SQL Database for scenarios where transactional replication is used to push changes made in an Azure SQL Managed Instance, on-premises SQL Server, or an Azure VM SQL Server instance to a database in Azure SQL Database
+- [SQL insights](/azure/azure-monitor/insights/sql-insights-overview)
+- EXEC AS statement for Azure AD group member accounts
+
+### Limitations for Azure AD-only authentication in Managed Instance
+
+When Azure AD-only authentication is enabled for Managed Instance, the following features aren't supported:
+
+- [Transactional replication](/azure/azure-sql/managed-instance/replication-transactional-overview) 
+- [SQL Agent Jobs in Managed Instance](../managed-instance/job-automation-managed-instance.md) supports Azure AD-only authentication. However, the Azure AD user who is a member of an Azure AD group that has access to the managed instance cannot own SQL Agent Jobs
+- [SQL insights](/azure/azure-monitor/insights/sql-insights-overview)
 - EXEC AS statement for Azure AD group member accounts
-- [SQL Agent Jobs in Managed Instance](../managed-instance/job-automation-managed-instance.md) supports Azure AD-only authentication. However, the Azure AD user who is a member of an Azure AD group that has access to the managed instance cannot own SQL Agent Jobs.
 
 For more limitations, see [T-SQL differences between SQL Server & Azure SQL Managed Instance](../managed-instance/transact-sql-tsql-differences-sql-server.md#logins-and-users).
 

articles/azure-sql/managed-instance/instance-pools-overview.md

@@ -11,7 +11,7 @@ ms.topic: conceptual
 author: urosmil
 ms.author: urmilano
 ms.reviewer: mathoma
-ms.date: 09/05/2019
+ms.date: 10/21/2021
 ---
 # What is an Azure SQL Managed Instance pool (preview)?
 [!INCLUDE[appliesto-sqlmi](../includes/appliesto-sqlmi.md)]
@@ -76,7 +76,7 @@ There are several resource limitations regarding instance pools and instances in
     - 8 vCores pool supports up to 200 databases,
     - 16 vCores pool supports up to 400 databases,
     - 24 and larger vCores pool supports up to 500 databases.
-- AAD Admin cannot be set for the instances deployed inside the instance pool therefore AAD Authentication can't be used.
+- Azure AD authentication can be used after creating or setting a managed instance with the `-AssignIdentity` flag. For more information, see [New-AzSqlInstance](/powershell/module/az.sql/new-azsqlinstance) and [Set-AzSqlInstance](/powershell/module/az.sql/set-azsqlinstance). Users can then set an Azure AD admin for the instance by following [Provision Azure AD admin (SQL Managed Instance)](/azure/azure-sql/database/authentication-aad-configure#provision-azure-ad-admin-sql-managed-instance).
 
 Total storage allocation and number of databases across all instances must be lower than or equal to the limits exposed by instance pools.
 

articles/azure-sql/managed-instance/transact-sql-tsql-differences-sql-server.md

@@ -9,7 +9,7 @@ ms.topic: reference
 author: danimir
 ms.author: danil
 ms.reviewer: mathoma, bonova, danil
-ms.date: 8/18/2021
+ms.date: 10/21/2021
 ms.custom: seoapril2019, sqldbrb=1
 ---
 
@@ -140,14 +140,14 @@ SQL Managed Instance can't access files, so cryptographic providers can't be cre
     SQL Managed Instance supports Azure AD database principals with the syntax `CREATE USER [AADUser/AAD group] FROM EXTERNAL PROVIDER`. This feature is also known as Azure AD contained database users.
 
 - Windows logins created with the `CREATE LOGIN ... FROM WINDOWS` syntax aren't supported. Use Azure Active Directory logins and users.
-- The Azure AD user who created the instance has [unrestricted admin privileges](../database/logins-create-manage.md).
+- The Azure AD admin for the instance has [unrestricted admin privileges](../database/logins-create-manage.md).
 - Non-administrator Azure AD database-level users can be created by using the `CREATE USER ... FROM EXTERNAL PROVIDER` syntax. See [CREATE USER ... FROM EXTERNAL PROVIDER](../database/authentication-aad-configure.md#create-contained-users-mapped-to-azure-ad-identities).
 - Azure AD server principals (logins) support SQL features within one SQL Managed Instance only. Features that require cross-instance interaction, no matter whether they're within the same Azure AD tenant or different tenants, aren't supported for Azure AD users. Examples of such features are:
 
   - SQL transactional replication.
   - Link server.
 
-- Setting an Azure AD login mapped to an Azure AD group as the database owner isn't supported.
+- Setting an Azure AD login mapped to an Azure AD group as the database owner isn't supported. A member of the Azure AD group can be a database owner, even if the login hasn't been created in the database.
 - Impersonation of Azure AD server-level principals by using other Azure AD principals is supported, such as the [EXECUTE AS](/sql/t-sql/statements/execute-as-transact-sql) clause. EXECUTE AS limitations are:
 
   - EXECUTE AS USER isn't supported for Azure AD users when the name differs from the login name. An example is when the user is created through the syntax CREATE USER [myAadUser] FROM LOGIN [[email protected]] and impersonation is attempted through EXEC AS USER = _myAadUser_. When you create a **USER** from an Azure AD server principal (login), specify the user_name as the same login_name from **LOGIN**.
@@ -170,15 +170,13 @@ SQL Managed Instance can't access files, so cryptographic providers can't be cre
 - If the login is a SQL principal, only logins that are part of the `sysadmin` role can use the create command to create logins for an Azure AD account.
 - The Azure AD login must be a member of an Azure AD within the same directory that's used for Azure SQL Managed Instance.
 - Azure AD server principals (logins) are visible in Object Explorer starting with SQL Server Management Studio 18.0 preview 5.
-- Overlapping Azure AD server principals (logins) with an Azure AD admin account is allowed. Azure AD server principals (logins) take precedence over the Azure AD admin when you resolve the principal and apply permissions to SQL Managed Instance.
+- A server principal with *sysadmin* access level is automatically created for the Azure AD admin account once it’s enabled on an instance.
 - During authentication, the following sequence is applied to resolve the authenticating principal:
 
     1. If the Azure AD account exists as directly mapped to the Azure AD server principal (login), which is present in sys.server_principals as type "E," grant access and apply permissions of the Azure AD server principal (login).
-    2. If the Azure AD account is a member of an Azure AD group that's mapped to the Azure AD server principal (login), which is present in sys.server_principals as type "X," grant access and apply permissions of the Azure AD group login.
-    3. If the Azure AD account is a special portal-configured Azure AD admin for SQL Managed Instance, which doesn't exist in SQL Managed Instance system views, apply special fixed permissions of the Azure AD admin for SQL Managed Instance (legacy mode).
-    4. If the Azure AD account exists as directly mapped to an Azure AD user in a database, which is present in sys.database_principals as type "E," grant access and apply permissions of the Azure AD database user.
-    5. If the Azure AD account is a member of an Azure AD group that's mapped to an Azure AD user in a database, which is present in sys.database_principals as type "X," grant access and apply permissions of the Azure AD group login.
-    6. If there's an Azure AD login mapped to either an Azure AD user account or an Azure AD group account, which resolves to the user who's authenticating, all permissions from this Azure AD login are applied.
+    1. If the Azure AD account is a member of an Azure AD group that's mapped to the Azure AD server principal (login), which is present in sys.server_principals as type "X," grant access and apply permissions of the Azure AD group login.
+    1. If the Azure AD account exists as directly mapped to an Azure AD user in a database, which is present in sys.database_principals as type "E," grant access and apply permissions of the Azure AD database user.
+    1. If the Azure AD account is a member of an Azure AD group that's mapped to an Azure AD user in a database, which is present in sys.database_principals as type "X," grant access and apply permissions of the Azure AD group user.
 
 ### Service key and service master key