edits

VanMSFT · VanMSFT · commit 2e4654582ad4 · 2022-03-10T17:06:45.000-08:00
diff --git a/articles/azure-sql/database/authentication-azure-ad-logins-tutorial.md b/articles/azure-sql/database/authentication-azure-ad-logins-tutorial.md
@@ -68,7 +68,7 @@ In this tutorial, you learn how to:
 
 ## Create user from an Azure AD login
 
-1. Now that we've created an Azure AD login, we can create a database-level Azure AD user that is mapped to the Azure AD login in the virtual master database. We'll continue to use our example, `bob@contoso.com` to create a user in the virtual master database, as we want to demonstrate adding the user to special roles.
+1. Now that we've created an Azure AD login, we can create a database-level Azure AD user that is mapped to the Azure AD login in the virtual master database. We'll continue to use our example, `bob@contoso.com` to create a user in the virtual master database, as we want to demonstrate adding the user to special roles. Only an Azure AD admin or SQL server admin can create users in the virtual master database.
 
 1. We're using the virtual master database, but you can switch to a database of your choice. Run the following query.
 
@@ -102,7 +102,7 @@ In this tutorial, you learn how to:
 
 ## Grant server roles to the Azure AD user
 
-[Special roles for SQL Database](/sql/relational-databases/security/authentication-access/database-level-roles#special-roles-for--and-azure-synapse) can be assigned to users in the virtual master database, including **dbmanager** and **loginmanager**. For more server roles, see [Azure SQL Database server roles for permission management](security-server-roles.md).
+[Special roles for SQL Database](/sql/relational-databases/security/authentication-access/database-level-roles#special-roles-for--and-azure-synapse) can be assigned to users in the virtual master database.
 
 In order to grant one of the server roles, an Azure AD user with a login must be created in the virtual master database. 
 
@@ -125,8 +125,8 @@ In our example, we created the user `bob@contoso.com`. Let's give the user the *
 1. Run the following query:
 
    ```sql
-   ALTER SERVER ROLE [dbamanger] ADD MEMBER [AAD_object] 
-   ALTER SERVER ROLE [loginmanager] ADD MEMBER [AAD_object] 
+   ALTER SERVER ROLE [dbamanger] ADD MEMBER [bob@contoso.com] 
+   ALTER SERVER ROLE [loginmanager] ADD MEMBER [bob@contoso.com] 
    ```
 
 1. Check the server role assignment by running the following query:
@@ -150,6 +150,22 @@ In our example, we created the user `bob@contoso.com`. Let's give the user the *
    loginmanager	       bob@contoso.com
    ```
 
+### Additional server-level roles
+
+You can also choose to give the user additional [built-in server-level roles](security-server-roles.md#built-in-server-level-roles), such as the **##MS_DefinitionReader##**, **##MS_ServerStateReader##**, or **##MS_ServerStateManager##** role.
+
+```sql
+ALTER SERVER ROLE ##MS_DefinitionReader## ADD MEMBER [AAD_object];
+```
+
+```sql
+ALTER SERVER ROLE ##MS_ServerStateReader## ADD MEMBER [AAD_object];
+```
+
+```sql
+ALTER SERVER ROLE ##MS_ServerStateManager## ADD MEMBER [AAD_object];
+```
+
 ## Optional - Disable a login
 
 The [ALTER LOGIN (Transact-SQL)](/sql/t-sql/statements/alter-login-transact-sql?view=azuresqldb-current&preserve-view=true) DDL syntax can be used to enable or disable an Azure AD login in Azure SQL Database.
diff --git a/articles/azure-sql/database/authentication-azure-ad-logins.md b/articles/azure-sql/database/authentication-azure-ad-logins.md
@@ -85,6 +85,12 @@ The Azure AD principal `login_name` won't be able to log into any user database
 >   DBCC FREESYSTEMCACHE('TokenAndPermUserStore') WITH NO_INFOMSGS 
 >   ```
 
+## Server-level roles for Azure AD principals
+
+[Special roles for SQL Database](/sql/relational-databases/security/authentication-access/database-level-roles#special-roles-for--and-azure-synapse) can be assigned to users in the virtual master database for Azure AD principals, including **dbmanager** and **loginmanager**. For more server roles, see [Azure SQL Database server roles for permission management](security-server-roles.md).
+
+For a tutorial on how to grant these roles to a user, see [Tutorial: Create and utilize Azure Active Directory server logins](authentication-azure-ad-logins-tutorial.md).
+
 ## Azure AD logins and users with non-unique display names
 
 It's possible to create Azure AD resources with the same display names. For example, creating an [Azure AD application (service principal)](authentication-aad-service-principal.md) with the same name. In this release, we're also introducing the ability to create logins and users using the **Object ID**. 
@@ -99,18 +105,18 @@ CREATE LOGIN login_name FROM EXTERNAL PROVIDER WITH OBJECT_ID = 'objectid'
 Using the display name of a service principal that isn't unique in Azure AD could lead to errors when creating the login or user in Azure SQL. For example, if `myapp` isn't unique, you may run into the following error when executing the following query:
 
 ```sql
-CREATE USER [myapp] FROM EXTERNAL PROVIDER 
+CREATE LOGIN [myapp] FROM EXTERNAL PROVIDER 
 ```
 
 ```output
 Msg 33131, Level 16, State 1, Line 4 
 Principal 'myapp' has a duplicate display name. Make the display name unique in Azure Active Directory and execute this statement again. 
 ```
 
-With the T-SQL DDL extension to create logins or users with the Object ID, you can avoid this error and also specify an alias for the login or user created with the Object ID. For example, the following will create a user `myapp4466e` using the application Object ID `4466e2f8-0fea-4c61-a470-xxxxxxxxxxxx`.
+With the T-SQL DDL extension to create logins or users with the Object ID, you can avoid this error and also specify an alias for the login or user created with the Object ID. For example, the following will create a login `myapp4466e` using the application Object ID `4466e2f8-0fea-4c61-a470-xxxxxxxxxxxx`.
 
 ```sql
-CREATE USER [myapp4466e] FROM EXTERNAL PROVIDER 
+CREATE LOGIN [myapp4466e] FROM EXTERNAL PROVIDER 
   WITH OBJECT_ID='4466e2f8-0fea-4c61-a470-xxxxxxxxxxxx' 
 ```
 
@@ -119,7 +125,7 @@ For more information on obtaining the Object ID of a service principal, see [Ser
 To get the Object ID of the application, you can execute the following query:
 
 ```sql
-SELECT CAST(sid as uniqueidentifier) ApplicationID from sys.database_principals WHERE NAME = 'myapp4466e'
+SELECT CAST(sid as uniqueidentifier) ApplicationID from sys.server_principals WHERE NAME = 'myapp4466e'
 ```
 
 ## Limitations and remarks
