Merge pull request #101129 from MarkusVi/arturo111

arturo111

Author: megvanhuygen

articles/active-directory/managed-identities-azure-resources/tutorial-windows-vm-access-sql.md

@@ -5,15 +5,14 @@ services: active-directory
 documentationcenter: ''
 author: MarkusVi
 manager: daveba
-editor: bryanla
 
 ms.service: active-directory
 ms.subservice: msi
 ms.devlang: na
 ms.topic: tutorial
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 01/10/2020
+ms.date: 01/14/2020
 ms.author: markvi
 ms.collection: M365-identity-device-management
 ---
@@ -33,6 +32,12 @@ This tutorial shows you how to use a system-assigned identity for a Windows virt
 
 [!INCLUDE [msi-tut-prereqs](../../../includes/active-directory-msi-tut-prereqs.md)]
 
+
+## Enable
+
+[!INCLUDE [msi-tut-enable](../../../includes/active-directory-msi-tut-enable.md)]
+
+
 ## Grant access
 
 To grant your VM access to a database in an Azure SQL Server, you can use an existing SQL server or create a new one. To create a new server and database using the Azure portal, follow this [Azure SQL quickstart](https://docs.microsoft.com/azure/sql-database/sql-database-get-started-portal). There are also quickstarts that use the Azure CLI and Azure PowerShell in the [Azure SQL documentation](https://docs.microsoft.com/azure/sql-database/).
@@ -42,9 +47,9 @@ There are two steps to granting your VM access to a database:
 1. Enable Azure AD authentication for the SQL server.
 2. Create a **contained user** in the database that represents the VM's system-assigned identity.
 
-## Enable Azure AD authentication
+### Enable Azure AD authentication
 
-[Configure Azure AD authentication for the SQL server](/azure/sql-database/sql-database-aad-authentication-configure) using the following steps:
+**To [configure Azure AD authentication for the SQL server](/azure/sql-database/sql-database-aad-authentication-configure):**
 
 1.	In the Azure portal, select **SQL servers** from the left-hand navigation.
 2.	Click the SQL server to be enabled for Azure AD authentication.
@@ -53,7 +58,7 @@ There are two steps to granting your VM access to a database:
 5.	Select an Azure AD user account to be made an administrator of the server, and click **Select.**
 6.	In the command bar, click **Save.**
 
-## Create user
+### Create contained user
 
 This section shows how to create a contained user in the database that represents the VM's system assigned identity. For this step, you need [Microsoft SQL Server Management Studio](https://docs.microsoft.com/sql/ssms/download-sql-server-management-studio-ssms) (SSMS). Before beginning, it may also be helpful to review the following articles for background on Azure AD integration:
 
@@ -62,6 +67,8 @@ This section shows how to create a contained user in the database that represent
 
 SQL DB requires unique AAD display names. With this, the AAD accounts such as users, groups and Service Principals (applications) and VM names enabled for managed identity must be uniquely defined in AAD regarding their display names. SQL DB checks the AAD display name during T-SQL creation of such users and if it is not unique, the command fails requesting to provide a unique AAD display name for a given account.
 
+**To create a contained user:**
+
 1. Start SQL Server Management Studio.
 2. In the **Connect to Server** dialog, Enter your SQL server name in the **Server name** field.
 3. In the **Authentication** field, select **Active Directory - Universal with MFA support**.
@@ -94,7 +101,7 @@ SQL DB requires unique AAD display names. With this, the AAD accounts such as us
 
 Code running in the VM can now get a token using its system-assigned managed identity and use the token to authenticate to the SQL server.
 
-## Get an access token
+## Access data
 
 This section shows how to get an access token using the VM's system-assigned managed identity and use it to call Azure SQL. Azure SQL natively supports Azure AD authentication, so it can directly accept access tokens obtained using managed identities for Azure resources. You use the **access token** method of creating a connection to SQL. This is part of Azure SQL's integration with Azure AD, and is different from supplying credentials on the connection string.
 
@@ -188,6 +195,12 @@ Alternatively, a quick way to test the end to end setup without having to write
 
 Examine the value of `$DataSet.Tables[0]` to view the results of the query.
 
+
+## Disable
+
+[!INCLUDE [msi-tut-disable](../../../includes/active-directory-msi-tut-disable.md)]
+
+
 ## Next steps
 
 In this tutorial, you learned how to use a system-assigned managed identity to access Azure SQL server. To learn more about Azure SQL Server see:

includes/active-directory-msi-tut-disable.md

@@ -0,0 +1,19 @@
+---
+title: include file
+description: include file
+services: active-directory
+author: MarkusVi
+ms.service: active-directory
+ms.topic: include
+ms.date: 01/14/2020
+ms.author: markvi
+ms.custom: include file
+---
+
+
+
+
+
+To disable the system-assigned identity on your VM, set the status of the system-assigned identity to **Off**. 
+
+![Create new storage account](./media/active-directory-msi-tut-disable/identity.png)

includes/active-directory-msi-tut-enable.md

@@ -0,0 +1,22 @@
+---
+title: include file
+description: include file
+services: active-directory
+author: MarkusVi
+ms.service: active-directory
+ms.topic: include
+ms.date: 01/14/2020
+ms.author: markvi
+ms.custom: include file
+---
+
+Enabling a system-assigned managed identity is a one-click experience. You can either enable it during the creation of a VM or in the properties of an existing VM.
+
+![Create new storage account](./media/active-directory-msi-tut-enable/identity.png)
+
+
+**To enable a system-assigned managed identity on a new VM:** 
+
+1. [Sign in to Azure portal](https://portal.azure.com)
+
+2. [Create a virtual machine with system-assigned identity enabled](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#system-assigned-managed-identity)

includes/active-directory-msi-tut-prereqs.md

@@ -2,15 +2,13 @@
 title: include file
 description: include file
 services: active-directory
-author: daveba
+author: MarkusVi
 ms.service: active-directory
 ms.topic: include
-ms.date: 11/13/2018
-ms.author: daveba
+ms.date: 01/14/2020
+ms.author: markvi
 ms.custom: include file
 ---
 
 - If you're not familiar with the managed identities for Azure resources feature, see this [overview](../articles/active-directory/msi-overview.md). If you don't have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/) before you continue.
 - To perform the required resource creation and role management, your account needs "Owner" permissions at the appropriate scope (your subscription or resource group). If you need assistance with role assignment, see [Use Role-Based Access Control to manage access to your Azure subscription resources](../articles/role-based-access-control/role-assignments-portal.md).
-- [Sign in to Azure portal](https://portal.azure.com)
-- [Create a virtual machine with system-assigned identity enabled](/azure/active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm#system-assigned-managed-identity)