edit

Author: VanMSFT

articles/azure-sql/database/authentication-azure-ad-logins.md

@@ -178,7 +178,7 @@ It's important to verify the Azure AD alias is tied to the correct application o
 - Azure AD logins overlapping with Azure AD administrator aren't supported. Azure AD admin takes precedence over any login. If an Azure AD account already has access to the server as an Azure AD admin, either directly or as a member of the admin group, the login created for this user won't have any effect. The login creation isn't blocked through T-SQL. After the account authenticates to the server, the login will have the effective permissions of an Azure AD admin, and not of a newly created login.
 - Changing permissions on specific Azure AD login object isn't supported:
   - `GRANT <PERMISSION> ON LOGIN :: <Azure AD account> TO <Any other login> `
-- When permissions are altered for an Azure AD login with existing open connections to an Azure SQL Database, permissions aren't effective until the user reconnects. This applies to server role membership change using the [ALTER SERVER ROLE](/sql/t-sql/statements/alter-server-role-transact-sql) statement. 
+- When permissions are altered for an Azure AD login with existing open connections to an Azure SQL Database, permissions aren't effective until the user reconnects. Also [flush the authentication cache and the TokenAndPermUserStore cache](#disable-or-enable-a-login-using-alter-login-syntax). This applies to server role membership change using the [ALTER SERVER ROLE](/sql/t-sql/statements/alter-server-role-transact-sql) statement. 
 - [SQL Server Management Studio (SSMS)](/sql/ssms/download-sql-server-management-studio-ssms) doesn't display the login names in **Object Explorer**.
 - Setting an Azure AD login mapped to an Azure AD group as the database owner is not supported.
 - [Azure SQL Database server roles](security-server-roles.md) are not supported for Azure AD groups.