Commit 7689b61

Merge pull request #190870 from WilliamDAssafMSFT/aadOnlyAuthDocs
Aad only auth docs
2 parents 7424ca8 + 67b91ec commit 7689b61

16 files changed: +202 -166 lines changed

articles/synapse-analytics/security/how-to-manage-synapse-rbac-role-assignments.md

Lines changed: 5 additions & 5 deletions
@@ -1,18 +1,18 @@
11
---
2-
title: How to manage Synapse RBAC assignments in Synapse Studio
3-
description: This article describes how to assign and revoke Synapse RBAC roles to AAD security principals
2+
title: How to manage Azure Synapse RBAC assignments in Synapse Studio
3+
description: This article describes how to assign and revoke Azure Synapse RBAC roles to Azure AD security principals
44
author: meenalsri
55
ms.service: synapse-analytics
66
ms.topic: how-to
77
ms.subservice: security
8-
ms.date: 12/1/2020
8+
ms.date: 3/7/2022
99
ms.author: mesrivas
10-
ms.reviewer: sngun
10+
ms.reviewer: sngun, wiassaf
1111
---
1212

1313
# How to manage Synapse RBAC role assignments in Synapse Studio
1414

15-
Synapse RBAC uses roles to assign permissions to users, groups, and other security principals to enable access and use of Synapse resources and code artifacts. [Learn more](./synapse-workspace-synapse-rbac.md)
15+
Synapse RBAC uses roles to assign permissions to users, groups, and other security principals to enable access and use of Synapse resources and code artifacts. For more information, see [What is Synapse role-based access control (RBAC)?](./synapse-workspace-synapse-rbac.md)
1616

1717
This article shows how to add and delete Synapse RBAC role assignments.
1818

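Review bot: the `title` front matter at line 2 now reads "How to manage Azure Synapse RBAC assignments in Synapse Studio", but the H1 at line 13 of this hunk still reads "How to manage Synapse RBAC role assignments in Synapse Studio", and the new title also drops the word "role" that the H1, the description and the body all keep. Suggest aligning them in the same commit, e.g. `# How to manage Azure Synapse RBAC role assignments in Synapse Studio`. The `ms.date` value `3/7/2022` also differs from the `3/07/2022` used in the other files of this PR; pick one format.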
articles/synapse-analytics/security/how-to-review-synapse-rbac-role-assignments.md

Lines changed: 5 additions & 5 deletions
@@ -1,18 +1,18 @@
11
---
2-
title: How to review Synapse RBAC role assignments in Synapse Studio
3-
description: This article describes how to review Synapse RBAC role assignments using Synapse Studio
2+
title: How to review Azure Synapse RBAC role assignments in Synapse Studio
3+
description: This article describes how to review Azure Synapse RBAC role assignments using Synapse Studio
44
author: meenalsri
55
ms.service: synapse-analytics
66
ms.topic: how-to
77
ms.subservice: security
8-
ms.date: 12/1/2020
8+
ms.date: 3/07/2022
99
ms.author: mesrivas
10-
ms.reviewer: sngun
10+
ms.reviewer: sngun, wiassaf
1111
---
1212

1313
# How to review Synapse RBAC role assignments
1414

15-
Synapse RBAC roles are used to assign permissions to users, groups, and other security principals to enable access and use of Synapse resources. [Learn more](./synapse-workspace-synapse-rbac.md)
15+
Synapse RBAC roles are used to assign permissions to users, groups, and other security principals to enable access and use of Synapse resources. For more information, see [What is Synapse role-based access control (RBAC)?](./synapse-workspace-synapse-rbac.md)
1616

1717
This article explains how to review the current role assignments for a workspace.
1818

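Review bot: same title/heading mismatch as in the manage-role-assignments article: the front matter at line 2 now says "Azure Synapse RBAC role assignments" while the H1 at line 13 stays "How to review Synapse RBAC role assignments". Consider updating the heading here too so the search title and the page heading agree.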
articles/synapse-analytics/security/how-to-set-up-access-control.md

Lines changed: 15 additions & 20 deletions
@@ -1,12 +1,12 @@
11
---
2-
title: How to set up access control for your Synapse workspace
2+
title: How to set up access control for your Azure Synapse workspace
33
description: This article will teach you how to control access to an Azure Synapse workspace using Azure roles, Synapse roles, SQL permissions, and Git permissions.
44
services: synapse-analytics
55
author: meenalsri
66
ms.service: synapse-analytics
77
ms.topic: how-to
88
ms.subservice: security
9-
ms.date: 8/05/2021
9+
ms.date: 3/07/2022
1010
ms.author: ronytho
1111
ms.reviewer: sngun, wiassaf
1212
ms.custom: subject-rbac-steps
@@ -146,7 +146,7 @@ To run pipelines and perform system tasks, Azure Synapse requires that the works
146146

147147
## STEP 5: Grant Synapse administrators the Azure Contributor role on the workspace
148148

149-
To create SQL pools, Apache Spark pools and Integration runtimes, users must have at least Azure Contributor role at the workspace. The contributor role also allows these users to manage the resources, including pausing and scaling. If you are using Azure portal or Synapse Studio to create SQL pools, Apache Spark pools and Integration runtimes, then you need Azure Contributor role at the resource group level.
149+
To create SQL pools, Apache Spark pools and Integration runtimes, users must have at least Azure Contributor role at the workspace. The contributor role also allows these users to manage the resources, including pausing and scaling. If you're using Azure portal or Synapse Studio to create SQL pools, Apache Spark pools and Integration runtimes, then you need Azure Contributor role at the resource group level.
150150

151151
- Open the Azure portal
152152
- Locate the workspace, `workspace1`
@@ -193,7 +193,7 @@ To grant access to the serverless SQL pool, 'Built-in', the scripts can be run b
193193
194194
### STEP 7.1: Serverless SQL pool, Built-in
195195

196-
In this section, there are script examples showing how to give a user permission to access a particular database or to all databases in the serverless SQL pool, 'Built-in'.
196+
In this section, there are script examples showing how to give a user permission to access a particular database or to all databases in the serverless SQL pool, `Built-in`.
197197

198198
> [!NOTE]
199199
> In the script examples, replace *alias* with the alias of the user or group being granted access, and *domain* with the company domain you are using.
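Review bot: the change from 'Built-in' to `Built-in` is applied only to line 196; the hunk header shows the section introduction at line 193 still quoting the pool name as 'Built-in', so two adjacent lines now style the same name differently. Suggest updating line 193 as well.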
@@ -202,38 +202,31 @@ In this section, there are script examples showing how to give a user permission
202202

203203
To grant access to a user to a **single** serverless SQL database, follow the steps in this example:
204204

205-
1. Create LOGIN
205+
1. Create a login. Change to the `master` database context.
206206

207207
```sql
208-
use master
209-
go
208+
--In the master database
210209
CREATE LOGIN [alias@domain.com] FROM EXTERNAL PROVIDER;
211-
go
212210
```
213211

214-
2. Create USER
212+
2. Create user in your database. Change context to your database.
215213

216214
```sql
217-
use yourdb -- Use your database name
218-
go
215+
-- In your database
219216
CREATE USER alias FROM LOGIN [[email protected]];
220217
```
221218

222-
3. Add USER to members of the specified role
219+
3. Add user as a member of the specified role in your database (in this case, the **db_owner** role).
223220

224221
```sql
225-
use yourdb -- Use your database name
226-
go
227-
alter role db_owner Add member alias -- Type USER name from step 2
222+
ALTER ROLE db_owner ADD member alias; -- Type USER name from step 2
228223
```
229224

230225
#### Workspace-scoped permission
231226

232-
To grant full access to **all** serverless SQL pools in the workspace, use the script in this example:
227+
To grant full access to **all** serverless SQL pools in the workspace, in the `master` database, use the script in this example:
233228

234229
```sql
235-
use master
236-
go
237230
CREATE LOGIN [[email protected]] FROM EXTERNAL PROVIDER;
238231
ALTER SERVER ROLE sysadmin ADD MEMBER [[email protected]];
239232
```
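Review bot: `ALTER ROLE db_owner ADD member alias;` at line 222 should read `ADD MEMBER` to match `ALTER SERVER ROLE sysadmin ADD MEMBER` at line 231 and the uppercased keywords elsewhere in these blocks; likewise `--In the master database` at line 208 lacks the space after `--` that `-- In your database` at line 215 has. With the `use`/`go` lines removed, each script depends on the reader having selected the right database as the prose now says, so these comments are the only cue left inside the code and should be consistent. The workspace-scoped script at lines 230 to 231 adds the login to the `sysadmin` server role, the broadest grant available; a one-line reminder that the single-database steps above are the least-privilege option when control over every serverless database is not required would help readers choose.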
@@ -257,8 +250,8 @@ To grant access to a **single** dedicated SQL pool database, follow these steps
257250
```
258251

259252
> [!IMPORTANT]
260-
> *db_datareader* and *db_datawriter* can work for read/write permissions if granting *db_owner* permission is not desired.
261-
> For a Spark user to read and write directly from Spark into or from a SQL pool, *db_owner* permission is required.
253+
> The **db_datareader** and **db_datawriter** database roles can work for read/write permissions if granting **db_owner** permission is not desired.
254+
> However, for a Spark user to read and write directly from Spark into or from a SQL pool, **db_owner** permission is required.
262255

263256
After creating the users, run queries to validate that the serverless SQL pool can query the storage account.
264257

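Review bot: "read and write directly from Spark into or from a SQL pool" at line 254 is hard to parse; suggest "read from and write to a SQL pool directly from Spark". Since line 253 says the reader/writer roles "can work" and line 254 says `db_owner` is required, stating plainly that the requirement applies only to the Spark-to-SQL-pool access path would make clear when the narrower roles are sufficient.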
@@ -290,6 +283,8 @@ This guide has focused on setting up a basic access control system. You can supp
290283
291284
**Restrict operators from accessing code artifacts**. Create security groups for operators who need to monitor operational status of Synapse compute resources and view logs but who don't need access to code or to publish updates to the service. Assign these groups the Compute Operator role scoped to specific Spark pools and Integration runtimes.
292285

286+
**Disable local authentication**. By allowing only Azure Active Directory authentication, you can centrally manage access to Azure Synapse resources, such as SQL pools. Local authentication for all resources within the workspace can be disabled during or after workspace creation. For more information on Azure AD-only authentication, see [Disabling local authentication in Azure Synapse Analytics](../sql/active-directory-authentication.md).
287+
293288
## Next steps
294289

295290
- Learn [how to manage Azure Synapse RBAC role assignments](./how-to-manage-synapse-rbac-role-assignments.md)
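Review bot: the new "Disable local authentication" paragraph at line 286 says local authentication can be disabled during or after workspace creation but does not say what happens to existing SQL-authenticated logins and the clients or pipelines that use them. Since the point of the change is to move to Azure AD-only access, suggest adding a sentence telling readers to check for SQL-authentication dependencies before turning local authentication off, or pointing at the relevant part of the linked article. Also, line 287 adds a second blank line before `## Next steps`; one is enough.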

articles/synapse-analytics/security/synapse-workspace-access-control-overview.md

Lines changed: 8 additions & 5 deletions
@@ -1,11 +1,12 @@
11
---
22
title: Azure Synapse workspace access control overview
3-
description: This article describes the mechanisms used to control access to a Synapse workspace and the resources and code artifacts it contains.
3+
description: This article describes the mechanisms used to control access to an Azure Synapse workspace and the resources and code artifacts it contains.
4+
services: synapse-analytics
45
author: meenalsri
56
ms.service: synapse-analytics
67
ms.topic: overview
78
ms.subservice: security
8-
ms.date: 11/02/2021
9+
ms.date: 3/07/2022
910
ms.author: mesrivas
1011
ms.reviewer: wiassaf
1112
ms.custom: ignite-fall-2021
@@ -38,8 +39,9 @@ Azure roles are used to control management of:
3839

3940
To *create* these resources, you need to be an Azure Owner or Contributor on the resource group. To *manage* them once created, you need to be an Azure Owner or Contributor on either the resource group or the individual resources.
4041

41-
### Develop and execute code in Azure Synapse
42+
An Azure Owner or Contributor can enable or disable Azure AD-only authentication for Azure Synapse workspaces. For more information on Azure AD-only authentication, see [Disabling local authentication in Azure Synapse Analytics](../sql/active-directory-authentication.md).
4243

44+
### Develop and execute code in Azure Synapse
4345
Synapse supports two development models.
4446

4547
- **Synapse live development**. You develop and debug code in Synapse Studio and then **publish** it to save and execute. The Synapse service is the source of truth for code editing and execution. Any unpublished work is lost when you close Synapse Studio.
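Review bot: after moving `### Develop and execute code in Azure Synapse` to line 44, the blank line that used to separate it from "Synapse supports two development models." is gone (line 45 follows the heading directly), while the rest of the file keeps a blank line after headings; add one back. The new sentence at line 42 sits well under the Azure roles section, since enabling or disabling Azure AD-only authentication is an Owner/Contributor action rather than a Synapse RBAC one.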
@@ -49,7 +51,8 @@ In both development models, any user with access to Synapse Studio can create co
4951

5052
### Azure Synapse roles
5153

52-
Azure Synapse roles are used to control access to the Synapse service that permit you to:
54+
Azure Synapse roles are used to control access to the Synapse service. Different roles can permit you to:
55+
5356
- List published code artifacts,
5457
- Publish code artifacts, linked services, and credential definitions,
5558
- Execute code or pipelines that use Synapse compute resources,
@@ -98,7 +101,7 @@ Synapse Studio will behave differently based on your permissions and the current
98101
- **Synapse live mode:** Synapse Studio will prevent you from seeing published content, publishing content, or taking other actions if you don't have the required permission. In some cases, you'll be prevented from creating code artifacts that you can't use or save.
99102
- **Git-mode:** If you have Git permissions that let you commit changes to the current branch, then the commit action will be permitted if you have permission to publish changes to the live service (Synapse Artifact Publisher role), and the Azure Contributor role on the workspace.
100103

101-
In some cases, you are allowed to create code artifacts even without permission to publish or commit. This allows you to execute code (with the required execution permissions). [Learn more](./synapse-workspace-understand-what-role-you-need.md) about the roles required for common tasks.
104+
In some cases, you're allowed to create code artifacts even without permission to publish or commit. This allows you to execute code (with the required execution permissions). For more information on the roles required for common tasks, see [Understand the roles required to perform common tasks in Azure Synapse](./synapse-workspace-understand-what-role-you-need.md).
102105

103106
If a feature is disabled in Synapse Studio, a tooltip will indicate the required permission. Use the [Synapse RBAC roles guide](./synapse-workspace-synapse-rbac-roles.md#synapse-rbac-actions-and-the-roles-that-permit-them) to look up which role is required to provide the missing permission.
104107

articles/synapse-analytics/security/synapse-workspace-synapse-rbac-roles.md

Lines changed: 10 additions & 8 deletions
@@ -1,21 +1,24 @@
11
---
2-
title: Synapse RBAC roles
3-
description: This article describes the built-in Synapse RBAC roles
2+
title: Azure Synapse RBAC roles
3+
description: This article describes the built-in Synapse RBAC (role-based access control) roles, the permissions they grant, and the scopes at which they can be used.
44
author: meenalsri
55
ms.service: synapse-analytics
66
ms.topic: conceptual
77
ms.subservice: security
8-
ms.date: 11/02/2021
8+
ms.date: 3/07/2022
99
ms.author: mesrivas
10-
ms.reviewer: wiassaf
10+
ms.reviewer: sngun, wiassaf
1111
ms.custom: ignite-fall-2021
1212
---
1313

1414
# Synapse RBAC Roles
1515

1616
The article describes the built-in Synapse RBAC (role-based access control) roles, the permissions they grant, and the scopes at which they can be used.
1717

18+
For more information on reviewing and assigning Synapse role memberships, see [how to review Synapse RBAC role assignments](./how-to-review-synapse-rbac-role-assignments.md) and [how to assign Synapse RBAC roles](./how-to-manage-synapse-rbac-role-assignments.md).
19+
1820
## What's changed since the preview?
21+
1922
For users familiar with the Synapse RBAC roles provided during the preview, the following changes apply:
2023
- Workspace Admin is renamed **Synapse Administrator**
2124
- Apache Spark Admin is renamed **Synapse Apache Spark Administrator** and has permission to see all published code artifacts, including SQL scripts. This role no longer gives permission to use the workspace MSI, which requires the Synapse Credential User role. This permission is required to run pipelines.
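Review bot: the front matter title becomes "Azure Synapse RBAC roles" while the H1 at line 14 remains "Synapse RBAC Roles" (and capitalizes "Roles", unlike the sentence-case headings in the other files of this PR); line 16 also opens with "The article describes" where "This article describes" is meant, and its text now duplicates the new description word for word. Suggest fixing the heading and the opening sentence in the same change.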
@@ -31,7 +34,7 @@ The following table describes the built-in roles and the scopes at which they ca
3134
> Users with any Synapse RBAC role at any scope automatically have the Synapse User role at workspace scope.
3235
3336
> [!IMPORTANT]
34-
> Synapse RBAC roles do not grant permissions to create or manage SQL pools, Apache Spark pools, and Integration runtimes in Synapse workspaces. Azure Owner or Azure Contributor roles on the resource group are required for these actions.
37+
> Synapse RBAC roles do not grant permissions to create or manage SQL pools, Apache Spark pools, and Integration runtimes in Azure Synapse workspaces. Azure Owner or Azure Contributor roles on the resource group are required for these actions.
3538
3639
|Role |Permissions|Scopes|
3740
|---|---|-----|
@@ -117,6 +120,5 @@ Credential |Synapse Administrator </br>Synapse Credential User
117120
118121
## Next steps
119122

120-
Learn [how to review Synapse RBAC role assignments](./how-to-review-synapse-rbac-role-assignments.md) for a workspace.
121-
122-
Learn [how to assign Synapse RBAC roles](./how-to-manage-synapse-rbac-role-assignments.md)
123+
- Learn [how to review Synapse RBAC role assignments](./how-to-review-synapse-rbac-role-assignments.md) for a workspace.
124+
- Learn [how to assign Synapse RBAC roles](./how-to-manage-synapse-rbac-role-assignments.md)
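Review bot: the second bullet at line 124 lacks the trailing period the first bullet has; minor, but worth fixing while converting these lines to a list.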

articles/synapse-analytics/security/synapse-workspace-synapse-rbac.md

Lines changed: 13 additions & 8 deletions
@@ -1,13 +1,13 @@
11
---
2-
title: Synapse role-based access control
2+
title: Azure Synapse role-based access control
33
description: An article that explains role-based access control in Azure Synapse Analytics
44
author: meenalsri
55
ms.service: synapse-analytics
66
ms.topic: conceptual
77
ms.subservice: security
8-
ms.date: 12/1/2020
8+
ms.date: 3/07/2022
99
ms.author: mesrivas
10-
ms.reviewer: sngun
10+
ms.reviewer: sngun, wiassaf
1111
---
1212
# What is Synapse role-based access control (RBAC)?
1313

@@ -53,23 +53,28 @@ Synapse provides built-in roles that define collections of actions that match th
5353

5454
### Scopes
5555

56-
A _scope_ defines the resources or artifacts that the access applies to. Synapse supports hierarchical scopes. Permissions granted at a higher-level scope are inherited by objects at a lower level. In Synapse RBAC, the top-level scope is a workspace. Assigning a role with workspace scope grants permissions to all applicable objects in the workspace.
56+
A _scope_ defines the resources or artifacts that the access applies to. Azure Synapse supports hierarchical scopes. Permissions granted at a higher-level scope are inherited by objects at a lower level. In Synapse RBAC, the top-level scope is a workspace. Assigning a role with workspace scope grants permissions to all applicable objects in the workspace.
5757

58-
Current supported scopes within a workspace are: Apache Spark pool, Integration runtime, linked service, and credential.
58+
Current supported scopes within a workspace are:
59+
60+
- Apache Spark pool
61+
- Integration runtime
62+
- linked service
63+
- credential
5964

6065
Access to code artifacts is granted with workspace scope. Granting access to collections of artifacts within a workspace will be supported in a later release.
6166

6267
## Resolving role assignments to determine permissions
6368

64-
A role assignment grants the principal the permissions defined by the role at the specified scope.
69+
A role assignment grants a principal the permissions defined by the role at the specified scope.
6570

6671
Synapse RBAC is an additive model like Azure RBAC. Multiple roles may be assigned to a single principal and at different scopes. When computing the permissions of a security principal, the system considers all roles assigned to the principal and to groups that directly or indirectly include the principal. It also considers the scope of each assignment in determining the permissions that apply.
6772

6873
## Enforcing assigned permissions
6974

7075
In Synapse Studio, specific buttons or options may be grayed out or a permissions error may be returned when attempting an action if you don't have the required permissions.
7176

72-
If a button or option is disabled, hovering over the button or option shows a tooltip with the required permission. Contact a Synapse Administrator to assign a role that grants the required permission. You can see the roles that provide specific actions [here](./synapse-workspace-synapse-rbac-roles.md).
77+
If a button or option is disabled, hovering over the button or option shows a tooltip with the required permission. Contact a Synapse Administrator to assign a role that grants the required permission. You can see the roles that provide specific actions, see [Synapse RBAC Roles](./synapse-workspace-synapse-rbac-roles.md).
7378

7479
## Who can assign Synapse RBAC roles?
7580

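Review bot: line 77 now reads "You can see the roles that provide specific actions, see [Synapse RBAC Roles](...)", which doubles the verb; suggest "For the roles that provide specific actions, see [Synapse RBAC Roles](./synapse-workspace-synapse-rbac-roles.md)". The new scope list at lines 60 to 63 also mixes capitalization ("Apache Spark pool", "Integration runtime" versus "linked service", "credential"); start each item the same way.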
@@ -79,7 +84,7 @@ When a new workspace is created, the creator is automatically given the Synapse
7984

8085
## Where do I manage Synapse RBAC?
8186

82-
Synapse RBAC is managed from within Synapse Studio using the Access control tools in the Manage hub.
87+
Synapse RBAC is managed from within Synapse Studio using the access control tools in the **Manage** hub.
8388

8489
## Next steps
8590

articles/synapse-analytics/security/synapse-workspace-understand-what-role-you-need.md

Lines changed: 7 additions & 6 deletions
@@ -1,18 +1,18 @@
11
---
22
title: Understand the roles required to perform common tasks in Azure Synapse
3-
description: This article describes which built-in Synapse RBAC role(s) are required to accomplish specific tasks
3+
description: Understand which Synapse RBAC (role-based access control) roles or Azure RBAC roles you need to get work done in Synapse Studio.
44
author: meenalsri
55
ms.service: synapse-analytics
66
ms.topic: conceptual
77
ms.subservice: security
8-
ms.date: 11/02/2021
8+
ms.date: 3/07/2022
99
ms.author: mesrivas
10-
ms.reviewer: wiassaf
10+
ms.reviewer: sngun, wiassaf
1111
ms.custom: ignite-fall-2021
1212
---
1313
# Understand the roles required to perform common tasks in Azure Synapse
1414

15-
This article will help you understand which Synapse RBAC (role-based access control) roles or Azure RBAC roles you need to get work done in Synapse Studio.
15+
This article will help you understand which Synapse RBAC (role-based access control) roles or Azure RBAC roles you need to get work done in Synapse Studio. To manage role membership, see [Manage Synapse RBAC role assignments](./how-to-manage-synapse-rbac-role-assignments.md).
1616

1717
## Synapse Studio access control and workflow summary
1818

@@ -62,6 +62,9 @@ The table below lists common tasks and for each task, the Synapse RBAC, or Azure
6262
>[!Note]
6363
> Synapse Administrator is not listed for each task unless it is the only role that provides the necessary permission. A Synapse Administrator can perform all tasks enabled by other Synapse RBAC roles.</br>
6464
65+
> [!Note]
66+
> Guest users from another tenant are also able to review, add, or change role assignments once they have been assigned as Synapse Administrator.
67+
6568
The minimum Synapse RBAC role required is shown.
6669

6770
All Synapse RBAC roles at any scope provide you Synapse User permissions at the workspace.
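Review bot: the note moved to lines 65 and 66 now sits directly below the Synapse Administrator note, but that note at line 63 ends with a stray `</br>` inside the blockquote, so the two boxes will not render as a clean pair; either drop the `</br>` or merge the guest-user sentence into the first note. Placing it here is the right call, since a guest from another tenant who has been made Synapse Administrator can review, add or change role assignments and readers should see that caveat before the task table rather than after it.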
@@ -129,8 +132,6 @@ ACCESS MANAGEMENT|
129132
Review Synapse RBAC role assignments at any scope|Synapse User|read
130133
Assign and remove Synapse RBAC role assignments for users, groups, and service principals| Synapse Administrator at the workspace or at a specific workspace item scope|roleAssignments/write, delete
131134

132-
> [!Note]
133-
> Guest users from another tenant are also able to review, add, or change role assignments once they have been assigned as Synapse Administrator.
134135

135136
## Next steps
136137
