Commit bc0cefb

Merge pull request #176423 from VanMSFT/MIAADOnlyauthupdate
Adding support for MI AAD-only auth server create
2 parents ae0b070 + 27a952a commit bc0cefb

6 files changed

+61
-22
lines changed

articles/azure-sql/database/authentication-azure-ad-only-authentication-create-server.md

Lines changed: 22 additions & 3 deletions
@@ -8,7 +8,7 @@ ms.topic: how-to
88
author: GithubMirek
99
ms.author: mireks
1010
ms.reviewer: vanto
11-
ms.date: 10/04/2021
11+
ms.date: 10/19/2021
1212
---
1313

1414
# Create server with Azure AD-only authentication enabled in Azure SQL
@@ -293,7 +293,27 @@ You can also use the following template. Use a [Custom deployment in the Azure p
293293

294294
# [Portal](#tab/azure-portal)
295295

296-
Managing or deploying a managed instance with Azure AD-only authentication using the Azure portal is currently not supported. You can deploy a managed instance with Azure AD-only authentication using the Azure CLI, PowerShell, Rest API, or with an ARM template.
296+
1. Browse to the [Select SQL deployment](https://portal.azure.com/#create/Microsoft.AzureSQL) option page in the Azure portal.
297+
298+
1. If you aren't already signed in to Azure portal, sign in when prompted.
299+
300+
1. Under **SQL managed instances**, leave **Resource type** set to **Single instance**, and select **Create**.
301+
302+
1. Fill out the mandatory information required on the **Basics** tab for **Project details** and **Managed Instance details**. This is a minimum set of information required to provision a SQL Managed Instance.
303+
304+
:::image type="content" source="media/authentication-azure-ad-only-authentication/azure-ad-only-managed-instance-create-basic.png" alt-text="Azure portal screenshot of the create Managed Instance basic tab ":::
305+
306+
For more information on the configuration options, see [Quickstart: Create an Azure SQL Managed Instance](/azure/azure-sql/managed-instance/instance-create-quickstart).
307+
308+
1. Under **Authentication**, select **Use only Azure Active Directory (Azure AD) authentication** for the **Authentication method**.
309+
310+
1. Select **Set admin**, which brings up a menu to select an Azure AD principal as your managed instance Azure AD administrator. When you're finished, use the **Select** button to set your admin.
311+
312+
:::image type="content" source="media/authentication-azure-ad-only-authentication/azure-ad-only-managed-instance-create-basic-choose-authentication.png" alt-text="Azure portal screenshot of the create Managed Instance basic tab and choosing Azure AD only authentication":::
313+
314+
1. You can leave the rest of the settings default. For more information on the **Networking**, **Security**, or other tabs and settings, follow the guide in the article [Quickstart: Create an Azure SQL Managed Instance](/azure/azure-sql/managed-instance/instance-create-quickstart).
315+
316+
1. Once you are done with configuring your settings, select **Review + create** to proceed. Select **Create** to start provisioning the managed instance.
297317

298318
# [The Azure CLI](#tab/azure-cli)
299319

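Review bot: the alt text on the 304+ image has a trailing space before the closing quote (`...basic tab ":::`), and "signed in to Azure portal" at 298+ is missing "the". On substance, step 310+ should say that setting an Azure AD admin is mandatory when the authentication method is Azure AD-only, because SQL authentication is disabled for the instance and no SQL admin is created; the tutorial hunk in this same commit (81+) states that dependency for the enable flow, and the create flow should state it too.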
@@ -705,7 +725,6 @@ Once the deployment is complete for your managed instance, you may notice that t
705725

706726
## Limitations
707727

708-
- Creating a managed instance using the Azure portal with Azure AD-only authentication enabled during provisioning is currently not supported.
709728
- To reset the server administrator password, Azure AD-only authentication must be disabled.
710729
- If Azure AD-only authentication is disabled, you must create a server with a server admin and password when using all APIs.
711730

articles/azure-sql/database/authentication-azure-ad-only-authentication-policy.md

Lines changed: 1 addition & 2 deletions
@@ -8,7 +8,7 @@ ms.topic: conceptual
88
author: GithubMirek
99
ms.author: mireks
1010
ms.reviewer: vanto
11-
ms.date: 09/22/2021
11+
ms.date: 10/19/2021
1212
---
1313

1414
# Azure Policy for Azure Active Directory only authentication with Azure SQL
@@ -72,7 +72,6 @@ The Azure Policy can prevent a new logical server or managed instance from being
7272

7373
## Limitations
7474

75-
- Currently, you can't create a logical server or managed instance in the Azure portal with Azure AD-only authentication enabled. You can create a logical server or managed instance with Azure AD-only authentication enabled using the Azure CLI, PowerShell, Rest API, or with an ARM template. For more information, see [Create server with Azure AD-only authentication enabled in Azure SQL](authentication-azure-ad-only-authentication-create-server.md).
7675
- Azure Policy enforces Azure AD-only authentication during logical server or managed instance creation. Once the server is created, authorized Azure AD users with special roles (for example, SQL Security Manager) can disable the Azure AD-only authentication feature. The Azure Policy allows it, but in this case, the server or managed instance will be listed in the compliance report as `Non-compliant` and the report will indicate the server or managed instance name.
7776
- For more remarks, known issues, and permissions needed, see [Azure AD-only authentication](authentication-azure-ad-only-authentication.md).
7877

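Review bot: removing the 75- bullet also drops the only link from this Limitations section to the create-server article; consider keeping a sentence such as "To create a logical server or managed instance with Azure AD-only authentication enabled, see [Create server with Azure AD-only authentication enabled in Azure SQL](authentication-azure-ad-only-authentication-create-server.md)." The remaining 75 bullet (an authorized user such as SQL Security Manager can later disable the feature, and the policy surfaces this only as `Non-compliant` in the compliance report) is the key caveat of the section and still reads correctly after the removal.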
articles/azure-sql/database/authentication-azure-ad-only-authentication-tutorial.md

Lines changed: 29 additions & 10 deletions
@@ -8,7 +8,7 @@ ms.topic: tutorial
88
author: GithubMirek
99
ms.author: mireks
1010
ms.reviewer: vanto
11-
ms.date: 08/31/2021
11+
ms.date: 10/19/2021
1212
---
1313

1414
# Tutorial: Enable Azure Active Directory only authentication with Azure SQL
@@ -18,7 +18,7 @@ ms.date: 08/31/2021
1818
> [!NOTE]
1919
> The **Azure AD-only authentication** feature discussed in this article is in **public preview**.
2020
21-
This article guides you through enabling the [Azure AD-only authentication](authentication-azure-ad-only-authentication.md) feature within Azure SQL Database and Azure SQL Managed Instance. If you are looking to provision a SQL Database or Managed Instance with Azure AD-only authentication enabled, see [Create server with Azure AD-only authentication enabled in Azure SQL](authentication-azure-ad-only-authentication-create-server.md).
21+
This article guides you through enabling the [Azure AD-only authentication](authentication-azure-ad-only-authentication.md) feature within Azure SQL Database and Azure SQL Managed Instance. If you are looking to provision a SQL Database or SQL Managed Instance with Azure AD-only authentication enabled, see [Create server with Azure AD-only authentication enabled in Azure SQL](authentication-azure-ad-only-authentication-create-server.md).
2222

2323
In this tutorial, you learn how to:
2424

@@ -71,9 +71,16 @@ To enable Azure AD-only authentication auth in the Azure portal, see the steps b
7171
1. Select the **Support only Azure Active Directory authentication for this server** checkbox.
7272
1. The **Enable Azure AD authentication only** popup will show. Click **Yes** to enable the feature and **Save** the setting.
7373

74-
## Azure SQL Managed Instance
74+
## Enable in SQL Managed Instance using Azure portal
7575

76-
Managing Azure AD-only authentication for SQL Managed Instance in the portal is currently not supported.
76+
To enable Azure AD-only authentication auth in the Azure portal, see the steps below.
77+
78+
1. Using the user with the [SQL Security Manager](../../role-based-access-control/built-in-roles.md#sql-security-manager) role, go to the [Azure portal](https://portal.azure.com/).
79+
1. Go to your **SQL managed instance** resource, and select **Active Directory admin** under the **Settings** menu.
80+
81+
1. If you haven't added an **Azure Active Directory admin**, you'll need to set this before you can enable Azure AD-only authentication.
82+
1. Select the **Support only Azure Active Directory authentication for this managed instance** checkbox.
83+
1. The **Enable Azure AD authentication only** popup will show. Click **Yes** to enable the feature and **Save** the setting.
7784

7885
# [The Azure CLI](#tab/azure-cli)
7986

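Review bot: "Azure AD-only authentication auth" at 76+ is redundant (it is copied from the SQL Database paragraph visible in the hunk header); drop "auth". The blank-line spacing in the new list is inconsistent (blank lines at 77+, 80+ and 82+, none between 78+ and 79+ or between 82+ and 83+); either separate every item or none. Step 81+ correctly flags that an Azure AD admin must exist before the feature can be enabled.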
@@ -162,7 +169,7 @@ For more information on managing Azure AD-only authentication using APIs, see [M
162169
Connect-AzAccount
163170
```
164171

165-
1. Run the following command, replacing `<myinstance>` with your SQL Managed Instance name, and `<myresource>` with your Azure Resource that holds the SQL managed instance.
172+
1. Run the following command, replacing `<myinstance>` with your SQL Managed Instance name, and `<myresource>` with your Azure Resource that holds the **SQL managed instance**.
166173

167174
```powershell
168175
Enable-AzSqlInstanceActiveDirectoryOnlyAuthentication -InstanceName <myinstance> -ResourceGroupName <myresource>
@@ -176,7 +183,13 @@ Check whether Azure AD-only authentication is enabled for your server or instanc
176183

177184
# [Portal](#tab/azure-portal)
178185

179-
Go to your **SQL server** resource in the [Azure portal](https://portal.azure.com/). Select **Azure Active Directory** under the **Settings** menu. Portal support for Azure AD-only authentication is only available for Azure SQL Database.
186+
## Check status in SQL Database
187+
188+
Go to your **SQL server** resource in the [Azure portal](https://portal.azure.com/). Select **Azure Active Directory** under the **Settings** menu.
189+
190+
## Check status in SQL Managed Instance
191+
192+
Go to your **SQL managed instance** resource in the [Azure portal](https://portal.azure.com/). Select **Active Directory admin** under the **Settings** menu.
180193

181194
# [The Azure CLI](#tab/azure-cli)
182195

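Review bot: the portal sections at 188+ and 192+ say where to navigate but not what indicates the status, whereas the CLI and PowerShell tabs return **True** or **False** (hunk header at 262). Suggest ending each with what to look for, for example whether the **Support only Azure Active Directory authentication for this managed instance** checkbox is selected (the checkbox named at 82+ in the enable section, and its "for this server" counterpart for SQL Database).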
@@ -262,7 +275,7 @@ The status will return **True** if the feature is enabled, and **False** if disa
262275
Connect-AzAccount
263276
```
264277

265-
1. Run the following command, replacing `<myinstance>` with your SQL Managed Instance name, and `<myresource>` with your Azure Resource that holds the SQL managed instance.
278+
1. Run the following command, replacing `<myinstance>` with your SQL Managed Instance name, and `<myresource>` with your Azure Resource that holds the **SQL managed instance**.
266279

267280
```powershell
268281
Get-AzSqlInstanceActiveDirectoryOnlyAuthentication -InstanceName <myinstance> -ResourceGroupName <myresource>
@@ -272,7 +285,7 @@ The status will return **True** if the feature is enabled, and **False** if disa
272285

273286
## Test SQL authentication with connection failure
274287

275-
After enabling Azure AD-only authentication, test with [SQL Server Management Studio (SSMS)](/sql/ssms/download-sql-server-management-studio-ssms) to [connect to your SQL Database or Managed Instance](connect-query-ssms.md). Use SQL authentication for the connection.
288+
After enabling Azure AD-only authentication, test with [SQL Server Management Studio (SSMS)](/sql/ssms/download-sql-server-management-studio-ssms) to [connect to your SQL Database or SQL Managed Instance](connect-query-ssms.md). Use SQL authentication for the connection.
276289

277290
You should see a login failed message similar to the following output:
278291

@@ -289,11 +302,17 @@ By disabling the Azure AD-only authentication feature, you allow both SQL authen
289302

290303
# [Portal](#tab/azure-portal)
291304

305+
## Disable in SQL Database using Azure portal
306+
292307
1. Using the user with the [SQL Security Manager](../../role-based-access-control/built-in-roles.md#sql-security-manager) role, go to the [Azure portal](https://portal.azure.com/).
293308
1. Go to your SQL server resource, and select **Azure Active Directory** under the **Settings** menu.
294309
1. To disable the Azure AD-only authentication feature, uncheck the **Support only Azure Active Directory authentication for this server** checkbox and **Save** the setting.
295310

296-
Managing Azure AD-only authentication for SQL Managed Instance in the portal is currently not supported.
311+
## Disable in SQL Managed Instance using Azure portal
312+
313+
1. Using the user with the [SQL Security Manager](../../role-based-access-control/built-in-roles.md#sql-security-manager) role, go to the [Azure portal](https://portal.azure.com/).
314+
1. Go to your **SQL managed instance** resource, and select **Active Directory admin** under the **Settings** menu.
315+
1. To disable the Azure AD-only authentication feature, uncheck the **Support only Azure Active Directory authentication for this managed instance** checkbox and **Save** the setting.
297316

298317
# [The Azure CLI](#tab/azure-cli)
299318

@@ -381,7 +400,7 @@ To disable Azure AD-only authentication in Azure SQL Managed Instance using Powe
381400
Connect-AzAccount
382401
```
383402

384-
1. Run the following command, replacing `<myinstance>` with your SQL Managed Instance name, and `<myresource>` with your Azure Resource that holds the SQL managed instance.
403+
1. Run the following command, replacing `<myinstance>` with your SQL Managed Instance name, and `<myresource>` with your Azure Resource that holds the managed instance.
385404

386405
```powershell
387406
Disable-AzSqlInstanceActiveDirectoryOnlyAuthentication -InstanceName <myinstance> -ResourceGroupName <myresource>
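Review bot: 403+ writes "the managed instance" where the parallel hunks at 172+ and 278+ changed the same sentence to "**SQL managed instance**"; use one form in all three places.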

articles/azure-sql/database/authentication-azure-ad-only-authentication.md

Lines changed: 9 additions & 7 deletions
@@ -8,7 +8,7 @@ ms.topic: conceptual
88
author: GithubMirek
99
ms.author: mireks
1010
ms.reviewer: vanto
11-
ms.date: 08/31/2021
11+
ms.date: 10/19/2021
1212
---
1313

1414
# Azure AD-only authentication with Azure SQL
@@ -24,12 +24,9 @@ Azure AD-only authentication can be enabled or disabled using the Azure portal,
2424

2525
For more information on Azure SQL authentication, see [Authentication and authorization](logins-create-manage.md#authentication-and-authorization).
2626

27-
> [!IMPORTANT]
28-
> Currently, you cannot manage Azure AD-only authentication in the Azure portal for Azure SQL Managed Instance. For a tutorial on different methods to enable Azure AD-only authentication, see [Tutorial: Enable Azure Active Directory only authentication with Azure SQL](authentication-azure-ad-only-authentication-tutorial.md).
29-
3027
## Feature description
3128

32-
When enabling Azure AD-only authentication, [SQL authentication](logins-create-manage.md#authentication-and-authorization) is disabled at the server level and prevents any authentication based on any SQL authentication credentials. SQL authentication users won't be able to connect to the [logical server](logical-servers.md) for Azure SQL Database, including all of its databases. Although SQL authentication is disabled, new SQL authentication logins and users can still be created by Azure AD accounts with proper permissions. Newly created SQL authentication accounts won't be allowed to connect to the server. Enabling Azure AD-only authentication doesn't remove existing SQL authentication login and user accounts. The feature only prevents these accounts from connecting to the server, and any database created for this server.
29+
When enabling Azure AD-only authentication, [SQL authentication](logins-create-manage.md#authentication-and-authorization) is disabled at the server or managed instance level and prevents any authentication based on any SQL authentication credentials. SQL authentication users won't be able to connect to the [logical server](logical-servers.md) for Azure SQL Database or managed instance, including all of its databases. Although SQL authentication is disabled, new SQL authentication logins and users can still be created by Azure AD accounts with proper permissions. Newly created SQL authentication accounts won't be allowed to connect to the server. Enabling Azure AD-only authentication doesn't remove existing SQL authentication login and user accounts. The feature only prevents these accounts from connecting to the server, and any database created for this server.
3330

3431
You can also force servers to be created with Azure AD-only authentication enabled using Azure Policy. For more information, see [Azure Policy for Azure AD-only authentication](authentication-azure-ad-only-authentication-policy.md).
3532

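Review bot: at 29+, "connect to the [logical server](logical-servers.md) for Azure SQL Database or managed instance" attaches the logical-server link to managed instance, which has no logical server; suggest "connect to the [logical server](logical-servers.md) for Azure SQL Database, or to the managed instance, including all of its databases". The later sentences in the same paragraph still say only "the server" ("won't be allowed to connect to the server", "any database created for this server"); update them to "server or managed instance" as the first sentence now does. Removing the 27-/28- IMPORTANT note is consistent with the portal steps added elsewhere in this commit.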
@@ -395,10 +392,15 @@ SELECT SERVERPROPERTY('IsExternalAuthenticationOnly')
395392
- Azure AD users with proper permissions can impersonate existing SQL users.
396393
- Impersonation continues working between SQL authentication users even when the Azure AD-only authentication feature is enabled.
397394

398-
## Known issues
395+
### Limitations for Azure AD-only authentication in managed instance
396+
397+
When Azure AD-only authentication is enabled for managed instance, the following features aren't supported:
399398

400-
- When Azure AD-only authentication is enabled, the server administrator password cannot be reset. Currently, the password resent operation succeeds in portal but fails in the SQL engine. The failure is indicated in the server activity log. In order to reset the server admin password, the Azure AD-only authentication feature must be disabled.
399+
- Transactional replication
400+
- EXEC AS statement for Azure AD group member accounts
401+
- [SQL Agent Jobs in Managed Instance](/azure/azure-sql/managed-instance/job-automation-managed-instance) supports Azure AD-only authentication. However, the Azure AD user who is a member of an Azure AD group that has access to the managed instance cannot own SQL Agent Jobs.
401402

403+
For more limitations, see [T-SQL differences between SQL Server & Azure SQL Managed Instance](/azure/azure-sql/managed-instance/transact-sql-tsql-differences-sql-server#logins-and-users).
402404

403405
## Next steps
404406

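Review bot: the 400- known issue (the admin password reset succeeds in the portal but fails in the SQL engine while Azure AD-only authentication is enabled, visible only in the server activity log) is removed without a replacement, yet the create-server article in this same commit still lists the reset restriction as a limitation (728); if the behaviour still holds, carry it into the new list rather than dropping it. The lead sentence at 397+ says "the following features aren't supported", but the 401+ bullet describes a feature that is supported with a restriction on job ownership; reword the lead (for example "the following limitations apply") or split that bullet out. Also format `EXEC AS` as code at 400+, and since the heading level changes from `##` to `###`, confirm it nests under the intended parent section.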