edits according to Mushahid

Author: VanMSFT

articles/azure-sql/database/authentication-azure-ad-logins-tutorial.md

@@ -100,11 +100,49 @@ In this tutorial, you learn how to:
 >
 > For example, `CREATE USER [[email protected]] FROM EXTERNAL PROVIDER`.
 
-## Grant roles to the Azure AD login
+## Grant server-level roles to Azure AD logins
 
-[Special roles for SQL Database](/sql/relational-databases/security/authentication-access/database-level-roles#special-roles-for--and-azure-synapse) can be assigned to logins in the virtual master database.
+You can add logins to the [built-in server-level roles](security-server-roles.md#built-in-server-level-roles), such as the **##MS_DefinitionReader##**, **##MS_ServerStateReader##**, or **##MS_ServerStateManager##** role.
 
-In order to grant one of the special database roles, an Azure AD user with a login must be created in the virtual master database. 
+> [!NOTE]
+> The server-level roles mentioned here are not supported for Azure AD groups.
+
+```sql
+ALTER SERVER ROLE ##MS_DefinitionReader## ADD MEMBER [AzureAD_object];
+```
+
+```sql
+ALTER SERVER ROLE ##MS_ServerStateReader## ADD MEMBER [AzureAD_object];
+```
+
+```sql
+ALTER SERVER ROLE ##MS_ServerStateManager## ADD MEMBER [AzureAD_object];
+```
+
+Permissions aren't effective until the user reconnects. Flush the DBCC cache as well:
+
+```sql
+DBCC FLUSHAUTHCACHE
+DBCC FREESYSTEMCACHE('TokenAndPermUserStore') WITH NO_INFOMSGS 
+```
+
+To check which Azure AD logins are part of server-level roles, run the following query:
+
+```sql
+SELECT roles.principal_id AS RolePID,roles.name AS RolePName,
+       server_role_members.member_principal_id AS MemberPID, members.name AS MemberPName
+       FROM sys.server_role_members AS server_role_members
+       INNER JOIN sys.server_principals AS roles
+       ON server_role_members.role_principal_id = roles.principal_id
+       INNER JOIN sys.server_principals AS members 
+       ON server_role_members.member_principal_id = members.principal_id;
+```
+
+## Grant special roles for Azure AD users
+
+[Special roles for SQL Database](/sql/relational-databases/security/authentication-access/database-level-roles#special-roles-for--and-azure-synapse) can be assigned to users in the virtual master database.
+
+In order to grant one of the special database roles to a user, the user must exist in the virtual master database. 
 
 To add a user to a role, you can run the following query:
 
@@ -150,44 +188,6 @@ In our example, we created the user `[email protected]`. Let's give the user the *
    loginmanager	       [email protected]
    ```
 
-### Server-level roles
-
-You can also choose to give the user additional [built-in server-level roles](security-server-roles.md#built-in-server-level-roles), such as the **##MS_DefinitionReader##**, **##MS_ServerStateReader##**, or **##MS_ServerStateManager##** role.
-
-> [!NOTE]
-> The server-level roles mentioned here are not supported for Azure AD groups.
-
-```sql
-ALTER SERVER ROLE ##MS_DefinitionReader## ADD MEMBER [AzureAD_object];
-```
-
-```sql
-ALTER SERVER ROLE ##MS_ServerStateReader## ADD MEMBER [AzureAD_object];
-```
-
-```sql
-ALTER SERVER ROLE ##MS_ServerStateManager## ADD MEMBER [AzureAD_object];
-```
-
-Permissions aren't effective until the user reconnects. Flush the DBCC cache as well:
-
-```sql
-DBCC FLUSHAUTHCACHE
-DBCC FREESYSTEMCACHE('TokenAndPermUserStore') WITH NO_INFOMSGS 
-```
-
-To check which Azure AD logins are part of server-level roles, run the following query:
-
-```sql
-SELECT roles.principal_id AS RolePID,roles.name AS RolePName,
-       server_role_members.member_principal_id AS MemberPID, members.name AS MemberPName
-       FROM sys.server_role_members AS server_role_members
-       INNER JOIN sys.server_principals AS roles
-       ON server_role_members.role_principal_id = roles.principal_id
-       INNER JOIN sys.server_principals AS members 
-       ON server_role_members.member_principal_id = members.principal_id;
-```
-
 ## Optional - Disable a login
 
 The [ALTER LOGIN (Transact-SQL)](/sql/t-sql/statements/alter-login-transact-sql?view=azuresqldb-current&preserve-view=true) DDL syntax can be used to enable or disable an Azure AD login in Azure SQL Database.

articles/azure-sql/database/authentication-azure-ad-logins.md

@@ -19,8 +19,8 @@ ms.date: 03/14/2022
 
 You can now create and utilize Azure AD server principals, which are logins in the virutal master database of a SQL Database. There are several benefits of using Azure AD server principals for SQL Database:
 
-- Support multiple Azure AD login accounts with [special roles for SQL Database](/sql/relational-databases/security/authentication-access/database-level-roles#special-roles-for--and-azure-synapse), such as the `loginmanager` and `dbmanager` roles.
 - Support [Azure SQL Database server roles for permission management](security-server-roles.md).
+- Support multiple Azure AD users with [special roles for SQL Database](/sql/relational-databases/security/authentication-access/database-level-roles#special-roles-for--and-azure-synapse), such as the `loginmanager` and `dbmanager` roles.
 - Functional parity between SQL logins and Azure AD logins.
 - Increase functional improvement support, such as utilizing [Azure AD-only authentication](authentication-azure-ad-only-authentication.md). Azure AD-only authentication allows SQL authentication to be disabled, which includes the SQL server admin, SQL logins and users.
 - Allows Azure AD principals to support geo-replicas. Azure AD principals will be able to connect to the geo-replica of a user database, with a *read-only* permission and *deny* permission to the primary server.