Merge pull request #34273 from MicrosoftDocs/main

5/30/2025 PM Publish

Author: Albertyang0

azure-sql/database/sql-database-paas-overview.md

@@ -202,7 +202,7 @@ Microsoft Defender for SQL is a unified package for advanced SQL security capabi
 
 ### Data encryption
 
-SQL Database helps secure your data by providing encryption. For data in motion, it uses [transport layer security](https://support.microsoft.com/kb/3135244). For data at rest, it uses [transparent data encryption](/sql/relational-databases/security/encryption/transparent-data-encryption-azure-sql). For data in use, it uses [Always Encrypted](/sql/relational-databases/security/encryption/always-encrypted-database-engine).
+SQL Database helps secure your data by providing encryption. For data in motion, it uses [transport layer security](/troubleshoot/sql/database-engine/connect/tls-1-2-support-microsoft-sql-server). For data at rest, it uses [transparent data encryption](/sql/relational-databases/security/encryption/transparent-data-encryption-azure-sql). For data in use, it uses [Always Encrypted](/sql/relational-databases/security/encryption/always-encrypted-database-engine).
 
 ### Data discovery and classification
 
@@ -265,5 +265,5 @@ Azure SQL Database backups are managed automatically. No one has direct access t
   - [Azure CLI samples for SQL Database](az-cli-script-samples-content-guide.md)
   - [Azure PowerShell samples for SQL Database](powershell-script-content-guide.md)
 
-- For information about new capabilities as they're announced, see [Azure Roadmap for SQL Database](https://azure.microsoft.com/roadmap/?category=databases).
+- For information about new capabilities as they're announced, see [Azure Updates](https://azure.microsoft.com/updates/).
 - See the [Azure SQL Database blog](https://azure.microsoft.com/blog/topics/database), where SQL Server product team members blog about SQL Database news and features.

azure-sql/managed-instance/doc-changes-updates-release-notes-whats-new.md

@@ -5,7 +5,7 @@ description: Learn about the new features and documentation improvements for Azu
 author: MashaMSFT
 ms.author: mathoma
 ms.reviewer: wiassaf, mathoma
-ms.date: 05/22/2025
+ms.date: 05/30/2025
 ms.service: azure-sql-managed-instance
 ms.subservice: service-overview
 ms.topic: whats-new
@@ -50,14 +50,15 @@ The following table lists the features of Azure SQL Managed Instance that are cu
 |[UNISTR (Transact-SQL)](/sql/t-sql/functions/unistr-transact-sql)| Azure SQL Managed Instance now supports the `UNISTR` T-SQL syntax for Unicode string literals.|
 |[Vector data type and functions](/sql/t-sql/data-types/vector-data-type?view=azuresqldb-current&preserve-view=true) | Working with vector data is now easier in Azure SQL Managed Instance with the [Always-up-to-date update policy](update-policy.md#always-up-to-date-update-policy) with the introduction of a new [vector data type](/sql/t-sql/data-types/vector-data-type?view=azuresqlmi-current&preserve-view=true) and [vector functions](/sql/t-sql/functions/vector-functions-transact-sql?view=azuresqlmi-current&preserve-view=true). For more information, see [Intelligent applications with Azure SQL Managed Instance](ai-artificial-intelligence-intelligent-applications.md#vectors). |
 |[Zone redundancy for General Purpose](high-availability-sla-local-zone-redundancy.md#zone-redundant-availability) |  Deploy your General Purpose SQL Managed Instance to multiple availability zones to improve the availability of your instance in the event of a disaster. | 
-|[\|\| (String concatenation)](/sql/t-sql/language-elements/string-concatenation-pipes-transact-sql?view=azuresqldb-current&preserve-view=true) and [\|\|= (Compound assignment)](/sql/t-sql/language-elements/compound-assignment-pipes-transact-sql?view=azuresqldb-current&preserve-view=true) syntax support** | Azure SQL Managed Instance now supports [\|\| (String concatenation)](/sql/t-sql/language-elements/string-concatenation-pipes-transact-sql?view=azuresqldb-current&preserve-view=true) and [\|\|= (Compound assignment)](/sql/t-sql/language-elements/compound-assignment-pipes-transact-sql?view=azuresqldb-current&preserve-view=true) Transact-SQL syntax.|
+|[\|\| (String concatenation)](/sql/t-sql/language-elements/string-concatenation-pipes-transact-sql?view=azuresqldb-current&preserve-view=true) and [\|\|= (Compound assignment)](/sql/t-sql/language-elements/compound-assignment-pipes-transact-sql?view=azuresqldb-current&preserve-view=true) syntax support | Azure SQL Managed Instance now supports [\|\| (String concatenation)](/sql/t-sql/language-elements/string-concatenation-pipes-transact-sql?view=azuresqldb-current&preserve-view=true) and [\|\|= (Compound assignment)](/sql/t-sql/language-elements/compound-assignment-pipes-transact-sql?view=azuresqldb-current&preserve-view=true) Transact-SQL syntax.|
 
 ## General availability (GA)
 
 The following table lists features of Azure SQL Managed Instance that have been made generally available (GA) within the last 12 months:
 
 | Feature | GA Month | Details |
 | ---| --- |--- |
+| [TLS 1.3 support for replication](replication-transactional-overview.md#tls-13-support) | May 2025 | Configure Azure SQL Managed Instance replication agents to use TLS 1.3. |
 | [Free SQL Managed Instance](free-offer.md) | May 2025 | Try Azure SQL Managed Instance for free for the first 12 months after an instance is created.  |
 | [JSON native data type](/sql/t-sql/data-types/json-data-type?view=azuresqlmi-current&preserve-view=true) | May 2025 | The **json** data type provides new capabilities for handling semistructured data in Azure SQL Managed Instance. |
 | [JSON aggregate functions](/sql/relational-databases/json/json-data-sql-server?view=azuresqlmi-current&preserve-view=true#json-data-from-aggregates) | May 2025 | Two **json** aggregate functions (`JSON_OBJECTAGG` and `JSON_ARRAYAGG`) enable construction of JSON objects or arrays based on an aggregate from SQL data. |
@@ -86,9 +87,11 @@ Learn about significant changes to the Azure SQL Managed Instance documentation.
 | **JSON native data type GA** |  The  [**json** data type](/sql/t-sql/data-types/json-data-type?view=azuresqlmi-current&preserve-view=true) provides new capabilities for handling semistructured data in Azure SQL Managed Instance. This data type is now generally available. |
 | **JSON aggregate functions GA** | Two [**json** aggregate functions `JSON_OBJECTAGG` and `JSON_ARRAYAGG`](/sql/relational-databases/json/json-data-sql-server?view=azuresqlmi-current&preserve-view=true#json-data-from-aggregates) enable construction of JSON objects or arrays based on an aggregate from SQL data. These JSON functions are now generally available. |
 | **Regular expression functions preview** | Regular expression (REGEX) functions return text based on values in a search pattern. This capability is currently in preview for Azure SQL Managed Instance. For more information, see [Regular expressions](/sql/relational-databases/regular-expressions/overview). |
+| **TLS 1.3 support for replication GA** | Configure Azure SQL Managed Instance replication agents to use TLS 1.3. This capability is generally available. Review [TLS 1.3 support for replication](replication-transactional-overview.md#tls-13-support) to learn more.  |
 | **UNISTR (Transact-SQL) preview** | Azure SQL Managed Instance now supports the `UNISTR` T-SQL syntax for Unicode string literals. This capability is currently in preview. For more information, see [UNISTR (Transact-SQL)](/sql/t-sql/functions/unistr-transact-sql).|
 | **\|\| (String concatenation) and \|\|= (Compound assignment) syntax support preview** | Azure SQL Managed Instance now supports [\|\| (String concatenation)](/sql/t-sql/language-elements/string-concatenation-pipes-transact-sql) and [\|\|= (Compound assignment)](/sql/t-sql/language-elements/compound-assignment-pipes-transact-sql) Transact-SQL syntax. This capability is currently in preview.|
 
+
 ### April 2025
 
 | Changes | Details |

azure-sql/managed-instance/replication-transactional-overview.md

@@ -5,7 +5,7 @@ description: Learn about using SQL Server transactional replication with Azure S
 author: sasapopo
 ms.author: sasapopo
 ms.reviewer: mathoma, randolphwest
-ms.date: 06/10/2024
+ms.date: 05/30/2025
 ms.service: azure-sql-managed-instance
 ms.subservice: data-movement
 ms.topic: conceptual
@@ -77,7 +77,6 @@ The transactional and snapshot replication supportability matrix for Azure SQL M
 
 [!INCLUDE [replication-compat-matrix](../../docs/includes/replication-compat-matrix-transactional.md)]
 
-
 ## When to use
 
 Transactional replication is useful in the following scenarios:
@@ -134,6 +133,18 @@ In this configuration, a database in Azure SQL Database or Azure SQL Managed Ins
 
 ## Security 
 
+### TLS 1.3 support 
+
+Azure SQL Managed Instance supports TLS 1.3 for replication connections initialized by agents configured to run on a SQL managed instance. This applies to a replication topology between two SQL managed instances, and also to any version of SQL Server as a subscriber from a SQL managed instance publisher and distributor. 
+
+If you use TLS 1.3 to secure the connections between instances in a replication topology, specify a value of **3** or **4** for the **-EncryptionLevel** parameter of each replication agent: 
+
+- [Distribution agent](/sql/relational-databases/replication/agents/replication-distribution-agent#encryption-level)
+- [Log reader agent](/sql/relational-databases/replication/agents/replication-log-reader-agent#encryption-level)
+- [Snapshot agent](/sql/relational-databases/replication/agents/replication-snapshot-agent#encryption-level)
+
+A value of `3` enforces TLS 1.3 connections between SQL managed instances, but has not impact on connections between SQL Server and SQL managed instances. A value of `4` enforces TLS 1.3 connections between SQL managed instances, and also connections from SQL managed instance to SQL Server, and requires that you install the certificate to the SQL Server host. 
+
 ### Login `replAgentUser`
 
 For purposes of transactional replication, a SQL managed instance has a pre-created login(s) with the name `replAgentUser`. This login is a member of the `sysadmin` server role and is used by replication agents that need to connect to a SQL managed instance participating in transactional replication setup.

data-migration/sql-server/managed-instance/overview.md

@@ -143,7 +143,7 @@ You can migrate SQL Server Reporting Services (SSRS) reports to paginated report
 
 ### SQL Server Analysis Services
 
-SQL Server Analysis Services tabular models from SQL Server 2012 and later can be migrated to Azure Analysis Services, which is a platform as a service (PaaS) deployment model for the Analysis Services tabular model in Azure. You can learn more about migrating on-premises models to Azure Analysis Services in [this video tutorial](https://azure.microsoft.com/resources/videos/azure-analysis-services-moving-models/).
+SQL Server Analysis Services tabular models from SQL Server 2012 and later can be migrated to Azure Analysis Services, which is a platform as a service (PaaS) deployment model for the Analysis Services tabular model in Azure. You can learn more about migrating on-premises models to Azure Analysis Services in [this video tutorial](/shows/azure-analysis-services/azureanalysisservicesmovingmodels).
 
 Alternatively, you can consider migrating your on-premises Analysis Services tabular models to [Power BI Premium by using the new XMLA read/write endpoints](/power-bi/admin/service-premium-connect-tools).
 

data-migration/sql-server/virtual-machines/overview.md

@@ -140,7 +140,7 @@ SQL Server Analysis Services databases (multidimensional or tabular models) can
 
 See [Move an Analysis Services Database](/analysis-services/multidimensional-models/move-an-analysis-services-database?view=asallproducts-allversions&preserve-view=true) to learn more.
 
-Alternatively, you can consider migrating your on-premises Analysis Services tabular models to [Azure Analysis Services](https://azure.microsoft.com/resources/videos/azure-analysis-services-moving-models/) or to [Power BI Premium by using the new XMLA read/write endpoints](/power-bi/admin/service-premium-connect-tools).
+Alternatively, you can consider migrating your on-premises Analysis Services tabular models to [Azure Analysis Services](/shows/azure-analysis-services/azureanalysisservicesmovingmodels) or to [Power BI Premium by using the new XMLA read/write endpoints](/power-bi/admin/service-premium-connect-tools).
 
 ## Server objects
 

docs/database-engine/configure-windows/certificate-overview.md

@@ -27,7 +27,7 @@ Enabling TLS encryption increases the security of data transmitted across networ
 - Packets sent from the instance of SQL Server to the application must be encrypted by the server TLS stack and decrypted by the client TLS stack.
 
 > [!IMPORTANT]  
-> Starting with SQL Server 2016 (13.x), Secure Sockets Layer (SSL) has been discontinued. Use TLS (TLS 1.2 is recommended) instead. For more information, see [KB3135244 - TLS 1.2 support for Microsoft SQL Server](https://support.microsoft.com/topic/kb3135244-tls-1-2-support-for-microsoft-sql-server-e4472ef8-90a9-13c1-e4d8-44aad198cdbe). SQL Server 2022 introduces support for TLS 1.3. For more information, see [TLS 1.3 support](../../relational-databases/security/networking/tls-1-3.md).
+> Starting with SQL Server 2016 (13.x), Secure Sockets Layer (SSL) has been discontinued. Use TLS (TLS 1.2 is recommended) instead. For more information, see [TLS 1.2 support for Microsoft SQL Server](/troubleshoot/sql/database-engine/connect/tls-1-2-support-microsoft-sql-server). SQL Server 2022 introduces support for TLS 1.3. For more information, see [TLS 1.3 support](../../relational-databases/security/networking/tls-1-3.md).
 > If no matching protocols exist between the client and server computer, you can run into the error described in [An existing connection was forcibly closed by the remote host](/troubleshoot/sql/connect/tls-exist-connection-closed).
 
 ## Digital certificate overview

docs/database-engine/configure-windows/connect-to-the-database-engine-using-extended-protection.md

@@ -51,7 +51,7 @@ Service binding addresses luring attacks by requiring a client to send a signed
 Channel binding establishes a secure channel (Schannel) between a client and an instance of the  SQL Server service. The service verifies the client's authenticity by comparing the client's channel binding token (CBT) specific to that channel with its own CBT. Channel binding addresses both luring and spoofing attacks. However, it incurs a larger runtime cost because it requires Transport Layer Security (TLS) encryption of all the session traffic. Channel Binding occurs when a client application uses encryption to connect to the  SQL Server, regardless of whether encryption is enforced by the client or by the server.
 
 > [!WARNING]  
-> SQL Server and  Microsoft  data providers for SQL Server support TLS 1.0 and SSL 3.0. If you enforce a different protocol (such as TLS 1.1 or TLS 1.2) by making changes in the operating system SChannel layer, your connections to SQL Server might fail. Make sure that you have the latest build of SQL Server to Support TLS 1.1 or TLS 1.2. For more information, see <https://support.microsoft.com/topic/kb3135244-tls-1-2-support-for-microsoft-sql-server-e4472ef8-90a9-13c1-e4d8-44aad198cdbe>.
+> SQL Server and  Microsoft  data providers for SQL Server support TLS 1.0 and SSL 3.0. If you enforce a different protocol (such as TLS 1.1 or TLS 1.2) by making changes in the operating system SChannel layer, your connections to SQL Server might fail. Make sure that you have the latest build of SQL Server to Support TLS 1.1 or TLS 1.2. For more information, see [TLS 1.2 support for Microsoft SQL Server](/troubleshoot/sql/database-engine/connect/tls-1-2-support-microsoft-sql-server).
 
 ### Operating system support
 
@@ -107,13 +107,13 @@ After enabling **Extended Protection** on the server computer, use the following
 
 ## Configuring other SQL Server components
 
-For more information about how to configure [!INCLUDE [ssRSnoversion](../../includes/ssrsnoversion-md.md)], see [Extended Protection for Authentication with Reporting Services](../../reporting-services/security/extended-protection-for-authentication-with-reporting-services.md).
+For more information about how to configure [!INCLUDE [ssRSnoversion](../../includes/ssrsnoversion-md.md)], see [Extended protection for authentication with Reporting Services](../../reporting-services/security/extended-protection-for-authentication-with-reporting-services.md).
 
 When using IIS to access [!INCLUDE [ssASnoversion](../../includes/ssasnoversion-md.md)] data using an HTTP or HTTPS connection, [!INCLUDE [ssASnoversion](../../includes/ssasnoversion-md.md)] can take advantage of Extended Protection provided by IIS. For more information about how to configure IIS to use Extended Protection, see [Configure Extended Protection in IIS 7.5](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee909472(v=ws.10)).
 
 ## Related content
 
-- [Server Network Configuration](../../database-engine/configure-windows/server-network-configuration.md)
-- [Client Network Configuration](../../database-engine/configure-windows/client-network-configuration.md)
+- [Server Network Configuration](server-network-configuration.md)
+- [Client Network Configuration](client-network-configuration.md)
 - [Extended Protection for Authentication Overview](/previous-versions/dotnet/netframework-3.5/dd767318(v=vs.90))
 - [Integrated Windows Authentication with Extended Protection](/previous-versions/visualstudio/visual-studio-2008/dd639324(v=vs.90))

docs/database-engine/configure-windows/enable-or-disable-a-server-network-protocol.md

@@ -28,7 +28,7 @@ All network protocols are installed during installation, by [!INCLUDE[ssNoVersio
 
 - During setup of [!INCLUDE[ssExpress](../../includes/ssexpress-md.md)] edition, a login is added for the BUILTIN\Users group. This login allows all authenticated users of the computer to access the instance of [!INCLUDE[ssExpress](../../includes/ssexpress-md.md)] as a member of the public role. The BUILTIN\Users login can be safely removed to restrict [!INCLUDE[ssDE](../../includes/ssde-md.md)] access to computer users who have individual logins or are members of other Windows groups with logins.
 
-- [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] and [!INCLUDE[msCoName](../../includes/msconame-md.md)] data providers for [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] up to [!INCLUDE[sssql14](../../includes/sssql14-md.md)] only support TLS 1.0 and SSL 3.0 by default. If you enforce a different protocol (such as TLS 1.1 or TLS 1.2) by making changes in the operating system SChannel layer, your connections to [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] might fail, unless you install the appropriate update to add support for TLS 1.1 and 1.2 to [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)]. For more information, see [KB 3135244](https://support.microsoft.com/help/3135244/). Starting from [!INCLUDE[sssql16-md](../../includes/sssql16-md.md)], all release versions of SQL Server include TLS 1.2 support without further updates required.
+- [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] and [!INCLUDE[msCoName](../../includes/msconame-md.md)] data providers for [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] up to [!INCLUDE[sssql14](../../includes/sssql14-md.md)] only support TLS 1.0 and SSL 3.0 by default. If you enforce a different protocol (such as TLS 1.1 or TLS 1.2) by making changes in the operating system SChannel layer, your connections to [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] might fail, unless you install the appropriate update to add support for TLS 1.1 and 1.2 to [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)]. For more information, see [TLS 1.2 support for Microsoft SQL Server](/troubleshoot/sql/database-engine/connect/tls-1-2-support-microsoft-sql-server). Starting from [!INCLUDE[sssql16-md](../../includes/sssql16-md.md)], all release versions of SQL Server include TLS 1.2 support without further updates required.
 
 ## <a id="SSMSProcedure"></a> Use SQL Server Configuration Manager