Commit 1eb85f3

Merge pull request #33926 from MicrosoftDocs/main
4/24/2025 PM Publish
2 parents b2a7bbc + 75b451a commit 1eb85f3

10 files changed, +65 -50 lines changed

azure-sql/database/authentication-azure-ad-only-authentication-create-server.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -44,7 +44,7 @@ The following section provides you with examples and scripts on how to create a
4444
In our examples, we're enabling Microsoft Entra-only authentication during server or managed instance creation, with a system assigned server admin and password. This will prevent server admin access when Microsoft Entra-only authentication is enabled, and only allows the Microsoft Entra admin to access the resource. It's optional to add parameters to the APIs to include your own server admin and password during server creation. However, the password can't be reset until you disable Microsoft Entra-only authentication. An example of how to use these optional parameters to specify the server admin login name is presented in the [PowerShell](?tabs=azure-powershell#azure-sql-database) tab on this page.
4545

4646
> [!NOTE]
47-
> To change the existing properties after server or managed instance creation, other existing APIs should be used. For more information, see [Managing Microsoft Entra-only authentication using APIs](authentication-azure-ad-only-authentication.md#managing-azure-ad-only-authentication-using-apis) and [Configure and manage Microsoft Entra authentication with Azure SQL](authentication-aad-configure.md).
47+
> To change the [Microsoft Entra-only authentication](authentication-azure-ad-only-authentication.md) property after server or managed instance creation, other existing APIs should be used. For more information, see [Managing Microsoft Entra-only authentication using APIs](authentication-azure-ad-only-authentication.md#managing-azure-ad-only-authentication-using-apis).
4848
>
4949
> If Microsoft Entra-only authentication is set to false, which it is by default, a server admin and password will need to be included in all APIs during server or managed instance creation.
5050
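
Review bot: In the rewritten NOTE, "other existing APIs should be used" stays passive and does not say which APIs, and the same article (authentication-azure-ad-only-authentication.md) is now linked twice in two adjacent sentences while the pointer to authentication-aad-configure.md is dropped. Consider an active instruction such as "use the APIs described in Managing Microsoft Entra-only authentication using APIs", and confirm that readers who need to change other authentication settings after creation still have a link to follow. The paragraph above says the server admin password can't be reset while Microsoft Entra-only authentication is enabled, so the post-creation path is worth making explicit here.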

azure-sql/database/hyperscale-named-replica-configure.md

Lines changed: 14 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ description: Learn how to configure and manage Hyperscale named replica so that
44
author: WilliamDAssafMSFT
55
ms.author: wiassaf
66
ms.reviewer: atsingh, dinethi, rsetlem
7-
ms.date: 02/26/2024
7+
ms.date: 04/24/2025
88
ms.service: azure-sql-database
99
ms.subservice: scale-out
1010
ms.custom: devx-track-azurecli, devx-track-azurepowershell
@@ -226,6 +226,19 @@ DELETE https://management.azure.com/subscriptions/00000000-1111-2222-3333-444444
226226
> [!IMPORTANT]
227227
> Named replicas will be automatically removed when the primary replica from which they have been created is deleted.
228228
229+
## Optimizing named replica configuration
230+
231+
It is recommended to configure the named replica with the same compute size (vCores) as the primary replica. If the primary replica experiences a heavy write workload, a named replica with a lower compute size might not be able to keep up, causing replication lag. To maintain the recoverability SLAs, primary's transaction log rate can be temporarily reduced to allow its secondaries to catch up.
232+
233+
If you choose to create the named replica with a different compute size (vCores) than the primary, monitor the log IO rate on the primary over time. This helps estimate the minimal compute size required for the named replica to sustain the replication load. For more information, consider the following objects:
234+
235+
- The [sys.dm_hs_database_log_rate()](/sql/relational-databases/system-dynamic-management-views/sys-dm-hs-database-log-rate) dynamic management function (DMF) provides additional details to help understand log rate reduction, if any. It can indicate which specific secondary replica is behind in applying log records and the total size of the unapplied transaction log.
236+
- To retrieve historical log IO data, use [sys.resource_stats](/sql/relational-databases/system-catalog-views/sys-resource-stats-azure-sql-database) view.
237+
- For recent log IO data with higher granularity that better reflects short-term spikes, use [sys.dm_db_resource_stats](/sql/relational-databases/system-dynamic-management-views/sys-dm-db-resource-stats-azure-sql-database).
238+
239+
For more information, see to the [Azure SQL Database Hyperscale Performance Diagnostics](hyperscale-performance-diagnostics.md#reduced-log-rate-waits).
240+
241+
229242
## Related content
230243

231244
- [Hyperscale secondary replicas](service-tier-hyperscale-replicas.md)
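
Review bot: The closing sentence of the new section reads "For more information, see to the [Azure SQL Database Hyperscale Performance Diagnostics]"; drop the stray "to". In the same section, "primary's transaction log rate can be temporarily reduced" needs an article and does not say who or what reduces it, which matters to someone diagnosing an unexpected write slowdown. The paragraph before the list already opens its last sentence with "For more information", so the two consecutive "For more information" leads could be merged, and the sys.resource_stats bullet is missing "the" before the view name.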

azure-sql/managed-instance/native-windows-principals.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -49,7 +49,7 @@ In order to use the **Windows** authentication metadata mode, the user environme
4949

5050
The **Windows** authentication metadata mode helps modernize authentication for application, and unblocks migration challenges to SQL Managed Instance. Here are some common scenarios where the **Windows** authentication metadata mode can be used to address customer challenges:
5151

52-
- The complexities of setting up [Windows Authentication for Azure SQL Managed Instance using Microsoft Entra ID and Kerberos](winauth-azuread-setup.md).
52+
- The overhead of migrating Windows logins to Microsoft Entra ID for [Windows authentication with Azure SQL Managed Instance using Microsoft Entra ID and Kerberos](winauth-azuread-setup.md).
5353
- Read-only replica failovers in [Managed Instance link](managed-instance-link-feature-overview.md).
5454
- Synchronization of [Microsoft Entra authentication for SQL Server](/sql/relational-databases/security/authentication-access/azure-ad-authentication-sql-server-overview).
5555
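
Review bot: The new bullet "The overhead of migrating Windows logins to Microsoft Entra ID for [Windows authentication with ...]" is hard to parse, because "for" can attach to either "migrating" or "Microsoft Entra ID". Wording such as "The overhead of migrating Windows logins to Microsoft Entra ID when setting up [...]" reads unambiguously. The link text also changed from "Windows Authentication for Azure SQL Managed Instance ..." to "Windows authentication with ..."; check that it still matches the title of winauth-azuread-setup.md.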

docs/connect/ado-net/sql/bulk-copy-example-setup.md

Lines changed: 4 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -31,10 +31,7 @@ To create the tables necessary for the code samples to run correctly, you must r
3131
USE AdventureWorks2022;
3232
GO
3333

34-
IF EXISTS (SELECT * FROM dbo.sysobjects
35-
WHERE id = object_id(N'[dbo].[BulkCopyDemoMatchingColumns]')
36-
AND OBJECTPROPERTY(id, N'IsUserTable') = 1)
37-
DROP TABLE [dbo].[BulkCopyDemoMatchingColumns]
34+
DROP TABLE IF EXISTS [dbo].[BulkCopyDemoMatchingColumns]
3835

3936
CREATE TABLE [dbo].[BulkCopyDemoMatchingColumns]([ProductID] [int] IDENTITY(1,1) NOT NULL,
4037
[Name] [nvarchar](50) NOT NULL,
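
Review bot: The replacement `DROP TABLE IF EXISTS [dbo].[BulkCopyDemoMatchingColumns]` has no statement terminator, while `USE AdventureWorks2022;` a few lines above does; add a trailing semicolon here and on the three other DROP statements changed in this file. `DROP TABLE IF EXISTS` needs SQL Server 2016 or later, which the removed `sysobjects` check did not, so if the article is still meant to cover older versions a one-line prerequisite would help.
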
@@ -44,10 +41,7 @@ CREATE TABLE [dbo].[BulkCopyDemoMatchingColumns]([ProductID] [int] IDENTITY(1,1)
4441
[ProductID] ASC
4542
) ON [PRIMARY]) ON [PRIMARY]
4643

47-
IF EXISTS (SELECT * FROM dbo.sysobjects
48-
WHERE id = object_id(N'[dbo].[BulkCopyDemoDifferentColumns]')
49-
AND OBJECTPROPERTY(id, N'IsUserTable') = 1)
50-
DROP TABLE [dbo].[BulkCopyDemoDifferentColumns]
44+
DROP TABLE IF EXISTS [dbo].[BulkCopyDemoDifferentColumns]
5145

5246
CREATE TABLE [dbo].[BulkCopyDemoDifferentColumns]([ProdID] [int] IDENTITY(1,1) NOT NULL,
5347
[ProdNum] [nvarchar](25) NOT NULL,
@@ -57,10 +51,7 @@ CREATE TABLE [dbo].[BulkCopyDemoDifferentColumns]([ProdID] [int] IDENTITY(1,1) N
5751
[ProdID] ASC
5852
) ON [PRIMARY]) ON [PRIMARY]
5953

60-
IF EXISTS (SELECT * FROM dbo.sysobjects
61-
WHERE id = object_id(N'[dbo].[BulkCopyDemoOrderHeader]')
62-
AND OBJECTPROPERTY(id, N'IsUserTable') = 1)
63-
DROP TABLE [dbo].[BulkCopyDemoOrderHeader]
54+
DROP TABLE IF EXISTS [dbo].[BulkCopyDemoOrderHeader]
6455

6556
CREATE TABLE [dbo].[BulkCopyDemoOrderHeader]([SalesOrderID] [int] IDENTITY(1,1) NOT NULL,
6657
[OrderDate] [datetime] NOT NULL,
@@ -70,10 +61,7 @@ CREATE TABLE [dbo].[BulkCopyDemoOrderHeader]([SalesOrderID] [int] IDENTITY(1,1)
7061
[SalesOrderID] ASC
7162
) ON [PRIMARY]) ON [PRIMARY]
7263

73-
IF EXISTS (SELECT * FROM dbo.sysobjects
74-
WHERE id = object_id(N'[dbo].[BulkCopyDemoOrderDetail]')
75-
AND OBJECTPROPERTY(id, N'IsUserTable') = 1)
76-
DROP TABLE [dbo].[BulkCopyDemoOrderDetail]
64+
DROP TABLE IF EXISTS [dbo].[BulkCopyDemoOrderDetail]
7765

7866
CREATE TABLE [dbo].[BulkCopyDemoOrderDetail]([SalesOrderID] [int] NOT NULL,
7967
[SalesOrderDetailID] [int] NOT NULL,

docs/relational-databases/security/encryption/always-encrypted-enclaves-rotate-keys.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,10 @@ The below steps include links to detailed articles, depending on your rotation s
2828
1. Provision a new key (a column master key or a column encryption key).
2929
- To provision a new enclave-enclave enabled key, see [Provision enclave-enabled keys](always-encrypted-enclaves-provision-keys.md).
3030
- To provision a key that isn't enclave enabled, see [Provision Always Encrypted keys using SQL Server Management Studio](configure-always-encrypted-keys-using-ssms.md) and [Provision Always encrypted keys using PowerShell](configure-always-encrypted-keys-using-powershell.md).
31+
32+
> [!NOTE]
33+
> When using Azure Key Vault as the key store, multitenant customer managed key rotation is not supported. Ensure that the new customer managed key is in the same tenant as the existing one.
34+
3135
2. Replace an existing key with the new key.
3236
- If you're rotating a column encryption key and both the source key and the target key are enclave-enabled, you can run the rotation (which involves re-encrypting your data) in-place. For more information, see [Configure column encryption in-place using Always Encrypted with secure enclaves](always-encrypted-enclaves-configure-encryption.md).
3337
- For detailed steps for rotating keys, see [Rotate Always Encrypted keys using SQL Server Management Studio](rotate-always-encrypted-keys-using-ssms.md) and [Rotate Always Encrypted keys using PowerShell](rotate-always-encrypted-keys-using-powershell.md).
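
Review bot: The added NOTE under step 1 speaks of a "customer managed key", a term the surrounding steps never use; they refer to column master keys and column encryption keys. Name the key type the Azure Key Vault restriction applies to, hyphenate "customer-managed", and say what the reader will observe if the new key is in a different tenant so that the failure can be recognised. While this list is being edited, the context line above still reads "enclave-enclave enabled key".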

docs/relational-databases/security/encryption/configure-always-encrypted-keys-using-powershell.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -34,7 +34,7 @@ Step 1. Create a column master key in a key store.<br><br>**Note:** The SqlServe
3434
Step 2. Start a PowerShell environment and import the SqlServer PowerShell module. | [Configure Always Encrypted using PowerShell](../../../relational-databases/security/encryption/configure-always-encrypted-using-powershell.md) | No | No
3535
Step 3. Connect to your server and database. | [Connect to a database](../../../relational-databases/security/encryption/configure-always-encrypted-using-powershell.md#connectingtodatabase) | No | Yes
3636
Step 4. Create a *SqlColumnMasterKeySettings* object that contains information about the location of your column master key. SqlColumnMasterKeySettings is an object that exists in memory (in PowerShell). Use the cmdlet that is specific to your key store. | [New-SqlAzureKeyVaultColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlazurekeyvaultcolumnmasterkeysettings)<br><br>[New-SqlCertificateStoreColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlcertificatestorecolumnmasterkeysettings)<br><br>[New-SqlCngColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlcngcolumnmasterkeysettings)<br><br>[New-SqlCspColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlcspcolumnmasterkeysettings) | No | No
37-
Step 5. Create the metadata about the column master key in your database. | [New-SqlColumnMasterKey](/powershell/sqlserver/sqlserver/vlatest/new-sqlcolumnmasterkey)<br><br>**Note:** under the covers, the cmdlet issues the [CREATE COLUMN MASTER KEY (Transact-SQL)](../../../t-sql/statements/create-column-master-key-transact-sql.md) statement to create key metadata.| No | Yes
37+
Step 5. Create the metadata about the column master key in your database. <br /> <br /> **Note:** We do not verify the validity of the keys or certificates used to generate the column master key. | [New-SqlColumnMasterKey](/powershell/sqlserver/sqlserver/vlatest/new-sqlcolumnmasterkey)<br><br>**Note:** under the covers, the cmdlet issues the [CREATE COLUMN MASTER KEY (Transact-SQL)](../../../t-sql/statements/create-column-master-key-transact-sql.md) statement to create key metadata.| No | Yes
3838
Step 6. Authenticate to Azure, if your column master key is stored in Azure Key Vault. | [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) | Yes | No
3939
Step 7. Obtain an access token for Azure Key Vaults, if your column master key is stored in Azure Key Vault. | [Get-AzAccessToken](/powershell/module/az.accounts/get-azaccesstoken) | No | No
4040
Step 8. Generate a new column encryption key, encrypt it with the column master key and create column encryption key metadata in the database. | [New-SqlColumnEncryptionKey](/powershell/sqlserver/sqlserver/vlatest/new-sqlcolumnencryptionkey)<br><br>**Note:** Use a variation of the cmdlet that internally generates and encrypts a column encryption key.<br><br>**Note:** Under the covers, the cmdlet issues the [CREATE COLUMN ENCRYPTION KEY (Transact-SQL)](../../../t-sql/statements/create-column-encryption-key-transact-sql.md) statement to create key metadata. | Yes | Yes
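
Review bot: In the new Step 5 note, "We do not verify the validity of the keys or certificates" leaves the actor unclear, while the second column of the same row attributes the work to New-SqlColumnMasterKey and the CREATE COLUMN MASTER KEY statement. State which component skips the check and what the reader should confirm beforehand, since a caveat with no follow-up action is easy to skip past. The cell also mixes `<br />` with the `<br>` used in the rest of the row.
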
@@ -194,7 +194,7 @@ Step 1. Obtain the location of the column master key and encrypted value of the
194194
Step 2. Start a PowerShell environment and import the SqlServer module. | [Configure Always Encrypted using PowerShell](../../../relational-databases/security/encryption/configure-always-encrypted-using-powershell.md) | No | No
195195
Step 3. Connect to your server and a database. | [Connect to a database](../../../relational-databases/security/encryption/configure-always-encrypted-using-powershell.md#connectingtodatabase) | No | Yes
196196
Step 4. Create a SqlColumnMasterKeySettings object that contains information about the location of your column master key. SqlColumnMasterKeySettings is an object that exists in memory. | New-SqlColumnMasterKeySettings | No | No
197-
Step 5. Create the metadata about the column master key in your database | [New-SqlColumnMasterKey](/powershell/sqlserver/sqlserver/vlatest/new-sqlcolumnmasterkey)<br>**Note:** under the covers, the cmdlet issues the [CREATE COLUMN MASTER KEY (Transact-SQL)](../../../t-sql/statements/create-column-master-key-transact-sql.md) statement to create column master key metadata. | No | Yes
197+
Step 5. Create the metadata about the column master key in your database. <br /> <br /> **Note:** We do not verify the validity of the keys or certificates used to generate the column master key. | [New-SqlColumnMasterKey](/powershell/sqlserver/sqlserver/vlatest/new-sqlcolumnmasterkey)<br>**Note:** under the covers, the cmdlet issues the [CREATE COLUMN MASTER KEY (Transact-SQL)](../../../t-sql/statements/create-column-master-key-transact-sql.md) statement to create column master key metadata. | No | Yes
198198
Step 6. Create the column encryption key metadata in the database. | New-SqlColumnEncryptionKey<br>**Note:** DBAs use a variation of the cmdlet that only creates column encryption key metadata.<br>Under the covers, the cmdlet issues the [CREATE COLUMN ENCRYPTION KEY (Transact-SQL)](../../../t-sql/statements/create-column-encryption-key-transact-sql.md) statement to create column encryption key metadata. | No | Yes
199199

200200
## Windows Certificate Store with Role Separation (Example)
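
Review bot: In this role-separation table the Step 5 row is marked "No" for access to plaintext keys or the key store, so the person running it cannot inspect the key or certificate that the new note warns about. Consider placing the validity caveat on a step where the key store is accessible, or stating who is expected to confirm validity before the metadata is created.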

docs/relational-databases/security/encryption/configure-always-encrypted-keys-using-ssms.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -51,6 +51,10 @@ The **New Column Master Key** dialog allows you to generate a column master key
5151
> The **Allow enclave computations** checkbox does not appear if your SQL Server instance is not correctly configured with a secure enclave.
5252
5353
1. Pick an existing key in your key store, or click the **Generate Key** or **Generate Certificate** button, to create a key in the key store.
54+
55+
> [!NOTE]
56+
> We do not verify the validity of the keys or certificates used to generate the column master key.
57+
5458
1. Click **OK** and the new key appears in the list.
5559

5660
Once you complete the dialog, SQL Server Management Studio creates metadata for your column master key in the database. The dialog generates and issues a [CREATE COLUMN MASTER KEY (Transact-SQL)](../../../t-sql/statements/create-column-master-key-transact-sql.md) statement.
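
Review bot: The NOTE is inserted between two list items that are both numbered "1.", so it has to be indented to the list item's content level; an unindented blockquote ends the list and the "Click **OK**" step restarts at 1. The enclave note shown as a context line above it can serve as the indentation reference. The same sentence is also added to configure-always-encrypted-keys-using-powershell.md in this commit, so a shared include would keep the wording in sync.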

docs/relational-databases/security/encryption/rotate-always-encrypted-keys-using-powershell.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,7 @@ The method of rotating a column master key described in this section doesn't sup
2929

3030
| Task | Article | Accesses plaintext keys/keystore| Accesses database
3131
|:---|:---|:---|:---
32-
|Step 1. Create a new column master key in a key store.<br><br>**Note:** The SqlServer PowerShell module doesn't support this step. To accomplish this task from the command-line, you need to use tools that are specific for your key store. | [Create and store column master keys for Always Encrypted](../../../relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted.md)| Yes | No
32+
|Step 1. Create a new column master key in a key store. <br /> <br />**Note:** The SqlServer PowerShell module doesn't support this step. To accomplish this task from the command-line, you need to use tools that are specific for your key store. When using Azure Key Vault as the key store, multitenant customer managed key rotation is not supported. Ensure that the new customer managed key is in the same tenant as the existing one.| [Create and store column master keys for Always Encrypted](../../../relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted.md)| Yes | No
3333
|Step 2. Start a PowerShell environment and import the SqlServer module | [Import the SqlServer module](../../../relational-databases/security/encryption/configure-always-encrypted-using-powershell.md#importsqlservermodule) | No | No
3434
|Step 3. Connect to your server and database. | [Connecting to a database](../../../relational-databases/security/encryption/configure-always-encrypted-using-powershell.md#connectingtodatabase) | No | Yes
3535
|Step 4. Create a SqlColumnMasterKeySettings object that contains information about the location of your new column master key. SqlColumnMasterKeySettings is an object that exists in memory (in PowerShell). To create it, you need to use the cmdlet that is specific to your key store. |[New-SqlAzureKeyVaultColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlazurekeyvaultcolumnmasterkeysettings)<br><br>[New-SqlCertificateStoreColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlcertificatestorecolumnmasterkeysettings)<br><br>[New-SqlCngColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlcngcolumnmasterkeysettings)<br><br>[New-SqlCspColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlcspcolumnmasterkeysettings)<br> | No | No
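
Review bot: The Azure Key Vault tenant restriction is appended to the existing "**Note:**" about the SqlServer PowerShell module not supporting Step 1, so two unrelated caveats now run together in one paragraph of the table cell. Give the restriction its own "**Note:**" after a line break, and use "column master key", the term this row uses, rather than "customer managed key".
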
@@ -107,7 +107,7 @@ The Security Administrator generates a new column master key, re-encrypts the im
107107
| Task | Article | Access plaintext keys/keystore| Accesses database
108108
|:---|:---|:---|:---
109109
|Step 1. Obtain the location of the old column master key and the encrypted values of the corresponding column encryption keys, protected with the old column master key, from your DBA.|N/A<br>See the examples below.|No| No
110-
|Step 2. Create a new column master key in a key store.<br><br>**Note:** The SqlServer module doesn't support this step. To accomplish this task from a command-line, you need to use the tools that are specific the type of your key store.|[Create and store column master keys for Always Encrypted](../../../relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted.md)| Yes | No
110+
|Step 2. Create a new column master key in a key store. <br /> <br />**Note:** The SqlServer module doesn't support this step. To accomplish this task from a command-line, you need to use the tools that are specific the type of your key store. When using Azure Key Vault as the key store, multitenant customer managed key rotation is not supported. Ensure that the new customer managed key is in the same tenant as the existing one.|[Create and store column master keys for Always Encrypted](../../../relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted.md)| Yes | No
111111
|Step 3. Start a PowerShell environment and import the SqlServer module. | [Import the SqlServer module](../../../relational-databases/security/encryption/configure-always-encrypted-using-powershell.md#importsqlservermodule) | No | No
112112
|Step 4. Create a SqlColumnMasterKeySettings object that contains information about the location of your **old** column master key. SqlColumnMasterKeySettings is an object that exists in memory (in PowerShell). |New-SqlColumnMasterKeySettings| No | No
113113
|Step 5. Create a SqlColumnMasterKeySettings object that contains information about the location of your **new** column master key. SqlColumnMasterKeySettings is an object that exists in memory (in PowerShell). To create it, you need to use the cmdlet that is specific to your key store. | [New-SqlAzureKeyVaultColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlazurekeyvaultcolumnmasterkeysettings)<br><br>[New-SqlCertificateStoreColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlcertificatestorecolumnmasterkeysettings)<br><br>[New-SqlCngColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlcngcolumnmasterkeysettings)<br><br>[New-SqlCspColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlcspcolumnmasterkeysettings)| No | No
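
Review bot: The edited Step 2 line still carries "tools that are specific the type of your key store"; since the line is being touched, change it to "specific to the type of your key store". The header of this table also reads "Access plaintext keys/keystore" where the first table in the file has "Accesses", which is worth aligning in the same pass.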
