File: azure-sql/database/auditing-overview.md
17 additions & 2 deletions
@@ -5,7 +5,7 @@ description: SQL Auditing for Azure SQL Database and Azure Synapse Analytics tra
5
5
author: sravanisaluru
6
6
ms.author: srsaluru
7
7
ms.reviewer: wiassaf, vanto, mathoma
8
-
ms.date: 09/16/2024
8
+
ms.date: 03/12/2025
9
9
ms.service: azure-sql-database
10
10
ms.subservice: security
11
11
ms.topic: conceptual
@@ -39,6 +39,21 @@ You can use SQL Database auditing to:
39
39
> [!IMPORTANT]
40
40
> Auditing for Azure SQL Database, Azure Synapse Analytics SQL pools, and Azure SQL Managed Instance is optimized for availability and performance of the database or instance being audited. During periods of very high activity or high network load, the auditing feature might allow transactions to proceed without recording all of the events marked for auditing.
41
41
42
+
## Enhancements to performance, availability, and reliability in server auditing for Azure SQL Database (March 2025)
43
+
44
+
- Re-architected major portions of SQL Auditing resulting in increased availability and reliability of server audits. As an added benefit, there's closer feature alignment with SQL Server and Azure SQL Managed Instance. Database auditing remains unchanged.
45
+
- The previous design of auditing triggers a database level audit and executes one audit session for each database in the server. The new architecture of auditing creates one extended event session at the server level that captures audit events for all databases.
46
+
- The new auditing design optimizes memory and CPU, and is consistent with how auditing works in SQL Server and Azure SQL Managed Instance.
47
+
48
+
### Changes from the re-architecture of server auditing
49
+
50
+
- Folder structure change for storage account:
51
+
- One of the primary changes involves a folder structure change for audit logs stored in storage account containers. Previously, server audit logs were written to separate folders; one for each database, with the database name serving as the folder name. With the new update, all server audit logs will be consolidated into a single folder labeled `master`. This behavior is the same as Azure SQL Managed Instance and SQL Server.
52
+
- Folder structure change for read-only replicas:
53
+
- Read-only database replicas previously had their logs stored in a read-only folder. Those logs will now be written into the `master` folder. You can retrieve these logs by filtering on the new column `is_secondary_replica_true`.
54
+
- Permissions required to view Audit logs :
55
+
-**Control Server** permission is required to view audit logs stored in the `master` folder
56
+
42
57
## Auditing limitations
43
58
44
59
- Enabling auditing on a paused **Azure Synapse SQL pool** isn't supported. To enable auditing, resume the **Synapse SQL pool**.
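Review bot: the new bullet "Permissions required to view Audit logs :" has a stray space before the colon and an inconsistent capital "Audit", and its child line "**Control Server** permission is required to view audit logs stored in the `master` folder" needs a terminal period; it should also say whether "view" means reading through the portal or T-SQL, or direct access to the storage container, since those are different permission models. Because every database's server audit log now lands in the single `master` folder instead of a per-database folder, state explicitly that anyone who can read that folder sees audit events from all databases on the server. The name `is_secondary_replica_true` reads like a value rather than a column name; verify it and show how to filter on it. Finally, "all server audit logs will be consolidated" should be present tense ("are consolidated") to match the rest of the section.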
@@ -65,7 +80,7 @@ You can use SQL Database auditing to:
65
80
66
81
## Related content
67
82
68
-
-[What's New in Azure SQL Auditing](/Shows/Data-Exposed/Whats-New-in-Azure-SQL-Auditing)
83
+
-[What's New in Azure SQL Auditing](/shows/data-exposed/server-audit-redesign-for-azure-sql-database-data-exposed)
69
84
-[Get started with Azure SQL Managed Instance auditing](../managed-instance/auditing-configure.md)
70
85
-[Auditing for SQL Server](/sql/relational-databases/security/auditing/sql-server-audit-database-engine)
71
86
-[Set up Auditing for Azure SQL Database and Azure Synapse Analytics](auditing-setup.md)
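Review bot: the link target changed to `/shows/data-exposed/server-audit-redesign-for-azure-sql-database-data-exposed` but the link text still reads "What's New in Azure SQL Auditing"; update the text to match the new episode (for example "Server audit redesign for Azure SQL Database (Data Exposed)") so readers are not sent to a page titled differently from the link.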
File: azure-sql/database/transparent-data-encryption-byok-create-server-cross-tenant.md
13 additions & 13 deletions
@@ -1,8 +1,8 @@
1
1
---
2
2
title: Create server configured with user-assigned managed identity and cross-tenant CMK for TDE
3
3
description: Learn how to configure user-assigned managed identity and transparent data encryption (TDE) with cross-tenant customer managed keys (CMK) while creating an Azure SQL Database logical server using the Azure portal, PowerShell, or Azure CLI.
4
-
author: GithubMirek
5
-
ms.author: mireks
4
+
author: Pietervanhove
5
+
ms.author: pivanho
6
6
ms.reviewer: vanto, mathoma
7
7
ms.date: 10/10/2023
8
8
ms.service: azure-sql-database
@@ -23,7 +23,7 @@ In this guide, we'll go through the steps to create an Azure SQL [logical server
23
23
## Prerequisites
24
24
25
25
- This guide presupposes that you possess two Microsoft Entra tenants.
26
-
- The first contains the Azure SQL Database resource, a multi-tenant Microsoft Entra application, and a user-assigned managed identity.
26
+
- The first contains the Azure SQL Database resource, a multitenant Microsoft Entra application, and a user-assigned managed identity.
27
27
- The second tenant houses the Azure Key Vault.
28
28
- For comprehensive instructions on setting up cross-tenant CMK and the RBAC permissions necessary for configuring Microsoft Entra applications and Azure Key Vault, refer to one of the following guides:
29
29
-[Configure cross-tenant customer-managed keys for a new storage account](/azure/storage/common/customer-managed-keys-configure-cross-tenant-new-account)
@@ -33,19 +33,19 @@ In this guide, we'll go through the steps to create an Azure SQL [logical server
33
33
34
34
For the purpose of this tutorial, we'll assume the first tenant belongs to an independent software vendor (ISV), and the second tenant is from their client. For more information on this scenario, see [Cross-tenant customer-managed keys with transparent data encryption](transparent-data-encryption-byok-cross-tenant.md#setting-up-cross-tenant-cmk).
35
35
36
-
Before we can configure TDE for Azure SQL Database with a cross-tenant CMK, we need to have a multi-tenant Microsoft Entra application that is configured with a user-assigned managed identity assigned as a federated identity credential for the application. Follow one of the guides in the Prerequisites.
36
+
Before we can configure TDE for Azure SQL Database with a cross-tenant CMK, we need to have a multitenant Microsoft Entra application that is configured with a user-assigned managed identity assigned as a federated identity credential for the application. Follow one of the guides in the Prerequisites.
37
37
38
-
1. On the first tenant where you want to create the Azure SQL Database, [create and configure a multi-tenant Microsoft Entra application](/azure/storage/common/customer-managed-keys-configure-cross-tenant-new-account#the-service-provider-creates-a-new-multi-tenant-app-registration)
38
+
1. On the first tenant where you want to create the Azure SQL Database, [create and configure a multitenant Microsoft Entra application](/azure/storage/common/customer-managed-keys-configure-cross-tenant-new-account#the-service-provider-creates-a-new-multi-tenant-app-registration)
39
39
40
40
1.[Create a user-assigned managed identity](/azure/storage/common/customer-managed-keys-configure-cross-tenant-new-account#the-service-provider-creates-a-user-assigned-managed-identity)
41
-
1.[Configure the user-assigned managed identity](/azure/storage/common/customer-managed-keys-configure-cross-tenant-new-account#the-service-provider-configures-the-user-assigned-managed-identity-as-a-federated-credential-on-the-application) as a [federated identity credential](/graph/api/resources/federatedidentitycredentials-overview) for the multi-tenant application
41
+
1.[Configure the user-assigned managed identity](/azure/storage/common/customer-managed-keys-configure-cross-tenant-new-account#the-service-provider-configures-the-user-assigned-managed-identity-as-a-federated-credential-on-the-application) as a [federated identity credential](/graph/api/resources/federatedidentitycredentials-overview) for the multitenant application
42
42
1. Record the application name and application ID. This can be found in the [Azure portal](https://portal.azure.com) > **Microsoft Entra ID** > **Enterprise applications** and search for the created application
43
43
44
44
### Required resources on the second tenant
45
45
46
46
[!INCLUDE [Azure AD PowerShell deprecation note](~/../azure-sql/reusable-content/msgraph-powershell/includes/aad-powershell-deprecation-note.md)]
47
47
48
-
1. On the second tenant where the Azure Key Vault resides, [create a service principal (application)](/azure/storage/common/customer-managed-keys-configure-cross-tenant-new-account#the-customer-grants-the-service-providers-app-access-to-the-key-in-the-key-vault) using the application ID from the registered application from the first tenant. Here's some examples of how to register the multi-tenant application. Replace `<TenantID>` and `<ApplicationID>` with the client **Tenant ID** from Microsoft Entra ID and **Application ID** from the multi-tenant application, respectively:
48
+
1. On the second tenant where the Azure Key Vault resides, [create a service principal (application)](/azure/storage/common/customer-managed-keys-configure-cross-tenant-new-account#the-customer-grants-the-service-providers-app-access-to-the-key-in-the-key-vault) using the application ID from the registered application from the first tenant. Here's some examples of how to register the multitenant application. Replace `<TenantID>` and `<ApplicationID>` with the client **Tenant ID** from Microsoft Entra ID and **Application ID** from the multitenant application, respectively:
49
49
-**PowerShell**:
50
50
51
51
```powershell
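Review bot: the "multi-tenant" to "multitenant" change is correctly limited to prose; the link anchors such as `#the-service-provider-creates-a-new-multi-tenant-app-registration` keep the hyphenated form, which is right because they are fragment identifiers on the target page and must not be renamed. While rewriting the line that begins "On the second tenant where the Azure Key Vault resides", also fix "Here's some examples of how to register the multitenant application" to "Here are some examples".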
@@ -64,7 +64,7 @@ Before we can configure TDE for Azure SQL Database with a cross-tenant CMK, we n
64
64
1. Create an [Azure Key Vault](/azure/key-vault/general/quick-create-portal) if you don't have one, and [create a key](/azure/key-vault/keys/quick-create-portal)
65
65
1. [Create or set the access policy](/azure/key-vault/general/assign-access-policy).
66
66
1. Select the *Get, Wrap Key, Unwrap Key* permissions under **Key permissions** when creating the access policy
67
-
1. Select the multi-tenant application created in the first step in the **Principal** option when creating the access policy
67
+
1. Select the multitenant application created in the first step in the **Principal** option when creating the access policy
68
68
69
69
:::image type="content" source="media/transparent-data-encryption-byok-create-server-cross-tenant/access-policy-principal.png" alt-text="Screenshot of the access policy menu of a key vault in the Azure portal.":::
70
70
@@ -118,12 +118,12 @@ This guide will walk you through the process of creating a logical server and da
118
118
119
119
:::image type="content" source="media/transparent-data-encryption-byok-create-server/selecting-primary-identity-for-server.png" alt-text="Screenshot of selecting primary identity and federated client identity for server.":::
120
120
121
-
15. For **Federated client identity**, select the **Change identity** option, and search for the multi-tenant application that you created in the [Prerequisites](#prerequisites).
121
+
15. For **Federated client identity**, select the **Change identity** option, and search for the multitenant application that you created in the [Prerequisites](#prerequisites).
122
122
123
123
:::image type="content" source="media/transparent-data-encryption-byok-create-server-cross-tenant/selecting-user-assigned-managed-identity.png" alt-text="Screenshot of user assigned managed identity when configuring server identity.":::
124
124
125
125
> [!NOTE]
126
-
> If the multi-tenant application hasn't been added to the key vault access policy with the required permissions (*Get, Wrap Key, Unwrap Key*), using this application for identity federation in the Azure portal will show an error. Make sure that the permissions are configured correctly before configuring the federated client identity.
126
+
> If the multitenant application hasn't been added to the key vault access policy with the required permissions (*Get, Wrap Key, Unwrap Key*), using this application for identity federation in the Azure portal will show an error. Make sure that the permissions are configured correctly before configuring the federated client identity.
127
127
128
128
16. Select **Apply**
129
129
@@ -141,7 +141,7 @@ This guide will walk you through the process of creating a logical server and da
141
141
142
142
For information on installing the current release of Azure CLI, see [Install the Azure CLI](/cli/azure/install-azure-cli) article.
143
143
144
-
Create a server configured with user-assigned managed identity and cross-tenant customer-managed TDE using the [az sql server create](/cli/azure/sql/server) command. The **Key Identifier** from the second tenant can be used in the `key-id` field. The **Application ID** of the multi-tenant application can be used in the `federated-client-id` field.
144
+
Create a server configured with user-assigned managed identity and cross-tenant customer-managed TDE using the [az sql server create](/cli/azure/sql/server) command. The **Key Identifier** from the second tenant can be used in the `key-id` field. The **Application ID** of the multitenant application can be used in the `federated-client-id` field.
145
145
146
146
```azurecli
147
147
az sql server create \
@@ -192,7 +192,7 @@ Replace the following values in the example:
192
192
-`<UserAssignedIdentityId>`: The list of user-assigned managed identities to be assigned to the server (can be one or multiple)
193
193
-`<PrimaryUserAssignedIdentityId>`: The user-assigned managed identity that should be used as the primary or default on this server
194
194
-`<CustomerManagedKeyId>`: The **Key Identifier** from the second tenant Key Vault
195
-
-`<FederatedClientId>`: The **Application ID** of the multi-tenant application
195
+
-`<FederatedClientId>`: The **Application ID** of the multitenant application
196
196
197
197
To get your user-assigned managed identity **Resource ID**, search for **Managed Identities** in the [Azure portal](https://portal.azure.com). Find your managed identity, and go to **Properties**. An example of your UMI **Resource ID** looks like `/subscriptions/<subscriptionId>/resourceGroups/<ResourceGroupName>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managedIdentity>`
198
198
@@ -219,7 +219,7 @@ New-AzSqlServer @params
219
219
220
220
# [ARM Template](#tab/arm-template)
221
221
222
-
Here's an example of an ARM template that creates an Azure SQL logical server with a user-assigned managed identity and customer-managed TDE. For a cross-tenant CMK, use the **Key Identifier** from the second tenant Key Vault, and the **Application ID** from the multi-tenant application.
222
+
Here's an example of an ARM template that creates an Azure SQL logical server with a user-assigned managed identity and customer-managed TDE. For a cross-tenant CMK, use the **Key Identifier** from the second tenant Key Vault, and the **Application ID** from the multitenant application.
223
223
224
224
The template also adds a Microsoft Entra admin set for the server and enables [Microsoft Entra-only authentication](authentication-azure-ad-only-authentication.md), but this can be removed from the template example.
File: azure-sql/managed-instance/automated-backups-overview.md
2 additions & 0 deletions
@@ -48,6 +48,8 @@ The frequency of transaction log backups depends on the compute size and the amo
48
48
> [!CAUTION]
49
49
> Automatic full backups are initiated once a week based on a schedule determined by Microsoft. [User-initiated backups](/sql/relational-databases/backup-restore/copy-only-backups-sql-server) have priority over automatic full backups, so a long-running copy-only backup can affect the timing of the next automatic full backup.
50
50
51
+
A tail log backup is taken every time before a database or SQL managed instance is deleted.
52
+
51
53
### Backup storage redundancy
52
54
53
55
By default, Azure SQL Managed Instance stores backups in geo-redundant [storage blobs](/azure/storage/common/storage-redundancy) that are replicated to a [paired region](/azure/reliability/cross-region-replication-azure). Geo-redundancy helps protect against outages that affect backup storage in the primary region. It also allows you to restore your instance to a different region in the event of a disaster.
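Review bot: the added sentence "A tail log backup is taken every time before a database or SQL managed instance is deleted." leaves open what the reader most needs to know: whether that tail-log backup is retained and usable for restoring the deleted database, and for how long. State that here or link to the restore section, and tighten the wording to "A tail-log backup is taken before a database or managed instance is deleted."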