
Commit 9e55bcc

Refresh articles 2 (#34569)
1 parent d714a34 commit 9e55bcc

9 files changed

+121
-124
lines changed

azure-sql/database/firewall-configure.md

Lines changed: 76 additions & 79 deletions
Large diffs are not rendered by default.

azure-sql/database/logins-create-manage.md

Lines changed: 23 additions & 23 deletions
Large diffs are not rendered by default.

docs/database-engine/configure-windows/certificate-requirements.md

Lines changed: 5 additions & 5 deletions
@@ -1,10 +1,10 @@
11
---
2-
title: Certificate requirements for SQL Server
2+
title: Certificate Requirements for SQL Server
33
description: This article describes the requirements for SQL Server encryption and how to check if a certificate meets the requirements.
44
author: VanMSFT
55
ms.author: vanto
66
ms.reviewer: randolphwest
7-
ms.date: 04/18/2024
7+
ms.date: 06/30/2025
88
ms.service: sql
99
ms.subservice: configuration
1010
ms.topic: conceptual
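Review bot: The new `title:` on line 2 is switched to Title Case ("Certificate Requirements for SQL Server"), but the H2 at line 17 of the same file stays in sentence case ("Certificate requirements for SQL Server encryption"). Keep the front-matter title in sentence case so the page title and its first heading agree, or state in the commit message that Title Case in `title:` is the intended convention.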
@@ -16,7 +16,7 @@ This article describes certificate requirements for [!INCLUDE [ssnoversion-md](.
1616

1717
## Certificate requirements for SQL Server encryption
1818

19-
For using TLS for [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] encryption, you need to provision a certificate (one of the three digital types) that meets the following conditions:
19+
For using Transport Layer Security (TLS) for [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] encryption, you need to provision a certificate (one of the three digital types) that meets the following conditions:
2020

2121
- The certificate must be in either the local computer certificate store or the [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] service account certificate store. We recommend local computer certificate store as it avoids reconfiguring certificates with [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] startup account changes.
2222

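Review bot: Line 19 still says "one of the three digital types" without naming them, and this is the line being edited. Spelling out TLS helps, but a reader provisioning a certificate can't act on the parenthetical; name the types or link to where they are defined. "For using" would also read better as "To use".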
@@ -38,7 +38,7 @@ For using TLS for [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)]
3838
The client must be able to verify the ownership of the certificate used by the server. If the client has the public key certificate of the certification authority that signed the server certificate, no further configuration is necessary. Microsoft Windows includes the public key certificates of many certification authorities. If the server certificate was signed by a public or private certification authority for which the client doesn't have the public key certificate, you must install the public key certificate of the certification authority that signed the server certificate on each client that is going to connect to [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)].
3939

4040
> [!IMPORTANT]
41-
> [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] will not start if a certificate exists in the computer store, but only meets some requirements in the above list and if it's manually configured for use by [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] Configuration Manager or through registry entries. Select another certificate that meets all the requirements or remove the certificate from being used by [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] until you can provision one that meets requirements or use a self-generated certificate as discussed in [SQL Server generated self-signed certificates](configure-sql-server-encryption.md#sql-server-generated-self-signed-certificates).
41+
> [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] won't start if a certificate exists in the computer store, but only meets some requirements in the above list and if it's manually configured for use by [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] Configuration Manager or through registry entries. Select another certificate that meets all the requirements or remove the certificate from being used by [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] until you can provision one that meets requirements or use a self-generated certificate as discussed in [SQL Server generated self-signed certificates](configure-sql-server-encryption.md#sql-server-generated-self-signed-certificates).
4242
4343
## Check if a certificate meets the requirements
4444

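Review bot: The [!IMPORTANT] text on line 41 describes a startup failure, but the condition is hard to parse: "exists in the computer store, but only meets some requirements in the above list and if it's manually configured" strings three conditions together with mixed conjunctions. Since the line is already being touched for the contraction, consider stating the condition in one plain sentence and putting the three remediation options (select another certificate, remove the certificate, use a self-generated one) in a short list. "the above list" could also become a link to the requirements heading.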
@@ -64,7 +64,7 @@ You can use one of the following methods to check the validity of the certificat
6464

6565
### Expired certificates
6666

67-
[!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] only checks the validity of the certificates at the time of configuration. For example, you can't use Configuration Manager on [!INCLUDE [sssql19-md](../../includes/sssql19-md.md)] and later versions, to provision an expired certificate. [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] continues to run without problems if the certificate expires after it is already provisioned. But, some client applications like Power BI check the validity of the certificate on each connection and raise an error if the [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] instance is configured to use an expired certificate for encryption. We recommend that you don't use an expired certificate for [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] encryption.
67+
[!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] only checks the validity of the certificates at the time of configuration. For example, you can't use Configuration Manager on [!INCLUDE [sssql19-md](../../includes/sssql19-md.md)] and later versions, to provision an expired certificate. [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] continues to run without problems if the certificate expires after it's already provisioned. But, some client applications like Power BI check the validity of the certificate on each connection and raise an error if the [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] instance is configured to use an expired certificate for encryption. We recommend that you don't use an expired certificate for [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] encryption.
6868

6969
## Related content
7070

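Review bot: Line 67 tells readers the server checks certificate validity only at configuration time and keeps running after expiry, then ends with "We recommend that you don't use an expired certificate" with no pointer to how to find one. A link back to the "Check if a certificate meets the requirements" section on this page would make the recommendation actionable. The stray comma in "and later versions, to provision" and the sentence-initial "But," are also worth fixing while the line is open.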
docs/relational-databases/security/choose-an-authentication-mode.md

Lines changed: 6 additions & 6 deletions
@@ -1,9 +1,9 @@
11
---
2-
title: "Choose an authentication mode"
2+
title: "Choose an Authentication Mode"
33
description: Choose between Windows Authentication mode and mixed mode authentication for the SQL Server Database Engine at setup time.
44
author: VanMSFT
55
ms.author: vanto
6-
ms.date: 09/12/2024
6+
ms.date: 06/30/2025
77
ms.service: sql
88
ms.subservice: security
99
ms.topic: how-to
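Review bot: The `title:` on line 2 goes to Title Case ("Choose an Authentication Mode") while later hunks in this same file move link text the other way, for example "Change Server Authentication Mode" to "Change server authentication mode". Please confirm both conventions are intended, since the result is mixed casing within one article.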
@@ -33,7 +33,7 @@ During setup, you must select an authentication mode for the [!INCLUDE [ssDE](..
3333

3434
If you select Mixed Mode Authentication (SQL Server and Windows Authentication mode) during setup, you must provide and then confirm a strong password for the built-in [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] system administrator account named `sa`. The `sa` account connects by using [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] Authentication.
3535

36-
If you select Windows Authentication during setup, the setup creates the `sa` account for [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] authentication but it's disabled. If you later change to Mixed Mode Authentication and you want to use the `sa` account, you must enable the account. Any Windows or [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] account can be configured as a system administrator. Because the `sa` account is well known and often targeted by malicious users, don't enable the `sa` account unless your application requires it. Never set a blank or weak password for the `sa` account. To change from Windows Authentication mode to Mixed Mode Authentication and use [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] Authentication, see [Change Server Authentication Mode](../../database-engine/configure-windows/change-server-authentication-mode.md).
36+
If you select Windows Authentication during setup, the setup creates the `sa` account for [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] authentication but it's disabled. If you later change to Mixed Mode Authentication and you want to use the `sa` account, you must enable the account. Any Windows or [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] account can be configured as a system administrator. Because the `sa` account is well known and often targeted by malicious users, don't enable the `sa` account unless your application requires it. Never set a blank or weak password for the `sa` account. To change from Windows Authentication mode to Mixed Mode Authentication and use [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] Authentication, see [Change server authentication mode](../../database-engine/configure-windows/change-server-authentication-mode.md).
3737

3838
## Connecting through Windows Authentication
3939

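Review bot: Line 36 packs setup behavior, the guidance on `sa` ("don't enable the `sa` account unless your application requires it. Never set a blank or weak password"), and a procedure link into one paragraph, and the edit only touches the link text. The `sa` guidance is the part an administrator most needs to see; consider moving it into its own alert block, as this file already does with `> [!NOTE]` near line 100.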
@@ -48,7 +48,7 @@ By using Windows Authentication, Windows groups can be created at the domain lev
4848
4949
## Connecting through SQL Server Authentication
5050

51-
When using [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] Authentication, logins are created in [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] that aren't based on Windows user accounts. Both the user name and the password are created by using [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] and stored in [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)]. Users connecting using [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] Authentication must provide their credentials (login and password) every time that they connect. When using [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] Authentication, you must set strong passwords for all [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] accounts. For strong password guidelines, see [Strong Passwords](../../relational-databases/security/strong-passwords.md).
51+
When using [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] Authentication, logins are created in [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] that aren't based on Windows user accounts. Both the user name and the password are created by using [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] and stored in [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)]. Users connecting using [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] Authentication must provide their credentials (login and password) every time that they connect. When using [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] Authentication, you must set strong passwords for all [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] accounts. For strong password guidelines, see [Strong Passwords](strong-passwords.md).
5252

5353
Three optional password policies are available for [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] logins.
5454

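Review bot: On line 51 the link target is shortened to `strong-passwords.md`, but the link text stays "Strong Passwords" while the other links changed in this file are lowercased to sentence case. Use "Strong passwords" here if sentence case is the rule, or note why this one is exempt.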
@@ -97,8 +97,8 @@ Three optional password policies are available for [!INCLUDE [ssNoVersion](../..
9797
- Allows software developers to distribute their applications by using a complex permission hierarchy based on known, preset [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] logins.
9898

9999
> [!NOTE]
100-
> Using [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] Authentication does not limit the permissions of local administrators on the computer where [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] is installed.
100+
> Using [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] Authentication doesn't limit the permissions of local administrators on the computer where [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] is installed.
101101
102102
## Related content
103103

104-
- [Security Considerations for a SQL Server Installation](../../sql-server/install/security-considerations-for-a-sql-server-installation.md)
104+
- [Security considerations for a SQL Server installation](../../sql-server/install/security-considerations-for-a-sql-server-installation.md)

docs/relational-databases/security/password-policy.md

Lines changed: 11 additions & 11 deletions
@@ -3,7 +3,7 @@ title: "Password Policy"
33
description: This article goes over the Windows password policy mechanisms applying to a login that uses SQL Server authentication and to a contained database user with a password.
44
author: VanMSFT
55
ms.author: vanto
6-
ms.date: 05/24/2024
6+
ms.date: 06/30/2025
77
ms.service: sql
88
ms.subservice: security
99
ms.topic: conceptual
@@ -39,7 +39,7 @@ helpviewer_keywords:
3939
[!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)] can apply the same complexity and expiration policies used in Windows to passwords used inside [!INCLUDE [ssNoVersion](../../includes/ssnoversion-md.md)]. This functionality depends on the `NetValidatePasswordPolicy` API.
4040

4141
> [!NOTE]
42-
> Azure SQL Database enforces [password complexity](#password-complexity). The password expiration and policy enforcement sections do not apply to Azure SQL Database.
42+
> Azure SQL Database enforces [password complexity](#password-complexity). The password expiration and policy enforcement sections don't apply to Azure SQL Database.
4343
>
4444
> For information on password policy for Azure SQL Managed Instance, see our [SQL Managed Instance FAQ](/azure/azure-sql/managed-instance/frequently-asked-questions-faq#password-policy-).
4545
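Review bot: The context line 44 links to `/azure/azure-sql/managed-instance/frequently-asked-questions-faq#password-policy-`, and the anchor ends in a hyphen. It is worth verifying that the anchor still resolves while this note block is being edited. "see our" could also be reduced to a plain "see".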
@@ -69,7 +69,7 @@ Password expiration policies are used to manage the lifespan of a password. When
6969

7070
## Policy Enforcement
7171

72-
The enforcement of password policy can be configured separately for each SQL Server login. Use [ALTER LOGIN (Transact-SQL)](../../t-sql/statements/alter-login-transact-sql.md) to configure the password policy options of a SQL Server login. The following rules apply to the configuration of password policy enforcement:
72+
The enforcement of password policy can be configured separately for each SQL Server login. Use [ALTER LOGIN](../../t-sql/statements/alter-login-transact-sql.md) to configure the password policy options of a SQL Server login. The following rules apply to the configuration of password policy enforcement:
7373

7474
- When CHECK_POLICY is changed to ON, the following behaviors occur:
7575

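Review bot: On line 74, CHECK_POLICY and ON appear as plain text, while `NetValidatePasswordPolicy` earlier in the file is in code formatting. Since the ALTER LOGIN sentence just above is being edited, consider backticking the option names so they read as literal syntax.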
@@ -104,7 +104,7 @@ Some combinations of policy options aren't supported.
104104
The security policy might be set in Windows, or might be received from the domain. To view the password policy on the computer, use the Local Security Policy MMC snap-in (**secpol.msc**).
105105

106106
> [!NOTE]
107-
> For SQL Server logins that have CHECK_POLICY enabled, if you run [ALTER LOGIN](../../t-sql/statements/alter-login-transact-sql.md) and do not include OLD_PASSWORD in the command to change the password, then [Enforce Password History](/windows/security/threat-protection/security-policy-settings/enforce-password-history) is ignored. This is a by-design behavior to allow password resets, despite any previously used passwords. Other checks associated with CHECK_POLICY, including length and complexity are checked regardless of whether OLD_PASSWORD is used.
107+
> For SQL Server logins that have CHECK_POLICY enabled, if you run [ALTER LOGIN](../../t-sql/statements/alter-login-transact-sql.md) and don't include OLD_PASSWORD in the command to change the password, then [Enforce Password History](/windows/security/threat-protection/security-policy-settings/enforce-password-history) is ignored. This is a by-design behavior to allow password resets, despite any previously used passwords. Other checks associated with CHECK_POLICY, including length and complexity are checked regardless of whether OLD_PASSWORD is used.
108108
109109
## Checking SQL user password policy information
110110

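Review bot: The last sentence of the note on line 107 reads "Other checks associated with CHECK_POLICY, including length and complexity are checked regardless": the parenthetical is missing its closing comma, and "checks ... are checked" is redundant. Something like "Other checks associated with CHECK_POLICY, including length and complexity, still apply whether or not OLD_PASSWORD is used" says the same thing. The wording matters here because the note documents that password history is skipped on a reset, and readers need to see clearly what is still enforced.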
@@ -128,18 +128,18 @@ FROM sys.sql_logins;
128128

129129
## Related tasks
130130

131-
[CREATE LOGIN (Transact-SQL)](../../t-sql/statements/create-login-transact-sql.md)
131+
[CREATE LOGIN](../../t-sql/statements/create-login-transact-sql.md)
132132

133-
[ALTER LOGIN (Transact-SQL)](../../t-sql/statements/alter-login-transact-sql.md)
133+
[ALTER LOGIN](../../t-sql/statements/alter-login-transact-sql.md)
134134

135-
[CREATE USER (Transact-SQL)](../../t-sql/statements/create-user-transact-sql.md)
135+
[CREATE USER](../../t-sql/statements/create-user-transact-sql.md)
136136

137-
[ALTER USER (Transact-SQL)](../../t-sql/statements/alter-user-transact-sql.md)
137+
[ALTER USER](../../t-sql/statements/alter-user-transact-sql.md)
138138

139-
[Create a Login](../../relational-databases/security/authentication-access/create-a-login.md)
139+
[Create a login](authentication-access/create-a-login.md)
140140

141-
[Create a Database User](../../relational-databases/security/authentication-access/create-a-database-user.md)
141+
[Create a database user](authentication-access/create-a-database-user.md)
142142

143143
## Related content
144144

145-
- [Strong Passwords](../../relational-databases/security/strong-passwords.md)
145+
- [Strong Passwords](strong-passwords.md)
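Review bot: Under "Related tasks" (lines 131 to 141) each link is its own paragraph, while "Related content" at line 145 uses a bullet. Since every one of these lines is rewritten here, convert them to a bullet list, and consider folding them into "Related content". The link text "Strong Passwords" on line 145 is also left in title case while "Create a login" and "Create a database user" are lowercased.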
