Merge pull request #33987 from MicrosoftDocs/main

v-alje · web-flow · commit b0cd67b9c20a · 2025-05-01T15:46:15.000-07:00
05/01/2025 PM Publishing
diff --git a/docs/connect/ado-net/sql/azure-active-directory-authentication.md b/docs/connect/ado-net/sql/azure-active-directory-authentication.md
@@ -4,7 +4,7 @@ description: Describes how to use supported Microsoft Entra authentication modes
 author: David-Engel
 ms.author: davidengel
 ms.reviewer: davidengel
-ms.date: 09/13/2024
+ms.date: 05/01/2025
 ms.service: sql
 ms.subservice: connectivity
 ms.topic: conceptual
@@ -363,6 +363,12 @@ The following example shows how to set an application client ID through a config
 
 Available in version 5.2 onwards, there's a new [AccessTokenCallback](/dotnet/api/microsoft.data.sqlclient.sqlconnection.accesstokencallback) property on [SqlConnection](/dotnet/api/microsoft.data.sqlclient.sqlconnection). Use the `AccessTokenCallback` property to define a custom function that returns an access token given the incoming parameters. Using the callback is better than using the [AccessToken](/dotnet/api/microsoft.data.sqlclient.sqlconnection.accesstoken) property because it allows the access token to be refreshed within a connection pool. When using the `AccessToken` property, the token can't be updated after opening the connection. There's also no associated expiration date provided through the property. Once the token expires, new connection requests fail with a server authentication error and pools using it must be manually cleared.
 
+> [!IMPORTANT]
+> An `AccessTokenCallback` must return access tokens of the same security context for the same input parameters. If the security context is different, a pooled connection with the wrong security context may be returned for a connection request.
+
+> [!NOTE]
+> `AccessTokenCallback` is part of the key used to identify connection pools. Avoid creating a new function callback for every creation of a SqlConnection since that results in a new pool every time. Reference the same instance of a function for connections you want to be considered for pooling. The connection pool key includes parameters passed to the callback to partition connection pools appropriately.
+
 The following code snippet is an example of using the `AccessTokenCallback` property in **Microsoft.Data.SqlClient v5.2 onwards**.
 
 [!code-csharp [AADAuthenticationAccessTokenCallback#1](~/../sqlclient/doc/samples/SqlConnection_AccessTokenCallback.cs#1)]
@@ -371,6 +377,9 @@ The following code snippet is an example of using the `AccessTokenCallback` prop
 
 Given more flexibility, the client application can also use its own provider for Microsoft Entra authentication instead of using the `ActiveDirectoryAuthenticationProvider` class. The custom authentication provider needs to be a subclass of `SqlAuthenticationProvider` with overridden methods. It then must register the custom provider, overriding one or more of the existing `Active Directory*` authentication methods.
 
+> [!IMPORTANT]
+> An authentication provider must return access tokens of the same security context for the same input parameters. If the security context is different, a pooled connection with the wrong security context may be returned for a connection request.
+
 The following example shows how to use a new authentication provider for `Active Directory Device Code Flow` authentication.
 
 [!code-csharp [CustomDeviceCodeFlowAzureAuthenticationProvider#1](~/../sqlclient/doc/samples/CustomDeviceCodeFlowAzureAuthenticationProvider.cs#1)]
diff --git a/docs/relational-databases/security/permissions-or-securables-page.md b/docs/relational-databases/security/permissions-or-securables-page.md
@@ -3,7 +3,7 @@ title: "Permissions or Securables Page"
 description: Use the Permissions page or the Securables page to view or set the permissions for securables in SQL Server.
 author: VanMSFT
 ms.author: vanto
-ms.date: "01/07/2016"
+ms.date: 05/01/2025
 ms.service: sql
 ms.subservice: security
 ms.topic: conceptual
@@ -18,55 +18,60 @@ f1_keywords:
 monikerRange: ">=aps-pdw-2016 || =azuresqldb-current || =azure-sqldw-latest || >=sql-server-2016 || >=sql-server-linux-2017 || =azuresqldb-mi-current || =fabric"
 ---
 # Permissions or Securables Page
+
 [!INCLUDE [SQL Server Azure SQL Database Synapse Analytics PDW FabricSQLDB](../../includes/applies-to-version/sql-asdb-asdbmi-asa-pdw-fabricsqldb.md)]
-  Use the **Permissions** page or the **Securables** page to view or set the permissions for securables. This page can be opened from many locations. The contents of the page can change slightly, depending on how the page is opened and what it contains. The top grid of the page might be populated when the page opens, or it might be empty. To add items to the upper grid, click **Search**. In the upper grid, select an item, and then set the appropriate permissions on the **Explicit** tab. To view aggregated permissions, use the **Effective** tab.  
-  
- To understand the possible combinations of securables and principals, see the securable-specific syntax links in the topic [GRANT &#40;Transact-SQL&#41;](../../t-sql/statements/grant-transact-sql.md). For more information, see [Securables](../../relational-databases/security/securables.md).  
-  
-## Page Header  
- The header of the **Permissions** or **Securables** page varies depending on the securable or principal. It displays information relevant to the item, such as its name.  
-  
-## Upper Grid  
- The upper grid contains one or more items for which permissions can be set. This dialog box provides the **Search** button for selecting objects or principals to add to the upper grid. The name of the grid might display **Securables** or one or more types of securables or principals. The columns that are displayed in the upper grid vary depending on the principal or securable.  
-  
- **Name**  
- The name of each principal or securable that is added to the grid.  
-  
- **Type**  
- Describes the type of each item.  
-  
-## Explicit Tab  
- The **Explicit** tab lists the possible permissions for the securable that are selected in the upper grid. To configure the permissions, select or clear the **Grant** (or **Allow**), **With Grant**, and **Deny** check boxes. All options are not available for all explicit permissions.  
-  
- **Permissions**  
- The name of the permission.  
-  
- **Grantor**  
- The principal that granted the permission.  
-  
- **Grant**  
- Select to grant this permission to the login. Clear to revoke this permission.  
-  
- **With Grant**  
- Reflects the state of the WITH GRANT option for the listed permission. This box is read-only. To apply this permission, use the [GRANT](../../t-sql/statements/grant-transact-sql.md) statement.  
-  
- **Deny**  
- Select to deny this permission to the login. Clear to revoke this permission.  
-  
- **Column Permissions**  
- For objects that contain columns (such as tables, views, or table-valued functions), the **Column Permissions** button opens the **Column Permissions** dialog box. In this dialog box, you can set **Grant**, **Allow**, or **Deny** permissions on individual columns of a table or view. This option is not available for all object types or permissions.  
-  
-## Effective Tab  
- The permissions that a principal has related to a securable may come from permissions that are set for several different principals. For example, a login might be granted permissions individually and also as a member of a group. The **Effective** tab shows the result of combining explicit permissions and the permissions that are received from group or role memberships. Grant permissions are aggregated. A deny permission overrides all grant permissions.  
-  
- **Permissions**  
- The name of the permission.  
-  
- **Column**  
- The names of columns that are affected by the permission.  
-  
-## See Also  
- [Database-Level Roles](../../relational-databases/security/authentication-access/database-level-roles.md)   
- [Security Center for SQL Server Database Engine and Azure SQL Database](../../relational-databases/security/security-center-for-sql-server-database-engine-and-azure-sql-database.md)  
-  
-  
+
+Use the **Permissions** page or the **Securables** page to view or set the permissions for securables. This page can be opened from many locations. The contents of the page can change slightly, depending on how the page is opened and what it contains. The top grid of the page might be populated when the page opens, or it might be empty. To add items to the upper grid, select **Search**. In the upper grid, select an item, and then set the appropriate permissions on the **Explicit** tab. To view aggregated permissions, use the **Effective** tab.
+
+To understand the possible combinations of securables and principals, see the securable-specific syntax links in the article [GRANT](../../t-sql/statements/grant-transact-sql.md). For more information, see [Securables](securables.md).
+
+## Page Header
+
+The header of the **Permissions** or **Securables** page varies depending on the securable or principal. It displays information relevant to the item, such as its name.
+
+## Upper Grid
+
+The upper grid contains one or more items for which permissions can be set. This dialog box provides the **Search** button for selecting objects or principals to add to the upper grid. The name of the grid might display **Securables** or one or more types of securables or principals. The columns that are displayed in the upper grid vary depending on the principal or securable.
+
+**Name**  
+The name of each principal or securable that is added to the grid.
+
+**Type**  
+Describes the type of each item.
+
+## Explicit Tab
+
+The **Explicit** tab lists the possible permissions for the securable that are selected in the upper grid. To configure the permissions, select or clear the **Grant** (or **Allow**), **With Grant**, and **Deny** check boxes. All options aren't available for all explicit permissions.
+
+**Permissions**  
+The name of the permission.
+
+**Grantor**  
+The principal that granted the permission.
+
+**Grant**  
+Select to grant this permission to the login. Clear to revoke this permission.
+
+**With Grant**  
+Reflects the state of the WITH GRANT option for the listed permission. This box is read-only. To apply this permission, use the [GRANT](../../t-sql/statements/grant-transact-sql.md) statement.
+
+**Deny**  
+Select to deny this permission to the login. Clear to revoke this permission.
+
+**Column Permissions**  
+For objects that contain columns (such as tables, views, or table-valued functions), the **Column Permissions** button opens the **Column Permissions** dialog box. In this dialog box, you can set **Grant**, **Allow**, or **Deny** permissions on individual columns of a table or view. This option isn't available for all object types or permissions.
+
+## Effective Tab
+
+The permissions that a principal has related to a securable might come from permissions that are set for several different principals. For example, a login might be granted permissions individually and also as a member of a group. The **Effective** tab shows the result of combining explicit permissions and the permissions that are received from group or role memberships. Grant permissions are aggregated. A deny permission overrides all grant permissions.
+
+**Permissions**  
+The name of the permission.
+
+**Column**  
+The names of columns that are affected by the permission.
+
+## Related content
+
+- [Database-level roles](authentication-access/database-level-roles.md)
+- [Security for SQL Server Database Engine and Azure SQL Database](security-center-for-sql-server-database-engine-and-azure-sql-database.md)
