Commit d714a34

Merge pull request #34574 from VanMSFT/20250630_updateImg
Update images and steps
2 parents d74b0b9 + e03a600 commit d714a34

6 files changed

+27
-32
lines changed

azure-sql/database/authentication-aad-directory-readers-role-tutorial.md

Lines changed: 8 additions & 10 deletions
@@ -5,7 +5,7 @@ description: This article guides you through enabling the Directory Readers role
55
author: VanMSFT
66
ms.author: vanto
77
ms.reviewer: wiassaf, vanto, mathoma
8-
ms.date: 06/10/2025
8+
ms.date: 06/30/2025
99
ms.service: azure-sql
1010
ms.subservice: security
1111
ms.topic: tutorial
@@ -42,17 +42,17 @@ For more information on the benefits of assigning the Directory Readers role to
4242

4343
1. A user with [Privileged Role Administrator](/azure/active-directory/roles/permissions-reference#privileged-role-administrator) permissions is required for this initial setup.
4444
1. Have the privileged user sign into the [Azure portal](https://portal.azure.com).
45-
1. Go to the **Microsoft Entra ID** resource. Under **Managed**, go to **Groups**. Select **New group** to create a new group.
45+
1. Go to the **Microsoft Entra ID** resource. Under **Manage**, go to **Groups**. Select **New group** to create a new group.
4646
1. Select **Security** as the group type, and fill in the rest of the fields. Make sure that the setting **Microsoft Entra roles can be assigned to the group** is switched to **Yes**. Then assign the Microsoft Entra ID **Directory readers** role to the group.
47-
1. Assign Microsoft Entra users as owner(s) to the group that was created. A group owner can be a regular AD user without any Microsoft Entra administrative role assigned. The owner should be a user that is managing your SQL Database, SQL Managed Instance, or Azure Synapse.
47+
1. Assign Microsoft Entra users as an owner to the group that was created. A group owner can be a regular AD user without any Microsoft Entra administrative role assigned. The owner should be a user that is managing your SQL Database, SQL Managed Instance, or Azure Synapse.
4848
1. Select **Create**
4949

5050
<a id="checking-the-group-that-was-created"></a>
5151

5252
### Check the group that was created
5353

5454
> [!NOTE]
55-
> Make sure that the **Group Type** is **Security**. *Microsoft 365* groups are not supported for Azure SQL.
55+
> Make sure that the **Group Type** is **Security**. *Microsoft 365* groups aren't supported for Azure SQL.
5656
5757
To check and manage the group that was created, go back to the **Groups** pane in the Azure portal, and search for your group name. Additional owners and members can be added under the **Owners** and **Members** menu of **Manage** setting after selecting your group. You can also review the **Assigned roles** for the group.
5858

@@ -77,20 +77,18 @@ For subsequent steps, the Privileged Role Administrator user is no longer needed
7777

7878
:::image type="content" source="media/authentication-aad-directory-readers-role-tutorial/azure-ad-managed-instance-service-principal.png" alt-text="Screenshot of the Enterprise applications page for a Microsoft Entra ID resource with the Object ID of the SQL Managed instance highlighted." lightbox="media/authentication-aad-directory-readers-role-tutorial/azure-ad-managed-instance-service-principal.png":::
7979

80-
1. Go to the **Microsoft Entra ID** resource. Under **Managed**, go to **Groups**. Select the group that you created. Under the **Managed** setting of your group, select **Members**. Select **Add members** and add your SQL Managed Instance service principal as a member of the group by searching for the name found above.
81-
82-
:::image type="content" source="media/authentication-aad-directory-readers-role-tutorial/azure-ad-add-managed-instance-service-principal.png" alt-text="Screenshot of the Members page for a Microsoft Entra resource with the options highlighted for adding a SQL Managed instance as a new member." lightbox="media/authentication-aad-directory-readers-role-tutorial/azure-ad-add-managed-instance-service-principal.png":::
80+
1. Go to the **Microsoft Entra ID** resource. Under **Manage**, go to **Groups**. Select the group that you created. Under the **Manage** setting of your group, select **Members**. Select **Add members** and add your SQL Managed Instance service principal as a member of the group by searching for the name found above.
8381

8482
> [!NOTE]
85-
> It can take a few minutes to propagate the service principal permissions through the Azure system, and allow access to Microsoft Graph API. You might have to wait a few minutes before you provision a Microsoft Entra admin for SQL Managed Instance.
83+
> It can take a few minutes to propagate the service principal permissions through the Azure system, and allow access to Microsoft Graph. You might have to wait a few minutes before you provision a Microsoft Entra admin for SQL Managed Instance.
8684
8785
### Remarks
8886

8987
For SQL Database and Azure Synapse, the server identity can be created during [logical server](logical-servers.md) creation or after the server is created. For more information on how to create or set the server identity in SQL Database or Azure Synapse, see [Enable service principals to create Microsoft Entra users](authentication-aad-service-principal.md#enable-service-principals-to-create-azure-ad-users).
9088

91-
For SQL Managed Instance, the **Directory Readers** role must be assigned to managed instance identity before you can [set up a Microsoft Entra admin for the managed instance](authentication-aad-configure.md#provision-azure-ad-admin-sql-managed-instance).
89+
For SQL Managed Instance, the **Directory Readers** role must be assigned to the managed instance identity before you can [set up a Microsoft Entra admin for the managed instance](authentication-aad-configure.md#provision-azure-ad-admin-sql-managed-instance).
9290

93-
Assigning the **Directory Readers** role to the server identity isn't required for SQL Database or Azure Synapse when setting up a Microsoft Entra admin for the logical server. However, to enable Microsoft Entra object creation in SQL Database or Azure Synapse on behalf of a Microsoft Entra application, the **Directory Readers** role is required. If the role isn't assigned to the logical server identity, creating Microsoft Entra users in Azure SQL will fail. For more information, see [Microsoft Entra service principals with Azure SQL](authentication-aad-service-principal.md).
91+
Assigning the **Directory Readers** role to the server identity isn't required for SQL Database or Azure Synapse when setting up a Microsoft Entra admin for the logical server. However, to enable Microsoft Entra object creation in SQL Database or Azure Synapse on behalf of a Microsoft Entra application, the **Directory Readers** role (or lower level permissions discussed in [Managed identities in Microsoft Entra for Azure SQL](authentication-azure-ad-user-assigned-managed-identity.md)) is required. If the role isn't assigned to the logical server identity, creating Microsoft Entra users in Azure SQL will fail. For more information, see [Microsoft Entra service principals with Azure SQL](authentication-aad-service-principal.md).
9492

9593
## Directory Readers role assignment using PowerShell
9694

azure-sql/database/authentication-azure-ad-only-authentication-policy-how-to.md

Lines changed: 19 additions & 22 deletions
@@ -5,7 +5,7 @@ description: This article guides you through using Azure Policy to enforce Micro
55
author: VanMSFT
66
ms.author: vanto
77
ms.reviewer: wiassaf, vanto, mathoma
8-
ms.date: 06/10/2025
8+
ms.date: 06/30/2025
99
ms.service: azure-sql
1010
ms.subservice: security
1111
ms.topic: how-to
@@ -19,7 +19,7 @@ monikerRange: "=azuresql || =azuresql-db || =azuresql-mi"
1919
This article guides you through creating an Azure Policy that would enforce Microsoft Entra-only authentication when users create an Azure SQL Managed Instance, or a [logical server](logical-servers.md) for Azure SQL Database. To learn more about Microsoft Entra-only authentication during resource creation, see [Create server with Microsoft Entra-only authentication enabled in Azure SQL](authentication-azure-ad-only-authentication-create-server.md).
2020

2121
> [!NOTE]
22-
> Although Azure Active Directory (Azure AD) has been [renamed to Microsoft Entra ID](/entra/fundamentals/new-name), Microsoft Entra-only and Azure AD-only authentication are used interchangeably in this article.
22+
> Although Azure Active Directory (Azure AD) has been [renamed to Microsoft Entra ID](/entra/fundamentals/new-name), Microsoft Entra-only and Azure AD-only authentication are used interchangeably in this article.
2323
2424
In this article, you learn how to:
2525

@@ -33,44 +33,43 @@ In this article, you learn how to:
3333

3434
## Create an Azure Policy
3535

36-
Start off by creating an Azure Policy enforcing SQL Database or Managed Instance provisioning with Azure AD-only authentication enabled.
36+
Start off by creating an Azure Policy enforcing SQL Database or SQL Managed Instance provisioning with Microsoft Entra-only authentication enabled.
3737

3838
1. Go to the [Azure portal](https://portal.azure.com).
3939
1. Search for the service **Policy**.
4040
1. Under the Authoring settings, select **Definitions**.
41-
1. In the **Search** box, search for *Azure Active Directory only authentication*.
41+
1. In the **Search** box, search for *Microsoft Entra-only authentication*.
4242

43-
There are two built-in policies available to enforce Azure AD-only authentication. One is for SQL Database, and the other is for SQL Managed Instance.
43+
There are a few built-in policies available to enforce Microsoft Entra-only authentication. Look for the one available for your service:
4444

45-
- Azure SQL Database should have Azure Active Directory Only Authentication enabled
46-
- Azure SQL Managed Instance should have Azure Active Directory Only Authentication enabled
45+
- Azure SQL Database should have Microsoft Entra-only Authentication enabled
46+
- Azure SQL Managed Instance should have Microsoft Entra-only Authentication enabled
4747

48-
49-
1. Select the policy name for your service. In this example, we'll use Azure SQL Database. Select **Azure SQL Database should have Azure Active Directory Only Authentication enabled**.
50-
1. Select **Assign** in the new menu.
48+
1. Select the policy name for your service. In this example, we'll use Azure SQL Database. Select **Azure SQL Database should have Microsoft Entra-only authentication enabled**.
49+
1. Select **Assign policy** in the new menu.
5150

5251
> [!NOTE]
5352
> The JSON script in the menu shows the built-in policy definition that can be used as a template to build a custom Azure Policy for SQL Database. The default is set to `Audit`.
5453
55-
:::image type="content" source="media/authentication-azure-ad-only-authentication-policy-how-to/assign-policy-azure-ad-only-authentication.png" alt-text="Screenshot of assigning Azure Policy for Azure AD-only authentication." lightbox="media/authentication-azure-ad-only-authentication-policy-how-to/assign-policy-azure-ad-only-authentication.png":::
54+
:::image type="content" source="media/authentication-azure-ad-only-authentication-policy-how-to/assign-policy-azure-ad-only-authentication.png" alt-text="Screenshot of assigning Azure Policy for Microsoft Entra-only authentication." lightbox="media/authentication-azure-ad-only-authentication-policy-how-to/assign-policy-azure-ad-only-authentication.png":::
5655

5756
1. In the **Basics** tab, add a **Scope** by using the selector (**...**) on the side of the box.
5857
1. In the **Scope** pane, select your **Subscription** from the dropdown list menu, and select a **Resource Group** for this policy. Once you're done, use the **Select** button to save the selection.
5958

6059
> [!NOTE]
61-
> If you do not select a resource group, the policy will apply to the whole subscription.
60+
> If you don't select a resource group, the policy applies to the whole subscription.
6261
63-
:::image type="content" source="media/authentication-azure-ad-only-authentication-policy-how-to/adding-scope-policy-azure-ad-only-authentication.png" alt-text="Screenshot of adding Azure Policy scope for Azure AD-only authentication.":::
62+
:::image type="content" source="media/authentication-azure-ad-only-authentication-policy-how-to/adding-scope-policy-azure-ad-only-authentication.png" alt-text="Screenshot of adding Azure Policy scope for Microsoft Entra-only authentication.":::
6463

6564
1. Once you're back on the **Basics** tab, customize the **Assignment name** and provide an optional **Description**. Make sure the **Policy enforcement** is **Enabled**.
6665
1. Go over to the **Parameters** tab. Unselect the option **Only show parameters that require input**.
67-
1. Under **Effect**, select **Deny**. This setting prevents creating a logical server without Azure AD-only authentication enabled.
66+
1. Under **Effect**, select **Deny**. This setting prevents creating a logical server without Microsoft Entra-only authentication enabled.
6867

69-
:::image type="content" source="media/authentication-azure-ad-only-authentication-policy-how-to/deny-policy-azure-ad-only-authentication.png" alt-text="Screenshot of Azure Policy effect parameter for Azure AD-only authentication." lightbox="media/authentication-azure-ad-only-authentication-policy-how-to/deny-policy-azure-ad-only-authentication.png":::
68+
:::image type="content" source="media/authentication-azure-ad-only-authentication-policy-how-to/deny-policy-azure-ad-only-authentication.png" alt-text="Screenshot of Azure Policy effect parameter for Microsoft Entra-only authentication." lightbox="media/authentication-azure-ad-only-authentication-policy-how-to/deny-policy-azure-ad-only-authentication.png":::
7069

7170
1. In the **Non-compliance messages** tab, you can customize the policy message that displays if a violation of the policy has occurred. The message will let users know what policy was enforced during server creation.
7271

73-
:::image type="content" source="media/authentication-azure-ad-only-authentication-policy-how-to/non-compliance-message-policy-azure-ad-only-authentication.png" alt-text="Screenshot of Azure Policy non-compliance message for Azure AD-only authentication." lightbox="media/authentication-azure-ad-only-authentication-policy-how-to/non-compliance-message-policy-azure-ad-only-authentication.png":::
72+
:::image type="content" source="media/authentication-azure-ad-only-authentication-policy-how-to/non-compliance-message-policy-azure-ad-only-authentication.png" alt-text="Screenshot of Azure Policy noncompliance message for Microsoft Entra-only authentication." lightbox="media/authentication-azure-ad-only-authentication-policy-how-to/non-compliance-message-policy-azure-ad-only-authentication.png":::
7473

7574
1. Select **Review + create**. Review the policy and select the **Create** button.
7675

@@ -83,18 +82,16 @@ You can check the **Compliance** setting under the **Policy** service to see the
8382

8483
Search for the assignment name that you have given earlier to the policy.
8584

86-
:::image type="content" source="media/authentication-azure-ad-only-authentication-policy-how-to/compliance-policy-azure-ad-only-authentication.png" alt-text="Screenshot of Azure Policy compliance for Azure AD-only authentication." lightbox="media/authentication-azure-ad-only-authentication-policy-how-to/compliance-policy-azure-ad-only-authentication.png":::
87-
88-
Once the logical server is created with Azure AD-only authentication, the policy report will increase the counter under the **Resources by compliance state** visual. You'll be able to see which resources are compliant, or non-compliant.
85+
Once the logical server is created with Microsoft Entra-only authentication, the policy report will increase the counter under the **Resources by compliance state** visual. You'll be able to see which resources are compliant, or noncompliant.
8986

90-
If the resource group that the policy was chosen to cover contains already created servers, the policy report will indicate those resources that are compliant and non-compliant.
87+
If the resource group that the policy was chosen to cover contains already created servers, the policy report will indicate those resources that are compliant and noncompliant.
9188

9289
> [!NOTE]
93-
> Updating the compliance report can take some time. Changes related to resource creation or Microsoft Entra-only authentication settings are not reported immediately.
90+
> Updating the compliance report can take some time. Changes related to resource creation or Microsoft Entra-only authentication settings aren't reported immediately.
9491
9592
## Provision a server
9693

97-
You can then try to provision a logical server or managed instance in the resource group that you assigned the Azure Policy. If Azure AD-only authentication is enabled during server creation, the provision will succeed. When Azure AD-only authentication isn't enabled, the provision will fail.
94+
You can then try to provision a logical server or managed instance in the resource group that you assigned the Azure Policy. If Microsoft Entra-only authentication is enabled during server creation, the provision will succeed. When Microsoft Entra-only authentication isn't enabled, the provision will fail.
9895

9996
For more information, see [Create server with Microsoft Entra-only authentication enabled in Azure SQL](authentication-azure-ad-only-authentication-create-server.md).
10097
