Merge branch 'main' of https://github.com/MicrosoftDocs/sql-docs-pr into 20230223-arcee-features-by-os-type

Author: Mike Ray (Microsoft)

azure-sql/database/security-overview.md

@@ -5,7 +5,7 @@ description: Learn about security in Azure SQL Database and Azure SQL Managed In
 author: jaszymas
 ms.author: jaszymas
 ms.reviewer: wiassaf, vanto, emlisa, mathoma
-ms.date: 08/23/2021
+ms.date: 03/28/2023
 ms.service: sql-db-mi
 ms.subservice: security
 ms.topic: conceptual
@@ -57,9 +57,9 @@ Authentication is the process of proving the user is who they claim to be. Azure
 
     Additional Azure AD authentication options available are [Active Directory Universal Authentication for SQL Server Management Studio](authentication-mfa-ssms-overview.md) connections including [multi-factor authentication](/azure/active-directory/authentication/concept-mfa-howitworks) and [Conditional Access](conditional-access-configure.md).
 
-- **Windows Authentication for Azure AD Principals (Preview)**:
+- **Windows Authentication for Azure AD Principals**:
 
-    [Kerberos authentication for Azure AD Principals](../managed-instance/winauth-azuread-overview.md) (Preview) enables Windows Authentication for Azure SQL Managed Instance. Windows Authentication for managed instances empowers customers to move existing services to the cloud while maintaining a seamless user experience and provides the basis for infrastructure modernization.
+    [Kerberos authentication for Azure AD Principals](../managed-instance/winauth-azuread-overview.md) enables Windows Authentication for Azure SQL Managed Instance. Windows Authentication for managed instances empowers customers to move existing services to the cloud while maintaining a seamless user experience and provides the basis for infrastructure modernization.
 
     To enable Windows Authentication for Azure Active Directory (Azure AD) principals, you will turn your Azure AD tenant into an independent Kerberos realm and create an incoming trust in the customer domain. Learn [how Windows Authentication for Azure SQL Managed Instance is implemented with Azure Active Directory and Kerberos](../managed-instance/winauth-implementation-aad-kerberos.md).
 

azure-sql/managed-instance/managed-instance-link-preparation.md

@@ -27,6 +27,35 @@ To use the link with Azure SQL Managed Instance, you need the following prerequi
 - [Supported version of SQL Server](managed-instance-link-feature-overview.md#prerequisites) with required service update installed.
 - Azure SQL Managed Instance. [Get started](instance-create-quickstart.md) if you don't have it. 
 
+## Permissions
+
+
+For SQL Server, you should have **sysadmin** permissions. 
+
+For Azure SQL Managed Instance, you should be a member of the [SQL Managed Instance Contributor](/azure/role-based-access-control/built-in-roles#sql-managed-instance-contributor), or have the following permissions for a custom role: 
+
+- Microsoft.Sql/managedInstances/hybridCertificate/action
+- Microsoft.Sql/managedInstances/read
+- Microsoft.Sql/managedInstances/write
+- Microsoft.Sql/managedInstances/databases/read
+- Microsoft.Sql/managedInstances/databases/delete
+- Microsoft.Sql/managedInstances/databases/write
+- Microsoft.Sql/managedInstances/databases/completeRestore/action
+- Microsoft.Sql/managedInstances/databases/readBackups/action
+- Microsoft.Sql/managedInstances/databases/restoreDetails/read
+- Microsoft.Sql/managedInstances/distributedAvailabilityGroups/read
+- Microsoft.Sql/managedInstances/distributedAvailabilityGroups/write
+- Microsoft.Sql/managedInstances/distributedAvailabilityGroups/delete
+- Microsoft.Sql/managedInstances/distributedAvailabilityGroups/setRole/action
+- Microsoft.Sql/managedInstances/endpointCertificates/read
+- Microsoft.Sql/managedInstances/hybridLink/read
+- Microsoft.Sql/managedInstances/hybridLink/write
+- Microsoft.Sql/managedInstances/hybridLink/delete
+- Microsoft.Sql/managedInstances/serverTrustCertificates/write
+- Microsoft.Sql/managedInstances/serverTrustCertificates/delete
+- Microsoft.Sql/managedInstances/serverTrustCertificates/read
+
+
 ## Prepare your SQL Server instance
 
 To prepare your SQL Server instance, you need to validate that:

azure-sql/managed-instance/transact-sql-tsql-differences-sql-server.md

@@ -4,7 +4,7 @@ description: This article discusses the Transact-SQL (T-SQL) differences between
 author: danimir
 ms.author: danil
 ms.reviewer: mathoma, bonova, danil
-ms.date: 02/08/2023
+ms.date: 02/17/2023
 ms.service: sql-managed-instance
 ms.subservice: service-overview
 ms.topic: reference
@@ -195,9 +195,9 @@ The default instance collation is `SQL_Latin1_General_CP1_CI_AS` and can be spec
 
 ### Compatibility levels
 
-- Supported compatibility levels are 100, 110, 120, 130, 140 and 150.
+- Supported compatibility levels are 100, 110, 120, 130, 140, 150 and 160.
 - Compatibility levels below 100 aren't supported.
-- The default compatibility level for new databases is 140. For restored databases, the compatibility level remains unchanged if it was 100 and above.
+- The default compatibility level for new databases is 150. For restored databases, the compatibility level remains unchanged if it was 100 and above.
 
 See [ALTER DATABASE Compatibility Level](/sql/t-sql/statements/alter-database-transact-sql-compatibility-level).
 
@@ -405,7 +405,7 @@ Linked servers on Azure SQL Managed Instance support SQL authentication and [Azu
 - Snapshot and Bi-directional replication types are supported. Merge replication, Peer-to-peer replication, and updatable subscriptions are not supported.
 - [Transactional Replication](replication-transactional-overview.md) is available for SQL Managed Instance with some constraints:
     - All types of replication participants (Publisher, Distributor, Pull Subscriber, and Push Subscriber) can be placed on SQL Managed Instance, but the publisher and the distributor must be either both in the cloud or both on-premises.
-    - SQL Managed Instance can communicate with the recent versions of SQL Server. See the [supported versions matrix](replication-transactional-overview.md#supportability-matrix) for more information.
+    - SQL Managed Instance can communicate with the recent versions of SQL Server. For more information see [supported versions matrix](replication-transactional-overview.md#supportability-matrix).
     - Transactional Replication has some [additional networking requirements](replication-transactional-overview.md#requirements).
 
 For more information about configuring transactional replication, see the following tutorials:

docs/machine-learning/install/sql-ml-cab-downloads.md

@@ -101,7 +101,7 @@ CAB files are listed in reverse chronological order. When you download the CAB f
 
 |Release  |Component | Download link  | Issues addressed |
 |---------|----------|----------------|------------------|
-|**[SQL Server 2017 CU29](https://support.microsoft.com//help/5010786/)** |  |  |  |
+|**[SQL Server 2017 CU29](https://support.microsoft.com//help/5010786/)-[CU31](https://support.microsoft.com//help/5016884/)** |  |  |  |
 | | Microsoft R Open      | [SRO_3.5.2.777_1033.cab](https://go.microsoft.com/fwlink/?linkid=2134897)  |  |
 | | R Server              | [SRS_9.4.7.1162_1033.cab](https://go.microsoft.com/fwlink/?linkid=2174362)  |  |
 | | Microsoft Python Open | [SPO_4.5.12.479_1033.cab](https://go.microsoft.com/fwlink/?LinkId=2118341) |  |

docs/relational-databases/security/permissions-database-engine.md

@@ -4,7 +4,7 @@ description: Consult this complete list of SQL Server permissions to find out wh
 author: AndreasWolter
 ms.author: anwolter
 ms.reviewer: randolphwest
-ms.date: 02/26/2023
+ms.date: 02/27/2023
 ms.service: sql
 ms.subservice: security
 ms.topic: conceptual
@@ -236,7 +236,6 @@ The following table lists major classes of permissions and the kinds of securabl
 |DATABASE|EXECUTE|EX|SERVER|CONTROL SERVER|
 |DATABASE|EXECUTE ANY EXTERNAL ENDPOINT|EAEE|SERVER|CONTROL SERVER|
 |DATABASE|EXECUTE ANY EXTERNAL SCRIPT|EAES<br /><br />Applies to [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)] ([!INCLUDE[sssql16-md](../../includes/sssql16-md.md)] through current).|SERVER|CONTROL SERVER|
-|DATABASE|GENERATE LEDGER DIGEST|GLD|SERVER|CONTROL|
 |DATABASE|INSERT|IN|SERVER|CONTROL SERVER|
 |DATABASE|KILL DATABASE CONNECTION|KIDC<br /><br />Only applies to [!INCLUDE[ssSDSfull](../../includes/sssdsfull-md.md)]. Use ALTER ANY CONNECTION in [!INCLUDE[ssNoVersion](../../includes/ssnoversion-md.md)].|SERVER|ALTER ANY CONNECTION|
 |DATABASE|REFERENCES|RF|SERVER|CONTROL SERVER|
@@ -409,7 +408,7 @@ The following permissions are added to SQL Server 2022:
 - 18 new permissions have been added for extended events.
 - 9 new permissions have been added with regard to security-related objects.
 
-- 5 permissions have been added for Ledger.
+- 4 permissions have been added for Ledger.
 - 3 additional database permissions.
 
 For more information, see [New granular permissions for SQL Server 2022 and Azure SQL to improve adherence with PoLP](https://techcommunity.microsoft.com/t5/sql-server-blog/new-granular-permissions-for-sql-server-2022-and-azure-sql-to/ba-p/3607507).
@@ -479,7 +478,6 @@ All these permissions are under the same parent-permission: **ALTER ANY DATABASE
 - ALTER LEDGER
 - ALTER LEDGER CONFIGURATION
 - ENABLE LEDGER
-- GENERATE LEDGER DIGEST
 - VIEW LEDGER CONTENT
 
 #### Other database permissions

docs/tools/sqlpackage/sqlpackage-deploy-drift-report.md

@@ -86,7 +86,7 @@ SqlPackage {parameters}{properties}{SQLCMD Variables}
 |**/p:**|DisableAndReenableDdlTriggers=(BOOLEAN 'True')| Specifies whether Data Definition Language (DDL) triggers are disabled at the beginning of the publish process and re-enabled at the end of the publish action.|
 |**/p:**|DoNotAlterChangeDataCaptureObjects=(BOOLEAN 'True')|If true, Change Data Capture objects are not altered.|
 |**/p:**|DoNotAlterReplicatedObjects=(BOOLEAN 'True')|Specifies whether objects that are replicated are identified during verification.|
-|**/p:**|DoNotDropObjectType=(STRING)|An object type that should not be dropped when DropObjectsNotInSource is true. Valid object type names are Aggregates, ApplicationRoles, Assemblies, AsymmetricKeys, BrokerPriorities, Certificates, ColumnEncryptionKeys, ColumnMasterKeys, Contracts, DatabaseRoles, DatabaseTriggers, Defaults, ExtendedProperties, ExternalDataSources, ExternalFileFormats, ExternalTables, Filegroups, FileTables, FullTextCatalogs, FullTextStoplists, MessageTypes, PartitionFunctions, PartitionSchemes, Permissions, Queues, RemoteServiceBindings, RoleMembership, Rules, ScalarValuedFunctions, SearchPropertyLists, SecurityPolicies, Sequences, Services, Signatures, StoredProcedures, SymmetricKeys, Synonyms, Tables, TableValuedFunctions, UserDefinedDataTypes, UserDefinedTableTypes, ClrUserDefinedTypes, Users, Views, XmlSchemaCollections, Audits, Credentials, CryptographicProviders, DatabaseAuditSpecifications, DatabaseScopedCredentials, Endpoints, ErrorMessages, EventNotifications, EventSessions, LinkedServerLogins, LinkedServers, Logins, Routes, ServerAuditSpecifications, ServerRoleMembership, ServerRoles, ServerTriggers. |
+|**/p:**|DoNotDropObjectType=(STRING)|An object type that should not be dropped when DropObjectsNotInSource is true. Valid object type names are Aggregates, ApplicationRoles, Assemblies, AsymmetricKeys, BrokerPriorities, Certificates, ColumnEncryptionKeys, ColumnMasterKeys, Contracts, DatabaseRoles, DatabaseTriggers, Defaults, ExtendedProperties, ExternalDataSources, ExternalFileFormats, ExternalTables, Filegroups, FileTables, FullTextCatalogs, FullTextStoplists, MessageTypes, PartitionFunctions, PartitionSchemes, Permissions, Queues, RemoteServiceBindings, RoleMembership, Rules, ScalarValuedFunctions, SearchPropertyLists, SecurityPolicies, Sequences, Services, Signatures, StoredProcedures, SymmetricKeys, Synonyms, Tables, TableValuedFunctions, UserDefinedDataTypes, UserDefinedTableTypes, ClrUserDefinedTypes, Users, Views, XmlSchemaCollections, Audits, Credentials, CryptographicProviders, DatabaseAuditSpecifications, DatabaseScopedCredentials, Endpoints, ErrorMessages, EventNotifications, EventSessions, LinkedServerLogins, LinkedServers, Logins, Routes, ServerAuditSpecifications, ServerRoleMembership, ServerRoles, ServerTriggers. This property may be specified multiple times to indicate multiple options.|
 |**/p:**|DoNotDropObjectTypes=(STRING)|A semicolon-delimited list of object types that should not be dropped when DropObjectsNotInSource is true. Valid object type names are Aggregates, ApplicationRoles, Assemblies, AsymmetricKeys, BrokerPriorities, Certificates, ColumnEncryptionKeys, ColumnMasterKeys, Contracts, DatabaseRoles, DatabaseTriggers, Defaults, ExtendedProperties, ExternalDataSources, ExternalFileFormats, ExternalTables, Filegroups, FileTables, FullTextCatalogs, FullTextStoplists, MessageTypes, PartitionFunctions, PartitionSchemes, Permissions, Queues, RemoteServiceBindings, RoleMembership, Rules, ScalarValuedFunctions, SearchPropertyLists, SecurityPolicies, Sequences, Services, Signatures, StoredProcedures, SymmetricKeys, Synonyms, Tables, TableValuedFunctions, UserDefinedDataTypes, UserDefinedTableTypes, ClrUserDefinedTypes, Users, Views, XmlSchemaCollections, Audits, Credentials, CryptographicProviders, DatabaseAuditSpecifications, DatabaseScopedCredentials, Endpoints, ErrorMessages, EventNotifications, EventSessions, LinkedServerLogins, LinkedServers, Logins, Routes, ServerAuditSpecifications, ServerRoleMembership, ServerRoles, ServerTriggers.|
 |**/p:**|DropConstraintsNotInSource=(BOOLEAN 'True')|Specifies whether constraints that do not exist in the database snapshot (.dacpac) file will be dropped from the target database when you publish to a database.|
 |**/p:**|DropDmlTriggersNotInSource=(BOOLEAN 'True')|Specifies whether DML triggers that do not exist in the database snapshot (.dacpac) file will be dropped from the target database when you publish to a database.|

docs/tools/sqlpackage/sqlpackage-export.md

@@ -100,7 +100,7 @@ SqlPackage /at:$($AccessToken_Object.Token) /Action:Export /TargetFile:"C:\Adven
 |**/p:**|IgnoreIndexesStatisticsOnEnclaveEnabledColumns=(BOOLEAN 'False')|Specifies whether indexes or statistics on columns encrypted using randomized encryption and enclave-enabled column encryption keys should be ignored (not included in the generated bacpac). By default (false) any index or a statistic on a column encrypted using randomized encryption and an enclave-enabled column encryption key will block the export action.|
 |**/p:**|LongRunningCommandTimeout=(INT32 '0')|Specifies the long running command timeout in seconds when executing queries against SQL Server. Use 0 to wait indefinitely.|
 |**/p:**|Storage=({File|Memory})|Specifies the type of backing storage for the schema model used during extraction. 'Memory' is default for .NET Core version of SqlPackage. 'File' is only available and default for .NET Framework version of SqlPackage. |
-|**/p:**|TableData=(STRING[])|Indicates the table from which data will be extracted. Specify the table name with or without the brackets surrounding the name parts in the following format: schema_name.table_identifier. This option may be specified multiple times.|
+|**/p:**|TableData=(STRING)|Indicates the table from which data will be extracted. Specify the table name with or without the brackets surrounding the name parts in the following format: schema_name.table_identifier. This property may be specified multiple times to indicate multiple options.|
 |**/p:**|TargetEngineVersion=({Default|Latest|V11|V12} 'Latest')|This property is deprecated and use is not recommended. Specifies the version the target engine for Azure SQL Database is expected to be.|
 |**/p:**|TempDirectoryForTableData=(STRING)|Specifies an alternative temporary directory used to buffer table data before being written to the package file. The space required in this location may be large and is relative to the full size of the database.|
 |**/p:**|VerifyExtraction=(BOOLEAN 'True')|Specifies whether the extracted schema model should be verified. If set to true, schema validation rules are run on the dacpac or bacpac.|

docs/tools/sqlpackage/sqlpackage-extract.md

@@ -122,7 +122,7 @@ SqlPackage /at:$($AccessToken_Object.Token) /Action:Extract /TargetFile:"C:\Adve
 |**/p:**|IgnoreUserLoginMappings=(BOOLEAN 'False')|Specifies whether relationships between users and logins are ignored.|
 |**/p:**|LongRunningCommandTimeout=(INT32 '0')| Specifies the long running command timeout in seconds when executing queries against SQL Server. Use 0 to wait indefinitely.|
 |**/p:**|Storage=({File|Memory})|Specifies the type of backing storage for the schema model used during extraction. 'Memory' is default for .NET Core version of SqlPackage. 'File' is only available and default for .NET Framework version of SqlPackage.|
-|**/p:**|TableData=(STRING[])|Indicates the table from which data will be extracted. Specify the table name with or without the brackets surrounding the name parts in the following format: schema_name.table_identifier. This option may be specified multiple times.|
+|**/p:**|TableData=(STRING)|Indicates the table from which data will be extracted. Specify the table name with or without the brackets surrounding the name parts in the following format: schema_name.table_identifier.  This property may be specified multiple times to indicate multiple options.|
 |**/p:**|TempDirectoryForTableData=(STRING)|Specifies the temporary directory used to buffer table data before being written to the package file.|
 |**/p:**|VerifyExtraction=(BOOLEAN 'True')|Specifies whether the extracted schema model should be verified.|