Merge branch 'dimitri-furman-3' of https://github.com/dimitri-furman/azure-docs-pr into dimitri-furman-3

Author: dimitri-furman

azure-sql/accelerated-database-recovery.md

@@ -7,17 +7,17 @@ ms.subservice: high-availability
 ms.custom: sqldbrb=4
 ms.devlang: 
 ms.topic: conceptual
-author: mashamsft
-ms.author: mathoma
-ms.reviewer: sstein
+author: stevestein
+ms.author: sstein
+ms.reviewer: 
 ms.date: 05/19/2020
 ---
 # Accelerated Database Recovery in Azure SQL 
 [!INCLUDE[appliesto-sqldb-sqlmi](includes/appliesto-sqldb-sqlmi.md)]
 
 **Accelerated Database Recovery (ADR)** is a SQL Server database engine feature that greatly improves database availability, especially in the presence of long running transactions, by redesigning the SQL Server database engine recovery process. 
 
-ADR is currently available for Azure SQL Database, Azure SQL Managed Instance, databases in Azure Synapse Analytics (currently in preview), and SQL Server on Azure VMs starting with SQL Server 2019. 
+ADR is currently available for Azure SQL Database, Azure SQL Managed Instance, databases in Azure Synapse Analytics, and SQL Server on Azure VMs starting with SQL Server 2019. 
 
 > [!NOTE] 
 > ADR is enabled by default in Azure SQL Database and Azure SQL Managed Instance and disabling ADR for either product is not supported. 

azure-sql/azure-hybrid-benefit.md

@@ -83,8 +83,8 @@ SQL Database customers have the following rights associated with Azure Hybrid Be
 
 |License footprint|What does Azure Hybrid Benefit for SQL Server get you?|
 |---|---|
-|SQL Server Enterprise Edition core customers with SA|<li>Can pay base rate on either General Purpose or Business Critical SKU</li><br><li>1 core on-premises = 4 cores in General Purpose SKU</li><br><li>1 core on-premises = 1 core in Business Critical SKU</li>|
-|SQL Server Standard Edition core customers with SA|<li>Can pay base rate on General Purpose SKU only</li><br><li>1 core on-premises = 1 core in General Purpose SKU</li>|
+|SQL Server Enterprise Edition core customers with SA|<li>Can pay base rate on Hyperscale, General Purpose, or Business Critical SKU</li><br><li>1 core on-premises = 4 cores in Hyperscale SKU</li><br><li>1 core on-premises = 4 cores in General Purpose SKU</li><br><li>1 core on-premises = 1 core in Business Critical SKU</li>|
+|SQL Server Standard Edition core customers with SA|<li>Can pay base rate on Hyperscale and General Purpose SKU only</li><br><li>1 core on-premises = 1 core in Hyperscale SKU</li><br><li>1 core on-premises = 1 core in General Purpose SKU</li>|
 |||
 
 

azure-sql/database/active-directory-interactive-connect-azure-sql-db.md

@@ -12,10 +12,10 @@ ms.author: MirekS
 ms.reviewer: vanto
 ms.date: 04/23/2020
 ---
-# Connect to Azure SQL Database with Azure Multi-Factor Authentication
+# Connect to Azure SQL Database with Azure AD Multi-Factor Authentication
 [!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)]
 
-This article provides a C# program that connects to Azure SQL Database. The program uses interactive mode authentication, which supports [Azure Multi-Factor Authentication](../../active-directory/authentication/concept-mfa-howitworks.md).
+This article provides a C# program that connects to Azure SQL Database. The program uses interactive mode authentication, which supports [Azure AD Multi-Factor Authentication](../../active-directory/authentication/concept-mfa-howitworks.md).
 
 For more information about Multi-Factor Authentication support for SQL tools, see [Azure Active Directory support in SQL Server Data Tools (SSDT)](/sql/ssdt/azure-active-directory).
 
@@ -33,7 +33,7 @@ Starting in .NET Framework version 4.7.2, the enum [`SqlAuthenticationMethod`](/
 
 * A dialog box that asks for a Multi-Factor Authentication verification code, which the system has sent to a mobile phone.
 
-For information about how to configure Azure AD to require Multi-Factor Authentication, see [Getting started with Azure Multi-Factor Authentication in the cloud](../../active-directory/authentication/howto-mfa-getstarted.md).
+For information about how to configure Azure AD to require Multi-Factor Authentication, see [Getting started with Azure AD Multi-Factor Authentication in the cloud](../../active-directory/authentication/howto-mfa-getstarted.md).
 
 For screenshots of these dialog boxes, see [Configure multi-factor authentication for SQL Server Management Studio and Azure AD](authentication-mfa-ssms-configure.md).
 

azure-sql/database/active-geo-replication-overview.md

@@ -127,7 +127,7 @@ By default, the backup storage redundancy of the secondary is same as that of th
 > Transaction log rate on the primary may be throttled for reasons unrelated to lower compute size on a secondary. This kind of throttling may occur even if the secondary has the same or higher compute size than the primary. For details, including wait types for different kinds of log rate throttling, see [Transaction log rate governance](resource-limits-logical-server.md#transaction-log-rate-governance).
 
 > [!NOTE]
-> Azure SQL Database Configurable Backup Storage Redundancy is currently generally available in Southeast Asia Azure region only. When the source database is created with locally-redundant or zone-redundant backup storage redundancy, creating a secondary database in a different Azure region is not supported. 
+> Azure SQL Database Configurable Backup Storage Redundancy is currently available in public preview in Brazil South and generally available in Southeast Asia Azure region only. When the source database is created with locally-redundant or zone-redundant backup storage redundancy, creating a secondary database in a different Azure region is not supported. 
 
 For more information on the SQL Database compute sizes, see [What are SQL Database Service Tiers](purchasing-models.md).
 
@@ -239,7 +239,7 @@ To measure lag with respect to changes on the primary database that have been ap
 
 ## Programmatically managing active geo-replication
 
-As discussed previously, active geo-replication can also be managed programmatically using Azure PowerShell and the REST API. The following tables describe the set of commands available. Active geo-replication includes a set of Azure Resource Manager APIs for management, including the [Azure SQL Database REST API](/rest/api/sql/) and [Azure PowerShell cmdlets](/powershell/azure/). These APIs require the use of resource groups and support role-based security (RBAC). For more information on how to implement access roles, see [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md).
+As discussed previously, active geo-replication can also be managed programmatically using Azure PowerShell and the REST API. The following tables describe the set of commands available. Active geo-replication includes a set of Azure Resource Manager APIs for management, including the [Azure SQL Database REST API](/rest/api/sql/) and [Azure PowerShell cmdlets](/powershell/azure/). These APIs require the use of resource groups and support Azure role-based access control (Azure RBAC). For more information on how to implement access roles, see [Azure role-based access control (Azure RBAC)](../../role-based-access-control/overview.md).
 
 ### T-SQL: Manage failover of single and pooled databases
 
@@ -297,4 +297,4 @@ As discussed previously, active geo-replication can also be managed programmatic
 - For a business continuity overview and scenarios, see [Business continuity overview](business-continuity-high-availability-disaster-recover-hadr-overview.md)
 - To learn about Azure SQL Database automated backups, see [SQL Database automated backups](automated-backups-overview.md).
 - To learn about using automated backups for recovery, see [Restore a database from the service-initiated backups](recovery-using-backups.md).
-- To learn about authentication requirements for a new primary server and database, see [SQL Database security after disaster recovery](active-geo-replication-security-configure.md).
+- To learn about authentication requirements for a new primary server and database, see [SQL Database security after disaster recovery](active-geo-replication-security-configure.md).

azure-sql/database/alerts-insights-configure-portal.md

@@ -9,7 +9,7 @@ ms.devlang:
 ms.topic: how-to
 author: aamalvea
 ms.author: aamalvea
-ms.reviewer: jrasnik, sstein
+ms.reviewer: wiassaf, sstein
 ms.date: 05/04/2020
 ---
 # Create alerts for Azure SQL Database and Azure Synapse Analytics using the Azure portal
@@ -18,7 +18,7 @@ ms.date: 05/04/2020
 
 ## Overview
 
-This article shows you how to set up alerts for databases in Azure SQL Database and Azure Synapse Analytics (formerly SQL Data Warehouse) using the Azure portal. Alerts can send you an email or call a web hook when some metric (for example database size or CPU usage) reaches the threshold.
+This article shows you how to set up alerts for databases in Azure SQL Database and Azure Synapse Analytics using the Azure portal. Alerts can send you an email or call a web hook when some metric (for example database size or CPU usage) reaches the threshold.
 
 > [!NOTE]
 > For Azure SQL Managed Instance specific instructions, see [Create alerts for Azure SQL Managed Instance](../managed-instance/alerts-create.md).

azure-sql/database/always-encrypted-azure-key-vault-configure.md

@@ -5,13 +5,13 @@ keywords: data encryption, encryption key, cloud encryption
 services: sql-database
 ms.service: sql-database
 ms.subservice: security
-ms.custom: sqldbrb=1
+ms.custom: sqldbrb=1, devx-track-azurecli
 ms.devlang: 
 ms.topic: how-to
 author: VanMSFT
 ms.author: vanto
 ms.reviewer:
-ms.date: 04/23/2020
+ms.date: 11/02/2020
 ---
 # Configure Always Encrypted by using Azure Key Vault 
 
@@ -94,8 +94,8 @@ az group create --location $location --name $resourceGroupName
 
 az keyvault create --name $vaultName --resource-group $resourceGroupName --location $location
 
-az keyvault set-policy --name $vaultName --key-permissions create, get, list, sign, unwrapKey, verify, wrapKey --resource-group $resourceGroupName --upn $userPrincipalName
-az keyvault set-policy --name $vaultName --key-permissions get, list, sign, unwrapKey, verify, wrapKey --resource-group $resourceGroupName --spn $applicationId
+az keyvault set-policy --name $vaultName --key-permissions create get list sign unwrapKey verify wrapKey --resource-group $resourceGroupName --upn $userPrincipalName
+az keyvault set-policy --name $vaultName --key-permissions get list sign unwrapKey verify wrapKey --resource-group $resourceGroupName --spn $applicationId
 ```
 
 ---
@@ -603,4 +603,4 @@ After your database is configured to use Always Encrypted, you may want to do th
 - [Transparent data encryption](/sql/relational-databases/security/encryption/transparent-data-encryption)
 - [SQL Server encryption](/sql/relational-databases/security/encryption/sql-server-encryption)
 - [Always Encrypted wizard](/sql/relational-databases/security/encryption/always-encrypted-wizard)
-- [Always Encrypted blog](/archive/blogs/sqlsecurity/always-encrypted-key-metadata)
+- [Always Encrypted blog](/archive/blogs/sqlsecurity/always-encrypted-key-metadata)

azure-sql/database/always-encrypted-enclaves-configure-attestation.md

@@ -0,0 +1,149 @@
+---
+title: "Configure Azure Attestation for your Azure SQL logical server"
+description: "Configure Azure Attestation for Always Encrypted with secure enclaves in Azure SQL Database."
+keywords: encrypt data, sql encryption, database encryption, sensitive data, Always Encrypted, secure enclaves, SGX, attestation
+services: sql-database
+ms.service: sql-database
+ms.subservice: security
+ms.devlang: 
+ms.topic: how-to
+author: jaszymas
+ms.author: jaszymas
+ms.reviwer: vanto
+ms.date: 01/15/2021
+---
+
+# Configure Azure Attestation for your Azure SQL logical server
+
+[!INCLUDE[appliesto-sqldb](../includes/appliesto-sqldb.md)]
+
+> [!NOTE]
+> Always Encrypted with secure enclaves for Azure SQL Database is currently in **public preview**.
+
+[Microsoft Azure Attestation](../../attestation/overview.md) is a solution for attesting Trusted Execution Environments (TEEs), including Intel Software Guard Extensions (Intel SGX) enclaves. 
+
+To use Azure Attestation for attesting Intel SGX enclaves used for [Always Encrypted with secure enclaves](/sql/relational-databases/security/encryption/always-encrypted-enclaves) in Azure SQL Database, you need to:
+
+1. Create an [attestation provider](../../attestation/basic-concepts.md#attestation-provider) and configure it with the recommended attestation policy.
+
+2. Grant your Azure SQL logical server access to your attestation provider.
+
+> [!NOTE]
+> Configuring attestation is the responsibility of the attestation administrator. See [Roles and responsibilities when configuring SGX enclaves and attestation](always-encrypted-enclaves-plan.md#roles-and-responsibilities-when-configuring-sgx-enclaves-and-attestation).
+
+## Requirements
+
+The Azure SQL logical server and the attestation provider must belong to the same Azure Active Directory tenant. Cross-tenant interactions aren't supported. 
+
+The Azure SQL logical server must have an Azure AD identity assigned to it. As the attestation administrator you need to obtain the Azure AD identity of the server from the Azure SQL Database administrator for that server. You will use the identity to grant the server access to the attestation provider. 
+
+For instructions on how to create a server with an identity or assign an identity to an existing server using PowerShell and Azure CLI, see [Assign an Azure AD identity to your server](transparent-data-encryption-byok-configure.md#assign-an-azure-active-directory-azure-ad-identity-to-your-server).
+
+## Create and configure an attestation provider
+
+An [attestation provider](../../attestation/basic-concepts.md#attestation-provider) is a resource in Azure Attestation that evaluates [attestation requests](../../attestation/basic-concepts.md#attestation-request) against [attestation policies](../../attestation/basic-concepts.md#attestation-request) and issues [attestation tokens](../../attestation/basic-concepts.md#attestation-token). 
+
+Attestation policies are specified using the [claim rule grammar](../../attestation/claim-rule-grammar.md).
+
+Microsoft recommends the following policy for attesting Intel SGX enclaves used for Always Encrypted in Azure SQL Database:
+
+```output
+version= 1.0;
+authorizationrules 
+{
+       [ type=="x-ms-sgx-is-debuggable", value==false ]
+        && [ type=="x-ms-sgx-product-id", value==4639 ]
+        && [ type=="x-ms-sgx-svn", value>= 0 ]
+        && [ type=="x-ms-sgx-mrsigner", value=="e31c9e505f37a58de09335075fc8591254313eb20bb1a27e5443cc450b6e33e5"] 
+    => permit();
+};
+```
+
+The above policy verifies:
+
+- The enclave inside Azure SQL Database doesn't support debugging (which would reduce the level of protection the enclave provides).
+- The product ID of the library inside the enclave is the product ID assigned to Always Encrypted with secure enclaves (4639).
+- The version ID (svn) of the library is greater than 0.
+- The library in the enclave has been signed using the Microsoft signing key (the value of the x-ms-sgx-mrsigner claim is the hash of the signing key).
+
+> [!IMPORTANT]
+> An attestation provider gets created with the default policy for Intel SGX enclaves, which does not validate the code running inside the enclave. Microsoft strongly advises you set the above recommended policy, and not use the default policy, for Always Encrypted with secure enclaves.
+
+For instructions for how to create an attestation provider and configure with an attestation policy using:
+
+- [Quickstart: Set up Azure Attestation with Azure portal](../../attestation/quickstart-portal.md)
+    > [!IMPORTANT]
+    > When you configure your attestation policy with Azure portal, set Attestation Type to `SGX-IntelSDK`.
+- [Quickstart: Set up Azure Attestation with Azure PowerShell](../../attestation/quickstart-powershell.md)
+    > [!IMPORTANT]
+    > When you configure your attestation policy with Azure PowerShell, set the `Tee` parameter to `SgxEnclave`.
+- [Quickstart: Set up Azure Attestation with Azure CLI](../../attestation/quickstart-azure-cli.md)
+    > [!IMPORTANT]
+    > When you configure your attestation policy with Azure CLI, set the `attestation-type` parameter to `SGX-IntelSDK`.
+
+## Determine the attestation URL for your attestation policy
+
+After you've configured an attestation policy, you need to share the attestation URL, referencing the policy, administrators of applications that use Always Encrypted with secure enclaves in Azure SQL Database. Application administrators or/and application users will need to configure their apps with the attestation URL, so that they can run statements that use secure enclaves.
+
+### Use PowerShell to determine the attestation URL
+
+Use the following script to determine your attestation URL:
+
+```powershell
+$attestationProvider = Get-AzAttestation -Name $attestationProviderName -ResourceGroupName $attestationResourceGroupName 
+$attestationUrl = $attestationProvider.AttestUri + “/attest/SgxEnclave”
+Write-Host "Your attestation URL is: " $attestationUrl 
+```
+
+### Use Azure portal to determine the attestation URL
+
+1. In the Overview pane for your attestation provider, copy the value of the Attest URI property to clipboard. An Attest URI should look like this: `https://MyAttestationProvider.us.attest.azure.net`.
+
+2. Append the following to the Attest URI: `/attest/SgxEnclave`. 
+
+The resulting attestation URL should look like this: `https://MyAttestationProvider.us.attest.azure.net/attest/SgxEnclave`
+
+## Grant your Azure SQL logical server access to your attestation provider
+
+During the attestation workflow, the Azure SQL logical server containing your database calls the attestation provider to submit an attestation request. For the Azure SQL logical server to be able to submit attestation requests, the server must have a permission for the `Microsoft.Attestation/attestationProviders/attestation/read` action on the attestation provider. The recommended way to grant the permission is for the administrator of the attestation provider to assign the Azure AD identity of the server to the Attestation Reader role for the attestation provider, or its containing resource group.
+
+### Use Azure portal to assign permission
+
+To assign the identity of an Azure SQL server to the Attestation Reader role for an attestation provider, follow the general instructions in [Add or remove Azure role assignments using the Azure portal](../../role-based-access-control/role-assignments-portal.md). When you are in the **Add role assignment** pane:
+
+1. In the **Role** drop-down, select the **Attestation Reader** role.
+1. In the **Select** field, enter the name of your Azure SQL server to search for it.
+
+See the below screenshot for an example.
+
+![attestation reader role assignment](./media/always-encrypted-enclaves/attestation-provider-role-assigment.png)
+
+> [!NOTE]
+> For a server to show up in the **Add role assignment** pane, the server must have an Azure AD identity assigned - see [Requirements](#requirements).
+
+### Use PowerShell to assign permission
+
+1. Find your Azure SQL logical server.
+
+```powershell
+$serverResourceGroupName = "<server resource group name>"
+$serverName = "<server name>" 
+$server = Get-AzSqlServer -ServerName $serverName -ResourceGroupName
+```
+ 
+2. Assign the server to the Attestation Reader role for the resource group containing your attestation provider.
+
+```powershell
+$attestationResourceGroupName = "<attestation provider resource group name>"
+New-AzRoleAssignment -ObjectId $server.Identity.PrincipalId -RoleDefinitionName "Attestation Reader" -ResourceGroupName $attestationResourceGroupName
+```
+
+For more information, see [Add or remove Azure role assignments using Azure PowerShell](../../role-based-access-control/role-assignments-powershell.md#add-role-assignment-examples).
+
+## Next Steps
+
+- [Manage keys for Always Encrypted with secure enclaves](/sql/relational-databases/security/encryption/always-encrypted-enclaves-manage-keys)
+
+## See also
+
+- [Tutorial: Getting started with Always Encrypted with secure enclaves in Azure SQL Database](always-encrypted-enclaves-getting-started.md)