Merge pull request #35619 from VanMSFT/20251021_updateURLspec

denrea · web-flow · commit c46221c158b7 · 2025-10-23T09:47:37.000-07:00
Reference Microsoft Entra auth URLs
diff --git a/docs/includes/entra-id-tutorial.md b/docs/includes/entra-id-tutorial.md
@@ -31,7 +31,7 @@ In this tutorial, you learn how to:
 - Access to Microsoft Entra ID is available for authentication purpose. For more information, see [Microsoft Entra authentication for SQL Server](../relational-databases/security/authentication-access/azure-ad-authentication-sql-server-overview.md).
 - [SQL Server Management Studio (SSMS)](../ssms/download-sql-server-management-studio-ssms.md) version 18.0 or higher is installed on the client machine.
 - A supported certificate.
-- [Network requirements for enabling Entra ID authentication](../sql-server/azure-arc/prerequisites.md#network-requirements-for-enabling-entra-id-authentication)
+- [Network requirements for enabling Entra ID authentication](../sql-server/azure-arc/prerequisites.md#network-requirements-for-enabling-microsoft-entra-authentication)
 
   Microsoft Entra ID supports CSP certificates. Entra ID doesn't support CNG certificates.
 
@@ -47,7 +47,7 @@ In this tutorial, you learn how to:
 > [!WARNING]  
 > Connections authenticated by Microsoft Entra ID are always encrypted. If SQL Server is using a self-signed certificate, you must add `trust server cert = true` in the connection string. SQL Server and Windows authenticated connections don't require encryption, but it's strongly recommended.
 >
-> SQL Server connects directly to Microsoft Entra ID for authentication. Either [explicit firewall URLs](../sql-server/azure-arc/prerequisites.md#network-requirements-for-enabling-entra-id-authentication) need to be opened for direct access, or use a proxy server. Microsoft Entra ID doesn't use the Arc Connected Machine Agent proxy for authentication. If the machine requires using a proxy server, Microsoft Entra ID requires that the machine-level WinHTTP proxy is set using the following commands (replace `<http://proxyserver:port>` with the appropriate value):
+> SQL Server connects directly to Microsoft Entra ID for authentication. Either [explicit firewall URLs](../sql-server/azure-arc/prerequisites.md#network-requirements-for-enabling-microsoft-entra-authentication) need to be opened for direct access, or use a proxy server. Microsoft Entra ID doesn't use the Arc Connected Machine Agent proxy for authentication. If the machine requires using a proxy server, Microsoft Entra ID requires that the machine-level WinHTTP proxy is set using the following commands (replace `<http://proxyserver:port>` with the appropriate value):
 >
 > ```console
 > netsh winhttp set proxy proxy-server="<http://proxyserver:port>"
diff --git a/docs/relational-databases/security/authentication-access/azure-ad-authentication-sql-server-automation-setup-tutorial.md b/docs/relational-databases/security/authentication-access/azure-ad-authentication-sql-server-automation-setup-tutorial.md
@@ -38,7 +38,7 @@ We'll also go over the updated functionality to set up a Microsoft Entra admin f
 - SQL Server is connected to Azure cloud. For more information, see [Connect your SQL Server to Azure Arc](../../../sql-server/azure-arc/connect.md).
 - Microsoft Entra ID is configured for authentication in the same tenant as the Azure Arc instance.
 - An [Azure Key Vault](/azure/key-vault/general/quick-create-portal) is required.
-- [Network requirements for enabling Entra ID authentication](../../../sql-server/azure-arc/prerequisites.md#network-requirements-for-enabling-entra-id-authentication) are met.
+- [Network requirements for enabling Entra ID authentication](../../../sql-server/azure-arc/prerequisites.md#network-requirements-for-enabling-microsoft-entra-authentication) are met.
 
 <a name='preparation-before-setting-the-azure-ad-admin'></a>
 
diff --git a/docs/sql-server/azure-arc/includes/entra-id-authentication-prerequisites.md b/docs/sql-server/azure-arc/includes/entra-id-authentication-prerequisites.md
@@ -5,8 +5,12 @@ ms.date: 03/24/2025
 ms.topic: include
 ---
 
-Enabling Entra ID authentication for [!INCLUDE [ssnoversion-md](../../../includes/ssnoversion-md.md)] enabled by Azure Arc requires some URLs to be allowed explicitly if a firewall blocks outbound URLs. Add the following URLs to the allowlist:
+Enabling Microsoft Entra authentication for [!INCLUDE [ssnoversion-md](../../../includes/ssnoversion-md.md)] enabled by Azure Arc requires some URLs to be allowed explicitly if a firewall blocks outbound URLs. Add the following URLs to the allowlist:
 
 - `https://login.microsoftonline.com/`
-- `https://<azure-keyvault-name>.vault.azure.net/`
+- `https://login.microsoft.com/`
+- `https://enterpriseregistration.windows.net/`
 - `https://graph.microsoft.com/`
+- `https://<azure-keyvault-name>.vault.azure.net/` (Required only if you're using certificates for Microsoft Entra authentication)
+
+Additionally, you might need to allow [Azure portal authentication URLs](/azure/azure-portal/azure-portal-safelist-urls#azure-portal-authentication).
diff --git a/docs/sql-server/azure-arc/prerequisites.md b/docs/sql-server/azure-arc/prerequisites.md
@@ -4,7 +4,7 @@ description: Describes prerequisites required for SQL Server enabled by Azure Ar
 author: anosov1960
 ms.author: sashan
 ms.reviewer: mikeray, randolphwest
-ms.date: 03/25/2025
+ms.date: 10/21/2025
 ms.topic: conceptual
 ms.custom: references_regions
 ---
@@ -15,7 +15,7 @@ ms.custom: references_regions
 
 An Azure Arc-enabled instance of [!INCLUDE [ssnoversion-md](../../includes/ssnoversion-md.md)] is an instance on-premises or in a cloud provider that is connected to Azure Arc. This article explains those prerequisites.
 
-If your SQL Server VMs are on VMware clusters, review [Support on VMware](#support-on-vmware).
+If your SQL Server virtual machines are on VMware clusters, review [Support on VMware](#support-on-vmware).
 
 ## Before you deploy
 
@@ -70,7 +70,7 @@ Only databases that are online and updateable are included.
 
 Verify the state of any databases you plan to manage from Azure.
 
-This query lists all databases, their status, and if they are updateable:
+This query lists all databases, their status, and if they're updateable:
 
 ```sql
 SELECT 
@@ -98,9 +98,9 @@ For more information about this requirement, review [SQL Server service account]
 ### Set proxy exclusions
 
 > [!NOTE]
-> The exclusion in this section is required for the March, 2024 release and before.
+> The exclusion in this section is required for the March 2024 release and before.
 >
-> Beginning with the release in April, 2024 this exclusion is not required.
+> Beginning with the release in April 2024, this exclusion isn't required.
 
 If a proxy server is used, set the `NO_PROXY` environment variable to exclude proxy traffic for:
 
@@ -121,7 +121,7 @@ If a proxy server is used, set the `NO_PROXY` environment variable to exclude pr
 > [!NOTE]
 > You can't use Azure Private Link connections to the Azure Arc data processing service. See [Unsupported configurations](#unsupported-configurations).
 
-### Network requirements for enabling Entra ID authentication
+### Network requirements for enabling Microsoft Entra authentication
 
 [!INCLUDE [entra-id-authentication-prerequisites](includes/entra-id-authentication-prerequisites.md)]
 
