azure-sql/database/authentication-azure-ad-only-authentication-create-server.md (1 addition & 1 deletion)
@@ -44,7 +44,7 @@ The following section provides you with examples and scripts on how to create a
44
44
In our examples, we're enabling Microsoft Entra-only authentication during server or managed instance creation, with a system assigned server admin and password. This will prevent server admin access when Microsoft Entra-only authentication is enabled, and only allows the Microsoft Entra admin to access the resource. It's optional to add parameters to the APIs to include your own server admin and password during server creation. However, the password can't be reset until you disable Microsoft Entra-only authentication. An example of how to use these optional parameters to specify the server admin login name is presented in the [PowerShell](?tabs=azure-powershell#azure-sql-database) tab on this page.
45
45
46
46
> [!NOTE]
47
-
> To change the existing properties after server or managed instance creation, other existing APIs should be used. For more information, see [Managing Microsoft Entra-only authentication using APIs](authentication-azure-ad-only-authentication.md#managing-azure-ad-only-authentication-using-apis) and [Configure and manage Microsoft Entra authentication with Azure SQL](authentication-aad-configure.md).
47
+
> To change the [Microsoft Entra-only authentication](authentication-azure-ad-only-authentication.md) property after server or managed instance creation, other existing APIs should be used. For more information, see [Managing Microsoft Entra-only authentication using APIs](authentication-azure-ad-only-authentication.md#managing-azure-ad-only-authentication-using-apis).
48
48
>
49
49
> If Microsoft Entra-only authentication is set to false, which it is by default, a server admin and password will need to be included in all APIs during server or managed instance creation.
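Review bot: the rewritten note at line 47 drops the cross-reference to [Configure and manage Microsoft Entra authentication with Azure SQL](authentication-aad-configure.md) without a substitute; if that article is still where readers learn to change the property after creation, keep it as a second "For more information" link. The new inline link to authentication-azure-ad-only-authentication.md also points at the same article as the "Managing Microsoft Entra-only authentication using APIs" anchor that follows it, so one of the two links is redundant. Minor: prefer active voice, "use other existing APIs", over "other existing APIs should be used".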
> Named replicas will be automatically removed when the primary replica from which they have been created is deleted.
228
228
229
+
## Optimizing named replica configuration
230
+
231
+
It is recommended to configure the named replica with the same compute size (vCores) as the primary replica. If the primary replica experiences a heavy write workload, a named replica with a lower compute size might not be able to keep up, causing replication lag. To maintain the recoverability SLAs, primary's transaction log rate can be temporarily reduced to allow its secondaries to catch up.
232
+
233
+
If you choose to create the named replica with a different compute size (vCores) than the primary, monitor the log IO rate on the primary over time. This helps estimate the minimal compute size required for the named replica to sustain the replication load. For more information, consider the following objects:
234
+
235
+
- The [sys.dm_hs_database_log_rate()](/sql/relational-databases/system-dynamic-management-views/sys-dm-hs-database-log-rate) dynamic management function (DMF) provides additional details to help understand log rate reduction, if any. It can indicate which specific secondary replica is behind in applying log records and the total size of the unapplied transaction log.
236
+
- To retrieve historical log IO data, use [sys.resource_stats](/sql/relational-databases/system-catalog-views/sys-resource-stats-azure-sql-database) view.
237
+
- For recent log IO data with higher granularity that better reflects short-term spikes, use [sys.dm_db_resource_stats](/sql/relational-databases/system-dynamic-management-views/sys-dm-db-resource-stats-azure-sql-database).
238
+
239
+
For more information, see to the [Azure SQL Database Hyperscale Performance Diagnostics](hyperscale-performance-diagnostics.md#reduced-log-rate-waits).
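Review bot: typo at line 239, "see to the" should be "see the", and line 231 reads "primary's transaction log rate" where "the primary's transaction log rate" is needed. On substance, line 231 says the log rate "can be temporarily reduced" without saying who reduces it; the sys.dm_hs_database_log_rate() bullet at line 235 implies the service does this automatically, so state that explicitly (for example, "the service may temporarily throttle the primary's log rate") so readers don't take it as a manual step they must perform.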
azure-sql/managed-instance/native-windows-principals.md (1 addition & 1 deletion)
@@ -49,7 +49,7 @@ In order to use the **Windows** authentication metadata mode, the user environme
49
49
50
50
The **Windows** authentication metadata mode helps modernize authentication for application, and unblocks migration challenges to SQL Managed Instance. Here are some common scenarios where the **Windows** authentication metadata mode can be used to address customer challenges:
51
51
52
-
- The complexities of setting up [Windows Authentication for Azure SQL Managed Instance using Microsoft Entra ID and Kerberos](winauth-azuread-setup.md).
52
+
- The overhead of migrating Windows logins to Microsoft Entra ID for [Windows authentication with Azure SQL Managed Instance using Microsoft Entra ID and Kerberos](winauth-azuread-setup.md).
53
53
- Read-only replica failovers in [Managed Instance link](managed-instance-link-feature-overview.md).
54
54
- Synchronization of [Microsoft Entra authentication for SQL Server](/sql/relational-databases/security/authentication-access/azure-ad-authentication-sql-server-overview).
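Review bot: the context line 50 still reads "modernize authentication for application", which should be "for applications"; worth fixing while this list is being edited. The new bullet at line 52 names the scenario better (migration overhead rather than setup complexity), but the list is introduced as "customer challenges", so "The overhead of migrating Windows logins to Microsoft Entra ID" stands on its own and the trailing "for [Windows authentication with Azure SQL Managed Instance using Microsoft Entra ID and Kerberos]" would read better as a separate "See ..." pointer than as a dangling prepositional phrase.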
docs/relational-databases/security/encryption/always-encrypted-enclaves-rotate-keys.md (4 additions & 0 deletions)
@@ -28,6 +28,10 @@ The below steps include links to detailed articles, depending on your rotation s
28
28
1. Provision a new key (a column master key or a column encryption key).
29
29
- To provision a new enclave-enclave enabled key, see [Provision enclave-enabled keys](always-encrypted-enclaves-provision-keys.md).
30
30
- To provision a key that isn't enclave enabled, see [Provision Always Encrypted keys using SQL Server Management Studio](configure-always-encrypted-keys-using-ssms.md) and [Provision Always encrypted keys using PowerShell](configure-always-encrypted-keys-using-powershell.md).
31
+
32
+
> [!NOTE]
33
+
> When using Azure Key Vault as the key store, multitenant customer managed key rotation is not supported. Ensure that the new customer managed key is in the same tenant as the existing one.
34
+
31
35
2. Replace an existing key with the new key.
32
36
- If you're rotating a column encryption key and both the source key and the target key are enclave-enabled, you can run the rotation (which involves re-encrypting your data) in-place. For more information, see [Configure column encryption in-place using Always Encrypted with secure enclaves](always-encrypted-enclaves-configure-encryption.md).
33
37
- For detailed steps for rotating keys, see [Rotate Always Encrypted keys using SQL Server Management Studio](rotate-always-encrypted-keys-using-ssms.md) and [Rotate Always Encrypted keys using PowerShell](rotate-always-encrypted-keys-using-powershell.md).
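Review bot: if the indentation shown here reflects the file, the new `> [!NOTE]` block at lines 31-34 sits at column 0 between the sub-bullets of item 1 and item 2, which closes the numbered list in Markdown so "Replace an existing key with the new key." at line 35 renders as a fresh list starting at 1; indent the `>` lines to align with the sub-bullets of item 1. While this region is being touched, fix the pre-existing "enclave-enclave enabled key" at line 29 to "enclave-enabled key", and consider hyphenating "customer-managed key" to match the Azure Key Vault documentation.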
docs/relational-databases/security/encryption/configure-always-encrypted-keys-using-powershell.md (2 additions & 2 deletions)
@@ -34,7 +34,7 @@ Step 1. Create a column master key in a key store.<br><br>**Note:** The SqlServe
34
34
Step 2. Start a PowerShell environment and import the SqlServer PowerShell module. | [Configure Always Encrypted using PowerShell](../../../relational-databases/security/encryption/configure-always-encrypted-using-powershell.md) | No | No
35
35
Step 3. Connect to your server and database. | [Connect to a database](../../../relational-databases/security/encryption/configure-always-encrypted-using-powershell.md#connectingtodatabase) | No | Yes
36
36
Step 4. Create a *SqlColumnMasterKeySettings* object that contains information about the location of your column master key. SqlColumnMasterKeySettings is an object that exists in memory (in PowerShell). Use the cmdlet that is specific to your key store. | [New-SqlAzureKeyVaultColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlazurekeyvaultcolumnmasterkeysettings)<br><br>[New-SqlCertificateStoreColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlcertificatestorecolumnmasterkeysettings)<br><br>[New-SqlCngColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlcngcolumnmasterkeysettings)<br><br>[New-SqlCspColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlcspcolumnmasterkeysettings) | No | No
37
-
Step 5. Create the metadata about the column master key in your database. | [New-SqlColumnMasterKey](/powershell/sqlserver/sqlserver/vlatest/new-sqlcolumnmasterkey)<br><br>**Note:** under the covers, the cmdlet issues the [CREATE COLUMN MASTER KEY (Transact-SQL)](../../../t-sql/statements/create-column-master-key-transact-sql.md) statement to create key metadata.| No | Yes
37
+
Step 5. Create the metadata about the column master key in your database. <br /> <br /> **Note:** We do not verify the validity of the keys or certificates used to generate the column master key. | [New-SqlColumnMasterKey](/powershell/sqlserver/sqlserver/vlatest/new-sqlcolumnmasterkey)<br><br>**Note:** under the covers, the cmdlet issues the [CREATE COLUMN MASTER KEY (Transact-SQL)](../../../t-sql/statements/create-column-master-key-transact-sql.md) statement to create key metadata.| No | Yes
38
38
Step 6. Authenticate to Azure, if your column master key is stored in Azure Key Vault. | [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) | Yes | No
39
39
Step 7. Obtain an access token for Azure Key Vaults, if your column master key is stored in Azure Key Vault. | [Get-AzAccessToken](/powershell/module/az.accounts/get-azaccesstoken) | No | No
40
40
Step 8. Generate a new column encryption key, encrypt it with the column master key and create column encryption key metadata in the database. | [New-SqlColumnEncryptionKey](/powershell/sqlserver/sqlserver/vlatest/new-sqlcolumnencryptionkey)<br><br>**Note:** Use a variation of the cmdlet that internally generates and encrypts a column encryption key.<br><br>**Note:** Under the covers, the cmdlet issues the [CREATE COLUMN ENCRYPTION KEY (Transact-SQL)](../../../t-sql/statements/create-column-encryption-key-transact-sql.md) statement to create key metadata. | Yes | Yes
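Review bot: the note added to Step 5 at line 37, "We do not verify the validity of the keys or certificates used to generate the column master key", has no clear subject and mixes first person into a reference table; name the actor and the consequence, for example "**Note:** New-SqlColumnMasterKey doesn't validate the key or certificate that the SqlColumnMasterKeySettings object points to (an expired certificate, for instance, is accepted); verify the key material before creating the metadata." Also the new cell uses `<br /> <br />` while the rest of this table uses `<br><br>`; use one form.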
@@ -194,7 +194,7 @@ Step 1. Obtain the location of the column master key and encrypted value of the
194
194
Step 2. Start a PowerShell environment and import the SqlServer module. | [Configure Always Encrypted using PowerShell](../../../relational-databases/security/encryption/configure-always-encrypted-using-powershell.md) | No | No
195
195
Step 3. Connect to your server and a database. | [Connect to a database](../../../relational-databases/security/encryption/configure-always-encrypted-using-powershell.md#connectingtodatabase) | No | Yes
196
196
Step 4. Create a SqlColumnMasterKeySettings object that contains information about the location of your column master key. SqlColumnMasterKeySettings is an object that exists in memory. | New-SqlColumnMasterKeySettings | No | No
197
-
Step 5. Create the metadata about the column master key in your database | [New-SqlColumnMasterKey](/powershell/sqlserver/sqlserver/vlatest/new-sqlcolumnmasterkey)<br>**Note:** under the covers, the cmdlet issues the [CREATE COLUMN MASTER KEY (Transact-SQL)](../../../t-sql/statements/create-column-master-key-transact-sql.md) statement to create column master key metadata. | No | Yes
197
+
Step 5. Create the metadata about the column master key in your database. <br /> <br /> **Note:** We do not verify the validity of the keys or certificates used to generate the column master key. | [New-SqlColumnMasterKey](/powershell/sqlserver/sqlserver/vlatest/new-sqlcolumnmasterkey)<br>**Note:** under the covers, the cmdlet issues the [CREATE COLUMN MASTER KEY (Transact-SQL)](../../../t-sql/statements/create-column-master-key-transact-sql.md) statement to create column master key metadata. | No | Yes
198
198
Step 6. Create the column encryption key metadata in the database. | New-SqlColumnEncryptionKey<br>**Note:** DBAs use a variation of the cmdlet that only creates column encryption key metadata.<br>Under the covers, the cmdlet issues the [CREATE COLUMN ENCRYPTION KEY (Transact-SQL)](../../../t-sql/statements/create-column-encryption-key-transact-sql.md) statement to create column encryption key metadata. | No | Yes
199
199
200
200
## Windows Certificate Store with Role Separation (Example)
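Review bot: same point as the Step 5 row in the first table: the "We do not verify" note at line 197 needs a concrete subject (the cmdlet) and the `<br /> <br />` markup differs from the `<br>` already used later in the same cell. Since this row now carries two bolded **Note:** labels (the new one and the existing "under the covers" note), consider merging them into a single note.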
docs/relational-databases/security/encryption/configure-always-encrypted-keys-using-ssms.md (4 additions & 0 deletions)
@@ -51,6 +51,10 @@ The **New Column Master Key** dialog allows you to generate a column master key
51
51
> The **Allow enclave computations** checkbox does not appear if your SQL Server instance is not correctly configured with a secure enclave.
52
52
53
53
1. Pick an existing key in your key store, or click the **Generate Key** or **Generate Certificate** button, to create a key in the key store.
54
+
55
+
> [!NOTE]
56
+
> We do not verify the validity of the keys or certificates used to generate the column master key.
57
+
54
58
1. Click **OK** and the new key appears in the list.
55
59
56
60
Once you complete the dialog, SQL Server Management Studio creates metadata for your column master key in the database. The dialog generates and issues a [CREATE COLUMN MASTER KEY (Transact-SQL)](../../../t-sql/statements/create-column-master-key-transact-sql.md) statement.
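Review bot: the new `> [!NOTE]` at lines 54-57 sits between two `1.` list items; unless it is indented to belong to the "Pick an existing key" item, Markdown closes the list and "Click **OK** and the new key appears in the list." at line 58 renders as a new list starting at 1. The wording "We do not verify" should say what does not verify (the **New Column Master Key** dialog) and what the user should do instead, for example "SQL Server Management Studio doesn't validate the selected key or certificate; confirm the certificate is valid (for example, not expired) before you click **OK**."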
|Step 1. Create a new column master key in a key store.<br><br>**Note:** The SqlServer PowerShell module doesn't support this step. To accomplish this task from the command-line, you need to use tools that are specific for your key store. | [Create and store column master keys for Always Encrypted](../../../relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted.md)| Yes | No
32
+
|Step 1. Create a new column master key in a key store.<br /> <br />**Note:** The SqlServer PowerShell module doesn't support this step. To accomplish this task from the command-line, you need to use tools that are specific for your key store. When using Azure Key Vault as the key store, multitenant customer managed key rotation is not supported. Ensure that the new customer managed key is in the same tenant as the existing one.| [Create and store column master keys for Always Encrypted](../../../relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted.md)| Yes | No
33
33
|Step 2. Start a PowerShell environment and import the SqlServer module | [Import the SqlServer module](../../../relational-databases/security/encryption/configure-always-encrypted-using-powershell.md#importsqlservermodule) | No | No
34
34
|Step 3. Connect to your server and database. | [Connecting to a database](../../../relational-databases/security/encryption/configure-always-encrypted-using-powershell.md#connectingtodatabase) | No | Yes
35
35
|Step 4. Create a SqlColumnMasterKeySettings object that contains information about the location of your new column master key. SqlColumnMasterKeySettings is an object that exists in memory (in PowerShell). To create it, you need to use the cmdlet that is specific to your key store. |[New-SqlAzureKeyVaultColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlazurekeyvaultcolumnmasterkeysettings)<br><br>[New-SqlCertificateStoreColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlcertificatestorecolumnmasterkeysettings)<br><br>[New-SqlCngColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlcngcolumnmasterkeysettings)<br><br>[New-SqlCspColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlcspcolumnmasterkeysettings)<br> | No | No
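Review bot: the sentence added to Step 1 at line 32 says the new key must be "in the same tenant as the existing one", but in this table Step 1 creates a column master key from scratch, so there is no "existing one" unless this table describes rotation; either confirm that or move the sentence to the rotation steps. The same text now appears verbatim in several files in this commit; a single `[!NOTE]` block above the table, matching the always-encrypted-enclaves-rotate-keys.md change, would be easier to maintain than a table cell, and "customer-managed key" should be hyphenated.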
@@ -107,7 +107,7 @@ The Security Administrator generates a new column master key, re-encrypts the im
|Step 1. Obtain the location of the old column master key and the encrypted values of the corresponding column encryption keys, protected with the old column master key, from your DBA.|N/A<br>See the examples below.|No| No
110
-
|Step 2. Create a new column master key in a key store.<br><br>**Note:** The SqlServer module doesn't support this step. To accomplish this task from a command-line, you need to use the tools that are specific the type of your key store.|[Create and store column master keys for Always Encrypted](../../../relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted.md)| Yes | No
110
+
|Step 2. Create a new column master key in a key store.<br /> <br />**Note:** The SqlServer module doesn't support this step. To accomplish this task from a command-line, you need to use the tools that are specific the type of your key store. When using Azure Key Vault as the key store, multitenant customer managed key rotation is not supported. Ensure that the new customer managed key is in the same tenant as the existing one.|[Create and store column master keys for Always Encrypted](../../../relational-databases/security/encryption/create-and-store-column-master-keys-always-encrypted.md)| Yes | No
111
111
|Step 3. Start a PowerShell environment and import the SqlServer module. | [Import the SqlServer module](../../../relational-databases/security/encryption/configure-always-encrypted-using-powershell.md#importsqlservermodule) | No | No
112
112
|Step 4. Create a SqlColumnMasterKeySettings object that contains information about the location of your **old** column master key. SqlColumnMasterKeySettings is an object that exists in memory (in PowerShell). |New-SqlColumnMasterKeySettings| No | No
113
113
|Step 5. Create a SqlColumnMasterKeySettings object that contains information about the location of your **new** column master key. SqlColumnMasterKeySettings is an object that exists in memory (in PowerShell). To create it, you need to use the cmdlet that is specific to your key store. | [New-SqlAzureKeyVaultColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlazurekeyvaultcolumnmasterkeysettings)<br><br>[New-SqlCertificateStoreColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlcertificatestorecolumnmasterkeysettings)<br><br>[New-SqlCngColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlcngcolumnmasterkeysettings)<br><br>[New-SqlCspColumnMasterKeySettings](/powershell/sqlserver/sqlserver/vlatest/new-sqlcspcolumnmasterkeysettings)| No | No
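Review bot: the context at line 110 has a pre-existing typo, "specific the type of your key store", which should be "specific to the type of your key store"; since this cell is rewritten in this hunk, fix it here. The Azure Key Vault tenant sentence does belong in this rotation table (there are "old" and "new" keys at Steps 4 and 5), but it is also duplicated in the Step 1 row of the other table in this commit; keep it in one place and link to it from the other.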