SQL + AI: Get ready for a fun new experience, launching next week!
The SQL community is leveling up! We’re launching a lightweight, beginner friendly SQL + AI contest designed to spark awareness of SQL Server 2025’s new AI capabilities—from connecting to an AI model, to generating embeddings, to exploring what’s possible when natural language intelligence meets your database. Building on the momentum, each week in February unlocks a new chapter of the story - from your first steps connecting SQL to AI, to exploring embeddings, to experimenting with lightweight RAG patterns, and finally orchestrating full end-to-end workflows. This will be hands-on, guided, and fun! You don’t need to be an AI expert to participate. Each challenge builds on the last, helping you discover what’s possible when SQL’s new capabilities meet real world scenarios — all in a fun, approachable format designed to spark curiosity and get people talking. Join us for some SQL fun starting next week, February 5th! Stay tuned to this post for more details! Get ready to build, discover, and play. SQL + AI is here.
Announcing SQLCon 2026: Better Together with FabCon!
We’re thrilled to unveil SQLCon 2026, the premier Microsoft SQL Community Conference, co-located with the Microsoft Fabric Community Conference (FabCon) from March 16–20, 2026! This year, we’re bringing the best of both worlds under one roof—uniting the vibrant SQL and Fabric communities for a truly next-level experience. Whether you’re passionate about SQL Server, Azure SQL, SQL in Fabric, SQL Tools, migration and modernization, database security, or building AI-powered apps with SQL, SQLCon 2026 has you covered. Dive into 50+ breakout sessions and 4 expert-led workshops designed to help you optimize, innovate, and connect. Why are SQLCon + FabCon better together? One registration, double the value: Register for either conference and get full access to both—mix and match sessions, keynotes, and community events to fit your interests. Shared spaces, shared energy: Enjoy the same expo hall, registration desk, conference app, and community lounge. Network with peers across the data platform spectrum. Unforgettable experiences: Join us for both keynotes at the State Farm Arena and celebrate at the legendary attendee party at the Georgia Aquarium. Our goal is to reignite the SQL Community spirit—restoring the robust networks, friendships, and career-building opportunities that make this ecosystem so special. SQLCon is just the beginning of a renewed commitment to connect at conferences, user groups, online, and at regional events. Early Access Pricing Extended! Register by November 14th and save $200 with code SQLCMTY200. Register Now! Want to share your expertise? The Call for Content is open until November 20th for both conferences! Let’s build the future of data—together. See you at SQLCon + FabCon!SQL Server 2025 is Now Generally Available
Today at Ignite, we announce the general availability of SQL Server 2025. This marks the latest milestone in the more than 30-year history of SQL Server. It is also a key part of our commitment to the one consistent SQL promise, delivering consistent experience across on-premises, cloud, and SaaS environments, with one engine and one unified platform. Built on SQL Server’s foundation of best-in-class security, performance and availability, SQL Server 2025 is the AI-ready enterprise database and it redefines what's possible for enterprise data. With built-in AI and developer-first enhancements, SQL Server 2025 empowers customers to accelerate AI innovation using the data they already have, securely and at scale, all within SQL Server using the familiar T-SQL language. SQL Server 2025 is designed to meet customers where they are, whether on-premises, in the cloud, or in hybrid environments, helping you build intelligent, secure, scalable, and consistent solutions that drive real business outcomes. SQL Server 2025 is experiencing significant momentum, as evidenced by 10,000 organizations participating in the public preview and 100,000 active SQL Server 2025 databases. Leading customers like Mediterranean Shipping Company (MSC), Infios, and Buhler are already advancing with SQL Server 2025, supported by a robust ecosystem of technology partners including AMD, Canonical, HPE, Lenovo, NVIDIA, Pure Storage and Red Hat. Key Innovations in SQL Server 2025 AI built-in AI is now integrated directly into the SQL Server engine, enabling advanced semantic search for deeper insights and natural language experiences across enterprise data. Model management is built into T-SQL, supporting seamless integration with Microsoft Foundry, Azure OpenAI Service, OpenAI, Ollama, and more—deployable securely anywhere, from on premises to the cloud. Developers can easily switch between models without changing code, and essential AI building blocks like vector embedding, text chunking, and DiskANN indexing are natively supported. Integration with frameworks such as LangChain and Semantic Kernel accelerates AI-powered app development. At Ivanti, our mission is to elevate human potential by managing, protecting, and automating technology to drive continuous innovation. SQL Server 2025 plays a crucial role in helping us achieve this goal. By harnessing the advanced capabilities of SQL Server 2025 and Azure OpenAI, we are building intelligent, agentic tools that empower customers to access knowledge and resolve incidents faster. Sirjad Parakkat, Vice President, AI Engineering | Ivanti Made for developers This release is the most significant for SQL developers in a decade, streamlining development and boosting productivity. Native JSON support, REST APIs,RegEx and Fuzzy string match enable richer data enrichment and validation. Change event streaming allows real-time, event-driven applications by streaming changes directly from transaction to Azure Event Hubs, reducing resource overhead compared to CDC. SQL Tooling SQL Server 2025 delivers major updates across the data platform. SQL Server Management Studio (SSMS 22) is now generally available, offering official support for SQL Server 2025, enhanced AI assistance, and ARM64 support. SSMS 22 also includes AI assistance when you install the GitHub Copilot workload, which leverages the same GitHub subscription you use with GitHub Copilot in Visual Studio or VS Code. The Microsoft Python Driver for SQL Server (mssql-python) is generally available, providing a modern, high-performance connector with Entra ID authentication. "SQL Server 2025 offers two major functionalities which are very important to us and will bring SQL Server into the future – native API calls and RAG. In the past we’ve had to use custom assemblies for making API calls, which can be a huge problem when you have to make hundreds of thousands of API calls and the remote systems are slow to respond, creating large queues and high CPU load in SQL. With RAG and vector search, we can now implement countless AI possibilities, making data searchable in ways previously impossible.” Alex Ivanov, CTO, eDynamix Best-in-class security, performance, and availability SQL Server 2025 builds on its foundation as the most secure database in the last decade, introducing modern identity and encryption practices, including Microsoft Entra managed identities for improved credential management. Optimized locking reduces lock memory consumption, minimizes blocking, and boosts concurrency. Tempdb space resource governance improves server reliability. Optional parameter plan optimization makes query performance more stable. SQL Server 2025 continues to strengthen its mission-critical capabilities with enhancements to Always On availability groups (AGs) and disaster recovery options. The focus is on faster failover, improved diagnostics, and hybrid flexibility. Preliminary benchmarks show SQL Server 2025 running on AMD EPYC processors with HPE hardware delivers measurable gains in performance and value. For performance, the 10TB workload sets a new record for SQL Server. In price-performance, SQL Server 2025 achieves a 4% improvement in the 3TB category compared to previous results. “At Infios, we are very excited about several new features in SQL Server 2025 and the vast amount of opportunities for performance improvements. We are most excited about the optimized locking feature and how that can drastically help reduce locking across our customers and all their unique workloads. Optional Parameter Plan Optimization (OPPO) could also be huge for us with SQL Server being able to reduce parameter sniffing issues. Persisted statistics on secondary replicas will also be beneficial for the rare occurrence that we have a failover event. While we’ve been pleased with all the improvements to tempdb in previous versions, resource governance to prevent runaway queries and consuming large amounts of disk space in SQL 2025 is a big improvement for us. ” Tim Radney, SaaS Operations Manager, Infios Cloud agility through Azure and Fabric SQL Server 2025 enhances cloud agility with support for database mirroring in Fabric, enabling near real-time analytics with zero-ETL and offloading analytical workloads. Azure Arc integration continues to provide unified management, security, and governance for SQL estates across on-premises and cloud environments, empowering organizations to scale and modernize with confidence. “With Fabric Mirroring in SQL Server 2025, ExponentHR can effortlessly mirror numerous datasets to fabric, enabling near real-time analytics. This technology has alleviated the need for expensive and complex ETL operations and enables more productivity for our customers. Thanks to SQL Server 2025’s built-in cloud connectivity, we can directly process large amounts of data efficiently and overcome traditional bottlenecks.” -- Brent Carlson, IT Manager, ExponentHR SQL Server 2025 on Linux SQL Server 2025 on Linux introduces several important enhancements. Security is strengthened with TLS 1.3 support, custom password policies, and signed container images. Platform support expands to include RHEL 10 and Ubuntu 24.04, while performance is improved through tmpfs support for tempdb and container-based deployments. Advanced analytics are enabled with generic ODBC data source support via PolyBase. Developer experience is streamlined with Visual Studio Code integration for local container deployment using the mssql extension and validated deployment patterns in partnership with Red Hat, supporting modern workloads and AI scenarios across hybrid environments. "The work we’re doing with Microsoft to optimize SQL Server on Red Hat Enterprise Linux is a powerful testament to the strength of our collaboration. With the new features in SQL Server, including support for Red Hat Enterprise Linux 10 and enabling streamlined deployment via Red Hat Ansible Automation Platform, we are making it easier than ever for customers to deploy and manage this critical workload across the hybrid cloud. This collaboration extends beyond just enabling core performance to deliver innovative, validated patterns, such as leveraging Red Hat Enterprise Linux AI with SQL Server for retrieval-augmented generation (RAG) and generative AI scenarios, and providing a more consistent experience for customers, whether they are deploying via the Azure Marketplace or on-premises. Our mutual goal is to minimize complexity, increase confidence and help enterprises harness the full potential of their data and AI investments on a trusted, open foundation." - Gunner Hellekson, Vice President and General Manager, Red Hat Enterprise Linux, Red Hat SQL Server 2025 on Azure Virtual Machines Run SQL Server 2025—any edition, Standard, Enterprise, Enterprise Developer, or the new Standard Developer Edition—on Azure Virtual Machines, using optimized VM families like Mbdsv3, Ebdsv5/6, and FXmdsv2 for high performance. Pair with Premium SSD v2 or Ultra Disk storage to achieve fast throughput, low latency, and excellent scalability. Deploy quickly from the Azure portal with features including configurable settings, flexible licensing, storage setup for data, logs, and tempdb, automated patching, and Best Practice Assessment (BPA). Get started today to leverage SQL Server 2025 and Azure’s high performance and flexibility. Preview Features & Flexibility In SQL Server 2025, customers can explore new database features using an opt-in mechanism through database-scoped configurations. Certain features, such as vector indexes, are introduced this way, allowing customers to try them in preview even while SQL Server is generally available. These features will become fully available in a future SQL Server 2025 update, at which point the database-scoped configuration will no longer be required. Our goal is to make preview features generally available within approximately 12 months, guided by customer feedback and our commitment to delivering high-quality experiences. Learn more. Product Changes SQL Server 2025 brings important changes to the product lineup. Standard edition changes: Resource limits have increased to support up to 32 cores and 256 GB of memory. Resource governor is now available in Standard edition. The newly launched Standard Developer edition offers full feature parity with the Standard edition, enabling development and testing that mirrors production environment capabilities. Power BI Report Server entitlement is now included for all editions except the Express edition, adding value for customers. Express edition changes: The maximum database size is now increased to 50 GB per database. The Express Advanced mode has been consolidated into a single, unified SQL Express edition, featuring all feature capabilities that were available in Express Advanced. Discontinuing Web edition in SQL Server 2025 release: SQL Server 2022 is the final version of the Web edition, with SQL Server 2022 Web edition remaining supported until January 2033 in line with Microsoft’s fixed lifecycle policy. If you've been using the Web edition for cost-effective web applications, now is a great time to consider migrating to Azure SQL. Azure SQL offers an affordable, scalable solution that is well-suited for modern web workloads. For multi-tenant apps, Azure SQL Database elastic pools provide flexible pricing and easy management—making the move to Azure SQL a smart choice for future growth. If you remain on-premises or use Azure SQL Virtual Machines, upgrade to the Standard edition. Modern Reporting and Analytics On-premises SQL Server Reporting Service (SSRS) consolidated into Power BI Report Server is now the default reporting solution, unifying paginated and interactive reports for all paid SQL Server licenses. Learn more. SQL Server Analysis Services 2025 introduces major performance enhancements, including improved MDX query efficiency, parallel DirectQuery execution, and visual DAX calculations for simplified modeling. It also adds new DAX functions, client library updates, and deprecates PowerPivot for SharePoint, while discontinuing HTTP access via msmdpump.dll by default. Learn more. SQL Server Integration Services (SSIS) now introduces support for the Microsoft SqlClient Data Provider in ADO.NET connection manager, enhancing connectivity and modernizing data integration workflows. Learn more. Partner Momentum Partners such as AMD, Intel, and HPE are collaborating on advanced performance and high availability solutions, including benchmark testing on AMD EPYC and Intel Xeon processors, with HPE achieving world record results for performance and price/performance. NVIDIA is working with SQL Server 2025 to enable streamlined deployment of GPU-optimized AI models using built-in REST APIs, supporting flexible AI workloads across environments. Pure Storage is delivering high availability and fast backup solutions through deep integration with SQL Server 2025, including metadata-aware snapshots and automation for simplified operations. Additionally, Microsoft works closely with partners like Canonical and Red Hat to ensure SQL Server is integrated seamlessly and operates effectively within the Linux ecosystem, providing customers with robust and reliable database solutions across a broader range of environments. Get Started Today SQL Server 2025 reaffirms Microsoft’s commitment to innovation, performance, and developer empowerment. We thank our customers, partners, and community for your ongoing support and feedback. We look forward to seeing what you build next with the AI-ready enterprise database. Download SQL Server 2025 today One consistent SQL: the launchpad from legacy to innovation Learn more through documentation and our Mechanics video Master SQL Server 2025 with a full learning path and claim your badge Get started with Azure SQL Share your feedback at SQL CommunityAnnouncing the Public Preview of mssql-python
We’re excited to announce the public preview of the mssql-python driver with new platform support and powerful features for Microsoft SQL Server and the Azure SQL family, now available on GitHub: mssql-python. Join us and contribute in shaping the future of Python connectivity with SQL Server! MacOS Support The mssql-python driver is now compatible with macOS ARM-based systems, expanding support for developers using Apple Silicon (M-Series) devices. This adds to our growing cross-platform story, and we’re not done yet — Linux support is coming soon! Connection Pooling We’ve built a robust, configurable connection pooling system to help boost performance and optimize resource usage. Key highlights: Connection Reuse: Reuses existing alive connections instead of creating new ones, improving performance. Max Pool Size Limit: Enforces a configurable maximum number of connections per pool to limit resource consumption. Idle Connection Pruning: Automatically disconnects and removes connections idle beyond a configurable timeout to free resources. Multiple Pools by Connection String: Maintains separate pools keyed by connection string, supporting multiple distinct databases/endpoints. Thread Safety: Uses mutex locking for safe concurrent access in multi-threaded environments. Connection Health Checking: Validates connections are alive before reuse and discards dead ones. Explicit Connection Reset: Resets connections before reuse to clear session state and ensure clean context. Configurable Global Pool Settings: Provides a singleton manager to configure default max pool size and idle timeout for all pools. Simple Global API: Exposes easy-to-use functions to configure pooling and acquire pooled connections. Logging: Outputs console logs for major events like creation, acquisition, release, pruning, and errors for easy debugging. Note: This feature is currently available on Windows only. macOS and Linux support is in progress. What's Next Here’s a sneak peek at what we’re working on for upcoming releases: Linux Support Connection Pooling for macOS and Linux Support for Bulk Copy for accelerated data transfer Microsoft Entra ID (formerly Azure AD) Authentication for macOS and Linux Try It and Share Your Feedback! Ready to test the latest features? We invite you to: Try it out: Check-out the mssql-python driver and integrate it into your projects. Share your thoughts: Open issues, suggest features, and contribute to the project. Join the conversation: GitHub Discussions | SQL Server Tech Community. We look forward to your feedback and collaboration!
SQL Server 2025: introducing tempdb space resource governance
An old problem Since the early days of SQL Server, DBAs had to contend with a common problem – running out of space in the tempdb database. It has always struck me as odd that all I need to cause an outage on an SQL Server instance is access to the server where I can create a temp table that fills up tempdb, and there is no permission to stop me. - Erland Sommarskog (website), an independent SQL Server consultant and a Data Platform MVP Because tempdb is used for a multitude of purposes, the problem can occur without any explicit user action such as creating a temporary table. For example, executing a reporting query that spills data to tempdb and fills it up can cause an outage for all workloads using that SQL Server instance. Over the years, many DBAs developed custom solutions that monitor tempdb space and take action, for example kill sessions that consume a large amount of tempdb space. But that comes with extra effort and complexity. I have spent more hours in my career than I can count building solutions to manage TempDB space. Even with immense time and effort, there were still quirks and caveats that came up that created challenges - especially in multi-tenant environments with lots of databases and the noisy-neighbor problem. - Edward Pollack (LinkedIn), Data Architect at Transfinder and a Data Platform MVP A new solution in the SQL Server engine SQL Server 2025 brings a new solution for this old problem, built directly into the database engine. Starting with the CTP 2.0 release, you can use resource governor, a feature available since SQL Server 2008, to enforce limits on tempdb space consumption. We rely on Resource Governor to isolate workloads on our SQL Server instances by controlling CPU and memory usage. It helps us ensure that the core of our trading systems remains stable and runs with predictable performance, even when other parts of the systems share the same servers. - Ola Hallengren (website), Chief Data Platforms Engineer at Saxo Bank and a Data Platform MVP Similarly, if you have multiple workloads running on your server, each workload can have its own tempdb limit, lower than the maximum available tempdb space. This way, even if one workload hits its limit, other workloads continue running. Here's an example that limits the total tempdb space consumption by queries in the default workload group to 17 GB, using just two T-SQL statements: ALTER WORKLOAD GROUP [default] WITH (GROUP_MAX_TEMPDB_DATA_MB = 17408); ALTER RESOURCE GOVERNOR RECONFIGURE; The default group is used for all queries that aren’t classified into another workload group. You can create workload groups for specific applications, users, etc. and set limits for each group. When a query attempts to increase tempdb space consumption beyond the workload group limit, it is aborted with error 1138, severity 17, Could not allocate a new page for database 'tempdb' because that would exceed the limit set for workload group 'workload-group-name'. All other queries on the server continue to execute. Setting the limits You might be asking, “How do I know the right limits for the different workloads on my servers?” No need to guess. Tempdb space usage is tracked for each workload group at all times and reported in the sys.dm_resource_governor_workload_groups DMV. Usage is tracked even if no limits are set for the workload groups. You can establish representative usage patterns for each workload over time, then set the right limits. You can reconfigure the limits over time if workload patterns change. For example, the following query lets you see the current tempdb space usage, peak usage, and the number of times queries were aborted because they would otherwise exceed the limit per workload group: SELECT group_id, name, tempdb_data_space_kb, peak_tempdb_data_space_kb, total_tempdb_data_limit_violation_count FROM sys.dm_resource_governor_workload_groups; Peak usage and the number of query aborts (limit violations) are tracked since server restart. You can reset these and other resource governor statistics to restart tracking at any time and without restarting the server by executing ALTER RESOURCE GOVERNOR RESET STATISTICS; What about the transaction log? The limits you set for each workload group apply to space in the tempdb data files. But what about the tempdb transaction log? Couldn’t a large transaction fill up the log and cause an outage? This is where another feature in SQL Server 2025 comes in. You can now enable accelerated database recovery (ADR) in tempdb to get the benefit of aggressive log truncation, and drastically reduce the possibility of running out of log space in tempdb. For more information, see ADR improvements in SQL Server 2025. Learn more For more information about tempdb space resource governance, including examples, best practices, and the details of how it works, see Tempdb space resource governance in documentation. If you haven’t used resource governor in SQL Server before, here’s a good starting point: Tutorial: Resource governor configuration examples and best practices. Conclusion SQL Server 2025 brings a new, built-in solution for the age-old problem of tempdb space management. You can now use resource governor to set limits on tempdb usage and avoid server-wide outages because tempdb ran out of space. We are looking forward to your feedback on this and other SQL Server features during the public preview of SQL Server 2025 and beyond. You can leave comments on this blog post, email us at sql-rg-feedback@microsoft.com, or leave feedback at https://aka.ms/sqlfeedback.Writing a great session abstract for FabCon & SQLCon
Important Dates FabCon/SQLCon Europe in Barcelona, runs 2026 September 28 - Oct 1, 2026 Workshop Call for Content open Feb 17, 2026 to March 23, 2026 Breakout Session Call for Content open Feb 17, 2026 to April 17, 2026 When submitting a session to a conference, consider the following: Title: The title should answer the attendee's question what's in it for me? Why should I attend this session? Is it going to make me better at my job? Will it save my company money? Will it make my reports more organized or my database faster, more secure or modern? The title needs to make sense; it needs to inform. It doesn't need to be funny or contain a dad joke. It CAN, but that's secondary. It shouldn't just be the name of a product or even "Learn [product name]" because you can't teach me everything about it in 60 minutes or less. Abstract: The abstract should contain 3 things: It should define the problem you're trying to solve. It should introduce the solution. It should briefly describe what they'll learn about the solution. In the time allotted. The problem can be that the attendee doesn’t know how to create great visuals, performance tune, connect to Lakehouse, etc. If so, consider titles like “Creating Great Visuals Using...”, “Cutting Costs by Optimizing Your...”, or “Understanding Governance in…” The abstract can introduce a new feature or concept. If so, then the problem is "there's a new thing that you don't know about yet." The solution is "this feature does X, Y & Z." Then tell them that they'll learn everything about X or a little bit about X, Y & Z. If you include an acronym, make sure you spell it out first. Not everyone is going to know what it means, and you don't want only a room full of attendees that already know everything. Avoid using many buzz words in you title or abstract. Drop it into Copilot for a final check and use prompts to help improve your work. Use "make it more precise" if it's over the character count. Tey "make it more professional" if you think it's more casual than you intended. Final check: Before you hit submit, run your abstract by a friend. Does it make sense to the technical and/or non-technical? Do the grammar & spelling check out? With allowances for English not being your 1st language, the abstract should show that you can effectively communicate the topic to an audience. Does the level assigned match the abstract? Is it in the right track? Most calls for content provide definitions on what's a good fit for content in each topic. You can find the topic definitions for FabCon/SQLCon Europe here. Can you do ALL THIS in 60 minutes? Does it fit within the character count? Lastly, a few "don'ts" Don't include your name in the abstract if you know the review is done blind. Don't add it to every category or track. Be mindful. Don't email organizers to say you've submitted a session. They know. Don't demand feedback the very day you're declined. Well, never demand it, but waiting a week to politely ask never hurts. Respect the decision if they aren’t able to offer you feedback. Remember that 800 people might be asking the same question. Don't be entitled. No one *stole* your spot. It was never yours to begin with. Don't use AI to write your entire abstract. Reviewers typically know when it's not written by a human or there are tools that help them check. If you can't convey a concept on your own in 400 characters, how can we trust that you can speak on the concept for a full hour?
Run a SQL Query with Azure Arc
Hi All, In this article, you can find a way to retrieve database permission from all your onboarded databases through Azure Arc. This idea is born from a customer request around maintaining a standard permission set, in a very wide environment (about 1000 SQL Server). This solution is based on Azure Arc, so first you need to onboard your SQL Server to Azure Arc and enable the SQL Server extension. If you want to test Azure Arc in a test environment, you can use the Azure Jumpstart, in this repo you will find ready-to-deploy arm templates the deploy demos environments. The other solution components are an automation account, log analytics and a Data collection rule \ endpoint. Here you can find a little recap of the purpose of each component: Automation account: with this resource you can run and schedule a PowerShell script, and you can also store the credentials securely Log Analytics workspace: here you will create a custom table and store all the data that comes from the script Data collection Endpoint / Data Collection Rule: enable you to open a public endpoint to allow you to ingest collected data on Log analytics workspace In this section you will discover how I composed the six phases of the script: Obtain the bearer token and authenticate on the portal: First of all you need to authenticate on the azure portal to get all the SQL instance and to have to token to send your assessment data to log analytics $tenantId = "XXXXXXXXXXXXXXXXXXXXXXXXXXX" $cred = Get-AutomationPSCredential -Name 'appreg' Connect-AzAccount -ServicePrincipal -Tenant $tenantId -Credential $cred $appId = $cred.UserName $appSecret = $cred.GetNetworkCredential().Password $endpoint_uri = "https://sampleazuremonitorworkspace-weu-a5x6.westeurope-1.ingest.monitor.azure.com" #Logs ingestion URI for the DCR $dcrImmutableId = "dcr-sample2b9f0b27caf54b73bdbd8fa15908238799" #the immutableId property of the DCR object $streamName = "Custom-MyTable" $scope= [System.Web.HttpUtility]::UrlEncode("https://monitor.azure.com//.default") $body = "client_id=$appId&scope=$scope&client_secret=$appSecret&grant_type=client_credentials"; $headers = @{"Content-Type"="application/x-www-form-urlencoded"}; $uri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" $bearerToken = (Invoke-RestMethod -Uri $uri -Method "Post" -Body $body -Headers $headers).access_token Get all the SQL instances: in my example I took all the instances, you can also use a tag to filter some resources, for example if a want to assess only the production environment you can use the tag as a filter $servers = Get-AzResource -ResourceType "Microsoft.AzureArcData/SQLServerInstances" When you have all the SQL instance you can run your t-query to obtain all the permission , remember now we are looking for the permission, but you can use for any query you want or in other situation where you need to run a command on a generic server $SQLCmd = @' Invoke-SQLcmd -ServerInstance . -Query "USE master; BEGIN IF LEFT(CAST(Serverproperty('ProductVersion') AS VARCHAR(1)),1) = '8' begin IF EXISTS (SELECT TOP 1 * FROM tempdb.dbo.sysobjects (nolock) WHERE name LIKE '#TUser%') begin DROP TABLE #TUser end end ELSE begin IF EXISTS (SELECT TOP 1 * FROM tempdb.sys.objects (nolock) WHERE name LIKE '#TUser%') begin DROP TABLE #TUser end end CREATE TABLE #TUser (DBName SYSNAME,[Name] SYSNAME,GroupName SYSNAME NULL,LoginName SYSNAME NULL,default_database_name SYSNAME NULL,default_schema_name VARCHAR(256) NULL,Principal_id INT); IF LEFT(CAST(Serverproperty('ProductVersion') AS VARCHAR(1)),1) = '8' INSERT INTO #TUser EXEC sp_MSForEachdb ' SELECT ''?'' as DBName, u.name As UserName, CASE WHEN (r.uid IS NULL) THEN ''public'' ELSE r.name END AS GroupName, l.name AS LoginName, NULL AS Default_db_Name, NULL as default_Schema_name, u.uid FROM [?].dbo.sysUsers u LEFT JOIN ([?].dbo.sysMembers m JOIN [?].dbo.sysUsers r ON m.groupuid = r.uid) ON m.memberuid = u.uid LEFT JOIN dbo.sysLogins l ON u.sid = l.sid WHERE (u.islogin = 1 OR u.isntname = 1 OR u.isntgroup = 1) and u.name not in (''public'',''dbo'',''guest'') ORDER BY u.name ' ELSE INSERT INTO #TUser EXEC sp_MSforeachdb ' SELECT ''?'', u.name, CASE WHEN (r.principal_id IS NULL) THEN ''public'' ELSE r.name END GroupName, l.name LoginName, l.default_database_name, u.default_schema_name, u.principal_id FROM [?].sys.database_principals u LEFT JOIN ([?].sys.database_role_members m JOIN [?].sys.database_principals r ON m.role_principal_id = r.principal_id) ON m.member_principal_id = u.principal_id LEFT JOIN [?].sys.server_principals l ON u.sid = l.sid WHERE u.TYPE <> ''R'' and u.TYPE <> ''S'' and u.name not in (''public'',''dbo'',''guest'') order by u.name '; SELECT DBName, Name, GroupName,LoginName FROM #TUser where Name not in ('information_schema') and GroupName not in ('public') ORDER BY DBName,[Name],GroupName; DROP TABLE #TUser; END" '@ $command = New-AzConnectedMachineRunCommand -ResourceGroupName "test_query" -MachineName $server1 -Location "westeurope" -RunCommandName "RunCommandName" -SourceScript $SQLCmd In a second, you will receive the output of the command, and you must send it to the log analytics workspace (aka LAW). In this phase, you can also review the output before sending it to LAW, for example, removing some text or filtering some results. In my case, I’m adding the information about the server where the script runs to each record. $array = ($command.InstanceViewOutput -split "r?n" | Where-Object { $.Trim() }) | ForEach-Object { $line = $ -replace '\', '\\' ù$array = $array | Where-Object { $_ -notmatch "DBName,Name,GroupName,LoginName" } | Where-Object {$_ -notmatch "------"} The last phase is designed to send the output to the log analytics workspace using the dce \ dcr. $staticData = @" [{ "TimeGenerated": "$currentTime", "RawData": "$raw", }]"@; $body = $staticData; $headers = @{"Authorization"="Bearer $bearerToken";"Content-Type"="application/json"}; $uri = "$endpoint_uri/dataCollectionRules/$dcrImmutableId/streams/$($streamName)?api-version=2023-01-01" $rest = Invoke-RestMethod -Uri $uri -Method "Post" -Body $body -Headers $headers When the data arrives in log analytics workspace, you can query this data, and you can create a dashboard or why not an alert. Now you will see how you can implement this solution. For the log analytics, dce and dcr, you can follow the official docs: Tutorial: Send data to Azure Monitor Logs with Logs ingestion API (Resource Manager templates) - Azure Monitor | Microsoft Learn After you create the dcr and the log analytics workspace with its custom table. You can proceed with the Automation account. Create an automation account using the creating wizard You can proceed with the default parameter. When the Automation Account creation is completed, you can create a credential in the Automation Account. This allows you to avoid the exposition of the credential used to connect to Azure You can insert here the enterprise application and the key. Now you are ready to create the runbook (basically the script that we will schedule) You can give the name you want and click create. Now go in the automation account than Runbooks and Edit in Portal, you can copy your script or the script in this link. Remember to replace your tenant ID, you will find in Entra ID section and the Enterprise application You can test it using the Test Pane function and when you are ready you can Publish and link a schedule, for example daily at 5am. Remember, today we talked about database permissions, but the scenarios are endless: checking a requirement, deploying a small fix, or removing/adding a configuration — at scale. At the end, as you see, Azure Arc is not only another agent, is a chance to empower every environment (and every other cloud provider 😉) with Azure technology. See you in the next techie adventure. **Disclaimer** The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
Managed Identity support for Azure Key Vault in SQL Server running on Linux
We are happy to announce that, you can now use Managed Identity to authenticate to Azure Key Vault from SQL Server running on Azure VM (Linux) available from SQL Server 2022 CU18 onwards. This blog will walk you through the process of using a user-assigned managed identity to access Azure Key Vault and configure Transparent Data Encryption(TDE) for a SQL database. Managed Identity: Microsoft Entra ID, formerly Azure Active Directory, provides an automatically managed identity to authenticate to any Azure service that supports Microsoft Entra authentication, such as Azure Key Vault, without exposing credentials in the code. Refer Managed identities for Azure resources - Managed identities for Azure resources | Microsoft Learn for more details. VM Setup and Prerequisites: Before diving into the setup, it's essential to ensure that your Azure Linux VM has SQL Server installed and that the VM has identities assigned with the necessary key vault permissions. Set up SQL Server running on Azure Linux VM. Refer SQL Server on RHEL VM in Azure: RHEL: Install SQL Server on Linux - SQL Server | Microsoft Learn, SQL Server on SLES VM in Azure: SUSE: Install SQL Server on Linux - SQL Server | Microsoft Learn, SQL Server on Ubuntu VM in Azure: Ubuntu: Install SQL Server on Linux - SQL Server | Microsoft Learn for more details. Create user-assigned Managed Identity. Refer https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal for more details. Go to Azure Linux VM resource in the Azure portal and click on Identity tab under security blade. Go to the User assigned tab in the right side panel and click on Add. Select the user-assigned managed identity and click on Add. Create a Key Vault and Keys. Refer Integrate Key Vault with SQL Server on Windows VMs in Azure (Resource Manager) - SQL Server on Azure VMs | Microsoft Learn for more details. Assign Key Vault Crypto Service Encryption User role to the user-assigned managed identity to perform wrap and unwrap operations. Go to the key vault resource that you created, and select the Access control (IAM)setting. Select Add> Add role assignment. Search for Key Vault Crypto Service Encryption User and select the role. Select Next. In the Members tab, select Managed identity option and click on Select members option, and then search for the user-assigned managed identity that you created in Step 3. Select the managed identity and then click on Select button. Setting the primary identity on Azure Linux VM To set the managed identity as the primary identity for Azure Linux VM, you can use the mssql-conf tool packaged with SQL Server. Here are the steps: Use the mssql-conf tool to manually set the primary identity. Run the following commands: sudo /opt/mssql/bin/mssql-conf set network.aadmsiclientid <client id of the managed identity> sudo /opt/mssql/bin/mssql-conf set network.aadprimarytenant <tenant id> 3. Restart the SQL Server: sudo systemctl restart mssql-server Enable TDE using EKM and managed identity: Refer Managed Identity Support for Extensible Key Management (EKM) with Azure Key Vault (AKV) - SQL Server on Azure VMs | Microsoft Learn for configuration steps for Azure Windows VM. These steps remain same for SQL Server running on an Azure Linux VM. 1.Enable EKM in SQL Server running on the Azure VM. 2.Create credential and encrypt the database. When using the CREATE CREDENTIAL command in this context, you only need to provide the 'Managed Identity' in the IDENTITY argument. Unlike earlier scenarios, you do not need to include a SECRET argument. This simplifies the process and enhances security by not requiring a secret to be passed. Conclusion: Using managed identity to access Azure Key Vault in SQL Server running on an Azure Linux VM boosts security, streamlines key management, and supports compliance. With data protection being paramount, Azure Key Vault’s integration along with managed identity offers a robust solution. Stay tuned for more insights on SQL Server on Linux! Official Documentation: Managed Identity Support for Extensible Key Management (EKM) with Azure Key Vault (AKV) - SQL Server on Azure VMs | Microsoft Learn Extensible Key Management using Azure Key Vault - SQL Server Setup Steps for Extensible Key Management Using the Azure Key Vault Azure Key Vault Integration for SQL Server on Azure VMsAnnouncing Public Preview of DiskANN in SQL Server 2025
We are excited to announce the public preview of DiskANN in SQL Server 2025, a significant advancement in our AI capabilities. This release comes with full vector support, enabling the storing and querying of embeddings, which are essential for modern AI applications.
