MicrosoftDocs
diff --git a/‎azure-sql/database/auditing-overview.md‎
Lines changed: 10 additions & 10 deletions b/‎azure-sql/database/auditing-overview.md‎
Lines changed: 10 additions & 10 deletions
diff --git a/‎azure-sql/managed-instance/aad-security-configure-tutorial.md‎
Lines changed: 1 addition & 1 deletion b/‎azure-sql/managed-instance/aad-security-configure-tutorial.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎azure-sql/managed-instance/auditing-configure.md‎
Lines changed: 18 additions & 54 deletions b/‎azure-sql/managed-instance/auditing-configure.md‎
Lines changed: 18 additions & 54 deletions
@@ -4,8 +4,8 @@ titleSuffix: Azure SQL Database and Azure Synapse Analytics
 description: SQL Auditing for Azure SQL Database and Azure Synapse Analytics tracks database events and writes them to an audit log in your Azure storage account, Log Analytics workspace, or Event Hubs.
 author: WilliamDAssafMSFT
 ms.author: wiassaf
-ms.reviewer: srsaluru, vanto, mathoma
-ms.date: 03/30/2026
+ms.reviewer: peskount, srsaluru, vanto, mathoma
+ms.date: 04/15/2026
 ms.service: azure-sql-database
 ms.subservice: security
 ms.topic: concept-article
@@ -56,11 +56,11 @@ You can use SQL Database auditing to:
 
 ### Recommended auditing approach for large OLTP workloads
 
-For environments with many databases running heavy OLTP workloads, using server‑level auditing with default settings can lead to very large audit volumes across the logical server. Since all events from all databases are written into the same audit folder, querying audit logs for a single database becomes slow and operationally expensive. To improve performance and reduce noise:
+For environments with many databases running heavy OLTP workloads, using server-level auditing with default settings can lead to very large audit volumes across the logical server. Since all events from all databases are written into the same audit folder, querying audit logs for a single database becomes slow and operationally expensive. To improve performance and reduce noise:
+
+   - **Switch to database-level auditing**. Each database writes to its own audit log folder, reducing the total volume scanned and making retrieval faster.
+   - **Review the audit configuration**. Determine whether capturing all batch-completed events is necessary, or if a custom filtered configuration can meet your security and compliance requirements.
 
-   - **Switch to database‑level auditing**. Each database writes to its own audit log folder, reducing the total volume scanned and making retrieval faster.
-   - **Review the audit configuration**. Determine whether capturing all batch‑completed events is necessary, or if a custom filtered configuration can meet your security and compliance requirements.
-    
 ## Auditing limitations
 
 - Enabling auditing on a paused **Azure Synapse SQL pool** isn't supported. To enable auditing, resume the **Synapse SQL pool**.
@@ -69,7 +69,7 @@ For environments with many databases running heavy OLTP workloads, using server
 
 > [!NOTE]
 > For Azure Synapse Analytics, auditing to a storage account behind a VNet requires the server's **system-assigned managed identity** with the **Storage Blob Data Contributor** role. User-assigned managed identities (UAMI) aren't supported for Synapse auditing. If you need to audit to a storage account that uses Microsoft Entra-only authentication, configure the system-assigned managed identity on the server and grant it the Storage Blob Data Contributor role on the target storage account. For more information, see [Write audit to a storage account behind VNet and firewall](audit-write-storage-account-behind-vnet-firewall.md).
-- Due to performance constraints, we don't audit the **tempdb** and **temporary tables**. While the batch completed action group captures statements against temporary tables, it might not correctly populate the object names. However, the source table is always audited, ensuring that all inserts from the source table to temporary tables are recorded.
+- Due to performance constraints, we don't audit the `tempdb` and **temporary tables**. While the batch completed action group captures statements against temporary tables, it might not correctly populate the object names. However, the source table is always audited, ensuring that all inserts from the source table to temporary tables are recorded.
 - Auditing for **Azure Synapse SQL pools** supports default audit action groups **only**.
 - When you configure auditing for a [logical server in Azure](logical-servers.md) or Azure SQL Database with the log destination as a storage account, the authentication mode must match the configuration for that storage account. If using storage access keys as the authentication type, the target storage account must be enabled with access to the storage account keys. If the storage account is configured to only use authentication with Microsoft Entra ID ([formerly Azure Active Directory](/entra/fundamentals/new-name)), auditing can be configured to use managed identities for authentication.
 
@@ -79,8 +79,9 @@ For environments with many databases running heavy OLTP workloads, using server
 
 ## Remarks
 
+- Events initiated by `SQLDBControlPlaneFirstPartyApp` in the Activity log are an internal Azure function of the [Azure SQL Database control plane](/azure/azure-resource-manager/management/control-plane-and-data-plane#control-plane). Events initiated by `SQLDBControlPlaneFirstPartyApp` are part of an internal synchronization operation between the SQL engine and Azure Resource Manager. These events are a normal part of Azure SQL Database management and are required for correct resource representation and operation in Azure.
 - **Premium storage** with **BlockBlobStorage** is supported. Standard storage is supported. However, for audit to write to a storage account behind a virtual network or firewall, you must have a **general-purpose v2 storage account**. If you have a general-purpose v1 or Blob Storage account, [upgrade to a general-purpose v2 storage account](/azure/storage/common/storage-account-upgrade). For specific instructions see, [Write audit to a storage account behind VNet and firewall](audit-write-storage-account-behind-vnet-firewall.md). For more information, see [Types of storage accounts](/azure/storage/common/storage-account-overview#types-of-storage-accounts).
-- When customers enable SQL auditing and also configure **outbound networking** restrictions, they must allow list the fully qualified domain names of their auditing storage account to ensure audit events can successfully reach the destination. If the storage endpoint isn't allowlisted, audit traffic is blocked, resulting in audit event loss. After adding the required storage account FQDNs to the allow list, customers must **re‑save** their auditing configuration to resume normal audit event flow.
+- When customers enable SQL auditing and also configure **outbound networking** restrictions, they must allow list the fully qualified domain names of their auditing storage account to ensure audit events can successfully reach the destination. If the storage endpoint isn't allowlisted, audit traffic is blocked, resulting in audit event loss. After adding the required storage account FQDNs to the allow list, customers must **re-save** their auditing configuration to resume normal audit event flow.
 - **Hierarchical namespace** for all types of **standard storage account** and **premium storage account with BlockBlobStorage** is supported.
 - Audit logs are written to **Append Blobs** in an Azure Blob Storage on your Azure subscription
 - Audit logs are in .xel format and can be opened with [SQL Server Management Studio (SSMS)](/ssms/sql-server-management-studio-ssms).
@@ -98,5 +99,4 @@ For environments with many databases running heavy OLTP workloads, using server
 - [What's New in Azure SQL Auditing](/shows/data-exposed/server-audit-redesign-for-azure-sql-database-data-exposed)
 - [Get started with Azure SQL Managed Instance auditing](../managed-instance/auditing-configure.md)
 - [Auditing for SQL Server](/sql/relational-databases/security/auditing/sql-server-audit-database-engine)
-
-- [Set up Auditing for Azure SQL Database and Azure Synapse Analytics](auditing-setup.md)
+- [Set up Auditing for Azure SQL Database and Azure Synapse Analytics](auditing-setup.md)
@@ -423,7 +423,7 @@ Cross-database queries are supported for Microsoft Entra accounts with Microsoft
 
 - SQL Agent management and job executions are supported for Microsoft Entra logins.
 - Microsoft Entra logins can execute database backup and restore operations.
-- [Auditing](auditing-configure.md) of all statements related to Microsoft Entra logins and authentication events.
+- [Auditing](auditing.md) of all statements related to Microsoft Entra logins and authentication events.
 - Dedicated administrator connection for Microsoft Entra logins that are members of the **sysadmin** server-role.
 - Microsoft Entra logins are supported with using the [sqlcmd utility](/sql/tools/sqlcmd-utility) and [SQL Server Management Studio](/ssms/sql-server-management-studio-ssms) tool.
 - Logon triggers are supported for logon events coming from Microsoft Entra logins.
 
@@ -4,7 +4,7 @@ description: Learn how to get started with Azure SQL Managed Instance auditing u
 author: sravanisaluru
 ms.author: srsaluru
 ms.reviewer: vanto, randolphwest, mathoma
-ms.date: 03/20/2026
+ms.date: 04/15/2026
 ms.service: azure-sql-managed-instance
 ms.subservice: security
 ms.topic: how-to
@@ -19,15 +19,7 @@ f1_keywords:
 
 [!INCLUDE [appliesto-sqlmi](../includes/appliesto-sqlmi.md)]
 
-This article teaches you to configure auditing for [Azure SQL Managed Instance](sql-managed-instance-paas-overview.md). Auditing tracks database events and writes them to an audit log in your Azure storage account. 
-
-Auditing also:
-
-- Helps you maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations.
-- Enables and facilitates adherence to compliance standards, although it doesn't guarantee compliance. For more information, see the [Microsoft Azure Trust Center](https://www.microsoft.com/trust-center/compliance/compliance-overview) where you can find the most current list of SQL Managed Instance compliance certifications.
-
-> [!IMPORTANT]  
-> The auditing of Azure SQL Managed Instance is optimized for availability and performance. During high activity, or high network load, Azure SQL Managed Instance allows operations to proceed and might not record some audited events.
+This article teaches you to configure [auditing with SQL Server Audit in Azure SQL Managed Instance](auditing.md). Auditing tracks database events and writes them to an audit log in your Azure storage account.
 
 ## Set up auditing for your instance to Azure Storage
 
@@ -94,7 +86,7 @@ The following section describes the configuration of auditing on your SQL manage
 
             :::image type="content" source="media/auditing-configure/7_sas_configure.png" alt-text="Screenshot showing the SAS configuration.":::
 
-        - The SAS token appears at the bottom. Copy the token by selecting on the copy icon, and save it (for example, in Notepad) for future use.
+        - The SAS token appears at the bottom. Copy the token by selecting the copy icon, and save it (for example, in Notepad) for future use.
 
           :::image type="content" source="media/auditing-configure/8_sas_copy.png" alt-text="Screenshot showing how to copy SAS token.":::
 
@@ -142,7 +134,7 @@ The following section describes the configuration of auditing on your SQL manage
 
         :::image type="content" source="media/auditing-configure/12_mi_SSMS_sign_in_to_azure.png" alt-text="Screenshot showing how to Sign in to Azure.":::
 
-     1. Select a subscription, storage account, and blob container from the dropdowns, or create your own container by selecting on **Create**. Once you're finished, select **OK**:
+     1. Select a subscription, storage account, and blob container from the dropdowns, or create your own container by selecting **Create**. Once you're finished, select **OK**:
 
         :::image type="content" source="media/auditing-configure/13-subscription-account-container.png" alt-text="Select Azure subscription, storage account, and blob container.":::
 
@@ -155,8 +147,8 @@ The following section describes the configuration of auditing on your SQL manage
 
 After you configure the blob container as target for the audit logs, create and enable a server audit specification or database audit specification as you would for SQL Server:
 
-   - [Create server audit specification T-SQL guide](/sql/t-sql/statements/create-server-audit-specification-transact-sql)
-   - [Create database audit specification T-SQL guide](/sql/t-sql/statements/create-database-audit-specification-transact-sql)
+   - [Create server audit specification T-SQL guide](/sql/t-sql/statements/create-server-audit-specification-transact-sql?view=azuresqldb-mi-current&preserve-view=true)
+   - [Create database audit specification T-SQL guide](/sql/t-sql/statements/create-database-audit-specification-transact-sql?view=azuresqldb-mi-current&preserve-view=true)
 
 Use the following T-SQL statement to enable the server audit:
 
@@ -168,9 +160,9 @@ Use the following T-SQL statement to enable the server audit:
 
 For additional information:
 
-- [Auditing differences between Azure SQL Managed Instance and a database in SQL Server](#audit-differences-between-databases-in-azure-sql-managed-instance-and-databases-in-sql-server)
-- [CREATE SERVER AUDIT](/sql/t-sql/statements/create-server-audit-transact-sql)
-- [ALTER SERVER AUDIT](/sql/t-sql/statements/alter-server-audit-transact-sql)
+- [Auditing differences between Azure SQL Managed Instance and a database in SQL Server](auditing.md#audit-differences-between-databases-in-azure-sql-managed-instance-and-databases-in-sql-server)
+- [CREATE SERVER AUDIT](/sql/t-sql/statements/create-server-audit-transact-sql?view=azuresqldb-mi-current&preserve-view=true)
+- [ALTER SERVER AUDIT](/sql/t-sql/statements/alter-server-audit-transact-sql?view=azuresqldb-mi-current&preserve-view=true)
 
 ## Auditing of Microsoft Support operations
 
@@ -214,8 +206,8 @@ Audit logs from a SQL managed instance can be sent to Azure Event Hubs or Azure
 
 1. Create and enable a server audit specification or database audit specification as you would for SQL Server:
 
-   - [Create Server audit specification T-SQL guide](/sql/t-sql/statements/create-server-audit-specification-transact-sql)
-   - [Create Database audit specification T-SQL guide](/sql/t-sql/statements/create-database-audit-specification-transact-sql)
+   - [Create Server audit specification T-SQL guide](/sql/t-sql/statements/create-server-audit-specification-transact-sql?view=azuresqldb-mi-current&preserve-view=true)
+   - [Create Database audit specification T-SQL guide](/sql/t-sql/statements/create-database-audit-specification-transact-sql?view=azuresqldb-mi-current&preserve-view=true)
 
 1. Enable the server audit created in step 8:
 
@@ -271,7 +263,7 @@ GO
 
 There are several methods you can use to view blob auditing logs.
 
-- You can use the system function [sys.fn_get_audit_file (T-SQL)](/sql/relational-databases/system-functions/sys-fn-get-audit-file-transact-sql) to return the audit log data in tabular format.
+- You can use the system function [sys.fn_get_audit_file (T-SQL)](/sql/relational-databases/system-functions/sys-fn-get-audit-file-transact-sql?view=azuresqldb-mi-current&preserve-view=true) to return the audit log data in tabular format.
 
 - You can explore audit logs by using a tool such as [Azure Storage Explorer](https://azure.microsoft.com/features/storage-explorer/). In Azure Storage, auditing logs are saved as a collection of blob files within a container that was defined to store the audit logs. For more information about the hierarchy of the storage folder, naming conventions, and log format, see the [Blob Audit Log Format Reference](../database/audit-log-format.md).
 
@@ -287,38 +279,10 @@ If audit logs are written to Azure Monitor logs, they're available in the Log An
 
 Azure Monitor logs gives you real-time operational insights using integrated search and custom dashboards to readily analyze millions of records across all your workloads and servers. For more information about Azure Monitor logs search language and commands, see [Azure Monitor logs search reference](/azure/azure-monitor/logs/log-query-overview).
 
-## Audit differences between databases in Azure SQL Managed Instance and databases in SQL Server
-
-The key differences between auditing in databases in Azure SQL Managed Instance and databases in SQL Server are:
-
-- With Azure SQL Managed Instance, auditing works at the server level and stores `.xel` log files in Azure Blob storage.
-- In SQL Server, audit works at the server level, but stores events in the file system and Windows event logs.
-
-XEvent auditing in managed instances supports Azure Blob storage targets. File and Windows logs are **not supported**.
-
-The key differences in the `CREATE AUDIT` syntax for auditing to Azure Blob storage are:
-
-- A new syntax `TO URL` is provided and enables you to specify the URL of the Azure Blob storage container where the `.xel` files are placed.
-- A new syntax `TO EXTERNAL MONITOR` is provided to enable Event Hubs and Azure Monitor log targets.
-- The syntax `TO FILE` is **not supported** because Azure SQL Managed Instance can't access Windows file shares.
-- Shutdown option is **not supported**.
-- `queue_delay` of 0 is **not supported**.
-
-## Permissions
-
-To set up auditing, you need database permissions within SQL managed instance, and you also need permissions to the Azure resources that are used for storing and accessing the audit logs.
-
-To set up SQL managed instance auditing you need to following database permissions:
-
-|Database permissions  |Configure audit  |View audit logs using T-SQL  |
-|---------|---------|---------|
-|**VIEW DATABASE SECURITY AUDIT** |No|Yes|
-|**ALTER ANY DATABASE AUDIT**      | Yes        | No        |
-|**CONTROL DATABASE**          | Yes        | Yes        |
-
-To configure auditing to Azure storage, you need the **Storage blob data contributor** role on the storage account or higher permissions. To configure auditing to Event Hubs or Log Analytics, you need the **Monitoring Contributor** role or higher permissions on the resource group where the Event Hub or Log Analytics workspace is provisioned.
-
-## Next step
+## Related content
 
-> [!div class="nextstepaction"]
-> [Auditing for Azure SQL Database and Azure Synapse Analytics](../database/auditing-overview.md)
+- [SQL Server Audit in Azure SQL Managed Instance](auditing.md)
+- [Create a Server Audit](/sql/relational-databases/security/auditing/create-a-server-audit-and-server-audit-specification?view=azuresqldb-mi-current&preserve-view=true)
+- [Create a server audit and database audit specification](/sql/relational-databases/security/auditing/create-a-server-audit-and-database-audit-specification?view=azuresqldb-mi-current&preserve-view=true)
+- [View a SQL Server Audit Log](/sql/relational-databases/security/auditing/view-a-sql-server-audit-log?view=azuresqldb-mi-current&preserve-view=true)
+- [Write SQL Server Audit events to the Security log](/sql/relational-databases/security/auditing/write-sql-server-audit-events-to-the-security-log?view=azuresqldb-mi-current&preserve-view=true)