improve acrolinx score

markingmyname · markingmyname · commit ef5e78bb8503 · 2026-03-30T17:10:34.000-05:00
diff --git a/includes/database-migration-service-sql-permissions.md b/includes/database-migration-service-sql-permissions.md
@@ -1,68 +1,69 @@
 ---
 author: WilliamDAssafMSFT
 ms.author: wiassaf
+ms.date: 03/30/2026
 ms.service: azure-sql-database
 ms.topic: include
-ms.date: 04/12/2023
 ---
 
+# Permissions required for SQL Server Assessment
+
+The authentication method you use to connect to a source SQL Server instance needs certain minimal permissions to query the requisite information. The required permissions are as follows:
+
+| Database | Permission | Objects |
+| --- | --- | --- |
+| `master` | CONNECT ANY DATABASE | |
+| `master` | SELECT | `sys.sql_expression_dependencies` |
+| `master` | EXECUTE | `sys.xp_regenumkeys` |
+| `master` | VIEW DATABASE STATE | |
+| `master` | VIEW SERVER STATE | |
+| `master` | VIEW ANY DEFINITION | |
+| `msdb` | EXECUTE | dbo.agent_datetime |
+| `msdb` | SELECT | dbo.sysjobsteps |
+| `msdb` | SELECT | dbo.syssubsystems |
+| `msdb` | SELECT | dbo.sysjobhistory |
+| `msdb` | SELECT | dbo.syscategories |
+| `msdb` | SELECT | dbo.sysjobs |
+| `msdb` | SELECT | dbo.sysmaintplan_plans |
+| `msdb` | SELECT | dbo.syscollector_collection_sets |
+| `msdb` | SELECT | dbo.sysmail_profile |
+| `msdb` | SELECT | dbo.sysmail_profileaccount |
+| `msdb` | SELECT | dbo.sysmail_account |
+| All User Databases | VIEW DATABASE STATE | |
+| All User Databases | SELECT | `sys.sql_expression_dependencies` |
 
-# Permissions required for SQL Server Assessment 
-The login used to connect to a source SQL Server instance needs certain minimal permissions to query the requisite information. The required permissions are as follows:
-
-|Database|Permission|Object(s)|
-|-|-|-|
-|master|CONNECT ANY DATABASE||
-|master|SELECT|sys.sql_expression_dependencies|
-|master|EXECUTE|sys.xp_regenumkeys|
-|master|VIEW DATABASE STATE||
-|master|VIEW SERVER STATE||
-|master|VIEW ANY DEFINITION||
-|msdb|EXECUTE|dbo.agent_datetime|
-|msdb|SELECT|dbo.sysjobsteps|
-|msdb|SELECT|dbo.syssubsystems|
-|msdb|SELECT|dbo.sysjobhistory|
-|msdb|SELECT|dbo.syscategories|
-|msdb|SELECT|dbo.sysjobs|
-|msdb|SELECT|dbo.sysmaintplan_plans|
-|msdb|SELECT|dbo.syscollector_collection_sets|
-|msdb|SELECT|dbo.sysmail_profile|
-|msdb|SELECT|dbo.sysmail_profileaccount|
-|msdb|SELECT|dbo.sysmail_account|
-|All User Databases|VIEW DATABASE STATE||
-|All User Databases|SELECT|sys.sql_expression_dependencies|
-  
 ## Special considerations for Always On Availability Groups
-For SQL Server instances that host availability group replicas, it's recommended to provision a Windows Domain account with required permissions for assessment. 
-  
-When SQL Server Authentication or a local Windows login is used, mismatched SIDs can prevent the custom login from resolving on the other replicas of the Always On Availability Group. To prevent this issue, after the login is created on the first of all the instances that host an Always On Availability Group, note the SID of the login created. Provide this SID as a parameter when creating the login in the instances hosting the remaining replicas of the Always On Availability Group.
-   
-## Configure the custom login for Assessment
 
-The following are sample scripts for creating a login and provisioning it with the necessary permissions.
+For SQL Server instances that host availability group replicas, provision a Windows domain account with the required permissions for assessment.
+
+When you use SQL Server Authentication or a local Windows authentication, mismatched SIDs can prevent the custom authentication from resolving on the other replicas of the Always On Availability Group. To prevent this problem, after you create the authentication on the first instance that hosts an Always On Availability Group, note the SID of the authentication. Provide this SID as a parameter when creating the authentication in the instances hosting the remaining replicas of the Always On Availability Group.
+
+## Configure the custom authentication for assessment
+
+The following sample scripts show how to create an authentication and grant it the necessary permissions.
+
+### Windows Authentication
 
-### Windows Authentication 
-  
   ```sql
   -- Create a login to run the assessment
   use master;
-	-- If a SID needs to be specified, add here
+    -- If a SID needs to be specified, add here
     DECLARE @SID NVARCHAR(MAX) = N'';
     CREATE LOGIN [MYDOMAIN\MYACCOUNT] FROM WINDOWS;
-	SELECT @SID = N'0x'+CONVERT(NVARCHAR, sid, 2) FROM sys.syslogins where name = 'MYDOMAIN\MYACCOUNT'
-	IF (ISNULL(@SID,'') != '')
-		PRINT N'Created login [MYDOMAIN\MYACCOUNT] with SID = ' + @SID
-	ELSE
-		PRINT N'Login creation failed'
-  GO    
- 
-  -- Create user in every database other than tempdb and model and provide minimal read-only permissions. 
+    SELECT @SID = N'0x'+CONVERT(NVARCHAR, sid, 2) FROM sys.syslogins where name = 'MYDOMAIN\MYACCOUNT'
+    IF (ISNULL(@SID,'') != '')
+        PRINT N'Created login [MYDOMAIN\MYACCOUNT] with SID = ' + @SID
+    ELSE
+        PRINT N'Login creation failed'
+  GO
+
+  -- Create user in every database other than tempdb and model and provide minimal read-only permissions.
   use master;
     EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model''))  BEGIN TRY CREATE USER [MYDOMAIN\MYACCOUNT] FOR LOGIN [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH'
     EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model''))  BEGIN TRY GRANT SELECT ON sys.sql_expression_dependencies TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH'
     EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model''))  BEGIN TRY GRANT VIEW DATABASE STATE TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH'
   GO
- 
+
   -- Provide server level read-only permissions
   use master;
     BEGIN TRY GRANT SELECT ON sys.sql_expression_dependencies TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
@@ -71,12 +72,12 @@ The following are sample scripts for creating a login and provisioning it with t
     BEGIN TRY GRANT VIEW SERVER STATE TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
     BEGIN TRY GRANT VIEW ANY DEFINITION TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
   GO
- 
+
   -- Required from SQL 2014 onwards for database connectivity.
   use master;
     BEGIN TRY GRANT CONNECT ANY DATABASE TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
   GO
- 
+
   -- Provide msdb specific permissions
   use msdb;
     BEGIN TRY GRANT EXECUTE ON [msdb].[dbo].[agent_datetime] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
@@ -91,7 +92,7 @@ The following are sample scripts for creating a login and provisioning it with t
     BEGIN TRY GRANT SELECT ON [msdb].[dbo].[sysmail_profileaccount] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
     BEGIN TRY GRANT SELECT ON [msdb].[dbo].[sysmail_account] TO [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
   GO
- 
+
   -- Clean up
   --use master;
   -- EXECUTE sp_MSforeachdb 'USE [?]; BEGIN TRY DROP USER [MYDOMAIN\MYACCOUNT] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;'
@@ -100,37 +101,37 @@ The following are sample scripts for creating a login and provisioning it with t
    ```
 
 ### SQL Server Authentication
-  
+
    ```sql
   -- Create a login to run the assessment
   use master;
-	-- If a SID needs to be specified, add here
+    -- If a SID needs to be specified, add here
     DECLARE @SID NVARCHAR(MAX) = N'';
-	IF (@SID = N'')
-	BEGIN
-		CREATE LOGIN [evaluator]
-			WITH PASSWORD = '<provide a strong password>'
-	END
-	ELSE
-	BEGIN
-		CREATE LOGIN [evaluator]
-			WITH PASSWORD = '<provide a strong password>'
-			, SID = @SID 
-	END
-	SELECT @SID = N'0x'+CONVERT(NVARCHAR, sid, 2) FROM sys.syslogins where name = 'evaluator'
-	IF (ISNULL(@SID,'') != '')
-		PRINT N'Created login [evaluator] with SID = '+@SID
-	ELSE
-		PRINT N'Login creation failed'
-  GO    
- 
-  -- Create user in every database other than tempdb and model and provide minimal read-only permissions. 
+    IF (@SID = N'')
+    BEGIN
+        CREATE LOGIN [evaluator]
+            WITH PASSWORD = '<provide a strong password>'
+    END
+    ELSE
+    BEGIN
+        CREATE LOGIN [evaluator]
+            WITH PASSWORD = '<provide a strong password>'
+            , SID = @SID
+    END
+    SELECT @SID = N'0x'+CONVERT(NVARCHAR, sid, 2) FROM sys.syslogins where name = 'evaluator'
+    IF (ISNULL(@SID,'') != '')
+        PRINT N'Created login [evaluator] with SID = '+@SID
+    ELSE
+        PRINT N'Login creation failed'
+  GO
+
+  -- Create user in every database other than tempdb and model and provide minimal read-only permissions.
   use master;
     EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model''))  BEGIN TRY CREATE USER [evaluator] FOR LOGIN [evaluator]END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH'
     EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model''))  BEGIN TRY GRANT SELECT ON sys.sql_expression_dependencies TO [evaluator]END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH'
     EXECUTE sp_MSforeachdb 'USE [?]; IF (''?'' NOT IN (''tempdb'',''model''))  BEGIN TRY GRANT VIEW DATABASE STATE TO [evaluator]END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH'
   GO
- 
+
   -- Provide server level read-only permissions
   use master;
     BEGIN TRY GRANT SELECT ON sys.sql_expression_dependencies TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
@@ -139,12 +140,12 @@ The following are sample scripts for creating a login and provisioning it with t
     BEGIN TRY GRANT VIEW SERVER STATE TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
     BEGIN TRY GRANT VIEW ANY DEFINITION TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
   GO
- 
+
   -- Required from SQL 2014 onwards for database connectivity.
   use master;
     BEGIN TRY GRANT CONNECT ANY DATABASE TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
   GO
- 
+
   -- Provide msdb specific permissions
   use msdb;
     BEGIN TRY GRANT EXECUTE ON [msdb].[dbo].[agent_datetime] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
@@ -159,7 +160,7 @@ The following are sample scripts for creating a login and provisioning it with t
     BEGIN TRY GRANT SELECT ON [msdb].[dbo].[sysmail_profileaccount] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
     BEGIN TRY GRANT SELECT ON [msdb].[dbo].[sysmail_account] TO [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;
   GO
- 
+
   -- Clean up
   --use master;
   -- EXECUTE sp_MSforeachdb 'USE [?]; BEGIN TRY DROP USER [evaluator] END TRY BEGIN CATCH PRINT ERROR_MESSAGE() END CATCH;'
@@ -169,12 +170,12 @@ The following are sample scripts for creating a login and provisioning it with t
 
 ## How to use the permissions script
 
-The permissions script can be used as follows:
+Use the permissions script as follows:
 
-- Save the appropriate permissions script (with valid password string) as an _.sql_ file, say _c:\workspace\MinPermissions.sql_
-- Connect to the instance(s) using an account with sysadmin permissions and execute the script. You can use **SQL Server Management Studio** or **sqlcmd**. The following example uses a trusted connection.
+- Save the appropriate permissions script (with a valid password string) as a _.sql_ file, such as _c:\workspace\MinPermissions.sql_.
+- Connect to the instances by using an account with sysadmin permissions and run the script. You can use SQL Server Management Studio or **sqlcmd**. The following example uses a trusted connection.
 
-   ```cmd
-      sqlcmd.exe -S sourceserver\sourceinstance -d master -E -i c:\workspace\MinPermissions.sql
-   ```
+  ```cmd
+     sqlcmd.exe -S sourceserver\sourceinstance -d master -E -i c:\workspace\MinPermissions.sql
+  ```
 - Use the minimal permissions account for further connections.
