Commit 952ed9f

Merge pull request #36692 from MicrosoftDocs/main
Auto Publish – main to live - 2026-02-23 23:30 UTC
2 parents ed54add + 0cd629d commit 952ed9f

2 files changed

Lines changed: 6 additions & 2 deletions

docs/connect/odbc/using-azure-active-directory.md

Lines changed: 5 additions & 1 deletion
@@ -189,7 +189,11 @@ typedef struct AccessToken
189189
} ACCESSTOKEN;
190190
```
191191

192-
The `ACCESSTOKEN` is a variable-length structure consisting of a 4-byte _length_ followed by _length_ bytes of opaque data that form the access token. Because of how SQL Server handles access tokens, one obtained via an [OAuth 2.0](/azure/active-directory/develop/active-directory-authentication-scenarios) JSON response must be expanded so that each byte is followed by a zero padding byte, similar to a UCS-2 string containing only ASCII characters. However, the token is an opaque value and the length specified, in bytes, must NOT include any null terminator. Because of their considerable length and format constraints, this method of authentication is only available programmatically via the `SQL_COPT_SS_ACCESS_TOKEN` connection attribute. There's no corresponding DSN or connection string keyword. The connection string must not contain `UID`, `PWD`, `Authentication`, or `Trusted_Connection` keywords.
192+
The `ACCESSTOKEN` is a variable-length structure consisting of a 4-byte _length_ followed by _length_ bytes of opaque data that form the access token. Because of how SQL Server handles access tokens, one obtained via an [OAuth 2.0](/azure/active-directory/develop/active-directory-authentication-scenarios) JSON response must be expanded so that each byte is followed by a zero padding byte, similar to a UCS-2 string containing only ASCII characters. However, the token is an opaque value and the length specified, in bytes, must NOT include any null terminator. Because of their considerable length and format constraints, this method of authentication is only available programmatically via the `SQL_COPT_SS_ACCESS_TOKEN` connection attribute.
193+
194+
The `ACCESSTOKEN` must remain allocated for as long as the connection handle is allocated. Otherwise access violations might occur. The pointer is part of the connection pool key, so a new pointer results in a new pool and new connections. If a token expires, you can renew the access token by updating the data buffer directly to continue using existing connections.
195+
196+
There's no corresponding DSN or connection string keyword. The connection string must not contain `UID`, `PWD`, `Authentication`, or `Trusted_Connection` keywords.
193197

194198
> [!NOTE]
195199
> The ODBC Driver version 13.1 only supports this authentication on _Windows_. Subsequent versions support this authentication on all platforms.
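
Review bot: In the added paragraph at new line 194, "you can renew the access token by updating the data buffer directly" does not say what to do when the renewed token differs in size from the one it replaces. The preceding paragraph defines `ACCESSTOKEN` as a 4-byte length followed by that many bytes, and this paragraph says a new pointer results in a new pool, so the text should state that the length field has to be updated together with the data and that the buffer should be allocated with room for a longer token up front, since reallocating may move the buffer and change the pointer. It would also help to say whether the in-place update is safe while pooled connections are open or in use on other threads. Minor: "Otherwise access violations might occur" needs a comma after "Otherwise".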

docs/relational-databases/security/auditing/sql-server-audit-action-groups-and-actions.md

Lines changed: 1 addition & 1 deletion
@@ -150,7 +150,7 @@ The following table describes the database-level audit action groups and provide
150150
| `SCHEMA_OBJECT_CHANGE_GROUP` | This event is raised when a `CREATE`, `ALTER`, or `DROP` operation is performed on a schema. Equivalent to the [Audit Schema Object Management Event Class](../../event-classes/audit-schema-object-management-event-class.md).<br /><br />This event is raised on schema objects. Equivalent to the [Audit Object Derived Permission Event Class](../../event-classes/audit-object-derived-permission-event-class.md). Also equivalent to the [Audit Statement Permission Event Class](../../event-classes/audit-statement-permission-event-class.md). |
151151
| `SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP` | This event is raised when the permissions to change the owner of schema object such as a table, procedure, or function is checked. This occurs when the `ALTER AUTHORIZATION` statement is used to assign an owner to an object. Equivalent to the [Audit Schema Object Take Ownership Event Class](../../event-classes/audit-schema-object-take-ownership-event-class.md). |
152152
| `SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP` | This event is raised whenever a grant, deny, or revoke is issued for a schema object. Equivalent to the [Audit Schema Object GDR Event Class](../../event-classes/audit-schema-object-gdr-event-class.md). |
153-
| `SENSITIVE_BATCH_COMPLETED_GROUP` | This event is raised whenever any batch text, stored procedure, or transaction management operation completes executing on sensitive data classified using [SQL Data Discovery & Classification](../sql-data-discovery-and-classification.md). The event is raised after the batch completes and audits the entire batch or stored procedure text, as sent from the client, including the result. <br /><br /> Available starting with [!INCLUDE [sssql22-md](../../../includes/sssql22-md.md)]|
153+
| `SENSITIVE_BATCH_COMPLETED_GROUP` | This event is raised whenever any batch text, stored procedure, or transaction management operation completes executing on sensitive data classified using [SQL Data Discovery & Classification](../sql-data-discovery-and-classification.md). The event is raised after the batch completes and audits the entire batch or stored procedure text, as sent from the client, including the result.<br /><br />When configured at the database scope, `SENSITIVE_BATCH_COMPLETED_GROUP` only captures batches that originate from and complete execution in the current database context. Cross-database queries (for example, queries that originate from another database and access sensitive data in the current database) aren't captured when you configure the audit group on the current database. To ensure auditing coverage for cross-database access to sensitive data, enable `SENSITIVE_BATCH_COMPLETED_GROUP` in a server audit specification.<br /><br />**Applies to:** [!INCLUDE [sssql22-md](../../../includes/sssql22-md.md)] and later versions. |
154154
| `SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP` | Indicates that a principal successfully logged in to a contained database. |
155155
| `USER_CHANGE_PASSWORD_GROUP` | This event is raised whenever the password of a contained database user is changed by using the ALTER USER statement. |
156156
| `USER_DEFINED_AUDIT_GROUP` | This group monitors events raised by using [sp_audit_write](../../system-stored-procedures/sp-audit-write-transact-sql.md). |
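
Review bot: In the added `SENSITIVE_BATCH_COMPLETED_GROUP` row (new line 153), the advice to "enable `SENSITIVE_BATCH_COMPLETED_GROUP` in a server audit specification" appears in the database-level table with no link to where the server-level group or server audit specifications are documented, so a reader who hits the cross-database gap has nowhere to go next. Suggest linking that phrase to the server-level action groups section or the server audit specification article. The parenthetical example also covers only one direction (a query that originates in another database and reads sensitive data here); consider stating whether a batch that starts in the current database and then switches context is captured. Since the cell now holds three paragraphs joined by `<br /><br />`, the limitation might read better as a note under the table.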
