Adding permission steps (#35871)

Author: MashaMSFT

docs/sql-server/azure-arc/media/migrate-to-azure-sql-managed-instance/database-migration-summary.png

@@ -36,6 +36,10 @@ First, you choose an appropriate SQL Managed Instance target and prepare your en
 
 Database migration is available by default for all SQL Server instances enabled by Azure Arc, starting with [!INCLUDE [sssql11-md](../../includes/sssql11-md.md)].
 
+The **Database Migration** pane also has a useful summary of the migration status for your instance, such as the number of total databases, the recommended target, the number of completed migrations, and the number of ongoing migrations: 
+
+:::image type="content" source="media/migrate-to-azure-sql-managed-instance/database-migration-summary.png" alt-text="Screenshot of the summary on the Database Migration pane in the Azure portal." lightbox="media/migrate-to-azure-sql-managed-instance/database-migration-summary.png":::
+
 ## Integrated migration methods
 
 Choose the migration method that best fits your needs on the **Database migration** pane. After an initial configuration to prepare your environment, the migration process automates the rest based on your selection.
@@ -51,7 +55,7 @@ The following table summarizes the two methods built into the migration process:
 | **Description** | Most performant method with near real-time replication. Provides a read-only (R/O) database on the target, so you can query your data in near-real time during the migration to offload R/O workloads on the secondary, or check data during the migration. Best possible minimum downtime migration. | Most compatible migration method. Upload backups to an intermediary Azure blob storage account that the LRS service automatically restores to SQL Managed Instance continuously. No R/O database replica is available on the target. |
 | **Supported versions** | SQL Server 2016 and later on Windows Server 2016 and later | SQL Server 2012 and later on Windows Server 2012 and later |
 | **Supported editions** | Enterprise, Standard, and Developer editions | All editions |
-| **Recommended for** | Business-critical workloads that require minimum downtime during migration and access to a R/O database on the target, with a destination target of either a General Purpose or Business Critical SQL Managed Instance. | General purpose workloads where some planned downtime is acceptable and destination target of a General Purpose SQL Managed Instance. Not recommended for Business Critical SQL managed instance targets. |
+| **Recommended for** | Business-critical workloads that require minimum downtime during migration and access to a read-only database on the target, with a destination target of either a General Purpose or Business Critical SQL Managed Instance. | General purpose workloads where some planned downtime is acceptable and destination target of a General Purpose SQL Managed Instance. Not recommended for Business Critical SQL managed instance targets. |
 
 For an in-depth comparison of the two migration methods, see [Compare Managed Instance link with LRS for migration](/azure/azure-sql/managed-instance/log-replay-service-compare-mi-link).
 
@@ -136,7 +140,7 @@ After your target is ready, start the migration process.
 
 Once you've prepared your environment for [Managed Instance link migration](migration-sql-mi-prepare-link.md), you can migrate your SQL Server databases to Azure SQL Managed Instance. 
 
-Follow these steps to migrate your SQL Server databases to SQL Managed Instance by using the Managed Instance link::
+Follow these steps to migrate your SQL Server databases to SQL Managed Instance by using the Managed Instance link:
 
 1. On the **Database migration** pane, select **Migrate data**.
 1. On the **New data migration** pane, choose **Migrate using real-time replication (online)**:
@@ -173,7 +177,7 @@ Follow these steps to migrate your SQL Server databases to SQL Managed Instance
 
    :::image type="content" source="media/migrate-to-azure-sql-managed-instance/migrate-data-lrs.png" alt-text="Screenshot of the LRS migration option on the Migrate Data page in the Azure portal.":::
 
-1. On the **Select source databases** tab, check the boxes next to the databases that you want to migrate, and then use **Next** to proceed to the next page.:
+1. On the **Select source databases** tab, check the boxes next to the databases that you want to migrate, and then use **Next** to proceed to the next page:
 
    :::image type="content" source="media/migrate-to-azure-sql-managed-instance/select-source-database-lrs.png" alt-text="Screenshot of the select source databases page when you migrate your database with LRS in the Azure portal." lightbox="media/migrate-to-azure-sql-managed-instance/select-source-database-lrs.png":::
 
@@ -197,7 +201,7 @@ The **Monitor and cutover** pane shows useful information about the migration pr
 
 :::image type="content" source="media/migrate-to-azure-sql-managed-instance/monitor-migration.png" alt-text="Screenshot of the monitor migration page in the Azure portal." lightbox="media/migrate-to-azure-sql-managed-instance/monitor-migration.png":::
 
-You can pause, resume, or cancel the migration from the **Monitor and cutover** pane. You can also view logs for information about the migration. Selecting a database takes you to a pane with more details about the source and target.
+You can complete or cancel the migration from the **Monitor and cutover** pane. You can also view logs for information about the migration. Selecting a database takes you to a pane with more details about the source and target.
 
 After the migration finishes, the migration status shows **Ready for cutover**. To cut over to the SQL Managed Instance target, select **Cutover** on the **Monitor and cutover** pane. You can also use the database details pane.
 

docs/sql-server/azure-arc/media/migrate-to-azure-sql-managed-instance/lrs-migration-method.png

@@ -5,15 +5,15 @@ description: Learn about the capabilities of SQL Server migration in Azure Arc.
 author: ajithkr-ms
 ms.author: ajithkr
 ms.reviewer: mikeray, mathoma
-ms.date: 11/18/2025
+ms.date: 11/19/2025
 ms.topic: how-to
 ---
 
 # SQL Server migration in Azure Arc Overview
 
 [!INCLUDE [sqlserver](../../includes/applies-to-version/sqlserver.md)]
 
-This article provides an overview of SQL Server migration in Azure Arc for [SQL Server instances enabled by Azure Arc](overview.md). 
+This article provides an overview of SQL Server migration in Azure Arc for [SQL Server enabled by Azure Arc](overview.md).
 
 ## Overview
 
@@ -31,7 +31,7 @@ SQL Server migration in Azure Arc is available by default for all SQL Server ins
 
 ## Migration targets
 
-Currently, you can only migrate to [Azure SQL Managed Instance](migrate-to-azure-sql-managed-instance.md). 
+Currently, you can only migrate to [Migration to Azure SQL Managed Instance - SQL Server migration in Azure Arc](migrate-to-azure-sql-managed-instance.md).
 
 ## Microsoft Copilot assisted migration
 
@@ -93,11 +93,23 @@ You can obtain a migration assessment for SQL Servers located anywhere, such as:
 
 The assessment is available for any instance of SQL Server enabled by Azure Arc.
 
+## Database migration
+
+On the **Database migration** pane, you can migrate your SQL Server databases to Azure SQL Managed Instance. The migration process is fully managed and automated from the Azure portal. Once you're ready to start, you can use the tiles to assess your SQL Server databases, choose a migration target, and start the migration process.
+
+**Database migration** guides you through the migration with easy to follow tiles for each step of the process:
+
+:::image type="content" source="media/migrate-to-azure-sql-managed-instance/migration-home-page.png" alt-text="Screenshot that shows the migration home page for a SQL Server instance in the Azure portal." lightbox="media/migrate-to-azure-sql-managed-instance/migration-home-page.png":::
+
+The **Database Migration** pane also has a useful summary of the migration status for your instance, such as the number of total databases, the recommended target, the number of completed migrations, and the number of ongoing migrations:
+
+:::image type="content" source="media/migrate-to-azure-sql-managed-instance/database-migration-summary.png" alt-text="Screenshot of the summary on the Database Migration pane in the Azure portal." lightbox="media/migrate-to-azure-sql-managed-instance/database-migration-summary.png":::
+
 ## Related content
 
-- [Migration dashboard](migration-inventory.md)
-- [Assessment for migration to Azure](migration-assessment.md)
-- [Prepare environment for a Managed Instance link migration](migration-sql-mi-prepare-link.md)
-- [Prepare environment for an LRS migration](migration-sql-mi-prepare-log-replay-service.md)
+- [Track migration journey by using migration dashboard - SQL Server enabled by Azure Arc](migration-inventory.md)
+- [Assess migration readiness - SQL Server enabled by Azure Arc](migration-assessment.md)
+- [Prepare environment for a Managed Instance link migration - SQL Server migration in Azure Arc](migration-sql-mi-prepare-link.md)
+- [Prepare environment for LRS migration - SQL Server migration in Azure Arc](migration-sql-mi-prepare-log-replay-service.md)
 - [SQL Server enabled by Azure Arc](overview.md)
 - [Deployment options for SQL Server enabled by Azure Arc](deployment-options.md)

docs/sql-server/azure-arc/media/migration-sql-mi-prepare-log-replay-service/reader-role-assignment-type.png

@@ -67,20 +67,95 @@ You use an Azure Blob Storage account as intermediary storage for backup files b
 
 To create a new storage account and a blob container inside the storage account:
 
-1. [Create a storage account](/azure/storage/common/storage-account-create?tabs=azure-portal).
+1. [Create a storage account](/azure/storage/common/storage-account-create?tabs=azure-portal):
+   1. Search for **Storage accounts** in the Azure portal, and select **Create**.
+   1. On the **Basics** tab, select your subscription and resource group. The region should be the same as your SQL Managed Instance target.
+   1. Leave **Preferred storage type** blank.
+   1. Use default settings for the rest of the tabs, and select **Review + create**.
+   1. After validation passes, select **Create**.
 1. [Create a blob container](/azure/storage/blobs/storage-quickstart-blobs-portal) inside the storage account.
-1. (Optional) [Configure Azure storage behind a firewall](/azure/azure-sql/managed-instance/log-replay-service-migrate#create-a-storage-account).
+   1. Go to your new storage account in the Azure portal.
+   1. Under **Data storage**, select **Containers**.
+   1. Use **Add container** to open the **New container** pane.
+   1. Enter a name for your container, leave options at their defaults, and select **Create** to create your container.
+1. (Optional) If your Azure Storage is behind a firewall, your Azure Blob storage requires [additional configuration](/azure/azure-sql/managed-instance/log-replay-service-migrate#configure-azure-storage-behind-a-firewall) after your SQL managed instance is provisioned.
 
 ## Grant permissions to Azure Blob Storage
 
-SQL Server migration in Azure Arc with LRS uses a managed identity to authenticate to Azure Blob Storage. You need to grant access to the blob storage:
+SQL Server migration in Azure Arc with LRS uses a managed identity to authenticate to Azure Blob Storage.
 
-- [Grant managed identity access to the Azure Blob Storage account](/azure/storage/blobs/authorize-access-azure-active-directory)
-- [Grant managed identity access to SQL Managed Instance](/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity). Assign the **Storage Blob Data Reader** role to the primary managed identity of Azure SQL Managed Instance.
+You need to grant the following permissions:
+- [Grant user access to the storage account](#grant-user-access-to-the-storage-account) where you plan to store backups during the migration process.
+- [Grant user access to the resource group](#grant-user-access-to-the-resource-group) that contains the storage account.
+- [Grant managed identity access to the storage account](#grant-managed-identity-access-to-the-storage-account) after your SQL managed instance is provisioned.
 
-Assign the following roles to the user who signs in to the Azure portal and performs the migration:
-- [Storage Blob Data Reader](/azure/role-based-access-control/built-in-roles/storage#storage-blob-data-reader) on the resource group that contains the storage account.
-- **Reader** on the resource group that contains the storage account.
+### Grant user access to the storage account
+
+To access database backups during the migration process, assign the user who signs in to the Azure portal and performs the migration to the [Storage Blob Data Reader](/azure/role-based-access-control/built-in-roles/storage#storage-blob-data-reader) role for the storage account that contains the backups.
+
+To assign the role, follow these steps:
+1. In the Azure portal, go to the resource group that contains your storage account.
+1. Select **Access control (IAM)** from the resource menu.
+1. Use **+ Add** to select **Add role assignment** and open the **Add role assignment** pane.
+1. Search for and select the **Storage Blob Data Reader** role. Then, select **Next**.
+
+   :::image type="content" source="media/migration-sql-mi-prepare-log-replay-service/search-storage-blob-data-reader.png" alt-text="Screenshot of finding the Storage Blob Data Reader role on the IAM page for the storage account in the Azure portal." lightbox="media/migration-sql-mi-prepare-log-replay-service/search-storage-blob-data-reader.png":::
+
+1. Use **+ Select members** to open the **Select members** pane, and search for the user account of the person performing the migration. If multiple people are migrating data, grant all of those users this access. Select the user account, and then use **Select** to save your selection. Check the option to assign access to **User, group, or service principal**.
+1. Select **Review + assign** to go to the **Review + assign** tab, and then select **Review + assign** again to complete the role assignment.
+
+### Grant user access to the resource group
+
+To access database backups during the migration process, the user who signs in to the Azure portal and performs the migration needs to be assigned the **Reader** role on the resource group that contains the storage account.
+
+To assign the role, follow these steps:
+1. In the Azure portal, go to the resource group that contains your storage account.
+1. Select **Access control (IAM)** from the resource menu.
+1. Use **+ Add** to select **Add role assignment** and open the **Add role assignment** pane.
+1. Search for and select the **Reader** role. Then, select **Next**.
+
+   :::image type="content" source="media/migration-sql-mi-prepare-log-replay-service/search-reader-role.png" alt-text="Screenshot of finding the Reader role on the IAM page for the resource group in the Azure portal." lightbox="media/migration-sql-mi-prepare-log-replay-service/search-reader-role.png":::
+
+1. Use **+ Select members** to open the **Select members** pane, and search for the user account of the person performing the migration. If multiple people are migrating data, grant all of those users this access. Select the user account, and then use **Select** to save your selection. Check the option to assign access to **User, group, or service principal** and then use **Next** to continue.
+1. On the **Assignment type** tab, set the **Assignment type** to **Active** and the **Assignment duration** to **Permanent**:
+
+   :::image type="content" source="media/migration-sql-mi-prepare-log-replay-service/reader-role-assignment-type.png" alt-text="Screenshot of setting the Assignment type to Active and the Assignment duration to Permanent on the Assignment type tab in the Azure portal." lightbox="media/migration-sql-mi-prepare-log-replay-service/reader-role-assignment-type.png":::
+
+1. Select **Review + assign** to go to the **Review + assign** tab, and then select **Review + assign** again to complete the role assignment.
+
+### Grant managed identity access to the storage account
+
+After your SQL managed instance is provisioned, you need to assign the managed identity of your SQL managed instance the [Storage Blob Data Reader](/azure/role-based-access-control/built-in-roles/storage#storage-blob-data-reader) role so that it can access your Azure Blob Storage account during the migration process.
+
+First, you must determine what kind of managed identity your SQL managed instance uses. To do so, follow these steps:
+1. Go to your [SQL managed instance](https://portal.azure.com/#view/HubsExtension/ServiceMenuBlade/~/SingleInstance/extension/SqlAzureExtension/menuId/AzureSqlHub/itemId/SingleInstance) in the Azure portal.
+1. Under **Security**, select **Identity**.
+   1. If under **User assigned managed identity**, you see *No user assigned managed identities found*, your SQL managed instance uses the default **system-assigned managed identity**.
+   1. If you see an entry in the **Primary identity** field, then your SQL managed instance uses a custom **user assigned managed identity**. Make note of this identity to use in the step where you're selecting this managed identity when granting **Storage Blob Data Reader** access to the storage account.
+
+To grant access to the storage account, follow these steps:
+1. Go to the Azure Blob Storage account in the Azure portal that you intend to use for the migration.
+1. Select **Access control (IAM)** from the resource menu.
+1. Use **+ Add** to select **Add role assignment** and open the **Add role assignment** pane.
+1. Search for and select the **Storage Blob Data Reader** role. Then, select **Next**.
+1. Under **Assign access to** check the **Managed identity** option.
+1. Use **Select members** to open the **Select members** pane.
+1. If your SQL managed instance uses the default **system-assigned managed identity**:
+   1. Under **Managed identity**, select **SQL managed instance**.
+   1. Search and select the name of your SQL managed instance.
+   1. Use **Select** to save your selection.
+1. If your SQL managed instance uses a **user-assigned managed identity**:
+   1. Under **Managed identity**, select **User assigned managed identity**.
+   1. Search for the **Primary identity** name that you noted earlier from the **Identity** page of your [SQL managed instance](https://portal.azure.com/#view/HubsExtension/ServiceMenuBlade/~/SingleInstance/extension/SqlAzureExtension/menuId/AzureSqlHub/itemId/SingleInstance) and select it.
+   1. Use **Select** to save your selection.
+1. Select **Review + assign** to go to the **Review + assign** tab, and then select **Review + assign** again to complete the role assignment.
+
+Once you've uploaded at least one full backup to this storage account, you can run the following command on your SQL managed instance to verify that it can access your Azure Blob Storage account:
+
+```sql
+RESTORE HEADERONLY
+    FROM URL = 'https://<mystorageaccountname>.blob.core.windows.net/<containername>/full_0_0.bak';
+```
 
 ## Upload backups to your Blob Storage account
 
@@ -180,11 +255,6 @@ If it's important that databases are available as soon as cutover completes, con
 
 Monitoring the migration through the Azure portal is available only to SQL Server instances that meet monitoring [licensing requirements](sql-monitoring.md#prerequisites).
 
-## Next steps
-
-> [!div class="nextstepaction"]
-> [Migrate to Azure SQL Managed Instance](migrate-to-azure-sql-managed-instance.md)
-
 ## Related content
 
 - [SQL Server migration in Azure Arc](migration-overview.md)