Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

DP-300 Implement a secure environment — All Questions With Answers

Complete DP-300 Implement a secure environment question bank — all 0 questions with answers and detailed explanations.

213 Questions
Question 1 (medium, multiple choice)

You are configuring Azure SQL Database firewall rules for a new application. The application runs on Azure VMs in the same region. To minimize latency and security risk, which approach should you use?

Question 2 (easy, multiple choice)

You need to audit all successful and failed login attempts to an Azure SQL Database. Which feature should you enable?

Question 3 (hard, multiple choice)

Your company has a strict policy that Azure SQL Database backups must be encrypted with customer-managed keys stored in Azure Key Vault. You configure TDE with AKV integration. After a key rotation, you find that long-running queries start failing with encryption errors. What is the most likely cause?

Question 4 (easy, multiple choice)

You are designing a secure environment for Azure SQL Database. Which authentication method provides the strongest security and supports multi-factor authentication?

Question 5 (hard, multiple choice)

Your Azure SQL Database is configured with Advanced Threat Protection (ATP). You receive an alert about a SQL injection attack. After investigation, you confirm the attack was blocked. However, you need to ensure that future similar attacks are automatically prevented without manual intervention. What should you configure?

Question 6 (medium, multiple choice)

A developer reports that they cannot connect to an Azure SQL Database using Azure AD authentication. The developer is a member of an Azure AD group that has been granted db_datareader role in the database. The connection string uses Active Directory Password authentication. What is the most likely issue?

Question 7 (easy, multiple choice)

You need to ensure that all connections to an Azure SQL Database are encrypted. Which setting should you enforce?

Question 8 (medium, multiple choice)

You are deploying an Azure SQL Database that will store sensitive customer data. Compliance requirements dictate that the data must be encrypted at rest using a customer-managed key that is rotated every 90 days. You configure TDE with Azure Key Vault. What additional step is critical to ensure data remains accessible after key rotation?

Question 9 (medium, multi select)

Which TWO of the following are best practices for securing Azure SQL Database?

Question 10 (hard, multi select)

Which THREE of the following are required to configure Transparent Data Encryption (TDE) with customer-managed keys in Azure Key Vault for Azure SQL Database?

Question 11 (easy, multi select)

Which TWO of the following are valid methods to connect to Azure SQL Database securely?

Question 12 (hard, multiple choice)

You are the database administrator for a healthcare company that uses Azure SQL Database to store patient records. The database is named PatientDB. The security team mandates that all database access must be audited, and any suspicious activity must be alerted in real-time. Additionally, compliance requires that all data at rest be encrypted using a customer-managed key stored in Azure Key Vault. You have configured the following:
- TDE with customer-managed key in AKV (key vault name: KV-Health, key name: PatientKey)
- Azure SQL Auditing enabled, writing logs to a storage account (StorageAcctLogs)
- Advanced Threat Protection (ATP) enabled with alerts sent to the security team's email
- Firewall rules allowing only the application server's public IP (203.0.113.50)

A week later, the security team reports that they received an ATP alert about a potential SQL injection attack from IP 198.51.100.25. However, when they check the audit logs, they find no entries from that IP. They also notice that the database remains accessible. The security team wants to know why the audit logs do not contain the suspicious IP even though ATP detected it. What is the most likely reason?

Question 13 (medium, multiple choice)

You manage an Azure SQL Database named SalesDB that is used by a sales application. The application connects using a SQL login named 'sales_user' with a password. Recently, the security team discovered that 'sales_user' has been compromised. They have reset the password in Azure SQL Database. However, the application continues to connect successfully using the old credentials. You suspect the application might be caching the password. The security team wants to immediately revoke access for the compromised login and ensure that only a new login with a complex password is used. You also want to minimize downtime. What should you do first?

Question 14 (easy, multiple choice)

You are configuring Azure SQL Database firewall rules. You need to allow a range of IP addresses (192.168.1.0 to 192.168.1.255) to connect to the database. Which firewall rule should you create?

Question 15 (medium, multiple choice)

Your company uses Azure SQL Database. You need to ensure that all connections to the database use TLS 1.2 or higher. Currently, some client applications are connecting using TLS 1.0. What should you do?

Question 16 (hard, multiple choice)

You are designing a secure environment for Azure SQL Managed Instance. The company requires that all database backups be encrypted using customer-managed keys stored in Azure Key Vault. Which combination of actions should you take?

Question 17 (medium, multi select)

You need to configure authentication for Azure SQL Database. Which TWO options are supported?

Question 18 (hard, multi select)

Your organization has an Azure SQL Database server. You need to ensure that only applications running on Azure virtual machines in a specific virtual network can connect to the database. Which THREE actions should you take?

Question 19 (easy, multiple choice)

You are reviewing a JSON representation of an Azure SQL Database firewall rule. What is the effect of this rule?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "startIPAddress": "10.0.0.0",
    "endIPAddress": "10.0.0.255"
  }
}
```

Question 20 (medium, multiple choice)

You are troubleshooting a connection issue from Azure SQL Database to Azure Storage using a managed identity. The above credential was created. What is missing from this configuration?

Exhibit

Refer to the exhibit.

```sql
ALTER DATABASE SCOPED CREDENTIAL MyCred
WITH IDENTITY = 'Managed Identity';
```

Question 21 (hard, multiple choice)

Your company is planning to migrate on-premises SQL Server databases to Azure SQL Managed Instance. The security team requires that all database connections be encrypted and that the server's identity be verified using a certificate from a trusted public certificate authority (CA). What should you configure?

Question 22 (easy, multiple choice)

You are setting up Azure SQL Database and need to ensure that only specific Azure services (e.g., Azure Data Factory) can access the database. What should you configure?

Question 23 (medium, multiple choice)

Your company uses Azure SQL Database and needs to audit all data modifications (INSERT, UPDATE, DELETE) for compliance. You enable SQL Database auditing and configure a storage account for logs. However, you notice that some DELETE operations are not being audited. What could be the cause?

Question 24 (medium, multiple choice)

You are implementing row-level security (RLS) in Azure SQL Database to restrict access to sales data based on the user's Azure AD identity. Which function should you use in the security policy?

Question 25 (hard, multiple choice)

You are the database administrator for a company that uses Azure SQL Database. The company has a strict security policy requiring that all database connections be encrypted using TLS 1.2 or higher and that the server certificate be validated to prevent man-in-the-middle attacks. Additionally, the company wants to ensure that only applications running on Azure virtual machines (VMs) in a specific virtual network (VNet) can access the database. The VMs use a subnet named 'AppSubnet'. You have configured the following:
1. The server 'Allow Azure Services' setting is OFF.
2. A virtual network rule is added for 'AppSubnet' with the service endpoint for Microsoft.Sql enabled.
3. The server firewall has no other rules.
4. The 'Minimum TLS version' is set to 1.2.
5. All client applications are configured to use 'Encrypt=True' and 'TrustServerCertificate=False' in their connection strings.

After deployment, you discover that connections from the VMs are failing with error: 'The certificate chain was issued by an authority that is not trusted'. What is the most likely cause of this issue?

Question 26 (medium, multiple choice)

You are a database administrator for an Azure SQL Database. You need to ensure that only specific client IP addresses can connect to the database, while all other traffic is blocked. You also need to allow Azure services to access the database. What should you configure?

Question 27 (hard, multi select)

You are designing a secure architecture for Azure SQL Managed Instance. You need to ensure that all connections to the instance are encrypted and that the instance can only be accessed from a specific virtual network. Which TWO configurations should you implement?

Question 28 (hard, multiple choice)

You are reviewing an Azure RBAC role assignment for an Azure SQL Database. The role assignment shown in the exhibit is intended to allow a user to read data from the database. However, the user reports they cannot connect to the database. What is the most likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "Microsoft.Sql/servers/databases/read"
      ],
      "Principal": {
        "AzureAD": "devops@contoso.com"
      },
      "Scope": "/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/rg1/providers/Microsoft.Sql/servers/sqlsrv1/databases/db1"
    }
  ]
}
```

Question 29 (easy, multiple choice)

You are the database administrator for a company that uses Azure SQL Database. The company has a strict security policy requiring that all database connections be encrypted and that the server's firewall only allows connections from a list of approved IP addresses. You have configured the server-level firewall rules accordingly and enabled the 'Force encryption' setting on the server. However, after deployment, you notice that an application running on an Azure virtual machine is able to connect to the database even though its public IP address is not in the approved list. The virtual machine is in the same region as the database. What is the most likely cause?

Question 30 (medium, multiple choice)

A company manages an Azure SQL Database that stores sensitive customer data. The security team mandates that all connections to the database use Azure Active Directory (Azure AD) authentication and that no SQL authentication logins exist. You are tasked with implementing this requirement. What should you do first?

Question 31 (hard, multi select)

You are configuring security for an Azure SQL Managed Instance. The instance will host a critical application that requires Always Encrypted with secure enclaves. Which TWO actions must you take to support this feature? (Choose two.)

Question 32 (easy, multiple choice)

Refer to the exhibit. The exhibit shows an Azure role assignment with a condition. When user@contoso.com tries to read data from the database 'proddb', what will be the effect of this condition?

Exhibit

Refer to the exhibit.

```json
{
  "role": "Azure SQL Database Contributor",
  "scope": "/subscriptions/12345/resourceGroups/ProdRG/providers/Microsoft.Sql/servers/prodserver/databases/proddb",
  "assignee": "user@contoso.com",
  "condition": "((!(ActionMatches{'Microsoft.Sql/servers/databases/read'})) OR (@Request[Microsoft.Sql/servers/databases/read:DataAction] NotExists))",
  "conditionVersion": "2.0"
}
```

Question 33 (medium, drag order)

Drag and drop the steps to restore an Azure SQL Database to a point in time in the correct order.

Question 34 (medium, drag order)

Drag and drop the steps to configure a failover group for an Azure SQL Database in the correct order.

Question 35 (medium, matching)

Match each Azure Database for PostgreSQL pricing tier to its key feature.

Single node, suitable for development and small workloads

Balanced compute and memory for most production workloads

High memory-to-core ratio for memory-intensive workloads

Low-cost option with ability to burst CPU performance

Question 36 (medium, matching)

Match each Azure SQL Database migration tool to its description.

Managed service for online and offline migrations

Tool for migrating from other database platforms to SQL Server

Assesses compatibility and recommends improvements

Cross-platform tool for managing and migrating databases

Question 37 (easy, multiple choice)

You need to ensure that all users accessing Azure SQL Database from outside the corporate network are required to use multi-factor authentication (MFA). What should you configure?

Question 38 (medium, multiple choice)

You are the database administrator for a company that uses Azure SQL Database. You need to implement a security solution that automatically detects and alerts on suspicious activities, such as SQL injection attempts. Which feature should you enable?

Question 39 (hard, multiple choice)

Your company uses Azure SQL Managed Instance. You need to configure a server-level firewall rule to allow access from a specific Azure service, but you want to minimize the attack surface. What is the best practice?

Question 40 (easy, multiple choice)

You need to encrypt sensitive columns in an Azure SQL Database table so that data is encrypted at rest and in transit between the application and database. Which feature should you use?

Question 41 (medium, multiple choice)

You are configuring Microsoft Defender for SQL for Azure SQL Database. You need to ensure that alerts are sent to the security operations team via email and also integrated with Microsoft Sentinel. What should you configure?

Question 42 (hard, multiple choice)

Your company uses Azure SQL Database with a server-level Microsoft Entra ID admin. You need to implement a solution where database-level roles are automatically assigned based on the user's group membership in Microsoft Entra ID. What should you use?

Question 43 (easy, multiple choice)

You need to audit all successful and failed login attempts to an Azure SQL Database. Which feature should you enable?

Question 44 (medium, multiple choice)

Your organization needs to comply with a regulation that requires data to be encrypted at rest using a customer-managed key stored in Azure Key Vault. You have an Azure SQL Database. What should you configure?

Question 45 (hard, multiple choice)

You are a database administrator for an Azure SQL Database. You need to allow a user to restore a database from a backup to a new database, but the user should not have permission to delete the original database. What is the minimum permission required?

Question 46 (medium, multi select)

Which TWO actions are required to enable Microsoft Entra ID authentication for an Azure SQL Database?

Question 47 (hard, multi select)

Which THREE features can help protect Azure SQL Database from data exfiltration?

Question 48 (easy, multi select)

Which TWO are valid methods to connect to an Azure SQL Database without exposing a public endpoint?

Question 49 (medium, multiple choice)

Refer to the exhibit. You are reviewing an ARM template for an Azure SQL Database. The template configures backup retention. What is the effect of this configuration?

Exhibit

Refer to the exhibit.

```json
{
  "type": "Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies",
  "apiVersion": "2023-05-01-preview",
  "name": "Default",
  "properties": {
    "retentionDays": 7,
    "diffBackupIntervalInHours": 12
  }
}
```

Question 50 (hard, multiple choice)

Refer to the exhibit. You are troubleshooting an Azure SQL Database auditing configuration. The exhibit shows the blob auditing policy. The storage account access key is null, and the subscription ID is all zeros. What is the most likely issue?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "state": "Enabled",
    "storageEndpoint": "https://storagesample.blob.core.windows.net",
    "storageAccountAccessKey": null,
    "retentionDays": 90,
    "auditActionsAndGroups": [
      "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
      "FAILED_DATABASE_AUTHENTICATION_GROUP"
    ],
    "storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000",
    "isStorageSecondaryKeyInUse": false,
    "queueDelayTime": 0
  }
}
```

Question 51 (easy, multiple choice)

Refer to the exhibit. You run these commands in an Azure SQL Database. What is the result?

Exhibit

Refer to the exhibit.

```sql
CREATE USER [user@contoso.com] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [user@contoso.com];
```

Question 52 (easy, multiple choice)

You are configuring a new Azure SQL Database. The company policy requires that all connections use Microsoft Entra authentication and that no SQL authentication accounts exist. What should you do to prevent creation of SQL authenticated logins?

Question 53 (medium, multiple choice)

Your Azure SQL Managed Instance is configured to allow connections only from a specific virtual network. You need to ensure that clients from on-premises can connect using a point-to-site VPN. What additional configuration is required?

Question 54 (easy, multiple choice)

You need to audit all successful and failed login attempts on an Azure SQL Database. Which feature should you enable?

Question 55 (medium, multiple choice)

You have an Azure SQL Database with Always Encrypted enabled for sensitive columns. You need to grant a developer the ability to encrypt data using a column master key stored in Azure Key Vault. What permissions must be assigned to the developer's Microsoft Entra identity in the key vault?

Question 56 (easy, multiple choice)

You are designing a security strategy for Azure SQL Managed Instance. The compliance team requires that all database backups be encrypted at rest using a customer-managed key. Which feature should you enable?

Question 57 (medium, multiple choice)

You have an Azure SQL Database that is accessed by a web application. The application uses a service principal (Microsoft Entra application) to connect. You need to rotate the client secret for the service principal without downtime. What should you do?

Question 58 (hard, multiple choice)

Your company has a strict policy that all Azure SQL Databases must have Microsoft Defender for SQL enabled. You need to enforce this policy across all subscriptions using a scalable, automated approach. What should you do?

Question 59 (easy, multi select)

Which TWO of the following are valid methods to secure data in transit for Azure SQL Database?

Question 60 (medium, multi select)

Which THREE of the following are required to configure Microsoft Entra authentication for an Azure SQL Managed Instance?

Question 61 (hard, multi select)

Which TWO of the following are best practices for managing firewall rules for Azure SQL Database?

Question 62 (easy, multiple choice)

You need to ensure that an Azure SQL Database uses Microsoft Entra-only authentication. You have configured the server to disallow SQL authentication. What additional step is required to prevent users from creating SQL logins?

Question 63 (hard, multiple choice)

You are deploying an Azure SQL Database that will contain highly sensitive personal data. The security policy requires that the data be encrypted at rest, in transit, and in use. Additionally, the encryption keys must be stored in a hardware security module (HSM) and be customer-managed. Which combination of features should you implement?

Question 64 (medium, multiple choice)

Your company uses Azure SQL Database with Azure Active Directory (now Microsoft Entra ID) authentication. A new security policy requires that all database users must be authenticated via Microsoft Entra ID only. You need to disable SQL authentication for an Azure SQL Database logical server. What should you do?

Question 65 (easy, multiple choice)

You are a database administrator for an Azure SQL Managed Instance. You need to ensure that all connections to the instance use encrypted connections. What should you configure?

Question 66 (hard, multiple choice)

Your organization has Azure SQL Database with several databases. You need to implement a solution that allows a junior DBA to view the security logs for failed logins but not modify any security settings. What is the minimum role assignment needed on the logical server?

Question 67 (medium, multi select)

Which TWO actions should you take to implement a secure environment for Azure SQL Database that meets the principle of least privilege?

Question 68 (hard, multi select)

Which THREE of the following are valid methods to configure network security for Azure SQL Managed Instance?

Question 69 (easy, multi select)

Which TWO of the following are required to enable Microsoft Defender for SQL for Azure SQL Database?

Question 70 (easy, multiple choice)

You have an Azure SQL Database that stores sensitive customer data. You need to ensure that the data is encrypted at rest using a customer-managed key stored in Azure Key Vault. What should you configure?

Question 71 (hard, multiple choice)

Your organization uses Azure SQL Database with a geo-replication configuration. The primary server is in the East US region and the secondary is in West US. You need to ensure that if a regional outage occurs, failover can be initiated manually and the secondary database will have the same security settings as the primary. What should you configure?

Question 72 (medium, multiple choice)

You are a database administrator for Azure SQL Managed Instance. You need to configure a custom time zone for the instance because the application uses a specific time zone. What should you do?

Question 73 (easy, multiple choice)

You need to ensure that only specific Azure services can access your Azure SQL Database server. You want to allow traffic from Azure services but block all other traffic. What should you configure?

Question 74 (hard, multi select)

Which THREE of the following are best practices for managing keys in Azure Key Vault for use with Azure SQL Database TDE?

Question 75 (medium, multiple choice)

Your company plans to use Azure SQL Managed Instance for a mission-critical application. You need to ensure that all connections to the database are encrypted and that the server's identity is verified. Which configuration should you enforce?

Question 76 (easy, multi select)

Which TWO actions are required to enable Microsoft Entra ID authentication for Azure SQL Database?

Question 77 (hard, multiple choice)

Refer to the exhibit. You are deploying an Azure SQL Database audit policy using an ARM template. What is the MOST significant security concern with the configuration shown?

Exhibit

Refer to the exhibit.

```json
{
  "type": "Microsoft.Sql/servers/databases/auditingSettings",
  "apiVersion": "2022-05-01-preview",
  "properties": {
    "state": "Enabled",
    "auditActionsAndGroups": [
      "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
      "FAILED_DATABASE_AUTHENTICATION_GROUP"
    ],
    "isAzureMonitorTargetEnabled": true,
    "storageEndpoint": "https://mystorageaccount.blob.core.windows.net",
    "storageAccountAccessKey": "...",
    "retentionDays": 90
  }
}
```

Question 78 (easy, multiple choice)

You are implementing a new Azure SQL Database and need to ensure that connections from client applications are encrypted using TLS 1.2 or higher. Which server-level firewall rule setting should you configure?

Question 79 (medium, multiple choice)

Your organization has a regulatory requirement to audit all data modifications in an Azure SQL Database. You enable Azure SQL Database auditing and configure it to send logs to a Log Analytics workspace. However, you notice that DELETE operations on a specific table are not being audited. What is the most likely cause?

Question 80 (hard, multi select)

Which THREE security features are available in Azure SQL Database to protect data at rest?

Question 81 (hard, multiple choice)

Refer to the exhibit. You are configuring a backup retention policy for an Azure SQL Database via ARM template. You need to ensure that point-in-time restore (PITR) is available for the maximum supported period. What is the issue with the current configuration?

Exhibit

Refer to the exhibit.

```json
{
  "type": "Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies",
  "apiVersion": "2022-05-01-preview",
  "properties": {
    "retentionDays": 35,
    "diffBackupIntervalInHours": 12
  }
}
```

Question 82 (medium, multiple choice)

Your company uses Azure SQL Database and needs to restrict access to a specific column containing credit card numbers. Only users with the 'CreditCardViewer' role should see the full number; others should see only the last four digits. Which feature should you implement?

Question 83 (easy, multi select)

Which TWO actions should you take to secure Azure SQL Database against SQL injection attacks?

Question 84 (easy, multiple choice)

You need to ensure that Azure SQL Database can only be accessed from a specific virtual network in Azure. Which configuration should you apply?

Question 85 (hard, multiple choice)

Refer to the exhibit. You are configuring an Azure SQL Database security alert policy. What is the most significant misconfiguration?

Exhibit

Refer to the exhibit.
```json
{
  "type": "Microsoft.Sql/servers/databases/securityAlertPolicies",
  "apiVersion": "2022-05-01-preview",
  "properties": {
    "state": "Enabled",
    "emailAddresses": ["admin@contoso.com", "dba@contoso.com"],
    "emailAccountAdmins": true,
    "disabledAlerts": ["SqlInjection", "AccessAnomaly"],
    "retentionDays": 0
  }
}
```
Question 86 (medium, multiple choice)

Your company is migrating an on-premises SQL Server database to Azure SQL Managed Instance. You need to ensure that the database is protected by Microsoft Defender for Cloud (formerly Azure Security Center) with advanced threat protection. What should you enable?

Question 87 (medium, multi select)

Which THREE are valid methods to authenticate to Azure SQL Database using Microsoft Entra ID?

Question 88 (hard, multiple choice)

Refer to the exhibit. You are deploying an Azure SQL Database with Transparent Data Encryption (TDE) enabled via ARM template. The database will contain highly sensitive data, and your security policy requires that the encryption key be managed by your organization using Azure Key Vault. What additional configuration is needed?

Exhibit

Refer to the exhibit.
```json
{
  "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
  "apiVersion": "2022-05-01-preview",
  "properties": {
    "status": "Enabled"
  }
}
```
Question 89 (medium, multiple choice)

You are responsible for an Azure SQL Database that stores customer personally identifiable information (PII). You need to ensure that users with the 'CustomerService' role can see only the last four digits of Social Security numbers. Which feature should you use?

Question 90 (medium, multiple choice)

Your organization uses Azure SQL Database with Microsoft Entra ID authentication. You need to ensure that a specific user can only read data from the Sales schema. The user should not be able to modify any data. What should you do?

Question 91 (hard, multiple choice)

You are the database administrator for a company that uses Azure SQL Managed Instance. The security team has detected unusual query activity from a specific client IP address. You need to immediately block all connections from that IP address while maintaining connectivity for all other users. Which solution should you implement?

Question 92 (easy, multiple choice)

Your company is migrating on-premises SQL Server databases to Azure SQL Database. As part of security compliance, you must ensure that all data at rest is encrypted using customer-managed keys stored in Azure Key Vault. Which Azure SQL Database feature should you enable?

Question 93 (hard, multiple choice)

You attempt to create a new Azure SQL Database server with public network access enabled. What will happen?

Exhibit

Refer to the exhibit. You are reviewing an Azure Policy assignment for an Azure SQL Database server. The policy definition is as follows:

```json
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Sql/servers"
      },
      {
        "field": "Microsoft.Sql/servers/publicNetworkAccess",
        "equals": "Enabled"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
```
Question 94 (medium, multiple choice)

Your company uses Azure SQL Database and requires that all connections use Azure Active Directory (now Microsoft Entra ID) authentication. You need to ensure that no SQL authentication logins exist in the database. What should you do?

Question 95 (easy, multiple choice)

You need to audit all failed login attempts to an Azure SQL Database. Which feature should you enable?

Question 96 (hard, multiple choice)

Your company has an Azure SQL Database that contains sensitive financial data. You need to ensure that database administrators cannot view the actual data while still being able to perform administrative tasks such as backups and index maintenance. Which feature should you implement?

Question 97 (medium, multiple choice)

You have an Azure SQL Database that uses a firewall rule allowing access from a specific range of IP addresses. A developer reports that they cannot connect from a new IP address that falls outside the allowed range. You need to temporarily allow the developer's IP address for 24 hours without affecting existing rules. What should you do?

Question 98 (easy, multiple choice)

Your organization uses Azure SQL Database and wants to automatically detect and alert on potential SQL injection attacks. Which Azure service should you enable?

Question 99 (medium, multi select)

Which TWO actions are valid for implementing column-level encryption in Azure SQL Database using Always Encrypted? (Choose two.)

Question 100 (hard, multi select)

Which THREE actions are required to configure Microsoft Entra ID authentication for an Azure SQL Database? (Choose three.)

Question 101 (medium, multi select)

Which TWO are valid methods for auditing Azure SQL Database activity? (Choose two.)

Question 102 (hard, multi select)

Which THREE are best practices for securing Azure SQL Database? (Choose three.)

Question 103 (hard, multiple choice)

What will be the result of this command?

Exhibit

Refer to the exhibit. You execute the following PowerShell command to set the auditing policy for an Azure SQL Database:

```powershell
Set-AzSqlDatabaseAudit -ResourceGroupName "RG1" -ServerName "srv1" -DatabaseName "db1" -AuditActionGroup "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", "FAILED_DATABASE_AUTHENTICATION_GROUP" -StorageAccountResourceId $storage.Id -RetentionInDays 90
```
Question 104 (medium, multiple choice)

What does this query return?

Exhibit

Refer to the exhibit. You have an Azure SQL Database and you run the following KQL query in Azure Monitor:

```kusto
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.SQL"
| where Category == "SQLSecurityAuditEvents"
| where action_id_s == "LGIF"
| project TimeGenerated, client_ip_s, application_name_s, succeeded_s
```
Question 105 (medium, multiple choice)

Your company has an Azure SQL Database that stores sensitive customer data. You need to ensure that data is encrypted at rest and in transit. The database is currently using Transparent Data Encryption (TDE) with service-managed keys. Compliance requirements now mandate that you use customer-managed keys stored in Azure Key Vault. Additionally, all connections must use encrypted connections. What should you do?

Question 106 (easy, multiple choice)

You are the database administrator for a company that uses Azure SQL Managed Instance. You need to allow a specific application to connect to the database using a service principal. The application authenticates with Microsoft Entra ID. What should you configure?

Question 107 (hard, multiple choice)

Your company uses Azure SQL Database with Elastic Jobs to run maintenance scripts. You need to ensure that the Elastic Job agent can connect to the target databases securely. The agent runs in an Azure virtual network and uses a managed identity. The target databases are in a different Azure region and have public endpoint disabled. What is the most secure way to connect the Elastic Job agent to the target databases?

Question 108 (medium, multiple choice)

You are responsible for security compliance of Azure SQL databases. You need to audit all successful and failed login attempts and store the audit logs in a Log Analytics workspace for analysis. You also want to detect potential brute-force attacks. What should you implement?

Question 109 (easy, multiple choice)

Your organization uses Azure SQL Database and wants to restrict access to only specific Azure services and on-premises IP addresses. The database has a public endpoint. Which two security features should you configure?

Question 110 (medium, multiple choice)

You have an Azure SQL Managed Instance that needs to be accessed from an on-premises application. The connection must be encrypted and the on-premises network uses an ExpressRoute circuit. You need to configure the managed instance to only accept connections from the on-premises network. What should you do?

Question 111 (hard, multiple choice)

Your company uses Azure SQL Database and needs to protect sensitive columns (e.g., credit card numbers) from being accessed by unauthorized users. You implement Always Encrypted. However, some queries that perform pattern matching on the encrypted column are failing because the column cannot be searched. What should you do to allow pattern matching while maintaining security?

Question 112 (medium, multiple choice)

You are deploying Azure SQL Database for a multi-tenant application. Each tenant's data must be isolated. You need to ensure that tenants cannot access each other's data even if there is a SQL injection vulnerability. Which security feature should you implement?

Question 113 (easy, multiple choice)

Your company uses Azure SQL Database and wants to automatically detect and alert on potential SQL injection attacks. Which Azure service should you enable?

Question 114 (hard, multi select)

You have an Azure SQL Database that stores personally identifiable information (PII). You need to classify and label the sensitive columns using Microsoft Purview. Additionally, you want to automatically mask these columns for a specific application user. Which two actions should you take? (Choose two.)

Question 115 (medium, multi select)

You manage an Azure SQL Database that is accessed by several applications. You need to implement the principle of least privilege for database access. Which three actions should you take? (Choose three.)

Question 116 (easy, multi select)

You are configuring security for an Azure SQL Database that will be used by a web application. The application uses a connection string with SQL authentication. You need to protect the database from SQL injection attacks. Which two measures should you implement? (Choose two.)

Question 117 (medium, multiple choice)

You are configuring Azure SQL Database for a financial application that must meet PCI DSS compliance. The database contains credit card numbers stored in a column encrypted with Always Encrypted. You need to ensure that database administrators cannot view the plaintext credit card numbers while allowing application users with the proper credentials to access them. What should you implement?

Question 118 (hard, multiple choice)

You are the database administrator for a SaaS company that uses Azure SQL Database. The company has a new requirement to audit all SELECT operations on a specific table containing sensitive customer data. You enable auditing on the server and configure a storage account for audit logs. However, after 24 hours, you notice that no SELECT operations are captured in the audit logs. You verify that the table is being accessed frequently. What is the most likely cause?

Question 119 (easy, multiple choice)

Your Azure SQL Managed Instance stores sensitive healthcare data. You need to restrict access to the database from public networks while allowing a specific on-premises application to connect. The on-premises network has a static public IP address. What is the most secure way to configure connectivity?

Question 120 (hard, multiple choice)

Your company uses Azure SQL Database with Microsoft Entra ID (formerly Azure AD) authentication. You need to grant a group of external consultants access to a specific database with read-only permissions. The consultants are from a partner organization that uses their own Microsoft Entra ID tenant. What should you do?

Question 121 (medium, multiple choice)

You are troubleshooting a connectivity issue: an application running on an Azure virtual machine (VM) cannot connect to an Azure SQL Database. The VM is in the same region as the SQL Database. The VM can ping other resources, but the SQL connection fails. The SQL Database has a firewall rule allowing the VM's private IP address. What is the most likely cause?

Question 122 (easy, multiple choice)

You need to ensure that all connections to an Azure SQL Database use encryption. The application uses the JDBC driver. What should you configure in the connection string?

Question 123 (hard, multiple choice)

Your company uses Azure SQL Database with Microsoft Defender for Cloud. You receive an alert indicating a potential SQL injection attack. The alert shows that the attack originated from the IP address of your company's VPN gateway. You have verified that no legitimate users are using the VPN at that time. What should you do to immediately stop the attack while preserving legitimate access?

Question 124 (medium, multiple choice)

You are implementing row-level security (RLS) in Azure SQL Database to enforce data isolation for multiple tenants. Each tenant has a TenantID. The RLS predicate function uses the SESSION_CONTEXT variable set by the application. You need to ensure that users cannot bypass the RLS by setting arbitrary SESSION_CONTEXT values. What should you do?

Question 125 (medium, multiple choice)

You need to audit schema changes on an Azure SQL Database. Specifically, you must capture details of any DDL statements executed by any user. The audit logs must be stored in a Log Analytics workspace for analysis. What should you configure?

Question 126 (hard, multiple choice)

Refer to the exhibit. You are reviewing an Azure Resource Manager template for deploying an Azure SQL Database server. The template sets publicNetworkAccess to Disabled, minimalTlsVersion to 1.2, and azureAdOnlyAuthentication to true. However, the deployment fails with an error. What is the most likely cause?

Exhibit

```json
{
  "properties": {
    "publicNetworkAccess": "Disabled",
    "minimalTlsVersion": "1.2",
    "azureAdOnlyAuthentication": true,
    "administratorLogin": "admin123",
    "administratorLoginPassword": "P@ssw0rd!"
  }
}
```
Question 127 (easy, multiple choice)

Refer to the exhibit. You are configuring Azure SQL Database Transparent Data Encryption (TDE) with customer-managed keys (CMK) stored in Azure Key Vault. The deployment uses a user-assigned managed identity. However, after deployment, the TDE status shows 'Inaccessible'. What is the most likely cause?

Exhibit

```json
{
  "identity": {
    "type": "UserAssigned",
    "userAssignedIdentities": {
      "/subscriptions/123/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-sql-access": {}
    }
  },
  "properties": {
    "serverKeyType": "AzureKeyVault",
    "uri": "https://kv-sql-keys.vault.azure.net/keys/sql-key/abc123",
    "serverKeyName": "sql-key"
  }
}
```
Question 128 (medium, multiple choice)

Refer to the exhibit. You are reviewing a script that is executed as part of a data migration to Azure SQL Database. The script attempts to insert a row with a specific OrderID into an Orders table that has an identity column. The script runs successfully in a test environment but fails in production with an error. The production environment has the same schema. What is the most likely cause?

Exhibit

```sql
SET IDENTITY_INSERT dbo.Orders ON;
INSERT INTO dbo.Orders (OrderID, CustomerName) VALUES (1001, 'Contoso');
SET IDENTITY_INSERT dbo.Orders OFF;
```
Question 129 (easy, multi select)

Which TWO of the following are valid methods to authenticate to Azure SQL Database using Microsoft Entra ID? (Choose two.)

Question 130 (medium, multi select)

Which THREE of the following are features that help protect against data exfiltration in Azure SQL Database? (Choose three.)

Question 131 (hard, multi select)

Which TWO of the following are required steps to configure Azure SQL Database to use a customer-managed key (CMK) for Transparent Data Encryption (TDE) with Azure Key Vault? (Choose two.)

Question 132 (medium, multiple choice)

Your organization uses Azure SQL Database with Azure SQL Managed Instance for a multi-tenant SaaS application. You need to ensure that each tenant's data is isolated and that a compromised tenant cannot access other tenants' data. What is the most secure approach?

Question 133 (hard, multiple choice)

Your company is migrating on-premises SQL Server databases to Azure SQL Managed Instance. You need to ensure that database backups are encrypted at rest using customer-managed keys stored in Azure Key Vault. You also need to allow the backup service to access the keys. What should you configure?

Question 134 (easy, multiple choice)

You have an Azure SQL Database that stores financial data. You need to audit all SELECT operations on the 'Transactions' table and store the audit logs in an Azure Storage account. What should you use?

Question 135 (medium, multiple choice)

You are the database administrator for a healthcare organization that uses Azure SQL Database. You need to implement column-level encryption for a column containing patient Social Security numbers (SSNs). The SSNs must be encrypted at rest and in transit, and only authorized client applications should be able to decrypt them. Which technology should you use?

Question 136 (easy, multiple choice)

Your organization has a policy that all Azure SQL Database connections must use Microsoft Entra authentication. You need to ensure that application developers cannot accidentally use SQL authentication. What should you do?

Question 137 (medium, multiple choice)

You manage an Azure SQL Database that is part of a business-critical application. You need to ensure that network traffic between the application hosted on Azure VMs and the database is encrypted and does not traverse the public internet. What should you configure?

Question 138 (easy, multiple choice)

Your organization requires that all changes to sensitive data in an Azure SQL Database be logged for compliance. You need to capture who changed what data and when, and store the logs in a Log Analytics workspace for analysis. What should you configure?

Question 139 (medium, multi select)

Your company uses Azure SQL Database and needs to comply with GDPR. You must implement data classification and protection. Which TWO actions should you take? (Choose two.)

Question 140 (hard, multi select)

You are designing a secure Azure SQL Database environment for a financial services application. You need to meet the following requirements:

- All network traffic to the database must be private and not traverse the public internet.
- Only specific Azure resources in a virtual network should be able to connect.
- The solution must minimize administrative overhead.

Which TWO configurations should you implement? (Choose two.)

Question 141 (medium, multi select)

Your organization uses Azure SQL Managed Instance and needs to implement a defense-in-depth strategy. Which THREE security controls should you implement? (Choose three.)

Question 142 (hard, multi select)

You are deploying a new Azure SQL Database that will store Personally Identifiable Information (PII). You need to ensure that the data is encrypted at rest and that access to encryption keys is logged. Which THREE actions should you take? (Choose three.)

Question 143 (medium, multiple choice)

Your company uses Azure SQL Database with Microsoft Entra ID authentication. You need to ensure that only users from a specific Microsoft Entra ID tenant can access the database. What should you configure?

Question 144 (hard, multiple choice)

You are designing a secure environment for Azure SQL Managed Instance. You need to ensure that all connections from client applications use a private endpoint, and no public endpoint is accessible. What should you configure?

Question 145 (easy, multiple choice)

Your Azure SQL Database contains sensitive financial data. You need to audit all data modifications (INSERT, UPDATE, DELETE) and store the audit logs in a central Azure Storage account for compliance. What should you configure?

Question 146 (medium, multiple choice)

Your team uses Azure SQL Database and wants to use Microsoft Entra ID authentication. You need to create a contained database user mapped to a Microsoft Entra ID application (service principal). Which T-SQL command should you use?

Question 147 (hard, multiple choice)

You are responsible for securing an Azure SQL Database. You need to implement data masking for a column that contains credit card numbers, ensuring that users with the db_datareader role see a masked version. However, users with the db_owner role should see the unmasked data. What should you configure?

Question 148 (easy, multiple choice)

Your Azure SQL Database is protected by a failover group. You need to ensure that during a failover to the secondary region, only authenticated applications can connect. What should you configure?

Question 149 (hard, multiple choice)

You are reviewing an ARM template for Azure SQL Database. The exhibit shows a resource definition for Transparent Data Encryption (TDE). You need to ensure that the database uses customer-managed keys (CMK) stored in Azure Key Vault instead of service-managed keys. What additional configuration is required?

Exhibit

Refer to the exhibit.

```json
{
  "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
  "apiVersion": "2022-05-01-preview",
  "name": "current",
  "properties": {
    "state": "Enabled"
  }
}
```
Question 150 (medium, multiple choice)

You are reviewing a PowerShell script that configures auditing for an Azure SQL Database. The script sets an audit rule with the specified parameters. After running the script, you notice that SELECT operations are not being audited. What is the most likely cause?

Exhibit

Refer to the exhibit.

```powershell
$auditRule = @{
    AuditAction = @("SELECT", "UPDATE", "DELETE")
    AuditActionGroup = @("DATABASE_OBJECT_CHANGE_GROUP")
    RetentionDays = 90
    StorageEndpoint = "https://auditlogs.blob.core.windows.net"
    StorageAccountAccessKey = $storageKey
    StorageAccountSubscriptionId = $subscriptionId
}
```
Question 151 (easy, multiple choice)

You run the Azure CLI command shown in the exhibit for an Azure SQL Database named SalesDB. The output shows that the security alert policy is disabled. You need to enable Microsoft Defender for SQL, including vulnerability assessments, for this database. What should you do?

Exhibit

Refer to the exhibit.

```bash
az sql db show --name SalesDB --resource-group rg-sales --server sql-sales --query "securityAlertPolicy"
```
Question 152 (medium, multi select)

Your company uses Azure SQL Database and wants to implement row-level security (RLS) to restrict access to customer data based on the user's Microsoft Entra ID group membership. Which TWO actions are required?

Question 153 (hard, multi select)

Your Azure SQL Database is accessed by multiple applications. You need to ensure that all connections use Transport Layer Security (TLS) 1.2 or higher. Which TWO configurations should you verify or enable?

Question 154 (medium, multi select)

Your organization has a compliance requirement to automatically classify and protect sensitive data in Azure SQL Database. You need to configure Microsoft Purview to scan and classify the database. Which THREE actions are required?

Question 155 (hard, multi select)

You are configuring a new Azure SQL Database for a multi-tenant SaaS application. You need to ensure that each tenant can only access their own rows. Which THREE features can be used to achieve this?

Question 156 (medium, multiple choice)

Your Azure SQL Database uses Always Encrypted to protect sensitive columns. You need to allow a reporting application to query encrypted columns without having access to the column encryption key. What should you configure?

Question 157 (hard, multiple choice)

You are reviewing the encryption protector for an Azure SQL Server as shown in the exhibit. The server hosts multiple databases. You need to ensure that the databases are encrypted using the customer-managed key from Azure Key Vault. However, you find that the databases are not using this key. What is the most likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "serverKeyType": "AzureKeyVault",
    "uri": "https://myvault.vault.azure.net/keys/mykey/123456",
    "serverKeyName": "mykey",
    "kind": "azurekeyvault"
  },
  "id": "/subscriptions/sub-id/resourceGroups/rg/providers/Microsoft.Sql/servers/myserver/encryptionProtector/current",
  "name": "current",
  "type": "Microsoft.Sql/servers/encryptionProtector"
}
```
Question 158 (medium, multiple choice)

Your company uses Azure SQL Database with Microsoft Entra ID authentication. You need to ensure that only users with specific Azure AD roles can access the database. What should you configure?

Question 159 (hard, multiple choice)

Your Azure SQL Managed Instance stores sensitive financial data. You must prevent unauthorized access from Azure services and ensure that only specific virtual networks can connect. You also need to audit all failed login attempts. Which combination of configurations should you implement?

Question 160 (easy, multiple choice)

You need to audit all schema changes in an Azure SQL Database and store the audit logs in a storage account for long-term retention. What should you enable?

Question 161 (medium, multiple choice)

Refer to the exhibit. You are reviewing the firewall rule JSON for an Azure SQL Server. What does this rule allow?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "startIpAddress": "0.0.0.0",
    "endIpAddress": "0.0.0.0"
  }
}
```
Question 162 (hard, multiple choice)

You have an Azure SQL Database that needs to be accessed by an application running on an Azure VM. The VM is in a different subscription. You want to minimize administrative overhead and ensure secure connectivity without exposing the database to the public internet. What should you do?

Question 163 (easy, multiple choice)

Your organization requires that all Azure SQL Database administrators use multi-factor authentication (MFA) when connecting. Which authentication method must be used?

Question 164 (medium, multiple choice)

Refer to the exhibit. You are reviewing the audit settings for an Azure SQL Database. What will this configuration do?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "state": "Enabled",
    "auditActionsAndGroups": [
      "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
      "FAILED_DATABASE_AUTHENTICATION_GROUP"
    ],
    "storageAccountAccessKey": null,
    "storageEndpoint": null,
    "isAzureMonitorTargetEnabled": true
  }
}
```
Question 165 (hard, multi select)

You have an Azure SQL Database that contains sensitive customer data. You need to classify the data and receive recommendations for protecting it. You also need to detect and alert on suspicious access patterns. Which two Azure services should you enable? (Choose two.)

Question 166 (medium, multi select)

You are configuring Azure SQL Database firewall rules. Which THREE actions require the 'Allow Azure services and resources to access this server' setting to be enabled? (Choose three.)

Question 167 (medium, multi select)

Your company wants to implement transparent data encryption (TDE) for an Azure SQL Database using a customer-managed key stored in Azure Key Vault. Which TWO prerequisites must be met? (Choose two.)

Question 168 (hard, multi select)

You need to ensure that all queries accessing a specific column containing credit card numbers are encrypted both at rest and in transit between the application and Azure SQL Database. Which THREE technologies should you implement? (Choose three.)

Question 169 (easy, multiple choice)

You need to prevent users from accidentally deleting an Azure SQL Database. What should you configure?

Question 170 (hard, multiple choice)

An Azure SQL Database contains personally identifiable information (PII). You need to mask the PII columns from non-administrative users while allowing administrators to see the actual data. Which feature should you use?

Question 171 (medium, multiple choice)

You have an Azure SQL Database that needs to be accessed by an application with a static public IP address. You want to allow only that IP address to connect. What should you configure?

Question 172 (hard, multiple choice)

You are the database administrator for a large e-commerce company. The company has an Azure SQL Database named SalesDB that stores sensitive customer data including credit card numbers and personal details. The security team has mandated the following requirements:

1. All customer credit card numbers must be encrypted at rest and in transit between the application and the database. The encryption keys must be stored in a hardware security module (HSM) managed by the company.
2. All access to the database must be authenticated using Microsoft Entra ID, and multi-factor authentication (MFA) must be enforced for all administrative users.
3. Any attempts to access the database from unusual geographic locations must be detected and automatically blocked for 24 hours.
4. All schema changes must be audited, and the audit logs must be sent to a central Log Analytics workspace for analysis.

Currently, the database uses SQL authentication, no encryption, and no auditing. You need to implement the required security controls with minimal downtime. What should you do?

Question 173 (medium, multiple choice)

Your company uses Azure SQL Managed Instance and requires that all connections from client applications use Microsoft Entra authentication with multi-factor authentication (MFA). You configure Azure SQL Managed Instance to support Microsoft Entra authentication and create a contained database user for the application. However, when the application attempts to connect, it receives error '18456, state 10' indicating that the login is not recognized. What is the most likely cause?

Question 174 (hard, multiple choice)

You are the database administrator for a healthcare organization that uses Azure SQL Database. You need to implement column-level encryption for sensitive patient data (e.g., Social Security numbers) using Always Encrypted. The application connecting to the database is a .NET application running on Azure Virtual Machines. The application should be able to perform parameterized queries on encrypted columns without revealing the plaintext to the database. Which configuration is essential for this setup?

Question 175 (easy, multiple choice)

You are configuring Azure SQL Database firewall rules. You need to allow a team of developers to connect from their office IP range (192.168.1.0/24) to a specific database. The developers should not be able to access other databases on the same logical server. What should you do?

Question 176 (hard, multiple choice)

You are reviewing an Azure SQL Database audit policy configuration. The policy is set to audit successful and failed database authentication events. You notice that audit logs are being written to both Azure Blob Storage and Azure Monitor. However, you are concerned about the security of the storage account access key in the policy. What is the recommended approach to securely reference the storage account?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "name": "myAuditPolicy",
    "type": "Microsoft.Sql/servers/databases/auditingSettings",
    "apiVersion": "2023-02-01-preview",
    "properties": {
      "state": "Enabled",
      "auditActionsAndGroups": [
        "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
        "FAILED_DATABASE_AUTHENTICATION_GROUP"
      ],
      "storageEndpoint": "https://mystorage.blob.core.windows.net",
      "storageAccountAccessKey": "...",
      "retentionDays": 90,
      "isAzureMonitorTargetEnabled": true
    }
  }
}
```

Question 177 (medium, multiple choice)

Your company has an Azure SQL Database that stores financial data. You need to implement auditing to track all data modifications (INSERT, UPDATE, DELETE) and schema changes (DDL). Which audit action group should you configure?

Question 178 (easy, multiple choice)

You are the DBA for a company that uses Azure SQL Database. You need to ensure that only authorized users can view sensitive columns (e.g., salary) in the Employees table. You want to obfuscate the data for certain users but allow full access to HR managers. Which feature should you use?

Question 179 (medium, multiple choice)

You are configuring Azure SQL Database for a multi-tenant application. Each tenant's data is stored in a separate database. You need to ensure that a tenant admin can only manage their own database and not other databases on the same logical server. What is the best approach?

Question 180 (hard, multiple choice)

Your organization uses Azure SQL Database and wants to implement a defense-in-depth strategy. You have already enabled Transparent Data Encryption (TDE) and firewall rules. You need to add an additional layer of security that protects against unauthorized access to the physical storage files (e.g., if someone gains access to the storage account). What should you enable?

Question 181 (easy, multiple choice)

You need to configure Azure SQL Database to allow connections only from Azure services and from a specific on-premises IP range. Which firewall rule configuration should you apply at the server level?

Question 182 (medium, multi select)

You are responsible for securing Azure SQL Managed Instance. You need to ensure that only encrypted connections are allowed and that all client connections use the latest TLS protocol. Which TWO configurations should you implement?

Question 183 (hard, multi select)

You are deploying Azure SQL Database and need to comply with regulatory requirements that mandate separation of duties for database administration. Specifically, the security team should manage access policies, and the database administrators should manage the data. Which THREE features should you use to implement this?

Question 184 (easy, multi select)

You are configuring Azure SQL Database auditing. You need to ensure that all database-level authentication failures are logged. Which TWO audit action groups should you include?

Question 185 (hard, multiple choice)

You are a database administrator for a financial services company that uses Azure SQL Database for a critical trading application. The application connects using a service principal (Microsoft Entra application) and executes stored procedures. You need to implement the following security requirements:

1. All connections must use Microsoft Entra authentication with MFA enforced for the service principal.
2. The application should only be able to execute specific stored procedures (usp_Trade, usp_GetQuote) and no other operations.
3. All data at rest must be encrypted using customer-managed keys stored in Azure Key Vault.
4. Auditing must capture all failed login attempts and all changes to the database schema.
5. The database must be protected against SQL injection attacks from the application layer.

You have already configured Microsoft Entra authentication and enabled TDE with customer-managed key in Azure Key Vault. Which additional steps should you take to meet all remaining requirements?

Question 186 (medium, multiple choice)

You are the DBA for a company that uses Azure SQL Managed Instance to host multiple databases for different departments. The security team has mandated that:

- All connections to the managed instance must be encrypted using TLS 1.2 or higher.
- SQL Server authentication must be disabled; only Microsoft Entra authentication is allowed.
- A dedicated audit log must be created for each database to track all DDL changes and all failed login attempts.
- The audit logs must be stored in a central Azure Storage account with 180-day retention.
- Database administrators (DBAs) should not be able to view or modify the audit logs.

You have already set the minimal TLS version to 1.2 and disabled SQL Server authentication. What should you do next to meet the remaining requirements?

Question 187 (easy, multiple choice)

You are a junior DBA at a startup that uses Azure SQL Database for its SaaS application. The application uses a single database and the development team frequently makes schema changes. You need to implement security measures to:

1. Ensure that all connections from the application use TLS encryption.
2. Prevent unauthorized access from the internet.
3. Allow your office IP range (203.0.113.0/24) to connect for management.
4. Enable auditing of all schema changes.
5. Encrypt the database at rest using Azure-managed keys.

You have already enabled Transparent Data Encryption (TDE) with service-managed keys. What should you do next to meet the remaining requirements?

Question 188 (medium, multiple choice)

Your company uses Azure SQL Database for a customer-facing application. You need to ensure that only the application can access the database, and that access is restricted to specific IP ranges. The application runs on Azure App Service with a dynamic outbound IP address. What should you do?

Question 189 (easy, multiple choice)

You are configuring Microsoft Defender for SQL for an Azure SQL Database. You want to receive email notifications when a suspicious activity is detected. What should you configure?

Question 190 (hard, multiple choice)

Your Azure SQL Database is configured with a failover group across two regions. You need to ensure that client connections automatically redirect to the secondary region during a regional outage, without changing the connection string. What should you implement?

Question 191 (medium, multiple choice)

You need to audit all schema changes (DDL) on an Azure SQL Database for compliance. The audit logs must be retained for 7 years. What should you do?

Question 192 (hard, multiple choice)

Your Azure SQL Database contains sensitive customer data. You need to implement column-level encryption so that only authorized users can read specific columns. The encryption must be managed by the application, not the database. What should you use?

Question 193 (easy, multiple choice)

You have a new Azure SQL Database. You need to ensure that all connections use TLS 1.2 or higher. What should you configure?

Question 194 (medium, multiple choice)

Your company is using Azure SQL Database with Microsoft Entra ID authentication. A developer needs to connect to the database using a service principal. What should you provide to the developer?

Question 195 (medium, multi select)

You are designing a secure environment for Azure SQL Database. Which TWO of the following are recommended practices for network security?

Question 196 (hard, multi select)

You need to protect Azure SQL Database from SQL injection attacks. Which THREE of the following measures should you implement?

Question 197 (easy, multi select)

You are configuring authentication for Azure SQL Database. Which TWO of the following are supported authentication methods?

Question 198 (medium, multiple choice)

You are a database administrator for a healthcare company. You have an Azure SQL Database that stores patient records. The database is currently accessible from the public internet via firewall rules. You need to implement a secure environment that meets the following requirements:

- All traffic to the database must be private and not traverse the internet.
- The database must be accessible from an Azure Virtual Machine in a specific VNet.
- The solution must minimize management overhead and cost.
- You need to ensure that the database can be failed over to a secondary region in case of an outage.

What should you do?

Question 199 (hard, multiple choice)

Your organization is migrating a legacy on-premises SQL Server database to Azure SQL Managed Instance. The database contains sensitive financial data. You need to implement column-level encryption so that even database administrators cannot view the plaintext data. The encryption keys must be stored in Azure Key Vault, and the application must be able to encrypt and decrypt data transparently. The application currently uses Entity Framework Core and runs on Azure App Service. You have the following requirements:

- Use a solution that provides the strongest security by ensuring the database never has access to the plaintext.
- Minimize changes to the application code.
- The application must be able to perform equality searches on encrypted columns.

What should you implement?

Question 200 (easy, multiple choice)

You are setting up a new Azure SQL Database for a development team. The database will contain test data that mimics production but with some sensitive fields obfuscated. You need to ensure that developers can query the database without seeing the actual sensitive data. The developers will use Microsoft Entra ID authentication. You have the following requirements:

- The sensitive data should be automatically masked in query results for all developers except the database administrator.
- The masking should be applied without modifying the application code.
- The solution should be easy to manage and not require changes to the data model.

What should you implement?

Question 201 (medium, multiple choice)

Your company has an Azure SQL Database that is accessed by multiple applications. You need to implement a security solution that meets the following requirements:

- Each application must have its own database user with specific permissions.
- All authentication must use Microsoft Entra ID.
- You need to be able to rotate credentials for each application without impacting other applications.
- The solution must support automatic credential rotation for service principals.

What should you do?

Question 202 (easy, multiple choice)

You are a database administrator for a company that stores sensitive customer data in Azure SQL Database. The security team requires that all access to the database be authenticated using Microsoft Entra ID and that no SQL authentication logins exist. You need to verify that SQL authentication is disabled. What should you do?

Question 203 (medium, multi select)

You are a database administrator for a healthcare organization that uses Azure SQL Database to store protected health information (PHI). The compliance team requires that you implement controls to prevent unauthorized access and detect potential data exfiltration. Which TWO actions should you take?

Question 204 (hard, multiple choice)

You are a database administrator for a financial services company. You have deployed an Azure SQL Database and configured auditing using the JSON policy shown in the exhibit. After a security incident, you need to review all successful and failed login attempts to the database. However, you notice that login events are not being captured in the audit logs. What is the most likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "type": "Microsoft.Sql/servers/auditingSettings",
  "apiVersion": "2021-02-01-preview",
  "properties": {
    "state": "Enabled",
    "auditActionsAndGroups": [
      "DATABASE_LOGOUT_GROUP",
      "DATABASE_ROLE_MEMBER_CHANGE_GROUP",
      "BATCH_COMPLETED_GROUP"
    ],
    "isAzureMonitorTargetEnabled": true,
    "storageEndpoint": "https://auditlogs.blob.core.windows.net/",
    "retentionDays": 365
  }
}
```

Question 205 (medium, multiple choice)

You are a database administrator for a multinational corporation that uses Azure SQL Managed Instance to host multiple databases for different business units. The security policy requires that all connections to the managed instance must use encrypted connections (TLS 1.2 or higher). Additionally, the company wants to minimize the attack surface by restricting network access. You need to configure the managed instance to enforce encrypted connections and block all public internet traffic. What should you do?

Question 206 (easy, multi select)

You are a database administrator for a startup that uses Azure SQL Database to run an e-commerce application. The application uses a service principal (Microsoft Entra ID application) to authenticate to the database. You need to grant the service principal the ability to read data from all tables in the 'sales' schema. Which THREE actions should you take?

Question 207 (hard, multiple choice)

You are a database administrator for a government agency that uses Azure SQL Database to store classified data. The database contains highly sensitive columns (e.g., Social Security Numbers) that must be masked for most users, but fully visible to a small group of compliance officers. The compliance officers authenticate using Microsoft Entra ID. You need to implement a solution that automatically masks the sensitive columns for all users except the compliance officers, without requiring application code changes. The solution must also ensure that the compliance officers are identified by their Microsoft Entra ID user principal name (UPN). What should you do?

Question 208 (easy, multiple choice)

You are a database administrator for a retail company that uses Azure SQL Database. The security team wants to prevent SQL injection attacks by ensuring that all application queries use parameterized statements. Which built-in Azure feature should you enable to help detect and alert on potential SQL injection attempts?

Question 209 (medium, multi select)

You are a database administrator for a bank that uses Azure SQL Database to store transaction data. The compliance team requires that you implement a solution to encrypt data at rest and in transit. Additionally, the solution must allow the database to be restored to any point in time within the last 35 days. Which TWO actions should you take?

Question 210 (hard, multiple choice)

You are a database administrator for a technology company that uses Azure SQL Database to support a multi-tenant SaaS application. Each tenant has its own database. The security team requires that users from one tenant should never be able to access data from another tenant, even if a user's credentials are compromised. You need to implement a solution that enforces tenant isolation at the database level. The solution must be transparent to the application and must not require application code changes. What should you do?

Question 211 (easy, multiple choice)

You are a database administrator for a hospital that uses Azure SQL Database to store patient records. The hospital's security policy requires that all database access be authenticated using Microsoft Entra ID (formerly Azure AD). You have already created a Microsoft Entra ID user for yourself and granted yourself the 'db_owner' role. You now need to create a new Microsoft Entra ID user for a nurse who needs read-only access to the database. What should you do first?

Question 212 (hard, multi select)

You are a database administrator for a manufacturing company that uses Azure SQL Database. The company has a requirement to encrypt sensitive data in transit between the application and the database. Additionally, the company wants to ensure that database administrators (DBAs) cannot view the sensitive data. Which TWO features should you implement?

Question 213 (medium, multiple choice)

You are a database administrator for an e-commerce company that uses Azure SQL Database to store order data. The company is implementing a new policy that requires all database access to be audited, including both successful and failed attempts. Additionally, the audit logs must be retained for at least one year for compliance purposes. You need to configure auditing for the database. What should you do?
