Question 1mediummultiple choice
Full question →mediummultiple choiceObjective-mapped
A company uses Azure SQL Database to store customer data, including credit card numbers. The security policy requires that database administrators (DBAs) must not be able to view the credit card numbers in plaintext. The column containing the credit card numbers must be encrypted at rest and in transit, and only a specific application (using a dedicated client library) should be able to decrypt the data. Which technology should they implement?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
A
Distractor review
Transparent Data Encryption (TDE) with a customer-managed key stored in Azure Key Vault.
TDE encrypts the entire database at rest, but DBAs can still query the data because SQL Server automatically decrypts the data when read. The encryption key is available to the service.
B
Distractor review
Dynamic Data Masking (DDM) for the credit card column.
DDM masks the column in query results based on user permissions, but the underlying data is still stored in plaintext. Users with permissions can unmask the data, and it does not protect against DBAs.
C
Best answer
Always Encrypted with a client-side encryption key stored in Azure Key Vault.
Correct. Always Encrypted encrypts the data on the client side, so the SQL Database never sees the plaintext. Only the client application with access to the encryption key can decrypt the data, preventing DBAs from viewing sensitive columns.
D
Distractor review
Row-Level Security (RLS) to restrict DBA access to the credit card column.
RLS restricts row-level access based on user context but does not provide column-level encryption. DBAs can still see the plaintext in the column if they have the appropriate permissions.
Common exam trap
Common exam trap: usable hosts are not the same as total addresses
Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets, the network and broadcast addresses are not usable host addresses.
Technical deep dive
How to think about this question
Subnetting questions test whether you can identify the network, broadcast address, usable range, mask and correct subnet. Slow down enough to calculate the block size correctly.
KKey Concepts to Remember
- CIDR notation defines the prefix length.
- Block size helps identify subnet boundaries.
- Network and broadcast addresses are not usable hosts in normal IPv4 subnets.
- The required host count determines the smallest suitable subnet.
TExam Day Tips
- Write the block size before choosing the subnet.
- Check whether the question asks for hosts, subnets or a specific address range.
- Do not confuse /24, /25, /26 and /27 host counts.
Related practice questions
Related AZ-500 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
More questions from this exam
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
A DevOps team wants Defender for Cloud to identify secrets exposed in GitHub repositories. What should be configured?
Question 2
A public web application should be protected from OWASP-style attacks and network-layer DDoS attacks. Which two Azure services are most relevant?
Question 3
A Sentinel scheduled rule runs every 5 minutes and looks back 1 hour. Analysts see repeated alerts for the same event. Which change best prevents duplicate detections without missing late-arriving logs?
Question 4
A SOC analyst needs a Sentinel query that detects multiple failed sign-ins followed by a successful sign-in for the same user. Which table is the best primary source?
Question 5
A Sentinel watchlist contains high-value administrator accounts. Which KQL pattern best uses it in a detection rule?
Question 6
A SOC wants a Sentinel rule to include account, host, and IP entities so analysts can pivot during investigation. What should be configured in the analytics rule?
FAQ
Questions learners often ask
What does this AZ-500 question test?
CIDR notation defines the prefix length.
What is the correct answer to this question?
The correct answer is: Always Encrypted with a client-side encryption key stored in Azure Key Vault. — Always Encrypted is a technology that encrypts sensitive data at the client side, ensuring that the data is never revealed in plaintext to Azure SQL Database or its administrators. The encryption keys are stored in Azure Key Vault and are only accessible to the authorized client application. Options like Transparent Data Encryption (TDE) encrypt data at rest but DBAs with access can still read the data. Dynamic Data Masking only obfuscates the data in query results but the underlying data is still stored in plaintext. Row-Level Security restricts row access but does not encrypt data.
What should I do if I get this AZ-500 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
Discussion
Loading comments…
Sign in to join the discussion.