CCNA Design and implement data security Questions

23 questions · Design and implement data security · All types, answers revealed

1
Drag & Drop · medium

Drag and drop the steps to configure Azure Stream Analytics job with event input and Power BI output into the correct order.

Why this order

First, set up the event hub as the data source. Then create the Stream Analytics job, configure input and output, write the query, and start it.

2
Multi-Select · hard

Which THREE components are part of a defense-in-depth strategy for data security in Azure?

Select 3 answers
A. Azure Policy to enforce tagging
B. Network security groups (NSGs) on subnets
C. Data classification and labeling
D. Encryption at rest for storage accounts
E. Dynamic data masking for all databases
Answers: B, C, D

NSGs provide network-level security by filtering traffic.

Why this answer

Network security groups (NSGs) are a fundamental component of a defense-in-depth strategy because they provide network-layer segmentation and filtering. By applying NSGs to subnets, you can control inbound and outbound traffic based on source/destination IP addresses, ports, and protocols, creating a perimeter defense that limits lateral movement in case of a breach.

Exam trap

The trap here is that candidates often confuse governance controls (like Azure Policy tagging) with actual security controls, or they assume dynamic data masking is a core defense layer when it is merely a data obfuscation feature that neither prevents unauthorized access nor encrypts the data.

3
Multi-Select · medium

Which TWO actions should you take to ensure that only authorized users can access sensitive data in an Azure Synapse Analytics dedicated SQL pool?

Select 2 answers
A. Configure Azure Active Directory authentication
B. Enable dynamic data masking on all columns
C. Implement row-level security
D. Implement column-level security
E. Enable transparent data encryption
Answers: C, D

Row-level security filters rows based on user identity to prevent unauthorized access.

Why this answer

Row-level security (RLS) and column-level security are the two correct actions because they directly restrict data access at the row and column granularity within a dedicated SQL pool. RLS uses security predicates to filter which rows a user can query, while column-level security denies access to specific columns for unauthorized principals. Both are native features of Azure Synapse dedicated SQL pools that enforce authorization on the data plane.

Exam trap

The trap here is confusing data protection features (masking, encryption) with access control features (RLS, column-level security), leading candidates to select dynamic data masking or TDE instead of the correct granular authorization mechanisms.

4
MCQ · hard

A company uses Azure Data Factory to copy sensitive data from on-premises SQL Server to Azure Blob Storage. They must ensure that data is encrypted in transit and at rest. Which combination of features should they use?

A. Use Always Encrypted in SQL Server and customer-managed keys in Blob Storage.
B. Set up a VPN between on-premises and Azure, and use Azure Disk Encryption.
C. Configure the copy activity to use TLS and enable Azure Storage Service Encryption.
D. Use HTTPS for the copy activity and enable Azure Storage Service Encryption.
Answer: C

TLS encrypts data in transit; Storage Service Encryption encrypts at rest automatically.

Why this answer

Option C is correct because Azure Data Factory's copy activity uses TLS (Transport Layer Security) to encrypt data in transit between the on-premises SQL Server and Azure Blob Storage, and Azure Storage Service Encryption (SSE) automatically encrypts data at rest using 256-bit AES encryption. This combination satisfies both encryption requirements without additional complexity.

Exam trap

The trap here is that candidates often confuse HTTPS with TLS, thinking HTTPS is the encryption mechanism for Data Factory copy activities, when in fact TLS is the underlying protocol used by the self-hosted integration runtime for secure data transfer.

How to eliminate wrong answers

Option A is wrong because Always Encrypted in SQL Server encrypts data at the column level within the database, but it does not encrypt data in transit during the copy operation; customer-managed keys in Blob Storage are for at-rest encryption but do not address transit encryption. Option B is wrong because a VPN encrypts the network tunnel between on-premises and Azure, but it does not encrypt data at rest in Blob Storage; Azure Disk Encryption is for IaaS VMs, not PaaS Blob Storage. Option D is wrong because HTTPS is a protocol that encrypts data in transit, but it is not the default or recommended encryption method for Data Factory copy activities; TLS is the standard, and while SSE handles at-rest encryption, the option incorrectly specifies HTTPS instead of TLS.

5
Drag & Drop · medium

Drag and drop the steps to set up Azure Purview for data cataloging and lineage tracking into the correct order.

Why this order

First create the Purview account, then register sources, scan them, set classifications, and finally explore the catalog.

6
MCQ · easy

A manufacturing company uses Azure Data Lake Storage Gen2 with hierarchical namespace enabled and Azure Databricks for analytics. The security team requires that all data stored in the 'raw' container be encrypted at rest using customer-managed keys. The data is ingested via Azure Data Factory. What should the data engineer configure to meet the requirement?

A. Assign an Azure Policy that requires encryption at rest.
B. Enable Azure Information Protection on the storage account.
C. Configure the storage account to use Azure Key Vault for customer-managed key encryption.
D. Enable the 'require secure transfer' setting on the storage account.
Answer: C

This enables encryption at rest with a customer-managed key.

Why this answer

Option C is correct because Azure Data Lake Storage Gen2 with hierarchical namespace supports encryption at rest using customer-managed keys (CMK) via Azure Key Vault. To meet the security requirement, the data engineer must configure the storage account's encryption settings to use a key from Azure Key Vault, which allows the organization to control and rotate the encryption keys independently of Azure.

Exam trap

The trap here is that candidates may confuse encryption at rest (which is always enabled by default) with the specific requirement for customer-managed keys, leading them to pick Azure Policy or 'require secure transfer' as a catch-all security measure.

How to eliminate wrong answers

Option A is wrong because an Azure Policy can enforce encryption at rest, but it does not specify the use of customer-managed keys; it only ensures that encryption is enabled (which is already default with Microsoft-managed keys). Option B is wrong because Azure Information Protection is a classification and labeling service for data, not an encryption-at-rest mechanism for storage accounts. Option D is wrong because 'require secure transfer' enforces HTTPS for data in transit, not encryption at rest, and does not involve customer-managed keys.

7
MCQ · medium

A company uses Azure Key Vault to store secrets for data pipelines. They need to rotate the secrets automatically every 90 days. What should they implement?

A. Use Azure Policy to enforce secret expiration.
B. Assign RBAC roles to a service principal to update the secret.
C. Create a manual process to update the secret in Key Vault.
D. Configure Key Vault secret rotation with an expiration date of 90 days.
Answer: D

Key Vault can automatically rotate secrets based on expiration.

Why this answer

Option D is correct because Key Vault supports automatic rotation with a specified expiration period. Option C is wrong because manual rotation is not automatic. Option A is wrong because Azure Policy does not rotate secrets. Option B is wrong because RBAC controls access, not rotation.

8
Multi-Select · hard

A company uses Azure Synapse Analytics with a dedicated SQL pool. Data engineers need to implement column-level security so that only users with the 'Manager' role can see salary columns. Which TWO actions should they take?

Select 2 answers
A. Create a stored procedure that checks the user's role and returns the appropriate columns.
B. Grant the 'Manager' role SELECT permission on the security policy.
C. Create a security policy with a filter predicate on the salary column using the function, and set the state to ON with BLOCK predicate.
D. Create an inline table-valued function that returns 1 if the user is a member of the 'Manager' role, else 0.
E. Use GRANT SELECT ON OBJECT::[dbo].[Employee](Salary) TO [Manager] to grant access to the salary column.
Answers: C, D

The security policy with BLOCK prevents updates/inserts that would expose the column.

Why this answer

Option C is correct because column-level security in Azure Synapse Analytics dedicated SQL pools is implemented via a security policy that uses a filter predicate (a function) to restrict access to specific columns. Setting the state to ON with a BLOCK predicate ensures that unauthorized users cannot see the salary column. Option D is correct because the inline table-valued function is the predicate function that checks role membership (e.g., using IS_MEMBER('Manager')) and returns 1 or 0, which the security policy uses to filter rows.

Exam trap

The trap here is that candidates often confuse column-level security with row-level security or assume that GRANT statements can be used to restrict column access, but Azure Synapse dedicated SQL pools require a security policy with a predicate function for column-level restrictions.

9
MCQ · medium

You are designing a data solution in Azure that requires all data in transit between Azure Databricks and Azure Storage to be encrypted using a customer-managed key. Which configuration meets this requirement?

A. Enable 'Secure transfer required' on the storage account
B. Configure a service endpoint and a firewall rule to restrict access to Azure Databricks
C. Create a customer-managed key in Azure Key Vault and assign it to the storage account for encryption
D. Set the minimum TLS version to 1.2 on the storage account
Answer: A

This ensures data is encrypted in transit with Microsoft-managed keys, not customer-managed. Customer-managed keys for transit are not supported; client-side encryption would be needed.

Why this answer

Option A is correct because enabling 'Secure transfer required' on the storage account enforces HTTPS for all requests, which encrypts data in transit using TLS. This ensures that all traffic between Azure Databricks and Azure Storage is encrypted. The TLS session keys themselves are managed by the platform, not by the customer; a customer-managed key in Azure Key Vault applies to the storage account's encryption at rest, while in-transit encryption is enforced by HTTPS.

Exam trap

The trap here is that candidates confuse encryption at rest (customer-managed keys for Azure Storage Service Encryption) with encryption in transit, and mistakenly select Option C, thinking it covers both, when it only addresses data at rest.

How to eliminate wrong answers

Option B is wrong because configuring a service endpoint and firewall restricts network access to the storage account from Azure Databricks but does not encrypt data in transit; it only controls which source IPs or virtual networks can connect. Option C is wrong because creating a customer-managed key in Azure Key Vault and assigning it to the storage account encrypts data at rest (Azure Storage Service Encryption), not data in transit. Option D is wrong because setting the minimum TLS version to 1.2 only specifies the allowed TLS protocol version for connections but does not enforce encryption itself; encryption is already provided by HTTPS, and this setting does not involve customer-managed keys.

10
MCQ · medium

Refer to the exhibit. A custom RBAC role is defined as shown. A user is assigned this role at the resource group scope. Which operation can the user perform?

A. Delete containers
B. Write blob data to containers
C. List containers in a storage account within DataRG
D. Read blob data from containers
Answer: C

The action permits reading container properties and listing containers.

Why this answer

The custom RBAC role includes the 'Microsoft.Storage/storageAccounts/blobServices/containers/read' action, which allows listing containers. Since the user is assigned this role at the resource group scope (DataRG), they can list containers in any storage account within that resource group. The role does not include any data plane actions (e.g., read/write/delete blob data) or container deletion permissions, so only the list operation is permitted.

Exam trap

The trap here is that candidates often confuse control plane container listing permissions with data plane blob read permissions, assuming that 'read' on containers implies access to blob content, whereas Azure RBAC strictly separates these scopes.

How to eliminate wrong answers

Option A is wrong because deleting containers requires the 'Microsoft.Storage/storageAccounts/blobServices/containers/delete' action, which is not included in the role. Option B is wrong because writing blob data requires the 'Microsoft.Storage/storageAccounts/blobServices/containers/write' action (or a data plane permission like 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write'), which is absent. Option D is wrong because reading blob data requires the 'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read' action, which is not granted; the role only grants read access to container metadata (listing), not to blob content.

11
Multi-Select · medium

Which TWO of the following are valid methods to secure data at rest in Azure Data Lake Storage Gen2?

Select 2 answers
A. Assign RBAC roles for data access
B. Configure storage firewall rules
C. Use customer-managed keys in Azure Key Vault
D. Use Azure Storage Service Encryption (SSE)
E. Enable TLS 1.2 for all connections
Answers: C, D

Customer-managed keys provide additional control over encryption.

Why this answer

Option C is correct because using customer-managed keys (CMK) in Azure Key Vault allows you to control and rotate the encryption keys used for Azure Storage Service Encryption (SSE), providing an additional layer of security for data at rest. This is a valid method to secure data at rest in Azure Data Lake Storage Gen2, as it ensures that only authorized parties with access to the key vault can decrypt the data.

Exam trap

The trap here is that candidates often confuse access control methods (RBAC, firewalls) or transport security (TLS) with data at rest encryption, mistakenly thinking they secure the stored data itself, when in fact only encryption mechanisms like SSE or CMK protect data at rest.

12
MCQ · medium

A company uses Azure Synapse Analytics with dedicated SQL pools. They need to allow a data scientist to read all tables in the 'sales' schema but prevent access to columns containing personally identifiable information (PII). Which feature should be used?

A. Dynamic data masking
B. Row-level security
C. Column-level security
D. Azure Active Directory authentication
Answer: C

Column-level security restricts access to specific columns based on user or role.

Why this answer

Column-level security (C) is the correct choice because it allows you to restrict access to specific columns in a table, such as PII columns, while granting read access to all other columns in the 'sales' schema. This is achieved by defining a GRANT SELECT statement on the table with a column list, or by using a security policy with a filter predicate that blocks access to sensitive columns. Unlike Dynamic Data Masking, which obfuscates data at query time but does not prevent the user from seeing the masked values in certain scenarios, Column-level security actually denies access to the specified columns entirely.

Exam trap

The trap here is that candidates often confuse Dynamic Data Masking with column-level security, assuming that masking PII is sufficient, but the exam tests the distinction that masking does not prevent data access—it only obfuscates the output, whereas column-level security actually denies read permission on the column.

How to eliminate wrong answers

Option A is wrong because Dynamic Data Masking (DDM) obfuscates PII data at query time but does not prevent the user from reading the underlying data; a user with sufficient privileges can still see the original values by using techniques like casting or applying functions. Option B is wrong because Row-level security (RLS) restricts access to rows based on a predicate, not columns; it cannot hide specific columns within a row. Option D is wrong because Azure Active Directory authentication controls who can connect to the SQL pool but does not provide granular column-level access control within tables.

13
Matching · medium

Match each performance optimization technique to its description.

Dividing data into smaller manageable segments

Creating structures to speed up data retrieval

Pre-computed and stored query results

Column-based storage for analytics queries

Why these pairings

These techniques improve query performance in Azure Synapse.

14
MCQ · easy

You are designing data security for Azure Data Lake Storage Gen2. The requirement is to prevent data from being accessed by anyone outside the corporate network. Which feature should you enable?

A. Use Azure Private Endpoint or service endpoint with a VNet.
B. Assign RBAC roles to deny access to all except corporate users.
C. Configure IP firewall rules to allow only corporate IP ranges.
D. Enable encryption at rest using customer-managed keys.
Answer: A

Private endpoint ensures data is accessed only from within the VNet.

Why this answer

Azure Private Endpoint or service endpoint with a VNet ensures that all traffic to the storage account stays within the corporate network and never traverses the public internet. Private Endpoint assigns a private IP from the VNet to the storage account, effectively isolating it from public access. This meets the requirement to prevent access from outside the corporate network by enforcing network-level isolation.

Exam trap

The trap here is that candidates often confuse network-level security (Private Endpoint) with access control (RBAC) or data protection (encryption), thinking that denying RBAC roles or enabling encryption alone can prevent external access, when only network isolation truly blocks traffic from outside the corporate network.

How to eliminate wrong answers

Option B is wrong because RBAC roles control authorization (who can access data) but do not enforce network boundaries; a user with the correct role could still access data from outside the corporate network. Option C is wrong because IP firewall rules can be bypassed if an attacker spoofs an allowed IP address or if the corporate network uses dynamic public IPs, and they do not provide the same level of isolation as Private Endpoint. Option D is wrong because encryption at rest protects data at the storage layer but does not control network access; data could still be accessed from outside the corporate network if other security measures are not in place.

15
Multi-Select · hard

Which THREE of the following are required to implement column-level security in Azure Synapse Analytics dedicated SQL pool?

Select 2 answers
A. A GRANT statement on specific columns to users or roles
B. A VIEW that selects only the allowed columns
C. A DENY statement on specific columns to users or roles
D. A row-level security policy must be in place
E. The database user must have a default schema
Answers: A, E

GRANT allows access to specified columns.

Why this answer

Option A is correct because column-level security in Azure Synapse Analytics dedicated SQL pool is implemented using GRANT statements on specific columns. By granting SELECT on only certain columns to a user or role, you restrict access to sensitive data at the column level without needing to create views or modify schemas. This is the native mechanism provided by SQL Server and Azure Synapse for column-level security.

Exam trap

The trap here is that candidates often confuse column-level security with row-level security or assume that DENY statements can be used at the column level, but Azure Synapse only supports GRANT for column-level permissions and does not support DENY on individual columns.

16
MCQ · medium

A company uses Azure Synapse Analytics dedicated SQL pool. They need to ensure that only users with a specific Azure AD group can query a particular schema. Which approach should they use?

A. Configure a server-level firewall rule to block other users.
B. Use the GRANT statement to grant SELECT on the schema to the Azure AD group.
C. Create a row-level security policy on all tables in the schema.
D. Apply dynamic data masking to the schema.
Answer: B

GRANT schema permission controls access at schema level.

Why this answer

The GRANT statement in Azure Synapse dedicated SQL pool allows you to assign permissions directly to Azure AD groups. By granting SELECT on the schema to the specific Azure AD group, only members of that group can query objects within that schema, meeting the requirement precisely.

Exam trap

The trap here is that candidates often confuse network-level controls (firewall rules) or data obfuscation techniques (masking, RLS) with access control, when the correct solution is a straightforward permission grant using T-SQL's GRANT statement.

How to eliminate wrong answers

Option A is wrong because server-level firewall rules control network access to the entire Azure SQL logical server, not granular schema-level access for specific Azure AD groups. Option C is wrong because row-level security (RLS) restricts access to specific rows within tables based on a predicate function, not entire schemas or tables at the schema level. Option D is wrong because dynamic data masking obfuscates sensitive data in query results but does not prevent users from querying the schema or seeing the underlying data with appropriate permissions.

17
MCQ · hard

A company has an Azure Data Lake Storage Gen2 account. They want to ensure that only users with the 'Data Reader' role can access files in a specific container, while other users cannot list or read files. The storage account has hierarchical namespace enabled. What is the most secure and manageable approach?

A. Assign the Storage Blob Data Reader role at the storage account level and use row-level security
B. Generate a shared access signature (SAS) token for each user
C. Configure a storage firewall to allow only the Data Reader role's IP addresses
D. Set POSIX-like access control lists (ACLs) on the container folder for the Data Reader role
Answer: D

ACLs provide fine-grained permissions at the file/directory level for specific users/groups.

Why this answer

Option D is correct because Azure Data Lake Storage Gen2 with hierarchical namespace enabled supports POSIX-like access control lists (ACLs) at the container and folder level. By setting ACLs on the specific container folder to grant 'Read' and 'Execute' permissions only to the 'Data Reader' role (or its associated security group), you enforce least-privilege access without affecting other containers. This approach is both secure and manageable, as ACLs are inherited by default and can be centrally managed via Azure RBAC integration.

Exam trap

The trap here is that candidates often confuse row-level security (a database concept) with file-level security in Data Lake Storage, or they assume that a storage firewall can filter by user role, when in fact it only filters by network source IP.

How to eliminate wrong answers

Option A is wrong because row-level security (RLS) is a feature of Azure SQL Database and Azure Synapse SQL, not Azure Data Lake Storage Gen2; it cannot be applied to files in a storage container. Option B is wrong because generating a SAS token for each user is not manageable at scale, introduces token management overhead, and does not leverage Azure AD-based role assignments for centralized access control. Option C is wrong because a storage firewall restricts access based on network IP addresses, not user roles; it cannot differentiate between users who have the 'Data Reader' role and those who do not, and it would block all traffic from non-whitelisted IPs regardless of role membership.

18
MCQ · medium

A company uses Azure Synapse Analytics with a dedicated SQL pool. They need to ensure that a team of data scientists can query all tables in the 'sales' schema but cannot modify any data or schema objects. Which role should the team be assigned?

A. db_owner
B. db_datareader
C. db_ddladmin
D. db_datawriter
Answer: B

db_datareader grants read access to all tables.

Why this answer

The `db_datareader` role grants read-only access to all user tables in a database, allowing the team to query all tables in the 'sales' schema without the ability to modify data or schema objects. This aligns perfectly with the requirement for data scientists to perform SELECT queries only.

Exam trap

The trap here is that candidates often confuse `db_datareader` with `db_datawriter` or assume `db_ddladmin` is required for querying, not realizing that read-only access is specifically granted by `db_datareader` without any write or schema modification capabilities.

How to eliminate wrong answers

Option A is wrong because `db_owner` provides full control over the database, including the ability to modify data and schema, which violates the requirement. Option C is wrong because `db_ddladmin` allows execution of Data Definition Language (DDL) commands like CREATE, ALTER, and DROP, enabling schema modifications. Option D is wrong because `db_datawriter` grants INSERT, UPDATE, and DELETE permissions, allowing data modification.

19
MCQ · easy

You need to configure encryption for an Azure SQL Database to protect data at rest. Which Azure service or feature should you enable?

A. Dynamic Data Masking
B. Always Encrypted
C. Azure Information Protection
D. Transparent Data Encryption (TDE)
Answer: D

TDE encrypts the database at rest automatically.

Why this answer

Transparent Data Encryption (TDE) is the correct choice because it performs real-time I/O encryption and decryption of the data and log files at rest, protecting against unauthorized access to the physical storage media. TDE uses an AES-256 encryption algorithm and is fully transparent to the application, requiring no changes to the database schema or queries.

Exam trap

The trap here is that candidates often confuse Dynamic Data Masking (DDM) with encryption, thinking it protects data at rest, when in fact it only masks output and does not encrypt the underlying storage.

How to eliminate wrong answers

Option A is wrong because Dynamic Data Masking (DDM) is a data masking feature that obfuscates sensitive data in query results to unauthorized users, but it does not encrypt data at rest. Option B is wrong because Always Encrypted is a client-side encryption technology that protects sensitive data in transit and at rest by encrypting columns with keys stored on the client, but it is not a database-level encryption for all data at rest and requires application changes. Option C is wrong because Azure Information Protection (AIP) is a classification and labeling service for documents and emails, not a database encryption feature for Azure SQL Database.

20
Matching · medium

Match each Azure Synapse Analytics component to its function.

Distributed query engine for relational data

Apache Spark runtime for big data processing

Data integration and orchestration

Web-based IDE for developing analytics solutions

Why these pairings

These components are central to Synapse Analytics.

21
Multi-Select · hard

You are designing data security for an Azure Data Lake Storage Gen2 account that stores sensitive customer data. You need to ensure that only authorized users can access the data and that access can be audited. Which TWO actions should you implement?

Select 2 answers
A. Configure diagnostic settings to send logs to a Log Analytics workspace.
B. Use storage account access keys (Shared Key) for authentication.
C. Generate shared access signatures (SAS) with a long expiry time.
D. Configure a firewall to allow access from all Azure services.
E. Enable Azure Active Directory (Azure AD) authentication for the storage account.
Answers: A, E

Diagnostic settings enable auditing of access.

Why this answer

Option A is correct because configuring diagnostic settings to send logs to a Log Analytics workspace enables auditing of data access events, such as read, write, and delete operations, which is essential for compliance and security monitoring. Option E is correct because Azure AD authentication provides fine-grained access control using role-based access control (RBAC) and eliminates the need for shared keys, aligning with the principle of least privilege.

Exam trap

The trap here is that candidates often confuse 'allowing access from all Azure services' (Option D) with a secure configuration, but it actually bypasses authentication and auditing, making it a security risk rather than a control.

22
MCQ · hard

A company is using Azure Data Factory to copy data from an on-premises SQL Server to Azure Blob Storage. The data must be encrypted in transit using TLS 1.2. The on-premises SQL Server is configured to support TLS 1.2. Which Data Factory property should be configured?

A. The encryptedCredential property in the linked service
B. The typeProperties property in the linked service to include 'Encrypt=True' in the connection string
C. The connectVia property in the linked service
D. The integrationRuntime property in the dataset
Answer: B

The connection string in typeProperties can include 'Encrypt=True' to enforce TLS encryption.

Why this answer

Option B is correct because TLS 1.2 encryption for data in transit between Azure Data Factory and an on-premises SQL Server is enforced by adding 'Encrypt=True' and 'TrustServerCertificate=False' to the connection string within the typeProperties of the linked service. This ensures the SQL Server Native Client uses TLS 1.2 for the connection, aligning with the requirement.

Exam trap

The trap here is that candidates confuse the encryptedCredential property (which encrypts stored credentials at rest) with the connection string encryption settings (which enforce TLS for data in transit), leading them to select Option A incorrectly.

How to eliminate wrong answers

Option A is wrong because the encryptedCredential property stores the encrypted authentication credential (e.g., password) for the linked service, not the encryption protocol for data in transit. Option C is wrong because the connectVia property specifies the integration runtime (e.g., Self-Hosted IR) used for connectivity, not the encryption settings for the SQL Server connection. Option D is wrong because the integrationRuntime property in a dataset defines the compute environment for data movement, not the connection string encryption properties.

23
MCQ · easy

You need to audit all data access to an Azure Storage account. Which Azure service should you enable?

A. Azure Storage analytics logs and send to Log Analytics workspace
B. Azure Policy to audit storage account access
C. Azure Monitor metrics
D. Azure Security Center
Answer: A

Storage logs capture access details; Log Analytics enables querying.

Why this answer

Azure Storage analytics logs capture detailed information about successful and failed requests to a storage account, including authentication details, IP addresses, and operation types. By sending these logs to a Log Analytics workspace, you can query and analyze them using KQL, enabling comprehensive auditing of all data access. This is the correct service for auditing because it provides the granular, queryable logs required for security and compliance audits.

Exam trap

The trap here is that candidates confuse Azure Policy (which audits resource configurations) with actual data access auditing, or assume Azure Monitor metrics provide sufficient detail, when only Storage analytics logs sent to Log Analytics offer the per-request, queryable audit trail required.

How to eliminate wrong answers

Option B is wrong because Azure Policy is used to enforce compliance rules on resource configurations (e.g., requiring HTTPS), not to audit individual data access events. Option C is wrong because Azure Monitor metrics provide aggregated performance and error counts (e.g., transactions, latency), not detailed per-request audit logs. Option D is wrong because Azure Security Center (now Microsoft Defender for Cloud) provides security recommendations and threat detection, but it does not natively capture or store granular data access logs for auditing purposes.
