Microsoft Azure Database Administrator Associate DP-300 (DP-300) — Questions 676750

953 questions total · 13pages · All types, answers revealed

Page 9

Page 10 of 13

Page 11
676
Multi-Selecthard

You are deploying Azure SQL Database and need to comply with regulatory requirements that mandate separation of duties for database administration. Specifically, the security team should manage access policies, and the database administrators should manage the data. Which THREE features should you use to implement this?

Select 3 answers
A.Firewall rules to restrict administrative access to specific IP addresses.
B.Transparent Data Encryption (TDE) with customer-managed keys.
C.Dynamic Data Masking to hide sensitive data from non-privileged users.
D.Azure Role-Based Access Control (RBAC) to assign distinct roles.
E.Database-level roles such as db_securityadmin and db_owner.
AnswersC, D, E

Can be used to restrict DBAs from viewing sensitive data.

Why this answer

Dynamic Data Masking (C) is correct because it allows database administrators to manage data while hiding sensitive information from non-privileged users, supporting separation of duties by preventing security team members from viewing actual data. Azure RBAC (D) is correct because it enables distinct role assignments (e.g., SQL Security Manager vs. SQL DB Contributor) to separate who manages access policies from who manages data.

Database-level roles (E) are correct because they provide granular permissions within the database, such as db_securityadmin for managing security policies and db_owner for full data management, enforcing separation at the database level.

Exam trap

The trap here is that candidates often confuse network-level controls (firewall rules) or encryption features (TDE) with access control and role separation mechanisms, failing to recognize that separation of duties requires distinct role assignments and permission boundaries, not just data protection or network restrictions.

677
Multi-Selecteasy

Which TWO of the following are valid options for migrating an on-premises SQL Server database to Azure SQL Database with minimal downtime?

Select 2 answers
A.Use BULK INSERT to export data from on-premises and import to Azure SQL Database.
B.Configure transactional replication between on-premises SQL Server and Azure SQL Database.
C.Use Azure Database Migration Service with online migration mode.
D.Use SQL Server backup to URL and restore to Azure SQL Database.
E.Use the Generate Scripts wizard in SQL Server Management Studio.
AnswersB, C

Correct: Transactional replication provides continuous data synchronization with minimal downtime.

Why this answer

Transactional replication allows continuous synchronization of changes from the on-premises SQL Server publisher to the Azure SQL Database subscriber, enabling migration with minimal downtime by cutting over only after data is in sync. This is a supported hybrid scenario for Azure SQL Database.

Exam trap

The trap here is that candidates confuse Azure SQL Database with Azure SQL Managed Instance or SQL Server on Azure VM, where backup/restore and BULK INSERT are valid; Azure SQL Database does not support native backup/restore or transactional replication as a publisher, only as a subscriber.

678
MCQeasy

You need to configure Azure SQL Database to allow connections only from Azure services and from a specific on-premises IP range. Which firewall rule configuration should you apply at the server level?

A.Create a private endpoint for the server.
B.Create a virtual network service endpoint and add a VNet firewall rule.
C.Set 'Allow Azure Services and resources to access this server' to ON and add a firewall rule for the on-premises IP range.
D.Set 'Allow Azure Services and resources to access this server' to OFF and add a firewall rule for the on-premises IP range.
AnswerC

Allows Azure services and on-premises traffic.

Why this answer

Option C is correct because enabling 'Allow Azure Services and resources to access this server' permits connections from all Azure services (including those from other subscriptions) by adding a special firewall rule that allows Azure IP ranges. Adding a separate firewall rule for the specific on-premises IP range then restricts non-Azure external traffic to only that range. This combination meets the requirement to allow only Azure services and the specified on-premises range.

Exam trap

The trap here is that candidates often think 'Allow Azure Services' must be OFF to secure the database, but they miss that the requirement explicitly asks to allow connections from Azure services, making ON necessary, and then they forget to add the on-premises IP rule separately.

How to eliminate wrong answers

Option A is wrong because a private endpoint assigns a private IP from a virtual network to the database, which does not inherently allow connections from all Azure services or from an on-premises IP range; it requires DNS configuration and VPN/ExpressRoute for on-premises access. Option B is wrong because a virtual network service endpoint and VNet firewall rule allow traffic only from a specific VNet/subnet, not from all Azure services, and it does not directly support on-premises IP ranges without additional VPN/ExpressRoute. Option D is wrong because setting 'Allow Azure Services and resources to access this server' to OFF blocks all Azure service connections, including those from other Azure services, which contradicts the requirement to allow connections from Azure services.

679
MCQeasy

You need to monitor the long-running queries in an Azure SQL Database. Which dynamic management view should you query to see queries that have been running for more than 30 seconds?

A.sys.dm_exec_requests
B.sys.dm_db_resource_stats
C.sys.dm_exec_sessions
D.sys.dm_exec_query_stats
AnswerA

Includes start_time and total_elapsed_time for each request.

Why this answer

Option A is correct because sys.dm_exec_requests shows currently executing requests with elapsed time. Option B is wrong because it shows query statistics, not currently running queries. Option C is wrong because it shows resource usage.

Option D is wrong because it shows session-level waits.

680
Multi-Selectmedium

Which TWO of the following are benefits of using Azure SQL Database failover groups compared to active geo-replication? (Choose Two.)

Select 2 answers
A.Failover groups allow you to fail over multiple databases simultaneously.
B.Failover groups provide a read-write listener endpoint that remains unchanged after a failover.
C.Failover groups automatically fail over without any manual intervention.
D.Failover groups provide a readable secondary replica for read-only workloads.
E.Failover groups eliminate the need for geo-redundant storage.
AnswersA, B

Correct.

Why this answer

Options A and D are correct. Failover groups allow multiple databases to fail over together as a unit (A) and provide a read-write listener endpoint that automatically updates after failover (D). Option B is incorrect because geo-replication also supports readable secondaries.

Option C is incorrect because failover groups do not provide automatic failover without manual or auto-failover policy. Option E is incorrect because failover groups do not require additional costs beyond geo-replication.

681
MCQhard

You are migrating an on-premises SQL Server database to Azure SQL Managed Instance. The database is 2 TB in size and has a high transaction rate. You need to minimize downtime during migration. The source server is running SQL Server 2016 Enterprise Edition. Which migration approach should you recommend?

A.Use Azure Database Migration Service with online mode.
B.Export the database as a BACPAC file and import it into the managed instance.
C.Perform a full backup and restore to the managed instance, then apply log backups.
D.Set up transactional replication from on-premises to the managed instance.
AnswerA

DMS online mode provides near-zero downtime and handles large databases.

Why this answer

Azure Database Migration Service (DMS) with online mode is the correct choice because it supports minimal-downtime migrations for large databases with high transaction rates. It uses continuous data synchronization via change tracking or log shipping to keep the target nearly in sync, allowing a brief cutover window. For a 2 TB database, this avoids the lengthy downtime required by offline methods.

Exam trap

The trap here is that candidates often confuse 'online migration' with 'minimal downtime' and incorrectly assume that transactional replication (Option D) is the best approach for a full database migration, when in fact DMS online mode is the recommended service for large, high-transaction databases to Azure SQL Managed Instance.

How to eliminate wrong answers

Option B is wrong because exporting a 2 TB database as a BACPAC file is an offline process that would cause extended downtime, and BACPAC is not designed for high-transaction workloads due to performance bottlenecks and lack of incremental sync. Option C is wrong because performing a full backup and restore followed by log backups is an offline migration method; while log backups can reduce data loss, the initial restore requires the database to be offline, and applying subsequent log backups still incurs downtime during the final restore. Option D is wrong because transactional replication requires schema and data modifications to be replicated, adds complexity for a full database migration, and is not optimized for a one-time bulk migration; it is better suited for ongoing synchronization of specific objects rather than a complete database move.

682
MCQeasy

You are reviewing an Azure CLI command that creates an elastic job step. The job step is intended to rebuild all indexes on the Sales.Orders table, but the job fails. What is the error in the JSON configuration?

A.The command is missing a semicolon at the end.
B.The target group should specify 'SqlServer' type instead of 'SqlDatabase'.
C.The command should be 'REBUILD INDEX' instead of 'ALTER INDEX'.
D.The job agent version is incompatible with the command.
AnswerA

T-SQL statements should end with a semicolon in elastic job steps.

Why this answer

The 'ALTER INDEX ALL' command should have a semicolon at the end. While not strictly required, the more likely issue is that the command is missing the semicolon. However, the real error is that the 'command' property should be a T-SQL script, and 'ALTER INDEX ALL ON Sales.Orders REBUILD' is missing the semicolon.

Option A is wrong because the syntax is mostly correct. Option C is wrong because the command is correct syntactically. Option D is wrong because the job agent does not require a specific version.

683
Multi-Selectmedium

Your organization has a compliance requirement to automatically classify and protect sensitive data in Azure SQL Database. You need to configure Microsoft Purview to scan and classify the database. Which THREE actions are required?

Select 3 answers
A.Run a scan to discover and classify sensitive data.
B.Create a scan rule set that includes the classification rules for sensitive data types.
C.Register the Azure SQL Database as a data source in Microsoft Purview.
D.Create a Microsoft Entra ID application and grant it access to the database.
E.Enable Microsoft Defender for SQL to automatically classify data.
AnswersA, B, C

The scan performs the classification.

Why this answer

Option A is correct because running a scan is the primary action that discovers and classifies sensitive data in Azure SQL Database using Microsoft Purview. The scan applies the classification rules from the scan rule set to identify patterns like credit card numbers or social security numbers, and then labels the data accordingly for compliance.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for SQL's data classification feature (which is a separate, simpler classification) with Microsoft Purview's full scanning and governance pipeline, leading them to incorrectly select Option E as a required action.

684
Multi-Selecthard

Which TWO methods can be used to automate index maintenance in Azure SQL Database?

Select 2 answers
A.Azure Automation runbooks executing T-SQL scripts
B.SQL Server Agent jobs
C.Azure Data Factory pipelines
D.Elastic jobs with T-SQL steps
E.Automatic tuning
AnswersA, D

Runbooks can connect to Azure SQL Database and run maintenance scripts.

Why this answer

Option A is correct because Azure Automation runbooks can execute T-SQL scripts against Azure SQL Database using the Invoke-SqlCmd cmdlet or similar, enabling scheduled index maintenance tasks such as rebuilding or reorganizing indexes. This method is fully supported in Azure SQL Database, which lacks SQL Server Agent, and allows for flexible, cloud-native automation.

Exam trap

The trap here is that candidates often assume SQL Server Agent (Option B) is available in Azure SQL Database, but it is only supported in Azure SQL Managed Instance, not the single database or elastic pool service tiers.

685
MCQeasy

You need to create a new Azure SQL Database for a development environment. The development team requires the ability to restore the database to any point in time within the last 7 days. Which backup policy configuration should you choose?

A.Configure long-term retention (LTR) for 90 days
B.Configure point-in-time restore for 35 days
C.Use the default backup retention of 7 days
D.Configure point-in-time restore for 1 day
AnswerC

Default PITR is 7 days, which meets the requirement.

Why this answer

The default backup retention for Azure SQL Database is 7 days, which meets the requirement to restore to any point in time within the last 7 days without additional configuration. Point-in-time restore (PITR) is enabled by default with this retention period, allowing automatic backups and restores within that window. No further backup policy changes are needed for this development environment.

Exam trap

The trap here is that candidates often overthink and select a longer retention period (like 35 days) or a different feature (like LTR), not realizing the default 7-day retention already satisfies the exact requirement without extra configuration.

How to eliminate wrong answers

Option A is wrong because long-term retention (LTR) for 90 days is used for archival or compliance purposes beyond the default retention, not for a 7-day point-in-time restore requirement. Option B is wrong because configuring point-in-time restore for 35 days exceeds the required 7-day window and incurs additional storage costs unnecessarily. Option D is wrong because point-in-time restore for 1 day provides only a 1-day recovery window, which is insufficient for the 7-day requirement.

686
MCQmedium

Refer to the exhibit. You execute this PowerShell script to automate database configuration. The script runs without errors, but the database remains in the 'Standard' edition with S2 performance level. What is the most likely reason?

A.The elastic pool does not exist
B.The -RequestedServiceObjectiveName parameter is misspelled
C.The database is being moved into an elastic pool, which overrides the edition and SLO
D.The script requires administrative privileges that the user does not have
AnswerC

When specifying ElasticPoolName, the database inherits the pool's service tier.

Why this answer

Option D is correct because when ElasticPoolName is specified, the database is moved to the elastic pool and the edition and service objective are ignored; the pool's tier determines the performance. Option A is wrong because the command succeeded. Option B is wrong because the parameters are correct syntactically.

Option C is wrong because the pool already exists.

687
MCQhard

Your company uses Azure SQL Managed Instance for a critical OLTP workload. You need to automate index maintenance for all databases in the instance without downtime. The solution must minimize performance impact during business hours. Which approach should you use?

A.Use Elastic Database Jobs to run index maintenance scripts on all databases during off-peak hours, with parallel execution throttled.
B.Use Azure Logic Apps with a SQL connector to run index maintenance on each database, with retry policies.
C.Create an Azure Automation Runbook that connects to each database and runs index maintenance sequentially.
D.Deploy Ola Hallengren’s IndexOptimize stored procedure in each database and schedule it via SQL Server Agent.
AnswerA

Elastic Database Jobs can run T-SQL scripts across databases with scheduling and throttling.

Why this answer

Option A is correct because Elastic Database Jobs can run index maintenance scripts across all databases with configurable schedules and throttling. Option B is wrong because Azure Automation Runbooks can be used but require more setup for multi-database execution and may not have built-in throttling. Option C is wrong because Ola Hallengren scripts are a best practice, but they need a scheduling mechanism; Elastic Database Jobs provide that.

Option D is wrong because Azure Logic Apps are not designed for running T-SQL scripts across multiple databases.

688
MCQmedium

You are monitoring an Azure SQL Database using Intelligent Insights. You receive an alert that 'Query performance degradation' was detected. After reviewing the details, you find that a specific query now has a higher duration and is using a different execution plan. What is the recommended first step to troubleshoot?

A.Restart the database to clear the plan cache
B.Increase the service tier of the database
C.Query the Query Store to compare the previous and current plans
D.Run the Database Engine Tuning Advisor
AnswerC

Query Store allows plan comparison and identification of regression.

Why this answer

Option B is correct because Query Store provides detailed plan history to identify plan regression. Option A is wrong because index tuning may not address plan regression directly. Option C is wrong because restarting the database is disruptive and not a troubleshooting step.

Option D is wrong because increasing DTU does not fix plan regression.

689
Multi-Selecteasy

You need to configure monitoring for an Azure SQL Database to meet the following requirements: - Alert when average DTU consumption exceeds 90% for 10 minutes. - Track failed logins. - Analyze query performance over the last 30 days. Which THREE Azure services or features should you use? (Choose three.)

Select 3 answers
A.SQL auditing
B.Automatic tuning
C.Query Store
D.Azure Monitor metric alerts
E.Azure SQL Assessment
AnswersA, C, D

Audit logs capture failed logins.

Why this answer

Option A correct because Azure Monitor alerts can alert on DTU. Option C correct because audit logs track failed logins. Option D correct because Query Store retains query performance data.

Option B wrong because SQL Assessment checks best practices, not performance. Option E wrong because Autoscale is not manual monitoring.

690
MCQmedium

Your company uses Azure SQL Database with Microsoft Entra ID authentication. You need to ensure that only users with specific Azure AD roles can access the database. What should you configure?

A.Configure an Azure SQL Database firewall rule to allow only Azure AD IP addresses.
B.Assign the SQL Server Contributor role to Azure AD users.
C.Create SQL authenticated users with strong passwords.
D.Create contained database users mapped to Azure AD identities and grant appropriate permissions.
AnswerD

Contained database users allow mapping Azure AD users or groups to SQL permissions.

Why this answer

Option D is correct because Azure SQL Database supports contained database users mapped to Azure AD identities, which allows you to grant granular permissions (e.g., db_datareader, db_owner) to specific Azure AD users or groups. This ensures that only those with the appropriate Azure AD roles (via group membership or direct assignment) can access the database, without relying on SQL Server logins or firewall rules.

Exam trap

The trap here is that candidates often confuse Azure RBAC roles (like SQL Server Contributor) with database-level permissions, mistakenly thinking that assigning a management role grants data access, when in fact it only controls the ability to manage the server resource.

How to eliminate wrong answers

Option A is wrong because Azure SQL Database firewall rules control network access based on IP addresses, not Azure AD roles; they cannot restrict access to specific Azure AD identities. Option B is wrong because the SQL Server Contributor role is an Azure RBAC role that grants management access to the logical server resource, not data-level access to the database; it does not control who can query or authenticate to the database. Option C is wrong because SQL authenticated users bypass Azure AD authentication entirely, which contradicts the requirement to use Azure AD roles for access control.

691
Multi-Selecthard

Which THREE factors should you consider when configuring automatic tuning for an Azure SQL Database? (Choose three.)

Select 3 answers
A.Whether to enable automatic plan guide creation.
B.Whether to allow automatic index dropping.
C.Whether to enable automatic statistics update.
D.Whether to force the last good plan for queries with plan regressions.
E.Whether to allow automatic index creation.
AnswersB, D, E

Automatic tuning can drop unused or duplicate indexes.

Why this answer

Options A, B, and C are correct. Automatic tuning options include CREATE INDEX, DROP INDEX, and FORCE LAST GOOD PLAN. Option D is not an automatic tuning option; it's a manual feature.

Option E is not part of automatic tuning.

692
MCQmedium

You have an Azure SQL Database that uses active geo-replication with a readable secondary in another region. You need to ensure that if a failover occurs, the application can automatically reconnect to the new primary with minimal code changes. What should you configure?

A.Manually update the DNS record to point to the new primary after failover.
B.Configure a failover group listener endpoint and use that in the connection string.
C.Use Azure Traffic Manager with priority routing to the secondary server.
D.Implement retry logic in the application to reconnect to the secondary server after failover.
AnswerD

Retry logic with appropriate connection string allows automatic reconnection.

Why this answer

Option D is correct because using a retry logic with a connection string that includes the failover partner (or using the ApplicationIntent=ReadWrite) and implementing retry logic allows the application to reconnect automatically. Option A is wrong because the listener endpoint is a feature of failover groups, not active geo-replication. Option B is wrong because Traffic Manager can be used but adds complexity.

Option C is wrong because the application needs to handle failover; DNS change is not automatic.

693
MCQhard

A company runs SQL Server 2019 on Azure Virtual Machines in an availability set. They need to achieve high availability for a critical database with automatic failover and no shared storage. The solution must minimize downtime during planned maintenance. What should they implement?

A.Configure Log Shipping to a secondary VM
B.Deploy a Failover Cluster Instance using Azure Shared Disks
C.Create an Always On Availability Group with an availability group listener
D.Use Database Mirroring with automatic failover
AnswerC

Always On AG provides automatic failover and no shared storage.

Why this answer

An Always On Availability Group (AG) with a listener provides high availability with automatic failover at the database level without requiring shared storage. This solution meets the requirement for automatic failover and minimizes downtime during planned maintenance by allowing manual failover to a synchronized secondary replica with minimal disruption.

Exam trap

The trap here is that candidates often confuse Failover Cluster Instances (which require shared storage) with Always On Availability Groups (which do not), or they overlook that Database Mirroring is deprecated and lacks the listener feature for seamless client redirection.

How to eliminate wrong answers

Option A is wrong because Log Shipping provides only manual failover and does not support automatic failover; it also typically results in longer downtime during failover. Option B is wrong because a Failover Cluster Instance using Azure Shared Disks requires shared storage, which is explicitly not allowed by the requirement for no shared storage. Option D is wrong because Database Mirroring with automatic failover requires a witness server and is deprecated in SQL Server 2019; it also does not support an availability group listener for client redirection, making it less suitable for minimizing downtime during planned maintenance.

694
Multi-Selectmedium

Which TWO actions should you take to implement a secure environment for Azure SQL Database that meets the principle of least privilege?

Select 2 answers
A.Assign database roles instead of individual permissions.
B.Enable all database features for maximum functionality.
C.Use contained database users with Azure AD authentication.
D.Use server-level logins for all users.
E.Grant the db_owner role to all application users.
AnswersA, C

Roles simplify permission management and follow least privilege.

Why this answer

Assigning database roles instead of individual permissions (Option A) aligns with the principle of least privilege by grouping necessary permissions into predefined roles, reducing the risk of over-privileging and simplifying permission management. Contained database users with Azure AD authentication (Option C) eliminate the dependency on server-level logins, allowing authentication at the database level and enabling fine-grained access control without granting server-wide privileges.

Exam trap

The trap here is that candidates often confuse server-level logins with contained database users, assuming that server-level logins are required for all Azure SQL Database scenarios, when in fact contained users with Azure AD authentication provide a more secure, least-privilege-compliant alternative.

695
MCQhard

You are reviewing an ARM template for Azure SQL Database. The exhibit shows a resource definition for Transparent Data Encryption (TDE). You need to ensure that the database uses customer-managed keys (CMK) stored in Azure Key Vault instead of service-managed keys. What additional configuration is required?

A.Modify the database resource to include a 'keyVaultUri' property.
B.Enable Always Encrypted on the database.
C.Set the TDE state to 'Disabled' and then re-enable with a customer key.
D.Add a resource of type 'Microsoft.Sql/servers/encryptionProtector' and reference the key vault key.
AnswerD

The encryption protector resource specifies the customer-managed key.

Why this answer

Option A is correct because to use CMK, you must configure an Azure Key Vault and set the database's encryption protector to the key. Option B is wrong because TDE is already enabled; CMK requires a specific protector. Option C is wrong because the encryption protector is set at the server level, not database.

Option D is wrong because Always Encrypted is a different feature.

696
MCQmedium

You have an Azure SQL Database that uses the Hyperscale service tier. You notice that the log rate is consistently high. You need to reduce the log write latency. What should you do?

A.Enable data compression on the tables
B.Increase the log rate limit in the Hyperscale service tier
C.Enable Accelerated Database Recovery
D.Change the service tier to General Purpose
AnswerB

Increasing log rate limit improves log write throughput.

Why this answer

Option B is correct because increasing the log rate limit allows more log throughput, reducing latency. Option A is incorrect because changing tier to General Purpose would reduce performance. Option C is incorrect because data compression does not affect log writes.

Option D is incorrect because enabling Accelerated Database Recovery does not reduce log write latency.

697
Multi-Selectmedium

You are tuning an Azure SQL Database workload. Which TWO actions can help reduce PAGELATCH_EX contention?

Select 2 answers
A.Increase MAXDOP
B.Add multiple data files to the filegroup
C.Use a columnstore index
D.Configure a readable secondary replica
E.Use hash partitioning on a table
AnswersB, E

Distributes allocation pages.

Why this answer

Options B and D are correct. Adding multiple data files distributes allocation pages (PFS, GAM, SGAM), reducing contention. Using a hash partition on the table spreads data across files.

Option A is wrong because read-only replicas do not affect primary contention. Option C is wrong because columnstore indexes are not directly related. Option E is wrong because increasing max degree of parallelism can increase contention.

698
Multi-Selecteasy

Which TWO Azure services can be used to automate the execution of T-SQL scripts on a schedule against Azure SQL Database?

Select 2 answers
A.Azure Logic Apps with SQL connector to execute stored procedures.
B.Azure Automation Hybrid Runbook Worker with PowerShell Invoke-SqlCmd.
C.Azure Functions with timer trigger and SqlConnection.
D.Elastic Database Jobs with T-SQL script execution.
E.Azure Data Factory with a SQL Server Stored Procedure activity.
AnswersB, D

Hybrid Runbook Worker can run scripts on schedule.

Why this answer

Options A and D are correct. Azure Automation Hybrid Runbook Worker can run T-SQL scripts on-premises or in Azure. Elastic Database Jobs are designed to run T-SQL scripts on schedules across databases.

Option B is wrong because Azure Logic Apps can run SQL queries but not T-SQL scripts in a batch. Option C is wrong because Azure Data Factory is for data movement, not script execution. Option E is wrong because Azure Functions are for code execution, but not specifically for scheduled T-SQL.

699
MCQhard

Your company uses Azure SQL Database with active geo-replication. You notice that the secondary database in a different region has a high log write latency. Users report that the primary database performance is normal. What is the most likely cause?

A.Insufficient log IOPS on the secondary database
B.Network latency between the primary and secondary regions
C.High CPU usage on the primary database
D.Excessive read workload on the secondary database
AnswerB

Geo-replication log shipping is affected by network latency.

Why this answer

Option D is correct because log write latency on the secondary is typically due to network latency between regions. Option A is wrong because the primary performance is normal. Option B is wrong because the secondary is readable but not for writes.

Option C is wrong because the secondary does not generate its own log; it applies log from primary.

700
Multi-Selectmedium

You are designing an automation solution to deploy Azure SQL Database schema changes using CI/CD pipelines. The solution must support rollback if a deployment fails and must integrate with Azure DevOps. Which two components should you include in your pipeline?

Select 2 answers
A.Azure Automation runbook to execute T-SQL scripts.
B.Azure Data Factory pipeline to copy schema changes.
C.A PowerShell script that uses Invoke-SqlCmd to deploy to Azure SQL Managed Instance.
D.Azure SQL Database project with DACPAC deployment.
E.Azure SQL Database deployment task in Azure Pipelines.
AnswersD, E

DACPAC is the standard for schema deployment and supports rollback.

Why this answer

Option B is correct because Azure SQL Database deployment task in Azure DevOps can execute schema scripts. Option E is correct because using Azure SQL Database projects with DACPAC allows version-controlled schema deployment. Option A is incorrect because Azure Automation runbooks are more for operational tasks, not CI/CD.

Option C is incorrect because Azure SQL Managed Instance is a different service. Option D is incorrect because Data Factory is for ETL, not schema deployment.

701
MCQhard

Your organization is implementing Microsoft Purview for data governance. You need to scan an Azure SQL Database to automatically classify sensitive data. The security team requires that the scan use a managed identity and that the data classification be stored in Microsoft Purview. What should you configure on the Azure SQL Database?

A.Enable system-assigned managed identity on the database and grant it permissions to access Purview
B.Use SQL authentication with a dedicated login and firewall rule
C.Assign the Microsoft Purview managed identity the db_datareader role and configure the firewall to allow Purview IP ranges
D.Create a user-assigned managed identity and assign it to the database
AnswerC

Managed identity and firewall rules enable Purview to scan.

Why this answer

Option C is correct because Microsoft Purview uses its own managed identity to authenticate to data sources when scanning. To scan an Azure SQL Database, you must grant Purview's managed identity the `db_datareader` role in the database to allow read access for classification, and you must configure the Azure SQL firewall to allow inbound connections from the Purview IP ranges (or enable 'Allow Azure services and resources to access this server'). This satisfies the security team's requirement to use a managed identity and store classification in Purview.

Exam trap

The trap here is that candidates mistakenly think they need to assign a managed identity to the Azure SQL Database itself (Option A or D), when in fact the scan uses Purview's own managed identity to authenticate to the database, requiring only role assignment and firewall configuration on the database side.

How to eliminate wrong answers

Option A is wrong because enabling a system-assigned managed identity on the Azure SQL Database itself is not required; Purview uses its own managed identity to connect, not the database's identity. Option B is wrong because SQL authentication with a dedicated login and firewall rule does not use a managed identity, violating the security team's requirement. Option D is wrong because creating a user-assigned managed identity and assigning it to the database is unnecessary; Purview's own managed identity (system-assigned or user-assigned) is used for authentication, and the database does not need its own identity for this scan.

702
MCQmedium

You run the KQL query shown in the exhibit. The query returns a list of query IDs. What is the purpose of this query?

A.Identify queries consuming the most CPU.
B.Identify the top 10 queries by average duration.
C.Identify queries with the highest total wait time.
D.Identify queries with the highest execution count.
AnswerB

Averages avg_duration per query and returns top 10.

Why this answer

Option C is correct because the query calculates average duration per query and returns the top 10 by average duration, which identifies the slowest queries. Option A is wrong because it does not filter by time range. Option B is wrong because it does not look at resource waits.

Option D is wrong because it does not include CPU time.

703
MCQhard

You are the database administrator for a company that uses Azure SQL Database. The company has a strict security policy requiring that all database connections be encrypted using TLS 1.2 or higher and that the server certificate be validated to prevent man-in-the-middle attacks. Additionally, the company wants to ensure that only applications running on Azure virtual machines (VMs) in a specific virtual network (VNet) can access the database. The VMs use a subnet named 'AppSubnet'. You have configured the following: 1. The server 'Allow Azure Services' setting is OFF. 2. A virtual network rule is added for 'AppSubnet' with the service endpoint for Microsoft.Sql enabled. 3. The server firewall has no other rules. 4. The 'Minimum TLS version' is set to 1.2. 5. All client applications are configured to use 'Encrypt=True' and 'TrustServerCertificate=False' in their connection strings. After deployment, you discover that connections from the VMs are failing with error: 'The certificate chain was issued by an authority that is not trusted'. What is the most likely cause of this issue?

A.The client applications are using an older version of .NET that does not support TLS 1.2.
B.The virtual network rule is missing the service endpoint for Microsoft.Sql on the subnet.
C.The server firewall is blocking traffic from the VNet because 'Allow Azure Services' is OFF.
D.The VMs do not have the necessary root CA certificates installed to validate the Azure SQL Database server certificate.
AnswerD

Correct: The certificate chain validation fails if root CAs are missing.

Why this answer

The error 'The certificate chain was issued by an authority that is not trusted' indicates that the client cannot validate the Azure SQL Database server certificate. With 'TrustServerCertificate=False', the client must trust the server's certificate chain, which requires the root CA certificates (e.g., Baltimore CyberTrust Root) to be installed in the VM's trusted root store. Since the VMs are in Azure, they typically have these certificates, but custom images or hardened VMs may lack them, causing the validation failure.

Exam trap

The trap here is that candidates confuse a certificate trust error with network connectivity or TLS version issues, assuming the problem is with the firewall or TLS configuration rather than the client's certificate store.

How to eliminate wrong answers

Option A is wrong because the error is about certificate trust, not TLS version support; the 'Minimum TLS version' is set to 1.2 and modern .NET versions support it, so an older .NET version would cause a different error (e.g., 'could not establish trust relationship'). Option B is wrong because the scenario states the service endpoint for Microsoft.Sql is already enabled on the subnet, and the virtual network rule is added; missing the endpoint would cause a connectivity timeout or access denied, not a certificate trust error. Option C is wrong because 'Allow Azure Services' OFF only affects connections from outside the VNet (e.g., Azure services not in the VNet); the VNet rule explicitly allows traffic from AppSubnet, so the firewall is not blocking it.

704
Multi-Selectmedium

Which TWO Azure SQL Database features can help you scale out read-intensive workloads without modifying application code?

Select 2 answers
A.Database sharding
B.Geo-replication with readable secondary
C.In-memory OLTP
D.Elastic pool
E.Read scale-out
AnswersB, E

A readable geo-replica can serve read-only queries.

Why this answer

Geo-replication with readable secondary (Option B) is correct because it creates a continuously synchronized read-only replica of your Azure SQL Database in a different Azure region. Applications can connect to this secondary endpoint using the same connection string with 'ApplicationIntent=ReadOnly', enabling read-intensive workloads to be offloaded without any code changes. This provides both scalability for reads and disaster recovery.

Exam trap

The trap here is that candidates often confuse 'Geo-replication with readable secondary' (which requires no code changes) with 'Database sharding' (which requires application logic to distribute data), or they mistakenly think 'In-memory OLTP' can scale out reads when it actually improves write/transaction performance on a single database.

705
MCQhard

Your company runs a mission-critical database on Azure SQL Managed Instance in the East US region. To comply with a new regulatory requirement, you must ensure that the database can be recovered within 15 minutes in the event of a regional disaster, with a maximum data loss of 10 seconds. You also need to minimize compute costs during normal operations. What should you configure?

A.Use a General Purpose instance with a failover group to a secondary instance in a paired region.
B.Configure a zone-redundant Business Critical instance in East US only, without a geo-secondary.
C.Deploy the primary instance as Business Critical with a zone-redundant secondary replica, and configure a failover group to a secondary instance in a paired region using Business Critical with a non-readable secondary.
D.Deploy the primary instance as Business Critical with a readable secondary replica, and configure a failover group to a secondary instance in a paired region using General Purpose.
AnswerC

This meets the RPO and RTO with minimal cost by avoiding an extra readable replica.

Why this answer

Option A is correct because a failover group with a geo-secondary instance using the Business Critical service tier and a secondary replica that is not readable (no read scale-out) provides synchronous commit within the primary region and asynchronous geo-replication, meeting the RPO of 10 seconds and RTO of 15 minutes while minimizing cost by not using a readable secondary for read workloads. Option B is wrong because a readable secondary increases cost without benefit. Option C is wrong because General Purpose does not offer synchronous replication within the region, leading to higher data loss.

Option D is wrong because zone-redundancy does not protect against regional failure.

706
MCQhard

You attempt to create a new Azure SQL Database server with public network access enabled. What will happen?

A.The server will be created, but an audit log will be generated.
B.The server will be created successfully with public network access enabled.
C.The creation will be denied because the policy prohibits public network access.
D.The server will be created, but the databases will be denied creation.
AnswerC

The policy explicitly denies servers with public network access enabled.

Why this answer

Azure Policy can enforce rules that restrict or deny the creation of Azure resources that do not meet specific compliance requirements. If a policy is in place that prohibits public network access for Azure SQL Database servers, the creation request will be denied at the Azure Resource Manager level before the server is provisioned. This is a common security control to enforce a private endpoint or deny public connectivity.

Exam trap

The trap here is that candidates may assume the server is always created and then audited or partially blocked, but Azure Policy denies the entire creation request at the Resource Manager level before any resource is provisioned.

How to eliminate wrong answers

Option A is wrong because the server creation is denied by Azure Policy before any resource is created, so no audit log is generated for the server itself (though the denial action may be logged in the Azure Activity Log). Option B is wrong because the policy explicitly prohibits public network access, so the server cannot be created with that setting enabled; the creation request is blocked. Option D is wrong because the server is never created, so no databases are involved in the denial process.

707
MCQmedium

You are configuring Azure SQL Database for a financial application that must meet PCI DSS compliance. The database contains credit card numbers stored in a column encrypted with Always Encrypted. You need to ensure that database administrators cannot view the plaintext credit card numbers while allowing application users with the proper credentials to access them. What should you implement?

A.Use column-level encryption with a certificate stored in the database
B.Enable Transparent Data Encryption (TDE)
C.Use Always Encrypted with secure enclaves and store the column master key in Azure Key Vault with access granted only to the application
D.Implement Dynamic Data Masking (DDM)
AnswerC

Always Encrypted ensures that only authorized clients can decrypt data, and secure enclaves allow computations without exposing data to DBAs.

Why this answer

Always Encrypted with secure enclaves ensures that credit card numbers are encrypted at all times, including during computation, and that the column master key is stored in Azure Key Vault with access granted only to the application. This prevents database administrators (DBAs) from viewing plaintext data because they never have access to the column master key, while authorized application users can decrypt the data via the client driver. This meets PCI DSS requirements for protecting cardholder data at rest and in use.

Exam trap

The trap here is that candidates often confuse Dynamic Data Masking (DDM) with encryption, mistakenly believing that masking prevents administrators from seeing data, when in fact DDM can be bypassed by users with db_owner or CONTROL permissions, whereas Always Encrypted cryptographically enforces separation of duties.

How to eliminate wrong answers

Option A is wrong because column-level encryption with a certificate stored in the database allows DBAs with access to the database to retrieve the certificate and decrypt the data, violating the requirement that administrators cannot view plaintext credit card numbers. Option B is wrong because Transparent Data Encryption (TDE) encrypts data at rest but does not prevent DBAs or users with database access from viewing plaintext data when queried; it protects against physical theft of storage, not unauthorized access by administrators. Option D is wrong because Dynamic Data Masking (DDM) only obfuscates data at the query result level and does not encrypt the underlying data; DBAs with elevated permissions can bypass the mask and view plaintext values.

708
MCQhard

You have configured a failover group using the JSON template shown. The primary server is server1 in East US, and the secondary server is server2 in West US. During a test, you notice that read-only queries against the secondary endpoint are failing. What is the most likely cause?

A.The read-only endpoint failover policy is disabled.
B.The database is not included in the failover group databases list.
C.The failover grace period is set too high.
D.The read-write endpoint failover policy is set to Automatic.
AnswerA

Disabled policy prevents read-only routing to secondary.

Why this answer

Option B is correct because the readOnlyEndpoint failover policy is set to Disabled, meaning read-only routing is not enabled. Option A is wrong because read-write policy is automatic. Option C is wrong because the database is listed correctly.

Option D is wrong because the grace period is set.

709
MCQhard

You are a database administrator for an Azure SQL Database. You need to allow a user to restore a database from a backup to a new database, but the user should not have permission to delete the original database. What is the minimum permission required?

A.db_backupoperator database role
B.db_owner database role
C.CREATE DATABASE permission on the logical server
D.SQL Server Contributor role
AnswerC

CREATE DATABASE permission allows restoring a backup as a new database without delete permissions.

Why this answer

The minimum permission required to restore a database from a backup to a new database in Azure SQL Database is the CREATE DATABASE permission on the logical server. This is because restoring a backup to a new database is essentially creating a new database, and the user does not need any additional permissions on the original database to perform this action. The db_backupoperator and db_owner roles grant excessive permissions on the original database, while the SQL Server Contributor role is an Azure RBAC role that provides broader management capabilities beyond what is needed.

Exam trap

The trap here is that candidates often assume database-level roles like db_backupoperator are sufficient for restore operations, but in Azure SQL Database, restoring to a new database requires server-level CREATE DATABASE permission, not just backup-related roles.

How to eliminate wrong answers

Option A is wrong because the db_backupoperator database role only allows backing up a database, not restoring it to a new database; restoring requires CREATE DATABASE permission at the server level. Option B is wrong because the db_owner database role provides full control over the database, including the ability to delete it, which exceeds the minimum required permission and violates the requirement to prevent deletion. Option D is wrong because the SQL Server Contributor role is an Azure RBAC role that grants permissions to manage the entire logical server, including deleting databases, and is not the minimum permission needed for a single restore operation.

710
MCQeasy

You are reviewing a JSON representation of an Azure SQL Database firewall rule. What is the effect of this rule?

A.Blocks all IP addresses from 10.0.0.0 to 10.0.0.255.
B.Allows all IP addresses except 10.0.0.0 to 10.0.0.255.
C.Allows all IP addresses from 10.0.0.0 to 10.0.0.255.
D.Allows only the IP address 10.0.0.0.
AnswerC

Correct: This is the range defined.

Why this answer

The JSON representation of the Azure SQL Database firewall rule with startIpAddress '10.0.0.0' and endIpAddress '10.0.0.255' defines a range that allows all IP addresses from 10.0.0.0 to 10.0.0.255 inclusive. Azure SQL Database firewall rules use inclusive IP range matching, so any client with an IP in that range is permitted to connect, provided the rule is enabled.

Exam trap

The trap here is that candidates often confuse the inclusive range behavior with a single IP or assume that a range implies blocking, when in fact Azure SQL Database firewall only supports allow rules and the range is inclusive of both endpoints.

How to eliminate wrong answers

Option A is wrong because the rule allows, not blocks, the specified IP range; blocking would require a deny rule, which Azure SQL Database firewall does not support—only allow rules exist. Option B is wrong because the rule explicitly allows the range 10.0.0.0 to 10.0.0.255, not all IPs except that range; that behavior would require a default allow with a separate deny, which is not how Azure SQL firewall works. Option D is wrong because the rule specifies a range (start and end IP), not a single IP; a single IP rule would have identical start and end values (e.g., '10.0.0.0' for both).

711
MCQmedium

Your Azure SQL Database is configured with the Hyperscale service tier. You observe increased redo log latency. Which resource is most likely the bottleneck?

A.Compute node CPU
B.Log service throughput
C.Page server IO
D.Remote storage IOPS
AnswerB

Log service is responsible for redo; latency there causes redo lag.

Why this answer

Option B is correct because in Hyperscale, the log service is a separate component that handles redo; high latency there directly affects redo speed. Option A is wrong because compute node CPU affects query processing, not redo latency specifically. Option C is wrong because page servers handle data reads, not redo.

Option D is wrong because storage IO is distributed and rarely the bottleneck for redo in Hyperscale.

712
MCQmedium

A company is planning to migrate their on-premises SQL Server databases to Azure SQL Managed Instance. They have a database that uses SQL Server Agent jobs with proxies and also uses cross-database queries extensively. What is the main consideration for this migration?

A.Migrate to Azure SQL Managed Instance as it supports SQL Agent and cross-database queries within the same instance.
B.Migrate to SQL Server on Azure Virtual Machines for full control.
C.Migrate to Azure SQL Database elastic query to handle cross-database queries.
D.Migrate to Azure SQL Database instead to reduce costs.
AnswerA

Azure SQL Managed Instance supports both SQL Agent with proxies and cross-database queries.

Why this answer

Azure SQL Managed Instance is the correct target because it provides full support for SQL Server Agent, including proxies, and enables cross-database queries within the same instance. Unlike Azure SQL Database, Managed Instance maintains instance-level scope, allowing queries that reference other databases in the same instance without requiring external data sources or elastic queries.

Exam trap

The trap here is that candidates may assume Azure SQL Database is always the cheaper or simpler option, overlooking that it lacks SQL Agent proxies and native cross-database query support, which are critical for this migration.

How to eliminate wrong answers

Option B is wrong because migrating to SQL Server on Azure Virtual Machines, while offering full control, is unnecessary when Managed Instance already supports the required features and reduces management overhead. Option C is wrong because Azure SQL Database elastic query is designed for querying remote databases across different servers or instances, not for native cross-database queries within the same instance, and it does not support SQL Agent proxies. Option D is wrong because Azure SQL Database does not support SQL Server Agent proxies and has limited cross-database query capabilities (only within elastic pools using elastic query), making it unsuitable for this workload.

713
Multi-Selectmedium

You have an Azure SQL Database that runs a critical workload. You need to automate the monitoring of performance anomalies and receive notifications when certain thresholds are exceeded. Which TWO actions should you implement? (Choose two.)

Select 2 answers
A.Create a Power BI report that refreshes every minute.
B.Enable Query Store and set up email notifications for high query duration.
C.Configure a SQL Agent alert on performance counters.
D.Enable SQL Insights (preview) for intelligent performance monitoring.
E.Create an Azure Monitor alert rule on DTU/CPU and storage metrics.
AnswersD, E

SQL Insights provides advanced monitoring and anomaly detection.

Why this answer

Options A and D are correct. Azure Monitor alerts can be configured on performance metrics, and SQL Insights provides intelligent monitoring. Option B is wrong because SQL Agent does not monitor metrics.

Option C is wrong because email notifications are not native to Query Store. Option E is wrong because Power BI is for reporting, not real-time alerting.

714
MCQhard

You manage a critical Azure SQL Database that supports a financial application. The database is configured with the Business Critical service tier (8 vCores) and uses Always On availability groups for high availability. Recently, the application team noticed that some transactions are experiencing high latency during writes. You investigate and find that the log write latency is averaging 10 ms, and there are occasional HADR_SYNC_COMMIT waits. The application requires durable writes with synchronous commit. You need to reduce write latency without compromising data durability. What should you do?

A.Switch to Premium SSD v2 storage
B.Disable automatic tuning to reduce overhead
C.Reduce the number of secondary replicas to minimize synchronization overhead
D.Increase the number of vCores to 16
AnswerD

More vCores increase log write throughput.

Why this answer

Option C is correct because increasing the number of vCores improves the log write throughput and reduces latency, as the log writer can use more CPU and memory. Option A is wrong because reducing the number of replicas is not possible in Business Critical (always 4). Option B is wrong because Premium SSD v2 may not be available in all regions and is not a direct fix for log write latency.

Option D is wrong because turning off automatic tuning does not affect log write latency.

715
Multi-Selectmedium

Which TWO of the following are valid methods to migrate an on-premises SQL Server database to Azure SQL Database?

Select 2 answers
A.Export the database as a BACPAC file and import into Azure SQL Database
B.Configure transactional replication to replicate changes to Azure SQL Database
C.Use log shipping to continuously copy transaction logs
D.Use the Data Migration Assistant (DMA) to perform an online migration
E.Restore a native SQL Server backup to Azure SQL Database
AnswersA, D

BACPAC is a supported migration method.

Why this answer

A BACPAC file is a logical backup that contains the database schema and data in a compressed format. Azure SQL Database supports importing BACPAC files directly via the Azure portal, PowerShell, or the SqlPackage utility, making this a straightforward and fully supported migration method.

Exam trap

The trap here is that candidates often assume native SQL Server backup restore (Option E) works in Azure SQL Database because it works in Azure SQL Managed Instance, but Azure SQL Database is a different PaaS tier that only supports BACPAC-based import/export.

716
MCQhard

You are a database administrator for a financial services company. The company has multiple Azure SQL Managed Instances in different regions for disaster recovery. Each Managed Instance hosts several databases. You need to automate the process of backing up all databases and copying the backup files to a central Azure Blob Storage account for long-term retention. The backup must be taken daily at 10 PM local time for each region. The solution must be resilient to regional outages and must not use native backup retention more than 7 days. Additionally, you must ensure that backup files are encrypted at rest and in transit. What should you do?

A.Configure a SQL Agent job on each Managed Instance to perform backups to the central storage account directly using BACKUP TO URL.
B.Create an Azure Automation account in each region with a PowerShell runbook that connects to the local Managed Instance, performs a full database backup to a local blob container, and then copies the backup file to the central storage account using AzCopy. Schedule the runbook to run daily at 10 PM local time.
C.Use Elastic Database Jobs to schedule backups across all databases in all Managed Instances.
D.Enable Azure Backup for SQL Server in Azure Backup vault and configure backup policies for each Managed Instance.
AnswerB

Azure Automation runbooks can be scheduled per region and provide resiliency.

Why this answer

Option A is correct. Azure Automation runbooks with PowerShell can schedule backup commands using the BACKUP TO URL command (which supports native SQL Server backup to Azure Blob Storage). This allows you to copy backups to a central storage account.

Using Azure Automation ensures resiliency and can be scheduled per region. Option B is incorrect because SQL Agent is available on Managed Instance, but it would require managing schedules across instances. Option C is incorrect because Elastic Database Jobs is not available for Managed Instance.

Option D is incorrect because Azure Backup for SQL Server is for IaaS VMs, not Managed Instance.

717
MCQeasy

You are monitoring an Azure SQL Database using Intelligent Insights. The built-in intelligence detects a performance issue and suggests a specific index to create. The database is running the Business Critical service tier. You want to automatically implement this recommendation without manual intervention. What should you configure?

A.Enable automatic tuning for 'FORCE LAST GOOD PLAN' in the Azure portal.
B.Set up Query Store to capture the recommended index execution.
C.Configure Azure Advisor to email you the recommendation.
D.Enable automatic tuning for 'CREATE INDEX' in the Azure portal.
AnswerD

Automatic tuning can automatically create and drop indexes based on workload patterns.

Why this answer

Option A is correct because Azure SQL Database's automatic tuning can automatically implement index recommendations. Option B is wrong because automatic tuning for plan correction is separate. Option C is wrong because it only provides recommendations.

Option D is wrong because Query Store is a monitoring tool, not an automatic tuning feature.

718
MCQeasy

You need to run a complex T-SQL script on an Azure SQL Database every hour. The script performs data transformations that must be logged for auditing. Which native Azure service should you use?

A.SQL Agent job on the Azure SQL Database.
B.Elastic Database Jobs with a T-SQL job step.
C.Azure Data Factory with a stored procedure activity.
D.Azure Automation Account with a PowerShell runbook that uses Invoke-SqlCmd.
AnswerB

Elastic Jobs are purpose-built for scheduled T-SQL execution on Azure SQL DB with logging.

Why this answer

Option D is correct because Elastic Database Jobs are designed for scheduled T-SQL script execution across databases with logging. Option A is wrong because SQL Agent is not available in Azure SQL Database single database. Option B is wrong because Data Factory is for ETL, not simple script execution.

Option C is wrong because Automation Runbooks are for PowerShell, not T-SQL directly.

719
Multi-Selecteasy

Which TWO actions should you take to secure Azure SQL Database against SQL injection attacks?

Select 2 answers
A.Enable Transparent Data Encryption
B.Enable auditing for all database operations
C.Configure firewall rules to allow only trusted IP addresses
D.Use parameterized queries in application code
E.Use stored procedures with parameters
AnswersD, E

Prevents SQL injection by separating code from data.

Why this answer

Parameterized queries (Option D) and stored procedures with parameters (Option E) are both effective defenses against SQL injection because they separate SQL code from user input. When using parameterized queries, the database engine treats input as data only, never as executable code, which prevents attackers from injecting malicious SQL statements. This is a fundamental secure coding practice recommended by Microsoft for Azure SQL Database.

Exam trap

The trap here is that candidates often confuse security features like encryption (TDE) or network controls (firewall rules) with application-layer defenses, mistakenly thinking they prevent SQL injection when they only address different threat vectors.

720
MCQeasy

You need to automate the deployment of database schema changes across multiple Azure SQL Databases in a development environment. Which Azure service is designed for this purpose?

A.Azure DevOps using database projects and release pipelines.
B.SQL Agent jobs on each database.
C.Azure Automation Account with PowerShell runbooks.
D.Azure Data Factory with a copy activity.
AnswerA

Azure DevOps provides CI/CD capabilities specifically for database deployments.

Why this answer

Option A is correct because Azure DevOps with database projects and pipelines is the standard tool for automating schema deployments. Option B is wrong because Data Factory focuses on data movement, not schema changes. Option C is wrong because Automation Account is for runbooks, not CI/CD pipelines.

Option D is wrong because SQL Agent is for job scheduling, not deployment automation.

721
MCQeasy

You have an Azure SQL Database that is used by a reporting application. Reports run slowly during the day. You notice that the database is at the S1 tier. You need to improve report performance without changing application code. What should you do?

A.Rebuild fragmented indexes.
B.Scale up the database to a higher service tier.
C.Implement table partitioning.
D.Enable read scale-out to offload reports.
AnswerB

Higher DTU allocation directly improves throughput.

Why this answer

Option B is correct because scaling up to a higher service tier (e.g., S2 or S3) provides more DTUs, improving report performance. Option A is wrong because index maintenance helps but may not be sufficient if resource is the bottleneck. Option C is wrong because read scale-out is only available on Premium/Business Critical.

Option D is wrong because partitioning adds complexity and is not a guaranteed fix.

722
MCQmedium

You are a database administrator for a healthcare company. You have an Azure SQL Database that stores patient records. The database is currently accessible from the public internet via firewall rules. You need to implement a secure environment that meets the following requirements: - All traffic to the database must be private and not traverse the internet. - The database must be accessible from an Azure Virtual Machine in a specific VNet. - The solution must minimize management overhead and cost. - You need to ensure that the database can be failed over to a secondary region in case of an outage. What should you do?

A.Restrict firewall rules to only the VM's public IP and enable active geo-replication.
B.Configure a point-to-site VPN from the VM to the database and set up geo-replication.
C.Create a private endpoint in the VNet, disable public network access, and configure a failover group with a private endpoint in the secondary region.
D.Create a VNet service endpoint and a failover group. Keep public access enabled for failover.
AnswerC

This ensures private connectivity and disaster recovery.

Why this answer

Option B is correct because it meets all requirements: private endpoint ensures private connectivity, failover group provides disaster recovery, and disabling public access enforces security. Option A is wrong because service endpoints still expose the public endpoint. Option C is wrong because a point-to-site VPN adds complexity and cost.

Option D is wrong because a public endpoint with IP restriction does not meet the private traffic requirement.

723
MCQhard

The database 'mydb' is experiencing performance issues during peak hours. Based on the exhibit, what is the most likely cause?

A.Zone redundancy is disabled, causing failover delays.
B.The service tier S3 is not sufficient for the workload.
C.Read scale is disabled, increasing load on primary.
D.The database is auto-pausing frequently due to autoPauseDelay.
AnswerB

S3 has limited DTU which can cause performance issues.

Why this answer

Option A is correct because the S3 tier has low DTU (100 DTU) and is likely overwhelmed. Option B is wrong because auto-pause delay is set to 3600 seconds (1 hour) and would not cause issues during active use. Option C is wrong because zone redundancy does not affect performance.

Option D is wrong because read scale is disabled but not needed for primary workload.

724
MCQmedium

You manage an Azure SQL Database that supports a critical financial application. The database is in the General Purpose tier and uses active geo-replication for disaster recovery. You need to automate the process of failing over to the secondary region in case of a regional outage, but only after confirming that the primary is unreachable for more than 5 minutes. Additionally, you need to send an alert to the operations team when the failover occurs. The solution should use Azure services and minimize manual steps. What should you implement?

A.Use Azure Logic Apps with a timer trigger to check the database status every minute and initiate failover if unreachable.
B.Schedule a SQL Agent job on the secondary to run a script that checks connectivity and fails over.
C.Configure Azure Site Recovery for the SQL database.
D.Configure an Azure Monitor metric alert on the 'Deadlock count' metric (or custom metric) with a threshold of 0 for 5 minutes, then use an action group to trigger an Azure Automation runbook that runs the failover PowerShell cmdlet.
AnswerD

Monitor can detect unavailability and trigger automated failover via runbook.

Why this answer

Option A is correct because Azure Monitor can detect the primary database unavailability (e.g., through heartbeat metrics) and trigger an alert that invokes an Azure Automation runbook to perform the failover. Options B and C require manual intervention. Option D (Azure Site Recovery) is not designed for SQL Database geo-replication failover.

725
Multi-Selectmedium

You are a database administrator for a company that uses Azure SQL Managed Instance. You need to automate the process of patching the operating system and SQL Server engine for all managed instances in a specific region. The automation must minimize downtime and ensure high availability. Which two actions should you include in your automation strategy?

Select 2 answers
A.Use Azure Policy to automatically scale up the instance before patching.
B.Create an Azure Automation runbook to manually apply OS and SQL patches.
C.Configure a maintenance window using Azure Portal or PowerShell.
D.Deploy a failover group to another region and enable read-scale replicas.
E.Enable Azure Update Manager for the managed instances.
AnswersC, D

Allows scheduling updates during off-peak hours.

Why this answer

Option A is correct because Azure SQL Managed Instance automatically applies updates, but you can configure a maintenance window to control the timing. Option C is correct because using a failover group with read-scale replicas ensures that during patching, traffic can be redirected to a secondary replica, minimizing downtime. Option B is incorrect because manual patching is not supported for Azure SQL Managed Instance; Microsoft manages patching.

Option D is incorrect because scaling up is not related to patching automation. Option E is incorrect because enabling Azure Update Manager is not applicable to Azure SQL Managed Instance; it's for IaaS VMs.

726
MCQeasy

Your company is adopting Microsoft Defender XDR for enhanced security. You need to enable Microsoft Defender for SQL for your Azure SQL Database to receive security alerts and vulnerability assessments. What is the first step you must take?

A.Configure Microsoft Intune to manage access.
B.Run a vulnerability assessment scan from the Azure portal.
C.Configure Microsoft Purview to scan the database.
D.Enable Microsoft Defender for SQL on the Azure SQL logical server.
AnswerD

Enabling Defender for SQL activates security alerts and vulnerability assessments.

Why this answer

Microsoft Defender for SQL must be enabled at the logical server level before any security alerts or vulnerability assessments can be applied to the Azure SQL Database. This server-level enablement activates the Defender for SQL features (including vulnerability assessment and threat detection) for all databases under that server, making it the prerequisite step.

Exam trap

The trap here is that candidates may think they need to first run a vulnerability assessment scan (Option B) to see alerts, but the scan itself requires Defender for SQL to be enabled first, making the enablement the true first step.

How to eliminate wrong answers

Option A is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) service, not related to enabling security features for Azure SQL Database. Option B is wrong because running a vulnerability assessment scan requires Defender for SQL to already be enabled; attempting to run it first would fail or be unavailable. Option C is wrong because Microsoft Purview is a data governance and catalog service used for data discovery and classification, not for enabling SQL security alerts or vulnerability assessments.

727
MCQmedium

You have an Azure SQL Database that must be automatically restarted every night to clear the procedure cache. You plan to use elastic jobs in Azure SQL Database. What should you create first?

A.A job database
B.An elastic job agent
C.A target group
D.A job credential
AnswerB

The job agent is required before creating jobs, targets, and credentials.

Why this answer

Option A is correct because an elastic job agent is the top-level resource that orchestrates jobs. The job database stores job definitions and history. Option B is created after the agent.

Option C is a target group, not first. Option D is a credential, but the agent must exist first.

728
MCQhard

A company uses Azure SQL Managed Instance. They want to automate backups to a storage account for long-term retention beyond the default 35 days. What should they use?

A.Configure a SQL Server Agent job on the Managed Instance to run a T-SQL BACKUP DATABASE TO URL statement.
B.Use Azure Backup to configure a backup policy for the Managed Instance.
C.Create an Elastic Database Job that runs a T-SQL BACKUP DATABASE TO URL statement.
D.Create an Azure Automation runbook that uses the Backup-SqlDatabase cmdlet with -BackupAction 'Database' -CopyOnly and schedule it.
AnswerD

The Backup-SqlDatabase cmdlet can perform COPY_ONLY backups to a URL when used with the -BackupContainer parameter, and Azure Automation can schedule it.

Why this answer

Option D is correct because Azure SQL Managed Instance does not support native T-SQL BACKUP DATABASE TO URL for automated long-term retention; instead, you must use the Azure Backup service, which leverages the Backup-SqlDatabase cmdlet with the -CopyOnly flag to perform copy-only backups that do not disrupt the backup chain. This method integrates with Azure Backup policies to store backups in a Recovery Services vault for retention beyond 35 days.

Exam trap

The trap here is that candidates mistakenly think they can use T-SQL BACKUP DATABASE TO URL or Elastic Database Jobs on Managed Instance, but Managed Instance does not support user-initiated T-SQL backups—only Azure Backup with the Backup-SqlDatabase cmdlet is valid for custom long-term retention.

How to eliminate wrong answers

Option A is wrong because SQL Server Agent jobs on Managed Instance cannot execute T-SQL BACKUP DATABASE TO URL; Managed Instance does not support backing up to URL via T-SQL—backups are managed by Azure internally. Option B is wrong because Azure Backup does not directly support configuring a backup policy for Managed Instance; it requires the use of the Backup-SqlDatabase cmdlet in a runbook or similar automation to orchestrate backups. Option C is wrong because Elastic Database Jobs are designed for executing T-SQL scripts across multiple databases in Azure SQL Database, not for backing up Managed Instance databases, and they cannot run BACKUP DATABASE TO URL on Managed Instance.

729
MCQhard

You are the database administrator for a company that uses Azure SQL Managed Instance. The security team has detected unusual query activity from a specific client IP address. You need to immediately block all connections from that IP address while maintaining connectivity for all other users. Which solution should you implement?

A.Create a private endpoint for the managed instance and disable public network access.
B.Add a server-level firewall rule at the logical server level to deny the IP address.
C.Add a firewall rule at the managed instance level that denies the specific IP address.
D.Modify the network security group (NSG) associated with the managed instance's subnet to deny the IP address.
AnswerC

Instance-level firewall rules can allow or deny specific IP addresses.

Why this answer

Option C is correct because Azure SQL Managed Instance supports instance-level firewall rules that can explicitly deny a specific client IP address while allowing all other traffic. Unlike Azure SQL Database, which uses server-level firewall rules, Managed Instance firewall rules are configured directly on the instance and can include both allow and deny entries, enabling granular access control without affecting other users.

Exam trap

The trap here is that candidates confuse Azure SQL Database's server-level firewall rules with Managed Instance's instance-level firewall rules, or incorrectly assume that NSG modifications are the correct way to block a single client IP without understanding that NSGs affect the entire subnet.

How to eliminate wrong answers

Option A is wrong because creating a private endpoint and disabling public network access would block all external connections, not just the specific IP, and is a permanent architectural change rather than an immediate targeted block. Option B is wrong because Azure SQL Managed Instance does not have a logical server-level firewall; server-level firewall rules apply only to Azure SQL Database and Azure Synapse, not to Managed Instance. Option D is wrong because modifying the NSG associated with the Managed Instance's subnet would block traffic at the network layer for all instances in that subnet, potentially disrupting other services, and Managed Instance does not expose direct NSG control for individual IP filtering without impacting the entire subnet.

730
MCQeasy

You are reviewing the audit configuration of an Azure SQL Database using the above JSON from Azure Resource Manager. Based on the exhibit, which of the following is true?

A.Audit logs are written using the secondary storage key
B.Auditing is currently disabled
C.Audit logs are retained for 30 days
D.Audit logs are sent to Azure Monitor
AnswerD

isAzureMonitorTargetEnabled is true.

Why this answer

Option B is correct because isAzureMonitorTargetEnabled is true, meaning audit logs are sent to Azure Monitor. Option A is wrong because state is Enabled. Option C is wrong because retentionDays is 90.

Option D is wrong because isStorageSecondaryKeyInUse is false.

731
MCQmedium

A developer reports that they cannot connect to an Azure SQL Database using Azure AD authentication. The developer is a member of an Azure AD group that has been granted db_datareader role in the database. The connection string uses Active Directory Password authentication. What is the most likely issue?

A.The Azure AD group has not been created as a database user.
B.The server firewall is blocking the connection.
C.The developer's IP address is not allowed.
D.Multi-factor authentication is required but not configured.
AnswerA

Azure AD groups must be mapped to a database user using CREATE USER [group] FROM EXTERNAL PROVIDER.

Why this answer

The most likely issue is that the Azure AD group has not been created as a database user in the SQL Database. Even though the group has been granted the db_datareader role at the Azure AD level, Azure SQL Database requires that the group be explicitly mapped to a database user via the CREATE USER [group name] FROM EXTERNAL PROVIDER statement. Without this mapping, the group's membership does not translate into database-level permissions, and the developer's authentication will fail.

Exam trap

The trap here is that candidates often confuse Azure AD group membership with database user creation, assuming that granting a role to an Azure AD group automatically grants database access, when in fact a separate database user must be created for the group.

How to eliminate wrong answers

Option B is wrong because the server firewall blocking the connection would result in a network-level error (e.g., cannot connect to server), not an authentication failure. Option C is wrong because the developer's IP address not being allowed would also cause a network-level error, not an Azure AD authentication issue. Option D is wrong because Multi-Factor Authentication (MFA) is not required for Active Directory Password authentication; MFA is only enforced when using Active Directory Interactive authentication or when conditional access policies are applied, and the connection string here uses Password authentication, which does not support MFA.

732
Multi-Selectmedium

Which TWO options are valid services for scheduling automated tasks for Azure SQL Database? (Choose two.)

Select 2 answers
A.SQL Server Agent
B.Azure Functions
C.Azure Automation
D.Azure Logic Apps
E.Elastic Database Jobs
AnswersC, E

Azure Automation can run PowerShell or Python runbooks on a schedule to perform database tasks.

Why this answer

Azure Automation is correct because it provides a cloud-based automation and configuration service that supports scheduling PowerShell or Python runbooks to execute tasks against Azure SQL Database, such as running T-SQL scripts or performing maintenance operations. It integrates natively with Azure SQL via the Az module and can be triggered on a recurring schedule, making it a valid service for scheduling automated tasks.

Exam trap

The trap here is that candidates often confuse SQL Server Agent (available in SQL Server and Azure SQL Managed Instance) with Elastic Database Jobs (the equivalent for Azure SQL Database), or they assume Azure Functions or Logic Apps are the correct scheduling services when the question specifically asks for services designed for scheduling automated tasks for Azure SQL Database.

733
MCQeasy

You have an Azure SQL Database that uses the General Purpose service tier. The database is critical and you need to protect against a regional outage with an RPO of 1 hour and an RTO of 12 hours. What is the most cost-effective solution?

A.Use geo-restore with the default backup retention.
B.Enable active geo-replication.
C.Configure auto-failover group with a secondary in a different region.
D.Deploy a zone-redundant configuration.
AnswerA

Geo-restore is included with backups and meets the RPO/RTO requirements.

Why this answer

Option C is correct because geo-restore meets an RPO of 1 hour and RTO of 12 hours at no extra cost beyond backup storage. Option A is wrong because it is more expensive than needed. Option B is wrong because it also incurs extra cost.

Option D is wrong because it does not protect against regional failure.

734
MCQmedium

You are managing an Azure SQL Database that runs a critical business application. The database experiences a predictable surge in read-only queries every night at 2:00 AM. You need to configure automatic scaling to handle this surge without manual intervention. What should you do?

A.Create a read replica and redirect read queries to it during the surge.
B.Manually scale up the database service tier before 2:00 AM each day.
C.Move the database to an Elastic Database Pool and rely on its built-in autoscaling.
D.Configure autoscale settings on the Azure SQL Database using Azure Automation runbooks triggered by a metric alert.
AnswerD

This enables automatic scaling based on load.

Why this answer

Option D is correct because Azure SQL Database does not natively support automatic scaling based on load. To achieve this, you must use Azure Automation runbooks triggered by a metric alert (e.g., DTU or CPU percentage) to programmatically scale the database's service tier up or down. This approach allows you to handle the predictable nightly surge without manual intervention, as the runbook can be scheduled or triggered by a threshold alert.

Exam trap

The trap here is that candidates often assume Azure SQL Database has built-in autoscaling like Azure SQL Database serverless (which only pauses/resumes, not scales), or they confuse elastic pool autoscaling with per-database scaling, leading them to select option C incorrectly.

How to eliminate wrong answers

Option A is wrong because creating a read replica and redirecting read queries does not scale the primary database; it only offloads read traffic, and the replica itself is not automatically scaled to handle the surge. Option B is wrong because manually scaling the database before 2:00 AM each day requires ongoing manual intervention, which contradicts the requirement to configure automatic scaling without manual intervention. Option C is wrong because Elastic Database Pools provide resource sharing and autoscaling at the pool level (adding/removing eDTUs), but they do not automatically scale individual databases within the pool; the pool's autoscaling is based on aggregate pool metrics, not per-database surge patterns.

735
MCQeasy

You need to automate the process of scaling an Azure SQL Database to a higher service tier when CPU usage exceeds 80% for 5 consecutive minutes. Which Azure service is best suited for this automation?

A.Azure Logic App triggered by an Azure Monitor metric alert, calling the Azure SQL Database REST API to update the tier.
B.Elastic Database Job that monitors sys.dm_db_resource_stats and executes ALTER DATABASE.
C.Azure Automation Runbook triggered by an Azure Monitor alert, using PowerShell to scale the database.
D.Azure Function triggered by an Azure Monitor alert, using the Azure SDK to scale.
AnswerA

Logic Apps have native integration with Azure Monitor alerts and REST APIs.

Why this answer

Option B is correct because Azure Logic Apps can be triggered by metrics alerts and can call the REST API to update the database tier. Option A is wrong because Azure Automation Runbooks can be triggered by alerts but require more setup. Option C is wrong because Azure Functions can work but Logic Apps are simpler.

Option D is wrong because Elastic Database Jobs cannot scale databases.

736
MCQmedium

After running the above Azure CLI command, you notice that the secondary database is not readable. What is the most likely reason?

A.Geo-replication does not support readable secondaries by default
B.The secondary database capacity is set to 2 DTUs, which is too low
C.The '--secondary-type' parameter is set to 'Geo' instead of 'Readable'
D.The hardware generation is Gen5, which does not support readable secondaries
AnswerC

Setting secondary-type to 'Geo' disables read access; use 'Readable' to allow reads.

Why this answer

Option A is correct. The '--secondary-type Geo' parameter sets the secondary to 'Geo' type, which is not readable. To make it readable, you must specify '--secondary-type Readable' (or 'Named').

Option B is incorrect because the capacity is for the secondary, but it does not affect readability. Option C is incorrect because Gen5 is a valid generation. Option D is incorrect because geo-replication does not support auto-failover; that's failover groups.

737
MCQeasy

Your company plans to migrate several on-premises SQL Server databases to Azure SQL Database. The databases are used by different applications, each with varying performance requirements. You need to choose a deployment option that provides the most cost-effective solution while allowing for independent scaling of each database. Which option should you choose?

A.Create an Azure SQL Database elastic pool and add databases to the pool.
B.Install SQL Server on Azure Virtual Machines and host all databases on a single instance.
C.Migrate all databases to a single Azure SQL Managed Instance.
D.Deploy each database as a single Azure SQL Database with its own DTU-based tier.
AnswerA

Elastic pools provide cost-effective resource sharing with independent scaling.

Why this answer

Azure SQL Database elastic pools allow multiple databases to share a fixed set of resources (eDTUs or vCores), enabling cost savings by pooling underutilized databases while providing the ability to independently scale each database's resource consumption within the pool. This meets the requirement for independent scaling and cost-effectiveness, as opposed to single databases that each require their own dedicated resources.

Exam trap

The trap here is that candidates often choose single databases (Option D) thinking they offer the most straightforward independent scaling, but they overlook the cost inefficiency compared to elastic pools when databases have variable or low utilization.

How to eliminate wrong answers

Option B is wrong because hosting all databases on a single SQL Server on Azure Virtual Machines does not allow independent scaling of each database; all databases share the same instance resources, and scaling requires resizing the VM. Option C is wrong because a single Azure SQL Managed Instance also shares resources across all databases in that instance, preventing independent scaling per database and often incurring higher costs for mixed workloads. Option D is wrong because deploying each database as a single Azure SQL Database with its own DTU-based tier is less cost-effective than an elastic pool when databases have varying and often low utilization, as each database pays for its peak capacity independently.

738
MCQmedium

You are planning a disaster recovery strategy for an Azure SQL Database that supports a critical financial application. The database is deployed in the Brazil South region. Because of data sovereignty requirements, the secondary database must also be located in Brazil, but in a different availability zone. The application requires an RPO of 10 seconds and an RTO of 30 minutes. The database size is 2 TB and you need to minimize egress costs. What should you do?

A.Deploy the database using the Business Critical service tier with zone redundancy and a failover group.
B.Deploy the database using the Hyperscale service tier with zone-redundant configuration.
C.Use the General Purpose service tier with a zone-redundant backup configuration.
D.Configure active geo-replication to a secondary database in a different Brazilian region (e.g., Brazil Southeast).
AnswerB

Hyperscale supports zone redundancy, provides fast failover, and meets the RPO/RTO with asynchronous replication across zones.

Why this answer

Option A is correct because Hyperscale supports zone-redundant configuration with fast failover, and the RPO/RTO can be met with asynchronous replication across zones. Option B is wrong because Business Critical in the same region cannot provide DR across zones. Option C is wrong because General Purpose does not meet the RPO.

Option D is wrong because active geo-replication to a different region violates data sovereignty and increases costs.

739
MCQeasy

You are configuring Azure SQL Database firewall rules. You need to allow a range of IP addresses (192.168.1.0 to 192.168.1.255) to connect to the database. Which firewall rule should you create?

A.Start IP: 192.168.0.0, End IP: 192.168.2.255
B.Start IP: 192.168.1.0, End IP: 192.168.1.255
C.Start IP: 192.168.1.255, End IP: 192.168.1.0
D.Start IP: 192.168.1.0, End IP: 192.168.1.0
AnswerB

Correct: This covers the entire /24 subnet.

Why this answer

Option B is correct because Azure SQL Database firewall rules require a contiguous range of IP addresses defined by a start and end IP. The range 192.168.1.0 to 192.168.1.255 exactly covers the specified /24 subnet, allowing all hosts in that block to connect. This is the standard method for permitting a subnet in Azure SQL firewall configuration.

Exam trap

The trap here is that candidates may confuse Azure SQL firewall rules with on-premises firewall or network ACLs, where reversed ranges or single-IP entries might be accepted, but Azure SQL strictly requires a valid start ≤ end IP and does not support CIDR notation, leading to errors if you try to use a subnet mask or reversed order.

How to eliminate wrong answers

Option A is wrong because it defines a range from 192.168.0.0 to 192.168.2.255, which is a /22 subnet (192.168.0.0/22) and includes addresses outside the required range (e.g., 192.168.0.1 and 192.168.2.1), granting excessive access. Option C is wrong because it reverses the start and end IPs (start 192.168.1.255, end 192.168.1.0), which is invalid; Azure SQL firewall rules require the start IP to be less than or equal to the end IP, and such a rule would be rejected or behave incorrectly. Option D is wrong because it sets both start and end IP to 192.168.1.0, which only allows a single host (192.168.1.0) rather than the full /24 range, thus blocking all other addresses in the subnet.

740
MCQeasy

You need to design a disaster recovery plan for an Azure SQL Managed Instance. The recovery time objective (RTO) is 1 hour, and the recovery point objective (RPO) is 15 minutes. What is the most cost-effective solution?

A.Configure active geo-replication between instances in different regions.
B.Set up log shipping to a secondary instance.
C.Create an auto-failover group with a secondary instance in a paired region.
D.Use point-in-time restore to a secondary region.
AnswerC

Auto-failover groups provide low RTO and RPO for Managed Instance.

Why this answer

Option D is correct because auto-failover groups with a secondary in a paired region provide RTO of ~1 hour and RPO of 5 seconds to 5 minutes, meeting the requirements cost-effectively. Option A is incorrect because active geo-replication is not supported for Managed Instance. Option B is incorrect because log shipping is not natively supported.

Option C is incorrect because point-in-time restore has longer RTO.

741
MCQeasy

You are designing a new Azure SQL Database deployment for a mission-critical application. The application requires 99.99% availability SLA, automated failover within 30 seconds, and read-scale capability for reporting. Which tier and configuration should you choose?

A.Business Critical with zone redundancy and a failover group
B.General Purpose serverless with geo-replication
C.General Purpose with active geo-replication and read-scale
D.Hyperscale with zone redundancy enabled
AnswerA

Business Critical provides zone-redundant high availability, automatic failover, and readable secondaries for reporting.

Why this answer

Business Critical with zone redundancy and a failover group meets all requirements: 99.99% SLA (supported by zone-redundant Business Critical), automated failover within 30 seconds (failover groups provide automatic, fast failover across regions), and read-scale capability (Business Critical includes a readable secondary replica).

Exam trap

The trap here is that candidates confuse 'read-scale' with 'geo-replication read-only secondary' — only Business Critical and Hyperscale offer a built-in readable secondary replica, while General Purpose requires a separate geo-replicated secondary for read-only access, which does not meet the 30-second failover requirement.

How to eliminate wrong answers

Option B is wrong because General Purpose serverless does not support zone redundancy or read-scale replicas, and geo-replication alone does not guarantee 30-second failover or 99.99% SLA. Option C is wrong because General Purpose does not offer read-scale replicas (only Business Critical and Hyperscale do), and active geo-replication failover is manual or requires custom automation, not automated within 30 seconds. Option D is wrong because Hyperscale with zone redundancy does not include a readable secondary replica for read-scale (it uses page servers and a log service, not a dedicated readable secondary), and its failover behavior is not designed for sub-30-second automated failover across regions.

742
MCQhard

A company has an Azure SQL Managed Instance that is experiencing high CPU usage. The DBA observes that a specific query is causing high compile time due to parameter sniffing. The query is executed frequently with varying parameter values. Which approach should the DBA use to reduce CPU usage without changing the T-SQL code?

A.Create a plan guide to force a specific plan
B.Use optimize for ad hoc workloads
C.Add query store and force the last good plan
D.Enable forced parameterization for the database
AnswerD

Forced parameterization treats literals as parameters, reducing recompilations.

Why this answer

Forced parameterization (Option D) converts literal values in the query to parameters, allowing SQL Server to reuse cached execution plans across different parameter values. This reduces CPU usage by eliminating frequent recompilations caused by parameter sniffing, without requiring any changes to the T-SQL code itself.

Exam trap

The trap here is that candidates often confuse 'forced parameterization' with 'plan guides' or 'Query Store forcing,' not realizing that forced parameterization directly reduces compile time by enabling plan reuse, while the other options only manage plan selection without addressing the root cause of frequent recompilations.

How to eliminate wrong answers

Option A is wrong because creating a plan guide to force a specific plan would lock in one plan for all parameter values, which could lead to suboptimal performance for other values and does not address the root cause of high compile time. Option B is wrong because 'optimize for ad hoc workloads' only defers the cost of storing single-use plans, but does not prevent recompilation due to parameter sniffing; it does not reduce compile time for frequently executed queries. Option C is wrong because adding Query Store and forcing the last good plan still relies on a single plan for all executions, which may not be optimal for varying parameter values and does not reduce compile time; it only ensures plan stability after a regression.

743
MCQmedium

You are managing an Azure SQL Managed Instance that hosts a critical database. You need to automate the export of daily backups to a storage account for long-term retention. The solution must minimize administrative overhead and support point-in-time restore within the retention period. What should you use?

A.Configure a long-term retention (LTR) backup policy for the Managed Instance.
B.Configure an Azure Backup policy for the Managed Instance.
C.Schedule a BACPAC export of the database to the storage account.
D.Create a SQL Agent job to perform backups using BACKUP DATABASE TO URL.
AnswerA

LTR policies automate backup exports to storage accounts and support point-in-time restore.

Why this answer

Option B is correct because Managed Instance automated backups can be configured with long-term retention (LTR) policies that store backups in a geo-redundant storage account. Option A is wrong because Azure Backup requires additional configuration and is not the native backup solution for Managed Instance. Option C is wrong because SQL Agent jobs require manual setup and maintenance.

Option D is wrong because BACPAC export is not a backup solution and does not support point-in-time restore.

744
MCQmedium

You manage an Azure SQL Database that has automatic tuning enabled. You receive an alert that the database is experiencing plan regression. The automatic tuning has forced a plan, but performance is still poor. What should you do first?

A.Disable automatic tuning and create a plan guide.
B.Review the Query Store to identify the root cause of regression.
C.Manually revert to the previous plan using Query Store.
D.Scale up the database to reduce resource pressure.
AnswerB

Query Store provides insights into plan changes and performance.

Why this answer

Option B is correct because Query Store can show plan history and regression details, helping analyze why the forced plan is not optimal. Option A is wrong because reverting may cause further regression. Option C is wrong because manual plan guide may be too drastic.

Option D is wrong because scaling up doesn't address plan quality.

745
MCQhard

You have an Azure SQL Database that uses a SQL Agent job to run a critical ETL process every night. The job recently started failing intermittently. You need to automate the monitoring and alerting of job failures, and automatically retry the job twice with a 10-minute interval between retries. What should you configure?

A.Modify the job to use a T-SQL loop that checks job history and re-runs the job step.
B.Use Microsoft Power Automate to poll the job history and re-run the job if failed.
C.Create an Azure Monitor alert on the job failure event and use a webhook to trigger a PowerShell script that retries the job.
D.Configure the job step's 'Retry attempts' and 'Retry interval (minutes)' settings in the SQL Agent job step properties.
AnswerD

SQL Agent job steps have built-in retry configuration.

Why this answer

Option C is correct because SQL Agent jobs have built-in retry settings in the job step properties. Option A is wrong because Azure Monitor alerts can notify but do not automatically retry the job. Option B is wrong because it would require custom logic.

Option D is wrong because Power Automate can trigger retries but requires additional setup and is not native to SQL Agent.

746
MCQeasy

Your organization requires that all Azure SQL Database administrators use multi-factor authentication (MFA) when connecting. Which authentication method must be used?

A.SQL Server authentication
B.Microsoft Entra ID authentication with Conditional Access policy
C.Certificate-based authentication
D.Windows authentication
AnswerB

Entra ID can require MFA via Conditional Access.

Why this answer

Microsoft Entra ID authentication combined with a Conditional Access policy is required to enforce multi-factor authentication (MFA) for Azure SQL Database administrators. Conditional Access policies can mandate MFA as a condition for authentication, which is not possible with SQL Server authentication, certificate-based authentication, or Windows authentication alone. This method integrates with Microsoft Entra ID (formerly Azure AD) to provide the necessary security controls.

Exam trap

The trap here is that candidates often assume certificate-based authentication (Option C) can enforce MFA, but certificates alone do not require a second factor; MFA must be explicitly enforced via a Conditional Access policy with Microsoft Entra ID authentication.

How to eliminate wrong answers

Option A is wrong because SQL Server authentication uses a username and password stored in the database and does not support MFA or integration with Microsoft Entra ID. Option C is wrong because certificate-based authentication relies on client certificates for identity verification and does not inherently enforce MFA; it can be used with Entra ID but requires additional configuration like Conditional Access to require MFA. Option D is wrong because Windows authentication is used for on-premises SQL Server and is not supported for Azure SQL Database; it cannot enforce MFA through Conditional Access policies.

747
MCQmedium

Your company has an Azure SQL Managed Instance in the UK South region. You need to implement a disaster recovery solution that provides automatic failover to a secondary region and allows read-only workloads to use the secondary replica. The solution must minimize data loss. What should you configure?

A.Deploy a second managed instance and use auto-failover groups
B.Create an availability group in the secondary region and configure automatic failover
C.Configure a failover group between two managed instances
D.Enable active geo-replication and configure auto-failover using PowerShell
AnswerA

Failover groups for Managed Instance provide automatic failover and readable secondary.

Why this answer

Option D is correct because a failover group for Azure SQL Managed Instance provides automatic failover and a readable secondary. Option A is for SQL Server on VMs. Option B is for Azure SQL Database, not Managed Instance.

Option C is incorrect because automatic failover is a feature of failover groups, not a separate configuration.

748
MCQeasy

You are the database administrator for a company that uses Azure SQL Database. The company has a strict security policy requiring that all database connections be encrypted and that the server's firewall only allows connections from a list of approved IP addresses. You have configured the server-level firewall rules accordingly and enabled the 'Force encryption' setting on the server. However, after deployment, you notice that an application running on an Azure virtual machine is able to connect to the database even though its public IP address is not in the approved list. The virtual machine is in the same region as the database. What is the most likely cause?

A.The virtual machine is using a private IP address that is automatically allowed.
B.The virtual machine is using a service endpoint that bypasses the firewall.
C.The 'Force encryption' setting is misconfigured; it should be disabled to allow non-encrypted connections.
D.The 'Allow Azure services and resources to access this server' setting is enabled, which allows all Azure IPs to connect.
AnswerD

This setting bypasses firewall rules for Azure services.

Why this answer

Option D is correct because the 'Allow Azure services and resources to access this server' setting, when enabled, adds a firewall rule that permits connections from all Azure IP addresses, including those not in the approved list. This overrides the specific IP-based firewall rules, allowing the Azure VM (even with a public IP not on the approved list) to connect. The setting is designed to allow Azure services like Azure App Service or Azure VMs to bypass IP restrictions, which violates the strict security policy in this scenario.

Exam trap

The trap here is that candidates often assume private IPs or service endpoints automatically bypass firewall rules, but the actual cause is the default 'Allow Azure services' setting, which is frequently overlooked as a blanket permission that overrides specific IP restrictions.

How to eliminate wrong answers

Option A is wrong because Azure SQL Database does not automatically allow private IP addresses; firewall rules are based on public IP addresses, and private IPs are not routable over the internet. Option B is wrong because a service endpoint does not bypass the firewall; it routes traffic over the Azure backbone but still requires the source public IP to be allowed in the firewall rules. Option C is wrong because disabling 'Force encryption' would allow non-encrypted connections, which violates the encryption policy, and does not address the firewall bypass issue.

749
MCQhard

Refer to the exhibit. You are reviewing the configuration of an Azure SQL Database hyperscale service tier. The database 'SalesDB' has read scale enabled with 2 read replicas. You need to ensure that if the primary region fails, the database can be failed over to a secondary region with minimal data loss and that the read replicas in the secondary region are also available. What should you configure?

A.Configure zone redundancy on the Hyperscale database.
B.Create a named replica in a secondary region and configure it as a geo-secondary.
C.Enable active geo-replication to a secondary server in a different region.
D.Create a failover group with a secondary Hyperscale database in another region.
AnswerB

Named replicas can be created in a secondary region and promoted during failover, providing DR and read scalability.

Why this answer

Option D is correct. For Hyperscale, you can configure named replicas that can be placed in a secondary region. These replicas can be promoted to primary in case of failover, and they also support read scaling.

Option A is wrong because zone redundancy only protects within a region. Option B is wrong because failover groups are not supported for Hyperscale in the traditional sense; named replicas are used. Option C is wrong because geo-replication is not a standalone feature for Hyperscale; named replicas provide geo-replication.

750
MCQmedium

Your company has an Azure SQL Database that uses a failover group with a secondary in a different region. You need to ensure that read-only queries are directed to the secondary database to offload the primary. What should you configure?

A.Add ApplicationIntent=ReadOnly to the connection string and use the failover group listener.
B.Use a Traffic Manager profile to route read traffic.
C.Enable read-scale for the database.
D.Configure a separate connection string pointing to the secondary server.
AnswerA

The read-only listener routes to the secondary when ApplicationIntent=ReadOnly is specified.

Why this answer

Option C is correct because the failover group provides a read-only listener endpoint that can be used for read-only queries. Option A is wrong because ApplicationIntent=ReadOnly in the connection string combined with the read-only listener routes to secondary. Option B is wrong because read-only routing is not automatic without the listener.

Option D is wrong because read-scale is a separate feature, not for geo-replicated secondaries.

Page 9

Page 10 of 13

Page 11