You are deploying Azure SQL Database and need to comply with regulatory requirements that mandate separation of duties for database administration. Specifically, the security team should manage access policies, and the database administrators should manage the data. Which THREE features should you use to implement this?
Can be used to restrict DBAs from viewing sensitive data.
Why this answer
Dynamic Data Masking (C) is correct because it allows database administrators to manage data while hiding sensitive information from non-privileged users, supporting separation of duties by preventing security team members from viewing actual data.
Azure RBAC (D) is correct because it enables distinct role assignments (e.g., SQL Security Manager vs. SQL DB Contributor) to separate who manages access policies from who manages data.
Database-level roles (E) are correct because they provide granular permissions within the database, such as db_securityadmin for managing security policies and db_owner for full data management, enforcing separation at the database level.
Exam trap
The trap here is that candidates often confuse network-level controls (firewall rules) or encryption features (TDE) with access control and role separation mechanisms. Separation of duties requires distinct role assignments and permission boundaries, not just data protection or network restrictions.