CCNA Implement a secure environment Questions

75 of 213 questions · Page 1/3 · Implement a secure environment · Answers revealed

1
MCQmedium

Your company uses Azure SQL Database with Microsoft Entra ID authentication. You need to ensure that only users from a specific Microsoft Entra ID tenant can access the database. What should you configure?

A.Enable Azure AD conditional access policy to restrict sign-ins to the specific tenant.
B.Set the server firewall to allow only the tenant's IP range.
C.Create a server-level firewall rule with IP range '0.0.0.0' and then use Microsoft Entra ID authentication with a conditional access policy.
D.Configure a network security group (NSG) to block all traffic except from the tenant's IP range.
AnswerC

The 0.0.0.0 rule is the "Allow Azure services and resources to access this server" setting, not an allow-all rule; it admits connections from Azure-hosted sources, while Entra ID validates the tenant.

Why this answer

Option C is correct because restricting access to a specific Microsoft Entra ID tenant is an identity control, not a network one. The server-level firewall rule with start and end address 0.0.0.0 is the rule the portal shows as "Allow Azure services and resources to access this server"; it lets Azure-hosted sources reach the server, and the tenant restriction is then enforced by Entra ID authentication together with a conditional access policy. A logical server is bound to the tenant of its Entra admin, so tokens from other tenants are rejected at authentication; the conditional access policy tightens the conditions under which that tenant's users may sign in.

Exam trap

The trap here is that candidates often think a conditional access policy alone is sufficient, when the policy only governs authentication: if the firewall does not admit the connection (here via the 0.0.0.0 "Allow Azure services" rule), the client never reaches the point where Entra ID is consulted.

How to eliminate wrong answers

Option A is wrong because a conditional access policy alone cannot admit a connection the firewall rejects; it governs the conditions of sign-in (location, device, risk) after the client has reached the server. Option B is wrong because a Microsoft Entra tenant is an identity boundary with no IP range of its own; its users sign in from anywhere, so an IP-based rule cannot express "this tenant". Option D is wrong because a network security group attaches to subnets and network interfaces inside a virtual network; it cannot be applied to Azure SQL Database's public endpoint and knows nothing about tenants.

2
MCQmedium

You are the database administrator for a healthcare organization that uses Azure SQL Database. You need to implement column-level encryption for a column containing patient Social Security numbers (SSNs). The SSNs must be encrypted at rest and in transit, and only authorized client applications should be able to decrypt them. Which technology should you use?

A.Row-level security (RLS) to restrict access based on user role.
B.Dynamic data masking (DDM) to mask SSNs for unauthorized users.
C.Transparent Data Encryption (TDE) with customer-managed keys.
D.Always Encrypted with column master key stored in Azure Key Vault.
AnswerD

Always Encrypted encrypts column data at rest and in transit, and only clients with access to the column master key can decrypt.

Why this answer

Always Encrypted is the correct choice because it ensures that sensitive data, such as SSNs, is encrypted both at rest and in transit, and the encryption keys are stored client-side (e.g., in Azure Key Vault). This design ensures that only authorized client applications with access to the column master key can decrypt the data, preventing even database administrators or cloud operators from viewing the plaintext values.

Exam trap

The trap here is that candidates often confuse Transparent Data Encryption (TDE) with column-level encryption, mistakenly thinking TDE protects data from all unauthorized access, when in fact TDE only encrypts data at rest and does not prevent authorized database users from reading sensitive columns in plaintext.

How to eliminate wrong answers

Option A is wrong because Row-Level Security (RLS) controls which rows a user can access based on predicates, but it does not encrypt data or protect it in transit; it only filters rows at query time. Option B is wrong because Dynamic Data Masking (DDM) obfuscates data for unauthorized users at the application layer but does not encrypt the underlying data, leaving it vulnerable to unauthorized decryption or exposure in backups and logs. Option C is wrong because Transparent Data Encryption (TDE) encrypts the entire database at rest but does not protect data in transit or prevent authorized database users (e.g., DBAs) from reading the plaintext SSNs; it also does not support client-side key control for granular column-level encryption.

3
MCQhard

Your company uses Azure SQL Database with a server-level Microsoft Entra ID admin. You need to implement a solution where database-level roles are automatically assigned based on the user's group membership in Microsoft Entra ID. What should you use?

A.Use Azure RBAC to assign roles to the Entra ID groups.
B.Configure a SQL Server Agent job to update database roles based on group membership.
C.Create database users from Microsoft Entra ID groups and grant roles to those users.
D.Create a DDL trigger that assigns roles when users log in.
AnswerC

You can create a contained database user for each Entra ID group and grant database roles to that user.

Why this answer

Option C is correct because Azure SQL Database supports creating database users mapped to Microsoft Entra ID (formerly Azure AD) groups. By creating a user for the Entra ID group and then granting database roles to that group user, all members of the group automatically inherit the assigned permissions. This directly satisfies the requirement for role assignment based on group membership without custom scripting or triggers.

Exam trap

The trap here is that candidates confuse Azure RBAC (management-plane access) with database-level permissions (data-plane access), or assume that SQL Server Agent or DDL triggers are available in Azure SQL Database, leading them to choose options that are either not applicable or unsupported in the PaaS environment.

How to eliminate wrong answers

Option A is wrong because Azure RBAC controls access to Azure resources (e.g., the logical server or database) at the management plane, not database-level permissions within the SQL engine; it cannot assign database roles like db_datareader. Option B is wrong because SQL Server Agent is not available in Azure SQL Database (it is a PaaS service with no Agent support), and even if it were, polling group membership would be inefficient and not real-time. Option D is wrong because DDL triggers fire on schema changes (e.g., CREATE TABLE), not on login events; logon triggers are not supported in Azure SQL Database, and they cannot dynamically assign database roles based on group membership.

4
Matchingmedium

Match each Azure Database for PostgreSQL pricing tier to its key feature.


Matches

Single node, suitable for development and small workloads

Balanced compute and memory for most production workloads

High memory-to-core ratio for memory-intensive workloads

Low-cost option with ability to burst CPU performance

Why these pairings

These tiers define the compute and memory resources available for Azure Database for PostgreSQL.

5
MCQmedium

Your company uses Azure SQL Database with Azure Active Directory (now Microsoft Entra ID) authentication. A new security policy requires that all database users must be authenticated via Microsoft Entra ID only. You need to disable SQL authentication for an Azure SQL Database logical server. What should you do?

A.Remove the Azure AD administrator for the server.
B.Remove all SQL logins from the master database.
C.Set the 'Azure AD-only authentication' property to Enabled for the logical server.
D.Set the 'Azure AD-only authentication' property to Enabled for each database.
AnswerC

This is the correct server-level setting to disable SQL authentication.

Why this answer

Option C is correct because enabling the 'Azure AD-only authentication' property at the logical server level explicitly blocks all SQL authentication attempts, forcing every database user to authenticate via Microsoft Entra ID. This property is a server-level toggle that overrides any existing SQL logins or contained database users, ensuring compliance with the policy without needing to manually remove logins.

Exam trap

The trap here is that candidates mistakenly think disabling SQL authentication requires manually removing SQL logins or that the setting can be applied per database, when in fact the 'Azure AD-only authentication' property is a server-level toggle that automatically blocks all SQL authentication attempts without needing to delete any logins.

How to eliminate wrong answers

Option A is wrong because removing the Azure AD administrator only disables Entra ID authentication, leaving SQL authentication intact—the opposite of the required outcome. Option B is wrong because removing SQL logins from the master database does not disable SQL authentication for contained database users or future connections; the server still accepts SQL authentication attempts, and contained database users in user databases remain unaffected. Option D is wrong because the 'Azure AD-only authentication' property is only available at the logical server level, not per database; setting it per database is not a supported operation in Azure SQL Database.

6
Multi-Selecthard

Which THREE actions are required to configure Microsoft Entra ID authentication for an Azure SQL Database? (Choose three.)

Select 3 answers
A.Configure a firewall rule to allow connections from the Microsoft Entra ID service.
B.Set a Microsoft Entra ID administrator for the Azure SQL Database server.
C.Create contained database users in the database mapped to Microsoft Entra identities.
D.Ensure that the Microsoft Entra identity used to connect is a member of the same Azure AD tenant as the server.
E.Ensure that SQL authentication is enabled as a fallback.
AnswersB, C, D

Required to enable Entra ID authentication at the server level.

Why this answer

Option B is correct because setting a Microsoft Entra ID administrator for the Azure SQL Database server is a mandatory step to enable Entra ID authentication at the server level. This action configures the server to accept authentication tokens from the specified Entra ID tenant and allows the creation of contained database users mapped to Entra identities.

Exam trap

The trap here is that candidates often confuse network-level firewall rules with authentication configuration, incorrectly assuming that a special firewall rule is needed for Entra ID traffic, when in fact only IP-based rules are required for network access.

7
MCQhard

Your Azure SQL Managed Instance stores sensitive financial data. You must prevent unauthorized access from Azure services and ensure that only specific virtual networks can connect. You also need to audit all failed login attempts. Which combination of configurations should you implement?

A.Enable Microsoft Defender for SQL and set up anomaly detection alerts.
B.Create a private endpoint, set 'Public network access' to 'Deny', and enable Azure SQL Auditing with a log analytics workspace.
C.Enable SQL vulnerability assessment and configure email notifications.
D.Configure VNet service endpoints and set the firewall to allow only your VNet.
AnswerB

Private endpoint with public access denied secures network; auditing logs failed logins.

Why this answer

Option B is correct because creating a private endpoint for Azure SQL Managed Instance ensures that traffic to the instance traverses the Microsoft backbone network and is only accessible from within the specified virtual network. Setting 'Public network access' to 'Deny' explicitly blocks all public internet traffic, including traffic from other Azure services that do not originate from the approved VNet. Enabling Azure SQL Auditing with a Log Analytics workspace captures all failed login attempts, meeting the audit requirement.

This combination directly addresses the need to prevent unauthorized access from Azure services and enforce VNet-only connectivity while auditing failed logins.

Exam trap

The trap here is that candidates often confuse VNet service endpoints with private endpoints, assuming service endpoints provide the same level of isolation and access control, but service endpoints still leave the resource publicly resolvable and do not block all Azure service traffic.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for SQL and anomaly detection alerts are security monitoring and threat detection features, not network access controls; they do not restrict which virtual networks can connect or block Azure services. Option C is wrong because SQL vulnerability assessment and email notifications are for identifying and reporting database vulnerabilities, not for controlling network access or auditing failed login attempts. Option D is wrong because VNet service endpoints do not provide the same level of isolation as private endpoints; they still expose the instance to the public endpoint and do not prevent access from other Azure services that are not in the VNet, and they do not inherently audit failed logins.

8
MCQmedium

Refer to the exhibit. You are reviewing a script that is executed as part of a data migration to Azure SQL Database. The script attempts to insert a row with a specific OrderID into an Orders table that has an identity column. The script runs successfully in a test environment but fails in production with an error. The production environment has the same schema. What is the most likely cause?

A.The user running the script does not have ALTER permission on the table
B.The table in production does not have an identity column
C.A different session is already using SET IDENTITY_INSERT ON for the same table
D.The identity column in production has a different seed value
AnswerA

SET IDENTITY_INSERT requires ALTER permission on the table.

Why this answer

The script uses SET IDENTITY_INSERT ON to allow explicit insertion into an identity column. In Azure SQL Database, this requires ALTER permission on the table, not just INSERT. The test environment likely granted the user ALTER, but production did not, causing the failure despite identical schema.

Exam trap

The trap here is that candidates assume INSERT permission is sufficient for inserting into an identity column, overlooking that SET IDENTITY_INSERT ON is a schema-modifying operation requiring ALTER permission.

How to eliminate wrong answers

Option B is wrong because the exhibit shows the script uses SET IDENTITY_INSERT ON, which only applies to tables with an identity column; if production lacked one, the SET statement itself would fail with a different error (that the table does not have the identity property), not a permission error. Option C is wrong because SET IDENTITY_INSERT is session-scoped: the only restriction is that one table per session can have it ON at a time, and another session's setting has no effect on this session, so it cannot cause this failure. Option D is wrong because a different seed value does not cause an error; it only affects the next auto-generated value, and explicit inserts are allowed regardless of seed.
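The permission failure in question 8 can be reproduced and then fixed with the least privilege that SET IDENTITY_INSERT actually needs. This is an added T-SQL example, not part of the question bank; the dbo.Orders table, its sample row and the [migrator] user are constructed for the demonstration. Run it in a user database as a member of db_owner.

```sql
-- Added example (not from the question bank): reproduce and fix the failure behind
-- question 8. The table, the constructed row and the [migrator] user are hypothetical.
CREATE TABLE dbo.Orders (
    OrderID     INT IDENTITY(1,1) PRIMARY KEY,
    CustomerRef NVARCHAR(20) NOT NULL
);
-- A user without a login stands in for the migration account so the script is self-contained.
CREATE USER [migrator] WITHOUT LOGIN;
GRANT INSERT ON dbo.Orders TO [migrator];
GO
-- As the migration account: INSERT is held, ALTER is not, and the SET statement fails.
EXECUTE AS USER = 'migrator';
SELECT HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'INSERT') AS has_insert,  -- 1
       HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'ALTER')  AS has_alter;   -- 0
BEGIN TRY
    SET IDENTITY_INSERT dbo.Orders ON;
END TRY
BEGIN CATCH
    -- Msg 8104: "The current user is not the database or object owner of table ...
    -- Cannot perform SET operation."
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;
REVERT;
GO
-- The least privilege that unblocks the script is ALTER on that one table,
-- not db_ddladmin and not db_owner.
GRANT ALTER ON dbo.Orders TO [migrator];
GO
EXECUTE AS USER = 'migrator';
SET IDENTITY_INSERT dbo.Orders ON;
INSERT INTO dbo.Orders (OrderID, CustomerRef) VALUES (1001, N'CUST-0042');
-- Only one table per session can have IDENTITY_INSERT ON; switch it off as soon as the
-- explicit inserts are done so later statements in the same session are unaffected.
SET IDENTITY_INSERT dbo.Orders OFF;
REVERT;
GO
SELECT OrderID, CustomerRef FROM dbo.Orders;             -- 1001, CUST-0042
-- The identity counter is moved past the explicit value, which is why a different
-- seed in production (option D) changes nothing about whether the insert succeeds.
SELECT IDENT_CURRENT('dbo.Orders') AS current_identity;  -- 1001
```

The first EXECUTE AS block is the production failure; the second is the fix. Granting ALTER on the single table keeps the migration account out of db_ddladmin, which would let it alter every object in the database.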

9
MCQmedium

You are configuring Azure SQL Database for a multi-tenant application. Each tenant's data is stored in a separate database. You need to ensure that a tenant admin can only manage their own database and not other databases on the same logical server. What is the best approach?

A.Use a server-level firewall rule to restrict access to the tenant's IP.
B.Create a contained database user with db_owner role in each tenant's database and use Microsoft Entra authentication.
C.Create a server-level login and assign it as db_owner on all databases.
D.Create a database-level firewall rule for each tenant database.
AnswerB

Contained users are scoped to the database.

Why this answer

Option B is correct because a contained database user exists only in the database where it was created; membership in db_owner there grants full control of that database and nothing else on the logical server. Using Microsoft Entra authentication means the tenant admin's identity is an Entra user or group rather than a server-level login, so there is no server-level principal that could be mapped into other databases. Note that the server admin and the server's Entra admin still have access to every database; the isolation applies to the tenant principals, not to the platform administrators.

Option A is wrong because a server-level firewall rule controls which addresses can reach the server, not which databases a principal can manage. Option C is wrong because a server-level login mapped as db_owner in every database is exactly the cross-database access that must be prevented. Option D is wrong because a database-level firewall rule also controls network reachability, not permissions.
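Questions 3 and 9 both come down to the same two statements: create a contained user backed by an Entra identity and add it to a database role. This added T-SQL example (not from the question bank) shows the group-backed reader role of question 3 and the per-tenant db_owner of question 9, plus the query a reviewer would run to confirm the mapping. The group names [sql-readers] and [tenant-contoso-admins] are hypothetical; they must exist in the tenant the server is bound to, and the script is run in the target user database while connected as the server's Entra admin.

```sql
-- Added example (not from the question bank): Entra groups mapped to database roles.
-- Group names are hypothetical. Run in the user database as the server's Entra admin.

-- Question 3: a contained user backed by an Entra group. Every member of the group
-- inherits db_datareader; adding or removing people in Entra needs no SQL change.
CREATE USER [sql-readers] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [sql-readers];

-- Question 9: the tenant's admin group becomes db_owner of this database only.
-- The principal is created in tenant_contoso_db alone, so it does not exist in
-- sibling databases on the same logical server.
CREATE USER [tenant-contoso-admins] FROM EXTERNAL PROVIDER;
ALTER ROLE db_owner ADD MEMBER [tenant-contoso-admins];

-- Verify: principals mapped from Entra ('E' = external user, 'X' = external group)
-- and the database roles each one holds here.
SELECT dp.name      AS principal_name,
       dp.type_desc AS principal_type,
       r.name       AS role_name
FROM sys.database_principals AS dp
LEFT JOIN sys.database_role_members AS rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals   AS r  ON r.principal_id = rm.role_principal_id
WHERE dp.type IN ('E', 'X')
ORDER BY dp.name, r.name;

-- Scope check: Azure SQL Database has no USE to switch databases, so a tenant admin
-- who opens a connection to another database on the server fails at login unless a
-- contained user for the same identity was created there. Server admins and the
-- server's Entra admin are the exception and reach every database.
```

The verification query is worth keeping as a periodic review: an 'X' row in db_owner that does not match a known tenant group is the sign that someone mapped the wrong group.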

10
MCQeasy

You need to ensure that an Azure SQL Database uses Microsoft Entra-only authentication. You have configured the server to disallow SQL authentication. What additional step is required to prevent users from creating SQL logins?

A.Revoke the 'CREATE LOGIN' permission from all users except the Entra admin.
B.Remove the 'loginmanager' fixed server role from all users.
C.Enable auditing to detect login creation attempts and alert the security team.
D.No further action needed; disallowing SQL authentication prevents any SQL login creation.
AnswerA

This prevents users from creating new SQL logins.

Why this answer

Even with SQL authentication disabled for the server, principals that hold the CREATE LOGIN permission (in Azure SQL Database normally conferred through membership in the loginmanager role in master) can still issue CREATE LOGIN; the setting rejects SQL authentication at connection time, it does not change who may create logins. Option A is correct because revoking CREATE LOGIN from every principal except the Entra admin removes that ability at the permission level.

Option B is wrong because removing loginmanager membership covers only one route to the permission; principals that obtain it another way, such as the server admin accounts or members of the ##MS_LoginManager## server role, can still create logins. Option C is wrong because auditing records login creation after the fact and does not prevent it. Option D is wrong because the Entra-only authentication setting does not alter permissions in master; it blocks SQL authentication attempts but leaves existing CREATE LOGIN grants in place.

11
Multi-Selectmedium

Which THREE of the following are features that help protect against data exfiltration in Azure SQL Database? (Choose three.)

Select 3 answers
A.Always Encrypted
B.Dynamic Data Masking (DDM)
C.Transparent Data Encryption (TDE)
D.Azure SQL Database firewall
E.Row-Level Security (RLS)
AnswersA, D, E

Prevents the database engine from seeing plaintext data.

Why this answer

Always Encrypted is correct because it encrypts sensitive data at the client-side, ensuring that the encryption keys are never revealed to the database engine. This prevents even database administrators or attackers with access to the server from reading the plaintext data, directly protecting against data exfiltration.

Exam trap

The trap here is that candidates often confuse Dynamic Data Masking (DDM) with encryption, thinking it prevents data exfiltration, when in fact it only hides data from specific users and does not protect against direct database access or file theft.

12
MCQeasy

You are implementing a new Azure SQL Database and need to ensure that connections from client applications are encrypted using TLS 1.2 or higher. Which server-level firewall rule setting should you configure?

A.Deny public network access
B.Enable contained database authentication
C.Allow Azure Services and resources to access this server
D.Set minimal TLS version to 1.2
AnswerD

Enforces TLS 1.2 or higher for all connections.

Why this answer

Option D is correct because the 'Minimum TLS version' setting enforces the lowest TLS version the server will negotiate. It is a server-level connectivity setting shown alongside the firewall rules on the 'Networking' blade of the SQL server resource, although it is not itself a firewall rule. Setting it to 1.2 makes the server reject connection attempts using TLS 1.0 or 1.1, so every client application must use TLS 1.2 or higher. Check the client side too: drivers that pin an older protocol will fail to connect once the minimum is raised.

Exam trap

The trap here is that candidates confuse network access controls (like firewall rules or service endpoints) with encryption protocol enforcement, assuming that 'Allow Azure Services' or 'Deny public network access' somehow impacts TLS version requirements.

How to eliminate wrong answers

Option A is wrong because 'Deny public network access' controls whether connections from the public internet are allowed, not the encryption protocol version used for those connections. Option B is wrong because 'Enable contained database authentication' relates to authentication of users within the database itself, not to encryption or TLS version enforcement. Option C is wrong because 'Allow Azure Services and resources to access this server' is a firewall rule that permits traffic from other Azure services, but it does not enforce any specific TLS version for those connections.

13
MCQhard

You are a database administrator for a financial services company that uses Azure SQL Database for a critical trading application. The application connects using a service principal (Microsoft Entra application) and executes stored procedures. You need to implement the following security requirements: 1. All connections must use Microsoft Entra authentication with MFA enforced for the service principal. 2. The application should only be able to execute specific stored procedures (usp_Trade, usp_GetQuote) and no other operations. 3. All data at rest must be encrypted using customer-managed keys stored in Azure Key Vault. 4. Auditing must capture all failed login attempts and all changes to the database schema. 5. The database must be protected against SQL injection attacks from the application layer. You have already configured Microsoft Entra authentication and enabled TDE with customer-managed key in Azure Key Vault. Which additional steps should you take to meet all remaining requirements?

A.Create a database role with EXECUTE permission on the required stored procedures and assign it to the service principal. Configure a Conditional Access policy that requires MFA for the service principal. Enable audit for FAILED_DATABASE_AUTHENTICATION_GROUP and SCHEMA_OBJECT_CHANGE_GROUP. Ensure the application uses parameterized queries.
B.Create a database role that only has EXECUTE permission on the required stored procedures. Configure dynamic data masking on sensitive columns. Enable audit for FAILED_DATABASE_AUTHENTICATION_GROUP and SCHEMA_OBJECT_CHANGE_GROUP.
C.Create a contained database user for the service principal with EXECUTE permission. Enable Always Encrypted for sensitive columns. Configure audit for FAILED_DATABASE_AUTHENTICATION_GROUP only.
D.Create a database role with EXECUTE on the stored procedures. Implement row-level security to restrict data access. Use Microsoft Defender for SQL to detect SQL injection attempts.
AnswerA

All requirements met.

Why this answer

Option A is correct because it addresses every remaining requirement: (1) a Conditional Access policy is the mechanism the question uses to enforce MFA for the application's sign-in; (2) a database role holding EXECUTE on only usp_Trade and usp_GetQuote, with the service principal's contained user as its sole member, limits the application to those two procedures; (4) the FAILED_DATABASE_AUTHENTICATION_GROUP and SCHEMA_OBJECT_CHANGE_GROUP audit action groups capture failed logins and schema changes; (5) parameterized queries close the SQL injection path in the application layer. A practitioner caveat: Conditional Access for workload identities (service principals) supports conditions such as location and risk with a block control; interactive MFA applies to user sign-ins, so in practice the "MFA for the service principal" requirement is met with certificate credentials or a managed identity plus a workload-identity policy rather than an MFA prompt.

Option B is wrong because dynamic data masking hides values from unprivileged readers and does nothing against SQL injection or for MFA. Option C is wrong because Always Encrypted protects the column contents but does not prevent injection, and auditing only failed logins misses schema changes. Option D is wrong because row-level security filters rows rather than blocking injection, and Microsoft Defender for SQL detects injection attempts but does not prevent them.
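The database-side half of requirements 2 and 5 in question 13, as an added T-SQL example that is not part of the question bank: a role that can only EXECUTE the two procedures, the contained user for the service principal, and a procedure written the injectable way next to the parameterised one. The Entra application name [trading-app], the dbo.Quotes table and its two sample rows are constructed for the example; usp_Trade and usp_GetQuote are the names from the question.

```sql
-- Added example (not from the question bank): least-privilege role plus an injectable
-- procedure beside its safe form. Application name, table and rows are hypothetical.
CREATE TABLE dbo.Quotes (
    Symbol NVARCHAR(20)  NOT NULL PRIMARY KEY,
    Price  DECIMAL(12,4) NOT NULL
);
INSERT INTO dbo.Quotes (Symbol, Price) VALUES (N'CONTOSO', 41.2500), (N'FABRIKAM', 17.0100);
GO
-- Requirement 5, the wrong way: the argument is concatenated into SQL text.
-- EXECUTE AS OWNER is what lets the dynamic SQL reach a table the caller cannot read,
-- so the payload N'X'' OR 1=1--' returns every quote.
CREATE OR ALTER PROCEDURE dbo.usp_GetQuote_unsafe @Symbol NVARCHAR(20)
WITH EXECUTE AS OWNER
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Symbol, Price FROM dbo.Quotes WHERE Symbol = ''' + @Symbol + N'''';
    EXEC (@sql);
END;
GO
-- Requirement 5, the right way: a static statement with the value bound as data.
-- Ownership chaining lets the procedure read dbo.Quotes on the caller's behalf
-- without the caller holding SELECT on the table.
CREATE OR ALTER PROCEDURE dbo.usp_GetQuote @Symbol NVARCHAR(20)
AS
BEGIN
    SELECT Symbol, Price FROM dbo.Quotes WHERE Symbol = @Symbol;
END;
GO
CREATE OR ALTER PROCEDURE dbo.usp_Trade @Symbol NVARCHAR(20), @Qty INT
AS
BEGIN
    -- Minimal body for the example; the real procedure would record the order.
    SELECT Symbol, Price, @Qty AS Qty FROM dbo.Quotes WHERE Symbol = @Symbol;
END;
GO
EXEC dbo.usp_GetQuote_unsafe N'X'' OR 1=1--';   -- both rows: injection succeeded
EXEC dbo.usp_GetQuote        N'X'' OR 1=1--';   -- no rows: compared as a literal symbol
GO
-- Requirement 2: a contained user for the service principal and a role whose only
-- permissions are EXECUTE on the two procedures. No fixed-role membership, no table grants.
CREATE USER [trading-app] FROM EXTERNAL PROVIDER;
CREATE ROLE trading_executor;
GRANT EXECUTE ON OBJECT::dbo.usp_Trade    TO trading_executor;
GRANT EXECUTE ON OBJECT::dbo.usp_GetQuote TO trading_executor;
ALTER ROLE trading_executor ADD MEMBER [trading-app];
GO
-- Review what the role actually holds; only the two EXECUTE grants should appear.
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc,
       OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'trading_executor';
```

Requirement 4 (the two audit action groups) is configured on the Azure side (portal, Set-AzSqlServerAudit, or an ARM template), since CREATE SERVER AUDIT is not available in Azure SQL Database. The unsafe procedure is included only to show the failure mode; it is not granted to the role and should not exist in a real database.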

14
MCQeasy

You have an Azure SQL Database that stores financial data. You need to audit all SELECT operations on the 'Transactions' table and store the audit logs in an Azure Storage account. What should you use?

A.Enable Microsoft Defender for Cloud on the server and review security insights.
B.Create a server audit using SQL Server Audit and specify a file destination.
C.Enable diagnostic settings for the database and send to a Log Analytics workspace.
D.Configure server-level auditing to log to an Azure Storage account.
AnswerD

Server-level auditing can be scoped to statement-level actions such as SELECT on a specific table and can write its logs to Azure Storage.

Why this answer

Option D is correct because Azure SQL Database supports server-level auditing that writes audit logs directly to an Azure Storage account, which meets the requirement to audit SELECT operations on the 'Transactions' table and keep the logs in Azure Storage. The default audit action groups record completed batches; to audit only SELECT on one table, specify an audit action such as SELECT ON dbo.Transactions BY public through PowerShell (Set-AzSqlServerAudit -AuditAction) or the REST API, since the portal exposes only the action groups.

Exam trap

The trap here is that candidates often confuse diagnostic settings (which send metrics and logs to Log Analytics) with server-level auditing (which captures detailed database activity like SELECT operations), leading them to choose Option C instead of the correct server-level audit configuration.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud provides security alerts and vulnerability assessments, not granular audit logging of specific table operations like SELECT. Option B is wrong because SQL Server Audit with a file destination is not supported in Azure SQL Database; it only supports Azure Storage, Event Hubs, or Log Analytics as targets. Option C is wrong because diagnostic settings send metrics and resource logs to Log Analytics, not audit logs for specific table-level SELECT operations, and they do not provide the same level of granular auditing as server-level auditing.

15
MCQmedium

Your company has an Azure SQL Database that is accessed by multiple applications. You need to implement a security solution that meets the following requirements: - Each application must have its own database user with specific permissions. - All authentication must use Microsoft Entra ID. - You need to be able to rotate credentials for each application without impacting other applications. - The solution must support automatic credential rotation for service principals. What should you do?

A.Use managed identities for each Azure resource and assign permissions to the database.
B.Create a single Microsoft Entra ID service principal for all applications and assign different database roles.
C.Create SQL logins and users for each application with strong passwords, and configure password rotation policies.
D.Create a Microsoft Entra ID service principal for each application, store the client secret in Azure Key Vault, and create a contained database user mapped to each service principal.
AnswerD

This provides per-application identity, supports credential rotation, and uses Entra ID authentication.

Why this answer

Option D is correct because a separate service principal per application gives each application its own identity and its own credential; the client secret held in Azure Key Vault can be rotated (for example by Key Vault's expiry notifications driving a rotation workflow) without touching any other application, and the contained database user created FROM EXTERNAL PROVIDER carries that application's specific permissions. Option A is wrong because managed identities exist only for Azure-hosted resources and cannot cover applications running elsewhere, although where they are available they remove the secret altogether and need no rotation. Option B is wrong because a single service principal shared by all applications cannot give each application its own user and permissions, and rotating its secret affects every application at once.

Option C is wrong because SQL logins are not Microsoft Entra ID authentication.

16
Multi-Selecteasy

Which TWO are valid methods to connect to an Azure SQL Database without exposing a public endpoint?

Select 2 answers
A.Use Always Encrypted
B.Use a public endpoint with a firewall rule
C.Use a service endpoint
D.Use a site-to-site VPN gateway and connect to public endpoint
E.Use a private endpoint
AnswersC, E

Service endpoint secures traffic to Azure SQL from your VNet without a public IP.

Why this answer

Option C is correct in the answer key because a service endpoint extends the identity of your VNet subnet to Azure SQL Database over the Azure backbone and lets a virtual network rule on the logical server accept traffic only from that subnet. The caveat a practitioner should know: the traffic still arrives at the server's public IP and public DNS name; the public endpoint is not removed, only restricted by rule. Option E, a private endpoint, gives the server a private IP inside your VNet and, combined with 'Public network access' set to Disabled, actually removes the public path.

Exam trap

The trap here is that candidates confuse network-level access controls (firewall rules, VPNs) with endpoint exposure, mistakenly thinking that encrypting traffic or routing through a VPN eliminates the public endpoint's existence, when in fact the public DNS name and IP remain reachable from the internet.

17
Multi-Selecteasy

Which TWO of the following are required to enable Microsoft Defender for SQL for Azure SQL Database?

Select 2 answers
A.Configure a Log Analytics workspace.
B.Enable Azure SQL Database auditing.
C.Enable SQL Server Agent.
D.Configure an Azure Key Vault for storing encryption keys.
E.Enable Microsoft Defender for Cloud on the subscription.
AnswersA, E

Defender for SQL uses Log Analytics for data collection.

Why this answer

Option E is correct because Microsoft Defender for SQL is a Microsoft Defender for Cloud plan that is enabled at the subscription level (it can also be enabled per server). Option A is correct because the plan uses a Log Analytics workspace for data collection. Option D is wrong because Azure Key Vault is only needed for customer-managed encryption keys, not for Defender.

Option C is wrong because SQL Server Agent is not required and is not available in Azure SQL Database. Option B is wrong because Azure SQL auditing is a separate feature and is not a prerequisite for Defender for SQL.

18
MCQhard

Your Azure SQL Database is configured with Advanced Threat Protection (ATP). You receive an alert about a SQL injection attack. After investigation, you confirm the attack was blocked. However, you need to ensure that future similar attacks are automatically prevented without manual intervention. What should you configure?

A.Enable Transparent Data Encryption (TDE).
B.Run SQL Vulnerability Assessment weekly.
C.Enable Azure SQL Auditing to log all queries.
D.Configure the firewall to automatically block the attacker's IP address.
AnswerD

The firewall can be set to block IPs after a detected attack.

Why this answer

Option D is correct because configuring the Azure SQL Database firewall to automatically block the attacker's IP address provides a proactive, automated defense against future SQL injection attempts from the same source. Advanced Threat Protection (ATP) can be integrated with Azure Logic Apps or other automation to trigger a firewall rule update that denies traffic from the offending IP, thereby preventing manual intervention. This directly addresses the requirement for automatic prevention of similar attacks.

Exam trap

The trap here is that candidates often confuse detection and logging mechanisms (like auditing or vulnerability assessment) with active prevention controls, failing to recognize that only a firewall rule or network security group can automatically block an IP address without manual intervention.

How to eliminate wrong answers

Option A is wrong because Transparent Data Encryption (TDE) protects data at rest by encrypting the database files, but it does not prevent or block SQL injection attacks, which target the query layer. Option B is wrong because running SQL Vulnerability Assessment weekly identifies configuration weaknesses and missing patches, but it does not provide real-time or automated blocking of attack traffic. Option C is wrong because enabling Azure SQL Auditing logs all queries for forensic analysis and compliance, but it does not actively block or prevent future attacks; it only records them after the fact.

19
MCQmedium

You need to audit all schema changes (DDL) on an Azure SQL Database for compliance. The audit logs must be retained for 7 years. What should you do?

A.Enable auditing on the database, log to a storage account, and set the retention policy to 7 years.
B.Create an extended events session to capture DDL events and save to a file.
C.Enable change tracking on the database and query the change tracking tables.
D.Enable SQL Server Audit at the server level and specify a file destination.
AnswerA

Auditing captures DDL events (SCHEMA_OBJECT_CHANGE_GROUP), and storage-account retention can be set to as many as 3285 days, about 9 years, which covers the 7-year requirement.

Why this answer

Option A is correct because Azure SQL Database auditing writes DDL events (the SCHEMA_OBJECT_CHANGE_GROUP action group) to a storage account, and the retention period is set on the audit configuration. Option D is wrong because SQL Server Audit with a file destination is available only in SQL Server on-premises or on a VM, not in Azure SQL Database. Option B is wrong because extended events in Azure SQL Database are a troubleshooting tool; there is no local file target, and a session's ring buffer or blob target is not a long-term compliance store.

Option C is wrong because change tracking records data changes in rows, not schema changes.

20
Multi-Select · hard

You are configuring a new Azure SQL Database for a multi-tenant SaaS application. You need to ensure that each tenant can only access their own rows. Which THREE features can be used to achieve this?

Select 3 answers
A. Always Encrypted with deterministic encryption.
B. Row-Level Security (RLS) with a predicate function.
C. Application logic that filters queries by tenant ID.
D. Dynamic Data Masking for the tenant ID column.
E. A view that includes a WHERE clause filtering by tenant ID.
Answers: B, C, E

RLS filters rows based on the user's context.

Why this answer

Row-Level Security (RLS) allows you to control access to rows in a database table based on the characteristics of the user executing a query. By creating a security policy with a predicate function that filters rows by tenant ID (e.g., using SESSION_CONTEXT or USER_NAME()), you can ensure each tenant only sees their own data without changing the application's query logic.

Exam trap

The trap here is that candidates often confuse data masking (which only hides column values) with row-level access control, or assume that encryption alone can enforce row filtering, when in fact RLS, application logic, or views with WHERE clauses are the correct mechanisms for multi-tenant row isolation.
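As an added illustration (not part of the question bank), the RLS pattern described above in T-SQL for Azure SQL Database: a predicate function keyed on SESSION_CONTEXT and a security policy with both FILTER and BLOCK predicates. The Orders table, the Security schema and the tenant value 42 are assumptions.

```sql
-- Added example, not from the question bank. Table, schema and tenant
-- value are assumed for illustration.
CREATE SCHEMA Security;
GO
CREATE TABLE dbo.Orders (
    OrderId  INT IDENTITY PRIMARY KEY,
    TenantId INT NOT NULL,
    Amount   DECIMAL(10, 2) NOT NULL
);
GO
-- Predicate: a row is visible only when its TenantId equals the value the
-- application stored in SESSION_CONTEXT after opening the connection.
-- If the key was never set, CAST(NULL) makes the comparison false and the
-- session sees no rows at all (fail closed).
CREATE FUNCTION Security.fn_TenantPredicate(@TenantId INT)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @TenantId = CAST(SESSION_CONTEXT(N'TenantId') AS INT);
GO
-- FILTER hides other tenants' rows from SELECT, UPDATE and DELETE;
-- BLOCK rejects INSERT/UPDATE that would write a row into another tenant.
CREATE SECURITY POLICY Security.TenantPolicy
    ADD FILTER PREDICATE Security.fn_TenantPredicate(TenantId) ON dbo.Orders,
    ADD BLOCK  PREDICATE Security.fn_TenantPredicate(TenantId) ON dbo.Orders
    WITH (STATE = ON);
GO
-- Application side, once per connection: set the tenant and mark the key
-- read-only so nothing later in the same session can switch tenants.
EXEC sp_set_session_context @key = N'TenantId', @value = 42, @read_only = 1;
-- Only tenant 42's rows come back; an INSERT with TenantId = 7 is refused.
SELECT OrderId, Amount FROM dbo.Orders;
```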

21
MCQ · medium

Your company uses Azure SQL Database for a customer-facing application. You need to ensure that only the application can access the database, and that access is restricted to specific IP ranges. The application runs on Azure App Service with a dynamic outbound IP address. What should you do?

A. Configure a VNet integration for the App Service and set the SQL firewall to allow the VNet subnet.
B. Migrate the database to Azure SQL Managed Instance and use a service endpoint.
C. Create a private endpoint for the SQL Database and connect App Service to it via VNet peering.
D. Add a firewall rule for the App Service's outbound IP address range.
Answer: D

This allows App Service to connect even with dynamic IPs, as the range is known.

Why this answer

Option D is correct because the application runs on Azure App Service with a dynamic outbound IP address, and the requirement is to restrict access to specific IP ranges. By adding a firewall rule for the App Service's outbound IP address range (which can be found in the App Service properties or via the `WEBSITE_OUTBOUND_IP_ADDRESSES` app setting), you allow the application to connect to Azure SQL Database while blocking other traffic. This approach directly addresses the dynamic IP challenge without requiring VNet integration or private endpoints.

Exam trap

The trap here is that candidates often assume VNet integration or private endpoints are always required for secure access, but the question explicitly states the application uses a dynamic outbound IP address, making a firewall rule for the IP range the most straightforward solution that meets the requirement of restricting access to specific IP ranges.

How to eliminate wrong answers

Option A is wrong because VNet integration for App Service does not automatically allow SQL firewall access; you would still need to configure a VNet service endpoint or private endpoint for SQL Database, and the question specifically requires IP-based restriction, not VNet-based. Option B is wrong because migrating to Azure SQL Managed Instance is unnecessary and does not solve the dynamic IP issue; service endpoints still require VNet integration and do not directly address IP-based firewall rules. Option C is wrong because a private endpoint for SQL Database requires the App Service to be in the same VNet or connected via VNet peering, but App Service with dynamic outbound IPs cannot directly use a private endpoint without VNet integration, and the question explicitly states the application uses dynamic outbound IPs, not a static VNet.

22
MCQ · medium

Your company uses Azure SQL Database. You need to ensure that all connections to the database use TLS 1.2 or higher. Currently, some client applications are connecting using TLS 1.0. What should you do?

A. Configure the server firewall to block non-TLS traffic.
B. Set the 'Minimum TLS version' property of the logical server to 1.2.
C. Set the 'tls_version' database parameter to 1.2 in the master database.
D. Update the client applications to only use TLS 1.2.
Answer: B

Correct: This enforces TLS 1.2 for all connections.

Why this answer

Option B is correct because setting the 'Minimum TLS version' property of the Azure SQL logical server to 1.2 enforces that all incoming connections must use TLS 1.2 or higher. This server-level setting overrides any client-side configuration, blocking connections that attempt to use TLS 1.0 or 1.1. It is the simplest and most effective way to enforce the minimum TLS version across all client applications without requiring changes to each client.

Exam trap

The trap here is that candidates may think updating client applications (Option D) is sufficient, but the exam tests the understanding that server-side enforcement is required to guarantee compliance across all clients, especially when you cannot control or update every client application.

How to eliminate wrong answers

Option A is wrong because the server firewall controls IP-based access, not TLS protocol version enforcement; blocking non-TLS traffic does not prevent clients from connecting with TLS 1.0. Option C is wrong because Azure SQL Database does not expose a 'tls_version' database parameter in the master database; TLS version is controlled at the logical server level, not through database-scoped configuration. Option D is wrong because while updating client applications to use TLS 1.2 is a valid approach, it is not a server-side enforcement mechanism and does not guarantee that all clients will comply; the question asks what you should do to ensure all connections use TLS 1.2 or higher, which requires server-side enforcement.

23
MCQ · hard

You are the database administrator for a healthcare company that uses Azure SQL Database to store patient records. The database is named PatientDB. The security team mandates that all database access must be audited, and any suspicious activity must be alerted in real-time. Additionally, compliance requires that all data at rest be encrypted using a customer-managed key stored in Azure Key Vault. You have configured the following:

- TDE with customer-managed key in AKV (key vault name: KV-Health, key name: PatientKey)
- Azure SQL Auditing enabled, writing logs to a storage account (StorageAcctLogs)
- Advanced Threat Protection (ATP) enabled with alerts sent to the security team's email
- Firewall rules allowing only the application server's public IP (203.0.113.50)

A week later, the security team reports that they received an ATP alert about a potential SQL injection attack from IP 198.51.100.25. However, when they check the audit logs, they find no entries from that IP. They also notice that the database remains accessible. The security team wants to know why the audit logs do not contain the suspicious IP even though ATP detected it. What is the most likely reason?

A. The storage account for audit logs is not accessible, so logs are not being written.
B. The firewall rule allowing only the application server's IP is misconfigured, allowing the attacker's IP.
C. The firewall rule blocks connections from the attacker's IP, so no audit log entries are generated because the connection never reaches the database.
D. The TDE configuration with customer-managed key is interfering with auditing.
Answer: C

ATP can detect blocked attempts via network telemetry, but audit logs only record successful connections.

Why this answer

Option C is correct because Advanced Threat Protection (ATP) can detect suspicious activity at the network level before the connection is fully established, while Azure SQL Auditing only logs events after a connection is accepted and authenticated. Since the firewall rule blocks connections from IP 198.51.100.25, the attacker's IP never reaches the database engine, so no audit log entries are generated for that IP. ATP alerts can be triggered by network-level patterns (e.g., SQL injection signatures) even when the connection is denied by the firewall, explaining the discrepancy.

Exam trap

The trap here is that candidates assume ATP and auditing share the same logging scope, but ATP can alert on blocked connections at the network layer, while auditing only logs successful or failed authentication attempts after the firewall allows the connection.

How to eliminate wrong answers

Option A is wrong because if the storage account were inaccessible, audit logs would fail to write, but the security team would likely see errors or missing logs for all IPs, not just the attacker's IP; the question states logs exist for other IPs (e.g., the application server). Option B is wrong because the firewall rule is correctly configured to allow only 203.0.113.50, and the attacker's IP 198.51.100.25 is explicitly blocked; the database remains accessible only to the allowed IP, not to the attacker. Option D is wrong because TDE with customer-managed key in Azure Key Vault encrypts data at rest and does not interfere with auditing or network-level logging; auditing operates independently of TDE.

24
MCQ · hard

Refer to the exhibit. You are deploying an Azure SQL Database audit policy using an ARM template. What is the MOST significant security concern with the configuration shown?

A. Enabling Azure Monitor target could allow unauthorized access to logs
B. The storage account access key is exposed in the template
C. Retention of 90 days may be too short for compliance
D. Including successful authentication events may expose sensitive login activity
Answer: B

Hardcoding keys is insecure; use a managed identity or Key Vault reference.

Why this answer

The ARM template exposes the storage account access key in plaintext as a parameter value. This is a critical security concern because anyone with access to the template (e.g., in source control or deployment logs) can retrieve the key and gain unrestricted access to the storage account, including reading, modifying, or deleting audit logs. Azure SQL Database audit policies should use managed identities or Azure AD authentication to avoid embedding secrets.

Exam trap

The trap here is that candidates may focus on audit event types or retention periods as security concerns, but the real risk is the plaintext storage account key in the template, which is a classic secret exposure vulnerability.

How to eliminate wrong answers

Option A is wrong because enabling Azure Monitor target does not inherently allow unauthorized access; access is controlled by Azure RBAC and the Log Analytics workspace permissions, not by the audit policy configuration itself. Option C is wrong because retention of 90 days is a common compliance requirement (e.g., HIPAA, PCI DSS) and is not inherently a security concern; the question asks for the most significant security concern, not a compliance or operational one. Option D is wrong because including successful authentication events is a standard audit practice for security monitoring and does not expose sensitive login activity in a way that violates security; the concern is about the storage key exposure, not the event types.

25
MCQ · easy

You are a database administrator for an Azure SQL Managed Instance. You need to ensure that all connections to the instance use encrypted connections. What should you configure?

A. Set the 'Force Encryption' option to Yes on the server properties.
B. Enable Transparent Data Encryption (TDE).
C. Enable Always Encrypted for sensitive columns.
D. Configure a firewall rule to allow only specific IP addresses.
Answer: A

This enforces encrypted connections.

Why this answer

Option A is correct because setting 'Force Encryption' to Yes on the Azure SQL Managed Instance server properties enforces the use of TLS (Transport Layer Security) for all client connections. This configuration ensures that any client attempting to connect without encryption will be rejected, thereby meeting the requirement that all connections use encrypted connections. The setting is applied at the instance level and overrides client-side encryption preferences.

Exam trap

The trap here is that candidates often confuse encryption in transit (Force Encryption) with encryption at rest (TDE) or column-level encryption (Always Encrypted), leading them to select a security feature that does not address the specific requirement of encrypting all connections.

How to eliminate wrong answers

Option B is wrong because Transparent Data Encryption (TDE) encrypts data at rest (the database files on disk), not data in transit between the client and the server; it does not enforce encrypted connections. Option C is wrong because Always Encrypted protects sensitive columns by encrypting data at the client side and keeping the encryption keys from the database engine, but it does not enforce encryption for the entire connection or for all data transmitted. Option D is wrong because configuring a firewall rule to allow only specific IP addresses controls network access based on source IP, but it does not enforce encryption on the connections that are allowed through.

26
MCQ · hard

Your company uses Azure SQL Database with Microsoft Defender for Cloud. You receive an alert indicating a potential SQL injection attack. The alert shows that the attack originated from the IP address of your company's VPN gateway. You have verified that no legitimate users are using the VPN at that time. What should you do to immediately stop the attack while preserving legitimate access?

A. Disable the public endpoint on the SQL Database
B. Change the SQL Database server admin password
C. Remove the firewall rule that allows the VPN gateway IP address
D. Add the attacker's IP address to a block list in Microsoft Defender for Cloud
Answer: C

This will block the attacker while allowing other legitimate IPs.

Why this answer

Option C is correct because the attack is originating from the VPN gateway's IP address, and the firewall rule allowing that IP is the only entry point for the attacker. By removing that specific firewall rule, you immediately block the malicious traffic while preserving legitimate access through other firewall rules (e.g., for on-premises or other VPN ranges). This directly stops the SQL injection attack at the network layer without affecting other users or services.

Exam trap

The trap here is that candidates may think changing the admin password or disabling the public endpoint is the fastest fix, but the question specifically asks to 'immediately stop the attack while preserving legitimate access,' which requires a targeted network-level block rather than a broad or authentication-based change.

How to eliminate wrong answers

Option A is wrong because disabling the public endpoint would block all external access to the database, including legitimate users who rely on the public endpoint (e.g., via other IPs or Azure services), which is an overly broad and disruptive action. Option B is wrong because changing the server admin password does not stop an ongoing SQL injection attack that exploits application-layer vulnerabilities; the attacker is already authenticated or bypassing authentication via injection, so a password change is ineffective. Option D is wrong because Microsoft Defender for Cloud does not support adding IP addresses to a block list; it provides alerts and recommendations but relies on Azure Firewall, NSGs, or SQL firewall rules for actual blocking, and the alert's IP is the VPN gateway (not the attacker's true IP), so blocking it would also block legitimate VPN users.

27
MCQ · hard

Your Azure SQL Database is configured with a failover group across two regions. You need to ensure that client connections automatically redirect to the secondary region during a regional outage, without changing the connection string. What should you implement?

A. Enable read scale-out and configure application retry logic.
B. Deploy Azure Traffic Manager in front of the SQL Database and configure failover routing.
C. Configure the failover group with a listener endpoint and use that in the connection string.
D. Use private endpoints in both regions and configure DNS with a CNAME record.
Answer: C

The listener endpoint automatically points to the current primary, enabling transparent failover.

Why this answer

Option B is correct because the failover group listener provides a read-write listener endpoint that automatically redirects to the new primary after failover. Option A is wrong because private endpoints do not provide automatic redirection. Option C is wrong because read scale-out is for read-only traffic.

Option D is wrong because traffic manager works at DNS level but adds complexity; failover group listener is the built-in solution.

28
Multi-Select · medium

Your company wants to implement transparent data encryption (TDE) for an Azure SQL Database using a customer-managed key stored in Azure Key Vault. Which TWO prerequisites must be met? (Choose two.)

Select 2 answers
A. The Azure SQL Server must have a system-assigned managed identity.
B. The Key Vault must have an access policy granting necessary permissions to the SQL Server identity.
C. The database must contain a column master key.
D. The Key Vault must be in a different region than the SQL Server.
E. The database must be taken offline during key configuration.
Answers: A, B

Managed identity is used to authenticate to Key Vault.

Why this answer

Option A is correct because Azure SQL Database uses the server's system-assigned managed identity to authenticate to Azure Key Vault when accessing the customer-managed key for TDE. Without this identity, the SQL Server cannot prove its identity to Key Vault to retrieve the key. Option B is correct because the Key Vault must have an access policy that grants the SQL Server's managed identity the 'get', 'wrapKey', and 'unwrapKey' permissions, which are required for TDE operations.

Exam trap

The trap here is that candidates often confuse TDE prerequisites with Always Encrypted prerequisites, mistakenly thinking a column master key (Option C) is needed, or they assume the database must be offline (Option E) for key configuration, which is not the case for TDE.

29
MCQ · hard

Your organization uses Azure SQL Database and wants to implement a defense-in-depth strategy. You have already enabled Transparent Data Encryption (TDE) and firewall rules. You need to add an additional layer of security that protects against unauthorized access to the physical storage files (e.g., if someone gains access to the storage account). What should you enable?

A. Infrastructure encryption (double encryption) using platform-managed keys
B. Dynamic Data Masking
C. Microsoft Defender for SQL
D. Always Encrypted with secure enclaves
Answer: A

Adds a second layer of encryption at the storage infrastructure level.

Why this answer

Infrastructure encryption (double encryption) using platform-managed keys adds a second layer of encryption at the storage infrastructure level, below the TDE layer. This protects data at rest even if the physical storage files (e.g., Azure Storage blobs) are accessed directly, because the storage infrastructure itself is encrypted with a separate, platform-managed key. This fulfills the defense-in-depth requirement for protecting against unauthorized access to physical storage.

Exam trap

The trap here is that candidates often confuse TDE with infrastructure encryption, assuming TDE alone protects against physical storage access, but TDE only encrypts database pages, not the underlying storage infrastructure, which is why double encryption is needed for defense-in-depth.

How to eliminate wrong answers

Option B is wrong because Dynamic Data Masking only obfuscates data in query results for non-privileged users; it does not encrypt data at rest or protect physical storage files. Option C is wrong because Microsoft Defender for SQL provides threat detection and vulnerability assessments, not encryption of data at rest or physical storage protection. Option D is wrong because Always Encrypted with secure enclaves protects data in use and in transit by encrypting columns with client-held keys, but it does not encrypt the underlying storage files or protect against physical storage access.

30
MCQ · medium

Your organization has a regulatory requirement to audit all data modifications in an Azure SQL Database. You enable Azure SQL Database auditing and configure it to send logs to a Log Analytics workspace. However, you notice that DELETE operations on a specific table are not being audited. What is the most likely cause?

A. The diagnostic settings for the database are misconfigured
B. The audit action group does not include 'DATABASE_OPERATION_GROUP'
C. Audit logs are being written to a storage account instead of Log Analytics
D. The table has been configured to ignore auditing for read operations
Answer: B

Data modification auditing requires appropriate action groups.

Why this answer

Azure SQL Database auditing uses audit action groups to define which operations are logged. By default, the audit policy includes 'SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP', 'FAILED_DATABASE_AUTHENTICATION_GROUP', and 'BATCH_COMPLETED_GROUP', but 'DATABASE_OPERATION_GROUP' is required to capture DDL and DML operations like DELETE. If this group is not explicitly added to the audit specification, DELETE operations on specific tables will not be recorded, even though general auditing is enabled.

Exam trap

The trap here is that candidates often confuse the destination of audit logs (diagnostic settings) with the scope of audited actions (audit action groups), leading them to incorrectly blame misconfigured diagnostic settings or the log destination for missing DELETE operations.

How to eliminate wrong answers

Option A is wrong because diagnostic settings control the destination of logs (e.g., Log Analytics, storage, Event Hubs), not which operations are audited; misconfiguration there would affect log delivery, not the scope of audited actions. Option C is wrong because the destination of audit logs (storage account vs. Log Analytics) does not change which operations are audited; the audit action groups determine what is captured, regardless of where logs are sent.

Option D is wrong because Azure SQL Database does not support table-level configuration to ignore auditing for read operations; auditing is applied at the database level via action groups, and DELETE is a write operation, not a read operation.

31
MCQ · easy

You need to ensure that all connections to an Azure SQL Database are encrypted. Which setting should you enforce?

A. Configure firewall rules to allow only specific IP addresses.
B. Set 'Force encryption' to 'Yes' on the server.
C. Enable Transparent Data Encryption (TDE).
D. Enable SQL Auditing.
Answer: B

This setting enforces encrypted connections to the database.

Why this answer

Option B is correct because setting 'Force encryption' to 'Yes' on the Azure SQL Database server enforces TLS encryption for all client connections. This setting ensures that any client connecting to the database must use an encrypted connection, rejecting any unencrypted attempts. It is the direct mechanism to mandate encryption in transit, as opposed to encryption at rest or auditing.

Exam trap

The trap here is confusing encryption in transit (TLS/SSL) with encryption at rest (TDE), leading candidates to select TDE when the question specifically asks about securing connections.

How to eliminate wrong answers

Option A is wrong because configuring firewall rules to allow only specific IP addresses controls network access but does not enforce encryption of the connection itself. Option C is wrong because Transparent Data Encryption (TDE) encrypts data at rest on disk, not data in transit between the client and the database. Option D is wrong because SQL Auditing logs database events for compliance and monitoring, but it does not enforce or require encrypted connections.

32
Multi-Select · hard

You need to ensure that all queries accessing a specific column containing credit card numbers are encrypted both at rest and in transit between the application and Azure SQL Database. Which THREE technologies should you implement? (Choose three.)

Select 3 answers
A. Enforce TLS 1.2 or higher for client connections
B. Always Encrypted with column encryption key stored in Azure Key Vault
C. Transparent Data Encryption (TDE)
D. Row-Level Security
E. Dynamic Data Masking
Answers: A, B, C

TLS encrypts data in transit between application and database.

Why this answer

Option A is correct because enforcing TLS 1.2 or higher for client connections encrypts data in transit between the application and Azure SQL Database. TLS ensures that all queries and their results, including the credit card column, are protected from interception during network transmission.

Exam trap

The trap here is that candidates often confuse Dynamic Data Masking or Row-Level Security with encryption, but neither provides actual encryption of data at rest or in transit, which is explicitly required by the question.

33
MCQ · medium

You manage an Azure SQL Database named SalesDB that is used by a sales application. The application connects using a SQL login named 'sales_user' with a password. Recently, the security team discovered that 'sales_user' has been compromised. They have reset the password in Azure SQL Database. However, the application continues to connect successfully using the old credentials. You suspect the application might be caching the password. The security team wants to immediately revoke access for the compromised login and ensure that only a new login with a complex password is used. You also want to minimize downtime. What should you do first?

A. Revoke the CONNECT permission from 'sales_user' using REVOKE CONNECT FROM sales_user; then create a new login and update the application connection string.
B. Change the password again and ensure the application is restarted to clear the cache.
C. Enable auditing to monitor future logins and leave the login as is.
D. Drop the 'sales_user' login using DROP LOGIN sales_user; then create a new login and update the application.
Answer: A

Revoking CONNECT immediately blocks the login without deleting it, allowing time to update.

Why this answer

Option A is correct because immediately revoking the CONNECT permission from the compromised login 'sales_user' terminates any existing active sessions and prevents new connections using the old credentials, without deleting the login object. This allows you to create a new login with a complex password and update the application connection string with minimal downtime, as the database and other server-level objects remain intact.

Exam trap

The trap here is that candidates often assume dropping the login (Option D) is the most secure and immediate action, but they overlook that revoking CONNECT permission achieves the same security goal with less risk of breaking dependent objects and allows for a smoother transition to a new login.

How to eliminate wrong answers

Option B is wrong because simply changing the password again does not invalidate already established connections; the application may still be using a cached connection pool with the old password, and restarting the application does not guarantee that all cached credentials are cleared at the SQL Server level. Option C is wrong because enabling auditing only logs login attempts but does not revoke access; the compromised login would still be able to connect. Option D is wrong because dropping the login immediately terminates all active connections and removes the server-level principal, which could cause longer downtime if the application connection string is not updated simultaneously, and it also removes any associated permissions that might need to be recreated.
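An added T-SQL walk-through of the containment sequence in Option A (not from the question bank): revoke CONNECT on the compromised principal, end sessions still using the old credentials, then stand up the replacement login. The replacement name sales_app_v2, the role memberships and the password placeholder are assumptions; the comments say which database each step runs against, since Azure SQL Database has no USE statement.

```sql
-- Added example, not from the question bank. Everything except sales_user
-- and SalesDB (the new login name, roles, password) is assumed.

-- Step 1 (run against SalesDB): block new sessions from the compromised
-- principal without dropping the user or any objects it owns.
REVOKE CONNECT FROM [sales_user];
GO
-- Step 2 (run against SalesDB as the server admin): end any sessions the
-- application's cached credentials still hold, so the pool cannot keep
-- reusing them. Your own session is excluded.
DECLARE @kill NVARCHAR(MAX) = N'';
SELECT @kill += N'KILL ' + CAST(session_id AS NVARCHAR(10)) + N';'
FROM sys.dm_exec_sessions
WHERE login_name = N'sales_user' AND session_id <> @@SPID;
EXEC sys.sp_executesql @kill;
GO
-- Step 3 (run against master, where logins live in Azure SQL Database):
-- create the replacement login. The password is a placeholder; generate a
-- long random secret and store it in a secret store, not in scripts.
CREATE LOGIN [sales_app_v2] WITH PASSWORD = '<placeholder-long-random-password>';
GO
-- Step 4 (run against SalesDB): map a user to the new login and grant only
-- what the application needs (db_datareader/db_datawriter assumed here).
CREATE USER [sales_app_v2] FOR LOGIN [sales_app_v2];
ALTER ROLE db_datareader ADD MEMBER [sales_app_v2];
ALTER ROLE db_datawriter ADD MEMBER [sales_app_v2];
GO
-- Step 5: point the application connection string at sales_app_v2, confirm
-- in the audit logs that sales_user no longer connects, and only then
-- DROP USER [sales_user] in SalesDB and DROP LOGIN [sales_user] in master.
```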

34
MCQ · medium

What does this query return?

A. All security audit events for the database.
B. Failed login events at the server level.
C. Failed login attempts to the database, including client IP and application name.
D. Successful login events with client IP and application name.
Answer: C

LGIF indicates login failure; the query returns the specified fields for those events.

Why this answer

The query returns failed login attempts to the database, including client IP and application name. This is because the query filters for events where `action_id` = 'LGIF' (login failed) and `state` = 'ABORT' (indicating the login was aborted), and selects the `client_ip` and `application_name` columns from the `sys.dm_exec_sessions` DMV joined with `sys.dm_exec_connections` to capture client connection details. The `state` = 'ABORT' specifically identifies failed attempts, not successful logins or server-level events.

Exam trap

The trap here is that candidates confuse the `state` = 'ABORT' filter with a general session state indicator, assuming it means the session was aborted for any reason (e.g., user disconnect), rather than recognizing it specifically denotes a failed login attempt in the context of `action_id` = 'LGIF'.

How to eliminate wrong answers

Option A is wrong because the query specifically filters for login failures (`action_id` = 'LGIF' and `state` = 'ABORT'), not all security audit events, which would include a broader set of actions like DDL changes, permission changes, or successful logins. Option B is wrong because the query uses `sys.dm_exec_sessions` and `sys.dm_exec_connections`, which are database-level DMVs that capture session and connection information for the current database context, not server-level login events (which would require server-scoped views like `sys.dm_exec_sessions` at the server level or the `sys.server_principals` catalog view). Option D is wrong because the query filters for `state` = 'ABORT', which indicates a failed login, not a successful one; successful logins would have a different `state` value (e.g., 'CONNECTED' or no abort state).

35
Matching · medium

Match each Azure SQL Database migration tool to its description.


Managed service for online and offline migrations

Tool for migrating from other database platforms to SQL Server

Assesses compatibility and recommends improvements

Cross-platform tool for managing and migrating databases

Why these pairings

These tools facilitate migration to Azure SQL Database.

36
MCQ · easy

Your Azure SQL Managed Instance stores sensitive healthcare data. You need to restrict access to the database from public networks while allowing a specific on-premises application to connect. The on-premises network has a static public IP address. What is the most secure way to configure connectivity?

A. Enable the public endpoint without any firewall rules
B. Enable the public endpoint and create a firewall rule allowing only the on-premises static IP address
C. Configure a service endpoint on the VNet where the Managed Instance is deployed
D. Disable the public endpoint and configure a point-to-site VPN for the on-premises application
Answer: B

This allows secure access from the specific on-premises IP while blocking all other public traffic.

Why this answer

Enabling the public endpoint with a firewall rule that restricts access to only the on-premises static IP address is the most secure way to allow a specific external application to connect while blocking all other public traffic. This approach leverages Azure SQL Managed Instance's built-in public endpoint firewall, which evaluates source IP addresses against configured rules before allowing connections, ensuring that only the trusted on-premises application can reach the sensitive healthcare data.

Exam trap

The trap here is that candidates often confuse Azure SQL Managed Instance's public endpoint firewall with Azure SQL Database's firewall, or incorrectly assume that service endpoints or VPNs are always more secure than a simple IP-based firewall rule, when in fact a properly configured firewall rule with a static IP is the most secure and efficient solution for this specific scenario.

How to eliminate wrong answers

Option A is wrong because enabling the public endpoint without any firewall rules would allow any public IP address to attempt connections, exposing the sensitive healthcare data to the entire internet and violating security best practices. Option C is wrong because service endpoints are used to secure Azure service resources to a virtual network, but Azure SQL Managed Instance is always deployed inside a VNet and does not support service endpoints for public access; service endpoints are for PaaS services like Azure SQL Database, not Managed Instance. Option D is wrong because disabling the public endpoint and configuring a point-to-site VPN would require the on-premises application to establish a VPN connection, which adds complexity and latency, and is less secure than a simple firewall rule when the on-premises network has a static public IP; the question asks for the most secure way to configure connectivity, and a firewall rule with a specific IP is more straightforward and equally secure for this scenario.

37
MCQ · easy

You are configuring Azure SQL Database firewall rules. You need to allow a team of developers to connect from their office IP range (192.168.1.0/24) to a specific database. The developers should not be able to access other databases on the same logical server. What should you do?

A. Create a private endpoint for the database.
B. Add a server-level firewall rule for the IP range 192.168.1.0/24.
C. Add a database-level firewall rule for the IP range 192.168.1.0/24.
D. Configure a virtual network service endpoint for the server.
Answer: C

Database-level rules restrict access to the specific database.

Why this answer

Database-level firewall rules in Azure SQL Database allow you to restrict access to a specific database on a logical server, rather than the entire server. By adding a rule for the IP range 192.168.1.0/24 at the database level, the developers can connect only to that database, and they will be blocked from accessing other databases on the same server. This is the correct approach because server-level rules would grant access to all databases, which violates the requirement.

Exam trap

The trap here is that candidates often assume server-level firewall rules are sufficient for all scenarios, but the DP-300 exam tests the distinction that database-level rules are required when you need to restrict access to a specific database on a logical server.

How to eliminate wrong answers

Option A is wrong because a private endpoint connects the database to a virtual network privately, but it does not restrict access to a specific database; it still requires firewall rules to control which clients can connect. Option B is wrong because a server-level firewall rule for the IP range would allow the developers to access all databases on the logical server, not just the specific one. Option D is wrong because a virtual network service endpoint integrates the server with a VNet but does not provide per-database access control; it still relies on server-level firewall rules and would allow access to all databases.

38
MCQ · hard

Your Azure SQL Database contains sensitive customer data. You need to implement column-level encryption so that only authorized users can read specific columns. The encryption must be managed by the application, not the database. What should you use?

A. Implement Always Encrypted with column master key stored in Azure Key Vault.
B. Use dynamic data masking to obfuscate the sensitive columns for unauthorized users.
C. Use Transparent Data Encryption (TDE) with customer-managed keys in Azure Key Vault.
D. Create a row-level security policy to restrict access to the sensitive rows.
Answer: A

Always Encrypted provides column-level encryption and ensures that the database never sees plaintext.

Why this answer

Always Encrypted is the correct choice because it ensures that sensitive data is encrypted at the column level and that the encryption keys are never revealed to the database engine. By storing the column master key in Azure Key Vault and using client-side encryption, the application manages the encryption and decryption process, so only authorized users with access to the key can read the plaintext data. This meets the requirement that encryption be managed by the application, not the database.

Exam trap

The trap here is that candidates often confuse dynamic data masking with encryption, or assume TDE provides column-level control, but the key differentiator is that Always Encrypted keeps encryption keys client-side, fulfilling the 'managed by the application' requirement.

How to eliminate wrong answers

Option B is wrong because dynamic data masking only obfuscates data at query time for unauthorized users but does not encrypt the data at rest or in transit, and the database still holds the plaintext values, so it does not meet the requirement for application-managed encryption. Option C is wrong because Transparent Data Encryption (TDE) encrypts the entire database at rest but does not provide column-level granularity, and the encryption is managed by the database engine, not the application. Option D is wrong because row-level security restricts access to rows based on predicates but does not encrypt the data, and it is managed by the database, not the application.

39
MCQ · medium

You are a database administrator for Azure SQL Managed Instance. You need to configure a custom time zone for the instance because the application uses a specific time zone. What should you do?

A. Deploy a virtual machine running SQL Server instead.
B. Set the time zone for each database using ALTER DATABASE.
C. Use ALTER INSTANCE SET TIMEZONE to set the desired time zone.
D. Configure the time zone in the Azure portal under the instance settings.
Answer: C

This is the correct command to change the time zone.

Why this answer

Azure SQL Managed Instance runs on top of a Windows operating system, and the time zone for the entire instance is controlled at the host level. The `ALTER INSTANCE SET TIMEZONE` command is the correct T-SQL method to change the time zone for the instance, which then applies to all databases within that instance. This command allows you to set a custom time zone that the application requires, without needing to deploy a separate VM or configure each database individually.

Exam trap

The trap here is that candidates might assume time zone is a database-level setting (like in some other database systems) or that it can be configured through the Azure portal, but Azure SQL Managed Instance requires the T-SQL command `ALTER INSTANCE SET TIMEZONE` because the time zone is tied to the underlying Windows OS hosting the instance.

How to eliminate wrong answers

Option A is wrong because deploying a virtual machine running SQL Server is unnecessary and does not leverage the managed service benefits of Azure SQL Managed Instance; the time zone can be changed directly on the managed instance. Option B is wrong because `ALTER DATABASE` does not have a clause to set the time zone; time zone is an instance-level property, not a database-level property. Option D is wrong because the time zone for Azure SQL Managed Instance is not configurable through the Azure portal; it must be set using the T-SQL command `ALTER INSTANCE SET TIMEZONE`.

40
MCQ · hard

Your organization is migrating a legacy on-premises SQL Server database to Azure SQL Managed Instance. The database contains sensitive financial data. You need to implement column-level encryption so that even database administrators cannot view the plaintext data. The encryption keys must be stored in Azure Key Vault, and the application must be able to encrypt and decrypt data transparently. The application currently uses Entity Framework Core and runs on Azure App Service. You have the following requirements:

- Use a solution that provides the strongest security by ensuring the database never has access to the plaintext.
- Minimize changes to the application code.
- The application must be able to perform equality searches on encrypted columns.

What should you implement?

A. Use Always Encrypted with secure enclaves and randomized encryption.
B. Use dynamic data masking to hide the data from unauthorized users.
C. Use Transparent Data Encryption (TDE) with customer-managed keys in Azure Key Vault.
D. Use Always Encrypted with deterministic encryption and store column master key in Azure Key Vault.
Answer: D

Deterministic encryption enables equality joins and lookups, and the database cannot decrypt the data.

Why this answer

Option D is correct because Always Encrypted with deterministic encryption allows equality searches and ensures the database never sees the plaintext. Client-side drivers handle encryption transparently, so application code changes are minimal.

How to eliminate wrong answers

Option A is wrong because secure enclaves require additional configuration and are not necessary for equality searches; randomized encryption does not support equality lookups. Option B is wrong because dynamic data masking does not encrypt data. Option C is wrong because TDE does not provide column-level encryption.

41
MCQ · easy

You need to ensure that all users accessing Azure SQL Database from outside the corporate network are required to use multi-factor authentication (MFA). What should you configure?

A. Enable Azure RBAC for the SQL server.
B. Configure a Conditional Access policy in Microsoft Entra ID.
C. Create an Azure Policy to require MFA.
D. Turn on Transparent Data Encryption (TDE).
Answer: B

Conditional Access policies can require MFA based on conditions like network location.

Why this answer

Conditional Access policies in Microsoft Entra ID (formerly Azure AD) allow you to enforce MFA based on network location, device state, or risk level. By configuring a policy that targets the Azure SQL Database application and requires MFA for all access from outside the corporate network, you meet the requirement without altering the database or server configuration.

Exam trap

The trap here is confusing Azure Policy (which governs resource configuration compliance) with Conditional Access (which governs user authentication and access conditions), leading candidates to choose Azure Policy when only Conditional Access can enforce MFA at the sign-in level.

How to eliminate wrong answers

Option A is wrong because Azure RBAC controls management-plane permissions (who can create, delete, or modify the SQL server), not data-plane authentication or MFA enforcement for user connections. Option C is wrong because Azure Policy enforces compliance rules on Azure resource configurations (e.g., requiring TDE or auditing), but it cannot enforce MFA at the authentication layer for database users. Option D is wrong because Transparent Data Encryption (TDE) encrypts data at rest, not in transit or during authentication, and has no effect on MFA requirements.

42
MCQ · easy

You need to audit all successful and failed login attempts on an Azure SQL Database. Which feature should you enable?

A. Microsoft Defender for SQL threat detection.
B. SQL Vulnerability Assessment.
C. Enable Microsoft Defender for Cloud's regulatory compliance dashboard.
D. SQL Server Audit with a server-level audit specification that includes SUCCESSFUL_LOGIN_GROUP and FAILED_LOGIN_GROUP.
Answer: D

These audit action groups capture all login attempts.

Why this answer

SQL Server Audit is the correct feature because it allows you to capture both successful and failed login attempts at the server level by defining a server audit specification that includes the SUCCESSFUL_LOGIN_GROUP and FAILED_LOGIN_GROUP audit action groups. These groups specifically log authentication events, which is exactly what is needed to audit all login attempts. Microsoft Defender for SQL, Vulnerability Assessment, and regulatory compliance dashboards do not provide granular login event auditing.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for SQL's threat detection (which does log some security events) with the dedicated, configurable SQL Server Audit feature that is required for explicit login auditing.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for SQL threat detection focuses on identifying anomalous database activities and potential threats, not on auditing individual login success or failure events. Option B is wrong because SQL Vulnerability Assessment is a tool for discovering, tracking, and remediating potential database vulnerabilities, not for capturing login audit logs. Option C is wrong because the regulatory compliance dashboard in Microsoft Defender for Cloud provides a view of compliance posture against standards like CIS or SOC 2, but does not itself generate or store login audit records.

43
MCQ · easy

You need to audit all successful and failed login attempts to an Azure SQL Database. Which feature should you enable?

A. Transparent Data Encryption (TDE)
B. SQL Vulnerability Assessment
C. Azure SQL Auditing
D. Diagnostic settings
Answer: C

Auditing can capture login events through the relevant SQL Server audit category.

Why this answer

Azure SQL Auditing is the correct feature because it tracks database events, including both successful and failed login attempts, and writes them to an audit log in your Azure Storage account, Log Analytics workspace, or Event Hubs. This meets the requirement to audit all authentication events for security and compliance purposes.

Exam trap

The trap here is that candidates often confuse Diagnostic settings (which capture metrics and resource logs) with Azure SQL Auditing (which captures detailed database event logs), leading them to select Option D instead of the correct feature for login auditing.

How to eliminate wrong answers

Option A is wrong because Transparent Data Encryption (TDE) performs real-time encryption of data at rest, not logging of login attempts. Option B is wrong because SQL Vulnerability Assessment scans for potential security misconfigurations and vulnerabilities, but does not capture login audit trails. Option D is wrong because Diagnostic settings capture platform-level metrics and resource logs (e.g., for the SQL server or database), but they do not provide the granular, event-level auditing of successful and failed logins that Azure SQL Auditing offers.

44
MCQ · easy

You need to prevent users from accidentally deleting an Azure SQL Database. What should you configure?

A. Apply a 'CanNotDelete' Azure Resource Lock on the resource group.
B. Revoke the db_ddladmin role from users.
C. Create an Azure Policy to deny SQL Database creation.
D. Set a deny rule in the SQL Database firewall.
Answer: A

Resource lock prevents deletion of Azure resources.

Why this answer

A 'CanNotDelete' Azure Resource Lock on the resource group prevents any user, including those with high-level permissions like Owner, from deleting the Azure SQL Database. This lock overrides all role-based access control (RBAC) permissions at the resource or resource group level, ensuring accidental deletion is blocked even if a user has delete permissions.

Exam trap

The trap here is that candidates confuse database-level permissions (like db_ddladmin) with Azure Resource Manager-level operations, mistakenly thinking that revoking schema modification rights will prevent database deletion, when in fact deletion is an ARM operation controlled by locks or RBAC at the subscription/resource group scope.

How to eliminate wrong answers

Option B is wrong because revoking the db_ddladmin role prevents users from modifying the database schema (e.g., creating or altering tables), but it does not prevent deletion of the database itself, which is an Azure Resource Manager (ARM) operation, not a SQL Server-level operation. Option C is wrong because creating an Azure Policy to deny SQL Database creation prevents new databases from being provisioned, but it does not protect an existing database from being deleted. Option D is wrong because setting a deny rule in the SQL Database firewall controls network access to the database (blocking IP addresses), but it has no effect on the ability to delete the database resource via ARM.

45
MCQ · hard

Refer to the exhibit. You are troubleshooting an Azure SQL Database auditing configuration. The exhibit shows the blob auditing policy. The storage account access key is null, and the subscription ID is all zeros. What is the most likely issue?

A. Auditing will fall back to Log Analytics workspace.
B. Auditing will work because managed identity is used.
C. Auditing will fail because the storage account access key is null.
D. Auditing will write to the storage account using the system-assigned managed identity.
Answer: C

Blob auditing requires a storage account key or a valid subscription ID with appropriate permissions; null key indicates misconfiguration.

Why this answer

The exhibit shows that the storage account access key is null, which means Azure SQL Database cannot authenticate to the storage account using the access key. Without a valid access key or a configured managed identity, blob auditing will fail because the database cannot write audit logs to the specified storage container. Option C is correct because a null access key directly prevents auditing from functioning when no alternative authentication method is configured.

Exam trap

The trap here is that candidates assume managed identity is automatically used when the access key is null, but in reality, managed identity must be explicitly configured and granted permissions, and the exhibit shows no such configuration.

How to eliminate wrong answers

Option A is wrong because auditing does not automatically fall back to Log Analytics workspace; the audit destination is explicitly set to storage, and if storage fails, auditing fails entirely unless a different destination is configured in the policy. Option B is wrong because managed identity is not automatically used; it must be explicitly enabled and assigned to the SQL Database, and the exhibit shows no indication of a managed identity being configured. Option D is wrong because writing to the storage account using a system-assigned managed identity requires that the managed identity be enabled and that the storage account grants appropriate RBAC permissions (e.g., Storage Blob Data Contributor) to that identity, which is not shown in the exhibit.

46
MCQ · hard

Your company is planning to migrate on-premises SQL Server databases to Azure SQL Managed Instance. The security team requires that all database connections be encrypted and that the server's identity be verified using a certificate from a trusted public certificate authority (CA). What should you configure?

A. Set the 'Force Encryption' property to True for the managed instance.
B. Install a custom CA-signed certificate on the managed instance.
C. Enable Transparent Data Encryption (TDE) with a server certificate.
D. Configure Always Encrypted with column master key in Key Vault.
Answer: A

This ensures encryption for all connections, and the server certificate is from a trusted CA.

Why this answer

Setting 'Force Encryption' to True on the managed instance enforces TLS encryption for all client connections and ensures the server presents a certificate from a trusted public CA to verify its identity. This meets both requirements: encryption of data in transit and server identity verification via a trusted certificate chain.

Exam trap

The trap here is that candidates confuse encryption in transit (Force Encryption/TLS) with encryption at rest (TDE) or column-level encryption (Always Encrypted), and mistakenly think a custom CA certificate is needed when Azure SQL Managed Instance already uses a trusted public CA certificate by default.

How to eliminate wrong answers

Option B is wrong because Azure SQL Managed Instance automatically provisions a certificate from a trusted public CA (Microsoft's CA) for TLS connections; installing a custom CA-signed certificate is not supported and would not replace the built-in certificate. Option C is wrong because Transparent Data Encryption (TDE) encrypts data at rest, not in transit, and does not address connection encryption or server identity verification. Option D is wrong because Always Encrypted protects sensitive data at the column level with client-side encryption and a column master key in Key Vault, but it does not enforce encryption for all database connections or verify the server's identity via a public CA certificate.

47
MCQ · easy

You have an Azure SQL Database that stores sensitive customer data. You need to ensure that the data is encrypted at rest using a customer-managed key stored in Azure Key Vault. What should you configure?

A. Configure dynamic data masking (DDM).
B. Implement row-level security (RLS) to restrict access.
C. Enable Transparent Data Encryption (TDE) with a customer-managed key from Azure Key Vault.
D. Enable Always Encrypted for the sensitive columns.
Answer: C

TDE encrypts the entire database at rest.

Why this answer

Transparent Data Encryption (TDE) with a customer-managed key stored in Azure Key Vault encrypts the database at rest, using a key that you control and rotate independently. This meets the requirement for encryption at rest with a customer-managed key, as TDE performs real-time I/O encryption and decryption of the data and log files without requiring application changes.

Exam trap

The trap here is that candidates often confuse Always Encrypted (which encrypts specific columns at the client side) with TDE (which encrypts the entire database at rest), and they may choose Always Encrypted because it also uses Azure Key Vault, but it does not meet the 'encryption at rest for the entire database' requirement.

How to eliminate wrong answers

Option A is wrong because Dynamic Data Masking (DDM) obfuscates data in query results to unauthorized users but does not encrypt data at rest; it is a presentation-layer control. Option B is wrong because Row-Level Security (RLS) restricts row access based on user context or predicates, but it does not provide encryption at rest. Option D is wrong because Always Encrypted encrypts sensitive columns on the client side, protecting data in transit and at rest, but it requires application changes and does not encrypt the entire database at rest; the question specifies encryption at rest for the entire database, not just specific columns.

48
MCQ · easy

Your company uses Azure SQL Database and wants to automatically detect and alert on potential SQL injection attacks. Which Azure service should you enable?

A. Azure SQL Auditing
B. SQL Vulnerability Assessment
C. Microsoft Defender for Cloud (formerly Azure Security Center) with Advanced Threat Protection for Azure SQL Database
D. Azure Policy
Answer: C

ATP detects SQL injection and other threats.

Why this answer

Microsoft Defender for Cloud with Advanced Threat Protection for Azure SQL Database is the correct choice because it specifically detects anomalous activities indicating SQL injection attempts, such as unusual SQL queries or patterns, and triggers security alerts. Azure SQL Auditing only logs database events for compliance and forensic analysis, not real-time threat detection. SQL Vulnerability Assessment identifies configuration weaknesses but does not monitor for active attacks. Azure Policy enforces compliance rules but lacks intrusion detection capabilities.

Exam trap

The trap here is that candidates confuse Azure SQL Auditing (logging) with threat detection, assuming that because auditing records events, it can also alert on attacks, but it lacks the real-time analysis and machine learning required for SQL injection detection.

How to eliminate wrong answers

Option A is wrong because Azure SQL Auditing captures and stores database event logs for auditing and compliance, but it does not analyze logs in real-time to detect or alert on SQL injection attacks. Option B is wrong because SQL Vulnerability Assessment scans for misconfigurations and missing patches, not for active malicious activity like SQL injection. Option D is wrong because Azure Policy enforces resource compliance rules (e.g., requiring TDE or firewall rules) but does not provide threat detection or alerting for database attacks.

49
Drag & Drop · medium

Drag and drop the steps to configure a failover group for an Azure SQL Database in the correct order.


Why this order

Failover groups require a secondary server, then creating the group, adding databases, configuring policy, and testing.

50
MCQ · medium

You are deploying Azure SQL Database for a multi-tenant application. Each tenant's data must be isolated. You need to ensure that tenants cannot access each other's data even if there is a SQL injection vulnerability. Which security feature should you implement?

A. Use Always Encrypted to encrypt sensitive columns.
B. Configure Azure SQL Database auditing to monitor cross-tenant access.
C. Enable Transparent Data Encryption (TDE) on the database.
D. Implement row-level security (RLS) with a security policy that filters rows by tenant ID.
Answer: D

RLS provides row-level isolation.

Why this answer

Row-level security (RLS) is the correct choice because it enforces data isolation at the database engine level by filtering rows based on a tenant ID predicate. Even if a SQL injection vulnerability allows an attacker to execute arbitrary queries, RLS ensures that only rows belonging to the attacker's tenant are returned, preventing cross-tenant data access. This is a defense-in-depth measure that works regardless of application-layer flaws.

Exam trap

The trap here is that candidates often confuse data-at-rest encryption (TDE or Always Encrypted) with access control, mistakenly believing encryption alone can prevent unauthorized row access during a SQL injection attack.

How to eliminate wrong answers

Option A is wrong because Always Encrypted protects data at rest and in transit by encrypting specific columns, but it does not control which rows a query can return; an attacker with a SQL injection could still retrieve all encrypted rows (though they would be ciphertext) or bypass the encryption if the injection occurs before decryption. Option B is wrong because auditing only logs database activity for compliance and monitoring; it does not prevent unauthorized access or block cross-tenant data retrieval in real time. Option C is wrong because Transparent Data Encryption (TDE) encrypts the entire database at rest but provides no row-level filtering or access control; an attacker exploiting SQL injection could still read all decrypted data once the database is in use.

51
MCQ · easy

You need to audit all failed login attempts to an Azure SQL Database. Which feature should you enable?

A. Azure SQL Advanced Threat Protection
B. Azure SQL Database Vulnerability Assessment
C. Azure SQL Auditing
D. Dynamic Data Masking
Answer: C

Auditing can log failed login attempts to a storage account, Log Analytics, or Event Hubs.

Why this answer

Azure SQL Auditing is the correct feature because it tracks database events, including failed login attempts, and writes them to an audit log in an Azure Storage account, Log Analytics workspace, or Event Hubs. This allows you to review and analyze authentication failures for security and compliance purposes. The audit logs capture the exact timestamp, source IP address, and the specific error message for each failed login, such as 'Login failed for user'.

Exam trap

The trap here is that candidates often confuse Azure SQL Auditing with Advanced Threat Protection, assuming that threat detection automatically logs all failed logins, but in reality, ATP only alerts on suspicious patterns and does not provide a comprehensive audit trail of every failed login attempt.

How to eliminate wrong answers

Option A is wrong because Azure SQL Advanced Threat Protection is a security intelligence service that detects anomalous activities like SQL injection or brute-force attacks, but it does not provide a configurable audit trail of all failed login attempts; it only alerts on suspicious patterns. Option B is wrong because Azure SQL Database Vulnerability Assessment is a scanning and reporting service that identifies potential database vulnerabilities and misconfigurations, but it does not log or audit individual login events. Option D is wrong because Dynamic Data Masking is a data protection feature that obfuscates sensitive data in query results for unauthorized users, and it has no capability to log or audit authentication failures.

52
MCQ · medium

Your company uses Azure SQL Managed Instance and requires that all connections from client applications use Microsoft Entra authentication with multi-factor authentication (MFA). You configure Azure SQL Managed Instance to support Microsoft Entra authentication and create a contained database user for the application. However, when the application attempts to connect, it receives error '18456, state 10' indicating that the login is not recognized. What is the most likely cause?

A. The contained database user is not mapped to a server-level login.
B. The client IP address is not allowed by the server-level firewall rule.
C. The application is using a SQL login instead of a Microsoft Entra token or integrated authentication.
D. The server principal (server admin) is not a Microsoft Entra account.
Answer: C

The application must use the Microsoft Entra authentication method; error 18456, state 10 indicates a SQL login attempt.

Why this answer

Error 18456, state 10 specifically indicates that the login was not recognized by SQL Server. Since the application is configured to use a contained database user with Microsoft Entra authentication, the most likely cause is that the application is attempting to connect using a SQL login (username/password) rather than presenting a Microsoft Entra access token or using integrated authentication. Contained database users require authentication through the Microsoft Entra ID token flow, not SQL Server authentication.

Exam trap

The trap here is that candidates often assume a contained database user must be mapped to a server-level login (Option A), but in Azure SQL Managed Instance, contained users are independent and authenticate directly via Microsoft Entra tokens, making the mapping misconception the primary distractor.

How to eliminate wrong answers

Option A is wrong because contained database users in Azure SQL Managed Instance are designed to exist without a server-level login mapping; they authenticate directly at the database level. Option B is wrong because the error '18456, state 10' is an authentication failure, not a connectivity or firewall issue; a firewall block would produce a different error (e.g., 18456, state 1 or a timeout). Option D is wrong because the server principal (server admin) being a Microsoft Entra account is not required for contained database users to authenticate; the server admin can be a SQL login, and contained users still work independently.

53
MCQ · medium

Your company is using Azure SQL Database with Microsoft Entra ID authentication. A developer needs to connect to the database using a service principal. What should you provide to the developer?

A. The connection string with 'Authentication=Active Directory Service Principal' and the service principal's object ID.
B. The service principal's client ID and client secret, and the connection string with 'Authentication=Active Directory Service Principal'.
C. The service principal's username and password.
D. The service principal's managed identity endpoint.
Answer: B

This is the standard way to connect using a service principal.

Why this answer

Option B is correct because to connect to Azure SQL Database using a service principal with Microsoft Entra ID authentication, the developer needs the service principal's client ID and client secret (or certificate) for authentication, and the connection string must include 'Authentication=Active Directory Service Principal' to specify the authentication method. This combination allows the application to obtain an access token from Microsoft Entra ID via the OAuth 2.0 client credentials grant flow, which is then used to authenticate to the database.

Exam trap

The trap here is that candidates often confuse the service principal's object ID (directory object identifier) with the client ID (application identifier), or mistakenly think a service principal uses a username/password like a regular user, when in fact it relies on OAuth 2.0 client credentials with a client ID and secret.

How to eliminate wrong answers

Option A is wrong because the connection string requires 'Authentication=Active Directory Service Principal', but the service principal's object ID is not used in the connection string; instead, the client ID (application ID) is used as the User ID. Option C is wrong because service principals do not have traditional username/password credentials; they authenticate using a client ID and client secret (or certificate) via OAuth 2.0, not a username and password. Option D is wrong because the managed identity endpoint is used for Azure resources with a managed identity (e.g., VM, App Service), not for a service principal; a service principal is a separate application identity that requires explicit client credentials.

54
Multi-Selectmedium

Which TWO of the following are best practices for securing Azure SQL Database?

Select 2 answers
A.Enable Auditing to block malicious queries.
B.Enable TDE to prevent SQL injection attacks.
C.Use SQL authentication with complex passwords.
D.Enable firewall rules to restrict access to specific IP addresses.
E.Use Azure Active Directory authentication instead of SQL authentication.
AnswersD, E

Restricting IPs reduces attack surface.

Why this answer

Option D is correct because Azure SQL Database firewall rules allow you to restrict access to specific IP address ranges, which is a fundamental network security best practice. By limiting inbound traffic to only trusted IPs, you reduce the attack surface and prevent unauthorized connections from unknown sources. This is a first line of defense in a defense-in-depth strategy for securing Azure SQL Database. Option E is correct because Microsoft Entra ID (formerly Azure Active Directory) authentication replaces passwords stored in the database with centrally managed identities, so you gain MFA, conditional access, group-based access and lifecycle management (disabling the account in the directory revokes database access), none of which SQL authentication can offer.

Exam trap

The trap here is that candidates often confuse Auditing (logging) with blocking, or TDE (encryption at rest) with SQL injection prevention, leading them to select options that sound security-related but do not perform the stated function.

55
Multi-Selecthard

You are designing a secure architecture for Azure SQL Managed Instance. You need to ensure that all connections to the instance are encrypted and that the instance can only be accessed from a specific virtual network. Which TWO configurations should you implement?

Select 2 answers
A.Configure a service endpoint on the subnet of the managed instance.
B.Deploy the managed instance outside a virtual network.
C.Configure the managed instance with the 'Force encryption' property set to Enabled.
D.Attach a private endpoint to the managed instance.
E.Deploy the managed instance inside the desired virtual network.
AnswersC, E

This enforces encrypted connections.

Why this answer

Option C is correct because setting the 'Force encryption' property to Enabled on Azure SQL Managed Instance ensures that all client connections are encrypted using TLS, enforcing encryption in transit. This is a critical security control to protect data from interception or tampering during transmission. Option E is correct because a managed instance is deployed into a dedicated subnet of a virtual network (VNet injection), so placing it in the desired VNet, with the public endpoint left disabled, is what limits access to that network and anything peered or routed to it. In practice, Managed Instance enforces encryption in transit for every connection; the settings you actually tune are the minimal TLS version on the instance and, on the client, Encrypt=True with TrustServerCertificate=False so the server certificate is validated.

Exam trap

The trap here is that candidates often confuse service endpoints or private endpoints with the VNet injection requirement for SQL Managed Instance, mistakenly thinking they can use those features to restrict network access, when in fact the instance must be deployed inside the VNet and 'Force encryption' must be enabled for encryption enforcement.

56
Multi-Selectmedium

Which THREE of the following are required to configure Microsoft Entra authentication for an Azure SQL Managed Instance?

Select 3 answers
A.Enable the managed instance system-assigned managed identity.
B.Set a Microsoft Entra admin for the managed instance.
C.Ensure the managed instance is deployed in a different virtual network from the clients.
D.Grant the managed instance identity the 'Directory Readers' role in Microsoft Entra ID.
E.Configure the managed instance to allow public network access.
AnswersA, B, D

The managed identity is used to authenticate to Entra ID.

Why this answer

Enabling the system-assigned managed identity for Azure SQL Managed Instance (A) is required because Microsoft Entra authentication relies on this identity to authenticate the instance itself against Microsoft Entra ID. Without a managed identity, the instance cannot securely obtain tokens or perform the directory lookups needed for authentication and authorization. Setting a Microsoft Entra admin (B) is required because that principal is the first identity able to connect with Entra authentication and to create contained users FROM EXTERNAL PROVIDER. Granting the instance identity the Directory Readers role (D), or the equivalent granular Microsoft Graph permissions (User.Read.All, GroupMember.Read.All and Application.Read.All), is required so the instance can resolve users, groups and service principals against the directory when they are created and when group membership is evaluated.

Exam trap

The trap here is that candidates often confuse the 'Directory Readers' role assignment (which is required) with optional network settings like VNet isolation or public access, leading them to incorrectly select C or E as necessary steps.

57
MCQmedium

You are implementing row-level security (RLS) in Azure SQL Database to restrict access to sales data based on the user's Azure AD identity. Which function should you use in the security policy?

A.USER_NAME()
B.SESSION_USER()
C.SUSER_SNAME()
D.CURRENT_USER()
AnswerA

Correct: Returns the database user name, which can be an Azure AD user.

Why this answer

In Azure SQL Database, a row-level security (RLS) predicate is an inline table-valued function that returns a row when the caller may see the data. USER_NAME() returns the database principal name derived from the Microsoft Entra token, which for a contained Entra user is the user's UPN (and the display name for a group or service principal), so it is the function Microsoft's RLS examples use to filter rows by the caller's identity. SUSER_SNAME() returns the server-level login name instead, and SESSION_USER and CURRENT_USER are niladic functions (written without parentheses) that the exam does not treat as the canonical choice.

Exam trap

The trap here is that candidates often confuse USER_NAME() with SUSER_SNAME() or CURRENT_USER(), mistakenly thinking that the server-level login name or the current context user is the correct identity for row-level filtering, when in fact RLS in Azure SQL Database requires the database-level user name returned by USER_NAME().

How to eliminate wrong answers

Option B (SESSION_USER) is wrong for this exam item: it is a niladic function written without parentheses and returns the database user name for the current context, so it behaves like USER_NAME() in practice, but the exam expects the form Microsoft's RLS documentation uses. Option C (SUSER_SNAME()) is wrong because it returns the server-level login or server principal name, not the database user; RLS predicates run in the database and should key on the database user that the row ownership or group mapping refers to. Option D (CURRENT_USER) is wrong for the same reason as B: it is a niladic ANSI function documented as equivalent to USER_NAME(), written without parentheses, and not the form the exam is looking for. Whichever function you use, test the predicate under EXECUTE AS USER, and for applications that connect with a shared identity filter on SESSION_CONTEXT() rather than on any user-name function.

58
MCQmedium

You are troubleshooting a connectivity issue: an application running on an Azure virtual machine (VM) cannot connect to an Azure SQL Database. The VM is in the same region as the SQL Database. The VM can ping other resources, but the SQL connection fails. The SQL Database has a firewall rule allowing the VM's private IP address. What is the most likely cause?

A.The SQL Database has the public endpoint disabled
B.The firewall rule uses the VM's private IP address, but Azure SQL Database sees the VM's public IP address
C.The SQL Database firewall is configured at the database level, not the server level
D.The VM does not have an outbound security rule allowing traffic to Azure SQL Database
AnswerB

Azure SQL Database receives the public IP of the VM, so the rule with private IP does not match.

Why this answer

When an Azure VM connects to Azure SQL Database, the source IP address seen by the SQL firewall is the VM's public outbound IP address due to Source Network Address Translation (SNAT) performed by Azure. Even if the VM is in the same region, traffic to Azure SQL Database egresses through the VM's public IP, not its private IP. Therefore, a firewall rule allowing the private IP will not match, causing the connection to fail.

Exam trap

The trap here is that candidates assume Azure SQL Database sees the VM's private IP because they are in the same region, overlooking Azure's mandatory SNAT for public endpoint connections.

How to eliminate wrong answers

Option A is wrong because if the public endpoint were disabled, an IP firewall rule would not be the relevant control at all; with a private endpoint or a VNet service endpoint the source is seen as a private address and is matched by a virtual network rule, but neither is present in the scenario. Option C is wrong because database-level rules are evaluated alongside server-level rules and see the same source address; a private-IP rule at either level fails for the same SNAT reason. Option D is wrong because NSG outbound rules control whether traffic leaves the VM, not which source address the SQL gateway observes; the VM can reach other resources, so outbound connectivity is working. The fixes are to allow the VM's public egress address (or the NAT gateway address, if one is attached to the subnet), or better, to add a virtual network rule via a service endpoint or use a private endpoint so that private addressing is honored.
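The quickest way to settle a question like this one is to ask the server which source address it actually saw, then write the firewall rule against that. The following T-SQL is an added example and not part of the original question bank; the rule name 'vm-egress', the 203.0.113.x addresses and the office range are assumed placeholders.

```sql
-- Added example (not part of the original question bank): discover the source
-- address Azure SQL Database sees for the current session, then add a matching
-- server-level firewall rule. Run step 1 from the VM that cannot connect
-- (via any session that does get through, e.g. a temporary broad rule) and the
-- rest as the server admin in the master database.

-- 1. Which address did the gateway see for this session? For a VM connecting to
--    the public endpoint this is the VM's public (SNAT) IP, not its private one.
SELECT
    c.client_net_address,        -- source IP as observed by the server
    c.encrypt_option,            -- TRUE on every Azure SQL connection
    c.auth_scheme,               -- SQL or AAD
    s.login_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.session_id = @@SPID;

-- 2. Server-level rules live in master and are managed with sp_set_firewall_rule.
--    Allow only the single public egress address found above (assumed value).
EXECUTE sp_set_firewall_rule
    @name             = N'vm-egress',
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.10';

-- 3. Review what is open. A rule from 0.0.0.0 to 0.0.0.0 is the
--    "Allow Azure services" switch and admits any Azure-hosted client.
SELECT name, start_ip_address, end_ip_address, modify_date
FROM sys.firewall_rules
ORDER BY name;

-- 4. Database-level rules travel with the database and are evaluated first.
--    They are set from inside the user database (assumed office range shown).
-- EXECUTE sp_set_database_firewall_rule N'office', '203.0.113.0', '203.0.113.255';
```

If step 1 shows a private address, the connection is already arriving over a service endpoint or private endpoint and an IP rule is the wrong tool; use a virtual network rule instead. If it shows the NAT gateway or load balancer address rather than the VM's own public IP, that is the address the rule must match.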

59
Multi-Selecthard

You are a database administrator for a manufacturing company that uses Azure SQL Database. The company has a requirement to encrypt sensitive data in transit between the application and the database. Additionally, the company wants to ensure that database administrators (DBAs) cannot view the sensitive data. Which TWO features should you implement?

Select 2 answers
A.Implement row-level security (RLS) to filter rows
B.Enable transparent data encryption (TDE) on the database
C.Configure the server to enforce TLS 1.2 by setting the 'Minimal TLS Version' property
D.Implement dynamic data masking on sensitive columns
E.Use Always Encrypted with a column master key stored in Azure Key Vault
AnswersC, E

This ensures all connections use TLS 1.2, encrypting data in transit.

Why this answer

Options C and E are correct. Option C sets the 'Minimal TLS Version' on the logical server so that clients negotiating older protocol versions are rejected; Azure SQL Database already encrypts every connection, so this setting enforces the protocol floor for data in transit. Option E uses Always Encrypted with a column master key in Azure Key Vault: encryption and decryption happen in the client driver, the database only ever holds ciphertext, and a DBA who has no Key Vault permission on that key cannot decrypt the data even with full rights in the database.

Option B is wrong because TDE encrypts data at rest but decrypts it transparently for any authenticated query, so it protects neither data in transit nor data from DBAs. Option D is wrong because dynamic data masking is presentation-layer masking that anyone holding UNMASK (which db_owner has) or with ad hoc query rights can see through. Option A is wrong because row-level security filters rows; it does not encrypt anything and does not stop a DBA from reading the rows they are permitted to see.

60
MCQmedium

You are the database administrator for a company that uses Azure SQL Database. You need to implement a security solution that automatically detects and alerts on suspicious activities, such as SQL injection attempts. Which feature should you enable?

A.Azure SQL Auditing
B.SQL Vulnerability Assessment
C.Microsoft Defender for SQL
D.Transparent Data Encryption (TDE)
AnswerC

Defender for SQL provides advanced threat protection and alerts on suspicious activities like SQL injection.

Why this answer

Microsoft Defender for SQL (formerly Azure Security Center's Advanced Threat Protection) is the correct feature because it continuously monitors database traffic for anomalous activities, including SQL injection, brute-force attacks, and privilege escalation. When suspicious behavior is detected, it generates a security alert that can be viewed in the Azure portal or integrated with Microsoft Sentinel (formerly Azure Sentinel) for automated response. This is the only option among the choices that provides proactive threat detection and alerting for suspicious activities.

Exam trap

The trap here is that candidates often confuse Azure SQL Auditing (which logs events) with Microsoft Defender for SQL (which actively detects threats), leading them to choose Auditing because it sounds like it would 'detect' suspicious activity, but it only records data for manual review, not automatic alerting.

How to eliminate wrong answers

Option A is wrong because Azure SQL Auditing tracks and logs database events (e.g., successful and failed logins, schema changes) for compliance and forensic analysis, but it does not automatically detect or alert on suspicious activities like SQL injection — it only records the raw data for later review. Option B is wrong because SQL Vulnerability Assessment scans for misconfigurations, missing patches, and security best-practice violations (e.g., weak firewall rules or excessive permissions), but it is a static assessment tool that does not monitor real-time traffic or detect active attacks. Option D is wrong because Transparent Data Encryption (TDE) performs real-time encryption and decryption of data at rest (the database files and backups) using a symmetric key, but it has no capability to detect or alert on suspicious database activities.

61
MCQhard

You are the database administrator for a SaaS company that uses Azure SQL Database. The company has a new requirement to audit all SELECT operations on a specific table containing sensitive customer data. You enable auditing on the server and configure a storage account for audit logs. However, after 24 hours, you notice that no SELECT operations are captured in the audit logs. You verify that the table is being accessed frequently. What is the most likely cause?

A.The storage account key was rotated and the audit configuration is using an expired key
B.The audit policy is not configured to capture SELECT operations; only UPDATE, INSERT, and DELETE are captured
C.The client application is using a connection string that bypasses the server firewall
D.The storage account is in a different region than the SQL Database server
AnswerB

Auditing records only the action groups and actions in its policy. If the policy in place does not cover reads, SELECT statements are never written; add SCHEMA_OBJECT_ACCESS_GROUP or a granular SELECT action on the table.

Why this answer

Option B is correct because Azure SQL auditing writes only the events that match the action groups and granular actions in its policy; a policy that covers data modification (for example SCHEMA_OBJECT_CHANGE_GROUP and DML-oriented groups) but nothing that covers reads will never record a SELECT, however often the table is used. To capture reads, add SCHEMA_OBJECT_ACCESS_GROUP (every access to a schema object, which is verbose) or, more selectively, a granular audit action such as SELECT ON dbo.Customers BY public, configured with Set-AzSqlDatabaseAudit -AuditAction or the equivalent CLI/REST setting. One practitioner caveat: the portal's default action groups are BATCH_COMPLETED_GROUP, SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP and FAILED_DATABASE_AUTHENTICATION_GROUP, and BATCH_COMPLETED_GROUP does record completed SELECT batches, so when reads are missing the first step is to list which action groups the policy actually contains rather than assuming a default.

Exam trap

The trap here is that candidates assume enabling auditing captures every database operation regardless of the policy's content, when in reality the action groups and granular actions in the policy determine exactly what is recorded; a policy built only from change-oriented groups will not include SELECT.

How to eliminate wrong answers

Option A is wrong because if the storage account key were invalid, the audit target would fail to receive any events at all, not just SELECT operations; the logs would be empty or show write errors for every action group. Option C is wrong because a connection string cannot bypass the server firewall, and any connection the firewall rejected could not have accessed the table; the question states the table is being accessed frequently, so connections are succeeding. Option D is wrong because the storage account being in a different region does not affect which events are captured; Azure SQL Database can write audit logs to a storage account in another region (at the cost of egress and latency), and region placement cannot selectively filter out SELECT statements.

62
Multi-Selecteasy

Which TWO of the following are valid methods to connect to Azure SQL Database securely?

Select 2 answers
A.Connect using Azure AD authentication with multi-factor authentication.
B.Connect using a shared access key from Azure Storage.
C.Connect using a private endpoint within a virtual network.
D.Connect directly using the server's public IP address without encryption.
E.Connect using SQL authentication with a simple password.
AnswersA, C

Azure AD with MFA provides strong authentication.

Why this answer

Option A is correct because Azure AD authentication with multi-factor authentication (MFA) provides strong identity-based security, removes passwords stored in the database, and supports conditional access policies. This method integrates with Azure SQL Database's built-in support for Azure AD tokens, ensuring that only authenticated users who satisfied MFA can connect, which meets the exam's focus on secure environment implementation. Option C is correct because a private endpoint gives the logical server a private IP address inside your virtual network, so traffic never traverses the public endpoint; combined with 'Deny public network access', the database is reachable only from that VNet and networks connected to it.

Exam trap

The trap here is that candidates may confuse shared access keys (a Storage concept) with SQL Database connection methods, or assume that a simple password is acceptable for security, when the exam emphasizes Azure AD and network isolation as the secure standards.

63
MCQeasy

You are a database administrator for a company that stores sensitive customer data in Azure SQL Database. The security team requires that all access to the database be authenticated using Microsoft Entra ID and that no SQL authentication logins exist. You need to verify that SQL authentication is disabled. What should you do?

A.Set the 'Deny public network access' property to 'Yes'
B.Configure a server-level firewall rule to block all IP addresses
C.In the Azure portal, navigate to the SQL server's 'Microsoft Entra ID' blade and enable 'Azure AD-only authentication'
D.Query sys.sql_logins to check for any SQL authenticated logins
AnswerC

Enabling this setting disables SQL authentication and enforces Microsoft Entra authentication for all connections.

Why this answer

Option C is correct because the 'Azure AD-only authentication' (Microsoft Entra-only authentication) setting disables SQL authentication for the logical server: existing SQL logins, including the server admin login, remain in sys.sql_logins but can no longer connect, and no new SQL login can authenticate. Option D is wrong because querying sys.sql_logins only lists the SQL logins that exist; it neither prevents their use nor proves that SQL authentication is disabled. Option B is wrong because server-level firewall rules control network reachability, not which authentication methods the server accepts.

Option A is wrong because 'Deny public network access' controls network connectivity (it forces clients onto private endpoints), not the authentication type.
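The database side of the two identity items above (the service principal in question 53 and the Entra-only check in question 63) is plain T-SQL. This is an added example, not code from the original question bank; the app registration 'inventory-api', the group 'sql-db-readers' and the database names are assumed.

```sql
-- Added example (not the question bank's own code): provision Microsoft Entra
-- identities as contained database users and inventory what authenticates how.
-- Assumed names: app registration 'inventory-api', Entra group 'sql-db-readers'.

-- Run in the user database, connected as the Microsoft Entra admin.
-- FROM EXTERNAL PROVIDER resolves the display name in the directory. The developer
-- then connects with Authentication=Active Directory Service Principal,
-- User ID=<client (application) ID>, Password=<client secret>. No SQL password
-- is stored anywhere in the database for this principal.
CREATE USER [inventory-api] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [inventory-api];
ALTER ROLE db_datawriter ADD MEMBER [inventory-api];

-- Group-based access: one database user per Entra group; membership is managed
-- in the directory, not in the database.
CREATE USER [sql-db-readers] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [sql-db-readers];

-- Inventory of principals by authentication type.
-- type 'E' = Entra user or service principal, 'X' = Entra group,
-- 'S' = SQL user (authentication_type DATABASE means a password lives here).
SELECT name, type_desc, authentication_type_desc, create_date
FROM sys.database_principals
WHERE type IN ('E', 'X', 'S')
  AND name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys')
ORDER BY type_desc, name;

-- Run in master: SQL logins that still exist on the logical server. With
-- Entra-only authentication enabled they cannot connect, but the list tells you
-- what to remove so the control does not depend on a single portal toggle.
SELECT name, is_disabled, modify_date
FROM sys.sql_logins
ORDER BY name;
```

The inventory query is the one to script into a periodic check: any row with type 'S' and authentication_type_desc = 'DATABASE' is a contained SQL user with its own password, which the security requirement in question 63 says should not exist.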

64
MCQmedium

Your company plans to use Azure SQL Managed Instance for a mission-critical application. You need to ensure that all connections to the database are encrypted and that the server's identity is verified. Which configuration should you enforce?

A.Set 'Force Encryption' = OFF and 'Trust Server Certificate' = OFF
B.Set 'Force Encryption' = ON and 'Trust Server Certificate' = OFF
C.Set 'Force Encryption' = ON and 'Trust Server Certificate' = ON
D.Set 'Force Encryption' = OFF and 'Trust Server Certificate' = ON
AnswerB

This ensures encryption and certificate validation.

Why this answer

Option B is correct because setting 'Force Encryption' = ON ensures that all connections to Azure SQL Managed Instance use TLS encryption, while setting 'Trust Server Certificate' = OFF forces the client to validate the server's certificate against a trusted certificate authority (CA). This combination guarantees both data-in-transit encryption and server identity verification, meeting the requirement for a mission-critical application. Note that 'Force Encryption' is the server-side view; on Managed Instance encryption in transit is already enforced, and the client-side equivalents are Encrypt=True (the default since Microsoft.Data.SqlClient 4.0) and TrustServerCertificate=False. The Azure SQL service certificates chain to public CAs present in standard trust stores, so validation works without distributing a custom certificate to clients.

Exam trap

The trap here is that candidates often confuse 'Trust Server Certificate' = ON as a convenience setting that simplifies connections, not realizing it disables certificate validation and undermines security for mission-critical workloads.

How to eliminate wrong answers

Option A is wrong because setting 'Force Encryption' = OFF allows unencrypted connections, violating the encryption requirement. Option C is wrong because setting 'Trust Server Certificate' = ON instructs the client to trust the server certificate without validation, bypassing identity verification and potentially allowing man-in-the-middle attacks. Option D is wrong because setting 'Force Encryption' = OFF permits unencrypted connections, and 'Trust Server Certificate' = ON disables certificate validation, failing both encryption and identity verification requirements.

65
MCQeasy

You are a junior DBA at a startup that uses Azure SQL Database for its SaaS application. The application uses a single database and the development team frequently makes schema changes. You need to implement security measures to: 1. Ensure that all connections from the application use TLS encryption. 2. Prevent unauthorized access from the internet. 3. Allow your office IP range (203.0.113.0/24) to connect for management. 4. Enable auditing of all schema changes. 5. Encrypt the database at rest using Azure-managed keys. You have already enabled Transparent Data Encryption (TDE) with service-managed keys. What should you do next to meet the remaining requirements?

A.Set the minimal TLS version to 1.2. Enable auditing with SCHEMA_OBJECT_CHANGE_GROUP.
B.Add a firewall rule for the office IP range. Enable auditing with SCHEMA_OBJECT_CHANGE_GROUP.
C.Set the minimal TLS version to 1.2. Add a firewall rule for the office IP range and remove the default 'Allow Azure services' rule. Enable auditing with SCHEMA_OBJECT_CHANGE_GROUP.
D.Add a firewall rule for the office IP range. Remove the default 'Allow Azure services' rule.
AnswerC

All requirements met.

Why this answer

Option C is correct because it covers every remaining requirement: setting the minimal TLS version to 1.2 satisfies (1); adding the office range and removing 'Allow Azure services' (a 0.0.0.0 rule that admits any Azure-hosted resource, including other tenants') satisfies (2) and (3); auditing with SCHEMA_OBJECT_CHANGE_GROUP satisfies (4); and (5) is already met by TDE. Option A is incorrect because it leaves the firewall untouched. Option B is incorrect because it does not enforce a TLS floor.

Option D is incorrect because it does not include auditing.

66
MCQmedium

Refer to the exhibit. You are reviewing the audit settings for an Azure SQL Database. What will this configuration do?

A.Auditing is disabled because no storage endpoint is provided.
B.Audit logs are written to Azure Monitor (Log Analytics).
C.Only failed authentication attempts are audited.
D.Audit logs are written to an Azure Storage account.
AnswerB

isAzureMonitorTargetEnabled: true sends logs to Log Analytics.

Why this answer

The exhibit shows that the audit destination is set to 'Log Analytics' (Azure Monitor), which means audit logs will be sent to a Log Analytics workspace. This configuration does not require a storage endpoint because Log Analytics is the designated target. Option B correctly identifies that audit logs are written to Azure Monitor (Log Analytics).

Exam trap

The trap here is that candidates assume auditing requires a storage endpoint and thus choose Option A, overlooking that Log Analytics and Event Hubs are valid destinations that do not need a storage endpoint.

How to eliminate wrong answers

Option A is wrong because auditing is not disabled when no storage endpoint is provided; the destination can be Log Analytics or Event Hubs instead of Azure Storage. Option C is wrong because the configuration audits all database events (such as successful logins, failed logins, and DML operations) unless specific audit action groups are filtered; it does not limit auditing to only failed authentication attempts. Option D is wrong because the exhibit explicitly shows 'Log Analytics' as the destination, not an Azure Storage account.

67
Multi-Selectmedium

Your company uses Azure SQL Database and wants to implement row-level security (RLS) to restrict access to customer data based on the user's Microsoft Entra ID group membership. Which TWO actions are required?

Select 2 answers
A.Create a column master key for the secured columns.
B.Grant the user the db_securityadmin server role.
C.Create a security policy that uses a predicate function.
D.Apply a dynamic data masking rule to hide sensitive columns.
E.Create a predicate function that filters rows based on the user's group membership.
AnswersC, E

A security policy enforces the predicate.

Why this answer

Row-level security (RLS) in Azure SQL Database restricts data access at the row level by using a security policy that invokes a predicate function. The predicate function defines the logic for filtering rows, such as checking the caller's Microsoft Entra ID group membership via IS_MEMBER(). Therefore, creating both the predicate function (Option E) and the security policy that uses it (Option C) are required steps.

Exam trap

The trap here is that candidates confuse row-level security with dynamic data masking or Always Encrypted, assuming that hiding or encrypting columns is equivalent to restricting row access, but RLS specifically filters rows based on user attributes, not column-level protection.
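Questions 57 and 67 together describe the whole RLS mechanism: a schema-bound predicate function that keys on USER_NAME() or IS_MEMBER(), and a security policy that binds it to the table. The T-SQL below is an added example and not code from the original page; the dbo.Sales table, its sample rows and the Entra groups 'sales-emea' and 'sales-apac' (already created with CREATE USER ... FROM EXTERNAL PROVIDER) are assumed.

```sql
-- Added example (not from the original page): row-level security keyed on the
-- caller's identity and Microsoft Entra group membership.
-- Assumed: Entra groups 'sales-emea' and 'sales-apac' and user 'alice@contoso.com'
-- exist as contained database users. Sample data below is constructed.
CREATE TABLE dbo.Sales (
    SaleId    int IDENTITY PRIMARY KEY,
    Region    nvarchar(20) NOT NULL,
    OwnerUser sysname      NOT NULL,   -- database user name of the owning rep
    Amount    money        NOT NULL
);
INSERT INTO dbo.Sales (Region, OwnerUser, Amount) VALUES
    (N'EMEA', N'alice@contoso.com', 1200),
    (N'APAC', N'bob@contoso.com',    800);
GO

CREATE SCHEMA Security;
GO

-- Predicate functions must be inline table-valued and schema-bound. Returning a
-- row means "visible". USER_NAME() is the database user behind the Entra token;
-- IS_MEMBER() checks a database role or an Entra group that exists as a user.
CREATE FUNCTION Security.fn_SalesPredicate(@Region nvarchar(20), @OwnerUser sysname)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
    SELECT 1 AS fn_result
    WHERE
        @OwnerUser = USER_NAME()                               -- own rows
        OR (@Region = N'EMEA' AND IS_MEMBER(N'sales-emea') = 1) -- regional group
        OR (@Region = N'APAC' AND IS_MEMBER(N'sales-apac') = 1)
        OR IS_ROLEMEMBER(N'db_owner') = 1;                     -- supervisors
GO

-- FILTER hides rows from SELECT/UPDATE/DELETE. BLOCK rejects writes that would
-- create or leave behind a row the caller could not see (e.g. inserting a row
-- for another region), which FILTER alone does not prevent.
CREATE SECURITY POLICY Security.SalesPolicy
    ADD FILTER PREDICATE Security.fn_SalesPredicate(Region, OwnerUser) ON dbo.Sales,
    ADD BLOCK  PREDICATE Security.fn_SalesPredicate(Region, OwnerUser) ON dbo.Sales AFTER INSERT,
    ADD BLOCK  PREDICATE Security.fn_SalesPredicate(Region, OwnerUser) ON dbo.Sales AFTER UPDATE
WITH (STATE = ON, SCHEMABINDING = ON);
GO

-- Test without a second login: impersonate a contained user, query, revert.
EXECUTE AS USER = 'alice@contoso.com';
SELECT SaleId, Region, Amount FROM dbo.Sales;   -- EMEA row only (own row / group)
REVERT;
```

Two design points worth noting: the policy is schema-bound, so the table cannot be altered underneath the predicate without first disabling the policy; and if the application connects with a single shared identity, replace the USER_NAME() and IS_MEMBER() checks with a value the middle tier sets via sp_set_session_context and reads with SESSION_CONTEXT(), since the database would otherwise see the same user for everyone.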

68
MCQhard

You are deploying an Azure SQL Database that will contain highly sensitive personal data. The security policy requires that the data be encrypted at rest, in transit, and in use. Additionally, the encryption keys must be stored in a hardware security module (HSM) and be customer-managed. Which combination of features should you implement?

A.TDE with a service-managed key, enforce TLS 1.2, and Always Encrypted with a column master key in Key Vault.
B.TDE with a customer-managed key in Key Vault, enforce TLS 1.2, and use Dynamic Data Masking.
C.TDE with a customer-managed key in Key Vault, enforce TLS 1.2, and Always Encrypted with a column master key stored in Windows Certificate Store.
D.TDE with a customer-managed key in Azure Key Vault (HSM-backed), enforce TLS 1.2, and Always Encrypted with a column master key in Azure Key Vault (HSM-backed).
AnswerD

This combination meets all requirements: at rest, in transit, in use, and HSM-backed customer-managed keys.

Why this answer

Option D is correct because it satisfies all requirements: encryption at rest via TDE with a customer-managed key stored in an HSM-backed Key Vault, encryption in transit by enforcing TLS 1.2, and encryption in use via Always Encrypted with the column master key also stored in an HSM-backed Key Vault. This ensures that all three states of data are encrypted and that keys are both customer-managed and hardware-protected.

Exam trap

The trap here is that candidates may confuse Dynamic Data Masking with encryption in use, or overlook that storing keys in Key Vault does not automatically imply HSM protection: that requires a Premium-tier vault with HSM-protected keys or Azure Key Vault Managed HSM.

How to eliminate wrong answers

Option A is wrong because TDE with a service-managed key does not meet the customer-managed key requirement, and storing the column master key in Key Vault alone does not guarantee HSM protection unless the vault is HSM-backed. Option B is wrong because Dynamic Data Masking does not encrypt data in use; it only obfuscates data at query time, failing the encryption-in-use requirement. Option C is wrong because storing the column master key in the Windows Certificate Store does not use an HSM, violating the requirement that keys be stored in a hardware security module.

69
MCQhard

You are reviewing an Azure SQL Database audit policy configuration. The policy is set to audit successful and failed database authentication events. You notice that audit logs are being written to both Azure Blob Storage and Azure Monitor. However, you are concerned about security of the storage account access key in the policy. What is the recommended approach to securely reference the storage account?

A.Remove the storageAccountAccessKey property and rely on the storage endpoint.
B.Use a different storage account with a key that expires daily.
C.Disable the Azure Monitor destination and only use Blob Storage.
D.Configure the server's system-assigned managed identity and grant it access to the storage account.
AnswerD

Managed identity eliminates the need for access keys.

Why this answer

Option D is correct because using a system-assigned managed identity for the Azure SQL Database logical server eliminates the need to store a storage account access key in the audit policy configuration. Managed identities provide a secure, Azure AD-backed identity that can be granted specific permissions (e.g., Storage Blob Data Contributor) on the storage account, ensuring that access is controlled via RBAC rather than a static key. This approach aligns with security best practices by removing the risk of key exposure or rotation failures.

Exam trap

The trap here is that candidates may think removing the access key property (Option A) is sufficient, not realizing that Azure SQL Database audit requires explicit authentication to the storage account and will fail without a valid access key or managed identity configuration.

How to eliminate wrong answers

Option A is wrong because removing the storageAccountAccessKey property without configuring an alternative authentication method (like managed identity) will cause audit log writes to fail; the storage endpoint alone does not provide authentication. Option B is wrong because using a key that expires daily introduces operational complexity and still requires storing a secret in the policy, which does not eliminate the fundamental security concern of key exposure. Option C is wrong because disabling the Azure Monitor destination does not address the security of the storage account access key; it only removes one destination while leaving the key-based storage access unchanged.

70
MCQhard

You are a database administrator for a government agency that uses Azure SQL Database to store classified data. The database contains highly sensitive columns (e.g., Social Security Numbers) that must be masked for most users, but fully visible to a small group of compliance officers. The compliance officers authenticate using Microsoft Entra ID. You need to implement a solution that automatically masks the sensitive columns for all users except the compliance officers, without requiring application code changes. The solution must also ensure that the compliance officers are identified by their Microsoft Entra ID user principal name (UPN). What should you do?

A.Grant SELECT permission on the sensitive columns only to the compliance officers and deny SELECT to all other users
B.Use Always Encrypted to encrypt the sensitive columns and configure the column master key to allow access only to compliance officers
C.Implement row-level security (RLS) to filter rows based on user's UPN
D.Configure dynamic data masking (DDM) on the sensitive columns and define a masking policy that excludes the compliance officers based on their UPN
AnswerD

DDM masks data at the column level for low-privileged users. You can exclude specific users by adding them to the excluded users list for each masking rule.

Why this answer

Option D is correct. Dynamic data masking (DDM) obfuscates the values of the marked columns in query results for every user who does not hold the UNMASK permission, without any change to the application's queries. Compliance officers are excluded by granting UNMASK to their Microsoft Entra users or group (the portal exposes the same setting as the list of users excluded from masking); because they are contained Entra users, they are identified by the UPN carried in their token, so the exclusion follows the identity rather than a connection string.

Option C is wrong because row-level security filters rows, not columns, so other users would lose whole records instead of seeing masked values. Option B is wrong because Always Encrypted requires the client driver to hold key access and queries to be parameterized, which means application changes, and it encrypts rather than masks. Option A is wrong because column-level GRANT/DENY causes permission errors in the other users' existing queries, again forcing application changes, and it does not mask anything.
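The masking and exclusion described above are a handful of T-SQL statements, shown here as an added example rather than code from the original page. The dbo.Customers table, its constructed sample row, the Entra group 'compliance-officers' and the user 'analyst@contoso.com' are assumed to exist as contained database users.

```sql
-- Added example (not the original page's code): mask an SSN column for everyone
-- except a compliance group, then verify. Assumed: Entra group
-- 'compliance-officers' and user 'analyst@contoso.com' already created with
-- CREATE USER ... FROM EXTERNAL PROVIDER. Sample data is constructed.
CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY PRIMARY KEY,
    FullName   nvarchar(100) NOT NULL,
    Ssn        char(11)      NOT NULL,
    Email      nvarchar(200) NOT NULL
);
INSERT INTO dbo.Customers (FullName, Ssn, Email)
VALUES (N'Jane Doe', '123-45-6789', N'jane.doe@example.com');
GO

-- partial(prefix, padding, suffix): expose 0 leading and 4 trailing characters.
ALTER TABLE dbo.Customers
    ALTER COLUMN Ssn ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)');

-- Built-in email mask: first letter kept, domain replaced, .com suffix kept.
ALTER TABLE dbo.Customers
    ALTER COLUMN Email ADD MASKED WITH (FUNCTION = 'email()');

-- Exclusion is a permission on a user or group, not a UPN pattern. Members are
-- matched by the identity in their token, so directory changes need no DDL.
-- In the portal this is the "SQL users excluded from masking" list.
GRANT UNMASK TO [compliance-officers];

-- Which columns are masked, and how?
SELECT OBJECT_SCHEMA_NAME(mc.object_id) AS schema_name,
       OBJECT_NAME(mc.object_id)        AS table_name,
       mc.name                          AS column_name,
       mc.masking_function
FROM sys.masked_columns AS mc
WHERE mc.is_masked = 1;

-- Verify as a non-excluded user: Ssn returns as XXX-XX-6789, Email as jXXX@XXXX.com.
EXECUTE AS USER = 'analyst@contoso.com';
SELECT CustomerId, Ssn, Email FROM dbo.Customers;
REVERT;

-- Caveat: DDM is presentation-layer masking, not encryption. A user who can run
-- ad hoc queries can still narrow a value with predicates, for example
--   SELECT CustomerId FROM dbo.Customers WHERE Ssn LIKE '123-45-%';
-- returns the matching row, so pair DDM with least-privilege grants, and use
-- Always Encrypted when plaintext must never be available to the server.
```

The last comment is the point the question's "without application changes" framing hides: DDM meets the requirement, but it is a usability control against casual exposure, not a boundary against a determined user with SELECT rights.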

71
MCQmedium

Your organization needs to comply with a regulation that requires data to be encrypted at rest using a customer-managed key stored in Azure Key Vault. You have an Azure SQL Database. What should you configure?

A.Use Azure Policy to enforce encryption at rest.
B.Enable Always Encrypted and store the column master key in Azure Key Vault.
C.Configure Azure Storage Service Encryption for the database files.
D.Enable Transparent Data Encryption (TDE) and use a customer-managed key in Azure Key Vault as the TDE protector.
AnswerD

TDE with customer-managed key in Key Vault provides encryption at rest with customer control.

Why this answer

Transparent Data Encryption (TDE) with a customer-managed key in Azure Key Vault meets the requirement for data at rest encryption using a customer-controlled key. TDE encrypts the database files (data and log files) at rest, and by using a customer-managed key as the TDE protector, you retain control over key rotation and revocation, satisfying regulatory compliance.

Exam trap

The trap here is confusing Always Encrypted (which encrypts specific columns at the application level) with TDE (which encrypts the entire database at rest), leading candidates to choose Option B when the requirement is for full database encryption at rest with a customer-managed key.

How to eliminate wrong answers

Option A is wrong because Azure Policy can enforce compliance rules but does not itself encrypt data; it can only audit or enforce that TDE is enabled, not provide the encryption mechanism. Option B is wrong because Always Encrypted protects sensitive data in transit and at rest within the application layer, but it encrypts specific columns rather than the entire database at rest, and it is not the standard solution for full database encryption required by the regulation. Option C is wrong because Azure Storage Service Encryption applies to Azure Blob Storage and Azure Files, not to Azure SQL Database files, which are managed internally by the SQL Database service and cannot be directly encrypted via Storage Service Encryption.

72
Multi-Select · hard

Which TWO of the following are best practices for managing firewall rules for Azure SQL Database?

Select 2 answers
A.Use IP-based firewall rules for all client connections, including Azure services.
B.Create firewall rules with broad IP ranges (e.g., 0.0.0.0/0) to simplify management.
C.Use Azure Private Link to connect from Azure VNets instead of opening firewall rules to IP ranges.
D.Audit all firewall rule changes using Azure Activity Logs.
E.Enable the 'Allow Azure Services' firewall rule to allow connections from Azure services.
Answers: C, E

Private Link is more secure than opening the firewall to public IP ranges.

Why this answer

Option C is correct because Azure Private Link allows you to connect to Azure SQL Database from an Azure VNet using a private endpoint, which maps the database to a private IP address within the VNet. This eliminates the need to open firewall rules to public IP ranges, reducing the attack surface and ensuring traffic stays within the Microsoft backbone network. It is a security best practice recommended by Microsoft for isolating PaaS services.

Exam trap

The trap here is that candidates often confuse auditing (Option D) with a management best practice, or they mistakenly think that enabling 'Allow Azure Services' (Option E) is always insecure, when in fact it is a recommended setting for Azure-native services that cannot use Private Link.

73
MCQ · medium

Your company has an Azure SQL Database that stores financial data. You need to implement auditing to track all data modifications (INSERT, UPDATE, DELETE) and schema changes (DDL). Which audit action group should you configure?

A.SCHEMA_OBJECT_CHANGE_GROUP and DATABASE_OBJECT_CHANGE_GROUP
B.DATABASE_OBJECT_PERMISSION_CHANGE_GROUP and SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP
C.DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP and SCHEMA_OBJECT_OWNERSHIP_CHANGE_GROUP
D.SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP and FAILED_DATABASE_AUTHENTICATION_GROUP
Answer: A

These groups capture DDL and DML changes respectively.

Why this answer

Option C is correct because DATABASE_OBJECT_CHANGE_GROUP captures DML changes on all database objects, and SCHEMA_OBJECT_CHANGE_GROUP captures DDL changes. Option A is incorrect because it only contains DDL actions. Option B is incorrect because it only contains security-related actions.

Option D is incorrect because it only contains DML actions on specific objects.

74
MCQ · medium

Your company has an Azure SQL Database that stores sensitive customer data. You need to ensure that data is encrypted at rest and in transit. The database is currently using Transparent Data Encryption (TDE) with service-managed keys. Compliance requirements now mandate that you use customer-managed keys stored in Azure Key Vault. Additionally, all connections must use encrypted connections. What should you do?

A.Create a new Azure SQL Database with TDE enabled using a customer-managed key from Key Vault. Migrate data using SQL Server Management Studio (SSMS) with 'Encrypt connection' enabled.
B.Configure the Azure SQL Server to use a customer-managed key from Azure Key Vault for TDE and set 'Encrypted connection' to 'Required' on the server.
C.Enable Transparent Data Encryption (TDE) with service-managed keys and set 'Minimum TLS version' to 1.2.
D.Implement Always Encrypted with keys stored in Azure Key Vault and set 'Encrypted connection' to 'Required' on the server.
Answer: B

This directly meets both requirements.

Why this answer

Option B is correct because it directly addresses both requirements: using a customer-managed key from Azure Key Vault for TDE (which replaces the service-managed key) and enforcing encrypted connections by setting 'Encrypted connection' to 'Required' on the Azure SQL Server. This configuration ensures data at rest is encrypted with a key you control, and all client connections must use TLS encryption, meeting compliance mandates without requiring a new database or data migration.

Exam trap

The trap here is that candidates often confuse Always Encrypted with TDE, thinking column-level encryption satisfies the 'at rest' requirement for the entire database, or they assume that setting 'Minimum TLS version' alone ensures all connections are encrypted, when in fact 'Encrypted connection' must be explicitly set to 'Required' to reject unencrypted connections.

How to eliminate wrong answers

Option A is wrong because creating a new database and migrating data is unnecessary; you can change the TDE key type on the existing database by configuring the server to use a customer-managed key from Key Vault, and 'Encrypt connection' in SSMS only affects that specific migration session, not all future connections. Option C is wrong because it keeps service-managed keys for TDE, which does not satisfy the compliance requirement for customer-managed keys, and setting 'Minimum TLS version' to 1.2 only enforces a minimum protocol version but does not require encrypted connections for all clients. Option D is wrong because Always Encrypted protects data in use and in transit at the column level, but it does not encrypt the entire database at rest (TDE is needed for that), and it does not address the requirement to use customer-managed keys for TDE.

75
MCQ · easy

You need to encrypt sensitive columns in an Azure SQL Database table so that data is encrypted at rest and in transit between the application and database. Which feature should you use?

A.Row-Level Security
B.Transparent Data Encryption (TDE)
C.Dynamic Data Masking
D.Always Encrypted
Answer: D

Always Encrypted encrypts column data at rest and in transit, with client-side encryption keys.

Why this answer

Always Encrypted is the correct choice because it encrypts sensitive data both at rest in the database and in transit between the application and the database. It ensures that encryption keys are never revealed to the database engine, so data remains encrypted throughout the entire data path, including during query execution. This meets the requirement for encryption at rest and in transit.

Exam trap

The trap here is that candidates often confuse Transparent Data Encryption (TDE) as covering both at-rest and in-transit encryption, but TDE only encrypts data at rest on disk, not during network transmission or while in memory.

How to eliminate wrong answers

Option A is wrong because Row-Level Security (RLS) controls access to rows based on user identity or context, but it does not encrypt data at rest or in transit. Option B is wrong because Transparent Data Encryption (TDE) encrypts the database files at rest but does not protect data in transit between the application and the database; it also does not prevent the database engine from seeing plaintext data during query processing. Option C is wrong because Dynamic Data Masking obfuscates data in query results for unauthorized users but does not encrypt the underlying data at rest or in transit, and the database engine still processes plaintext data.
