Question 952 of 953
Implement a secure environmenthardMultiple SelectObjective-mapped

Quick Answer

The answer is granting the server managed identity 'get', 'wrapKey', and 'unwrapKey' permissions, as these three operations are essential for Azure SQL Database TDE to access and rotate the key protector stored in Azure Key Vault. The 'get' permission allows the SQL server to retrieve the key metadata, while 'wrapKey' and 'unwrapKey' enable the server to encrypt and decrypt the database encryption key during TDE operations, ensuring the key never leaves the vault in plaintext. On the DP-300 exam, this concept tests your understanding of how managed identities bridge Azure services securely, and a common trap is confusing these permissions with broader 'encrypt' or 'decrypt' rights, which are not used for TDE key wrapping. To remember, think of the TDE process as a three-step handshake: the server must first get the key, then wrap it for storage, and unwrap it for use—never more, never less.

DP-300 Implement a secure environment Practice Question

This DP-300 practice question tests your understanding of implement a secure environment. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Which THREE of the following are best practices for managing keys in Azure Key Vault for use with Azure SQL Database TDE?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "best"

    Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

Question 1hardmulti select
Full question →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Enable soft-delete and purge protection on the Key Vault.

Enabling soft-delete and purge protection on the Key Vault is a best practice because soft-delete retains deleted keys for a configurable retention period (default 90 days), allowing recovery if a key is accidentally deleted. Purge protection prevents permanent deletion of keys even after the soft-delete retention period expires, which is critical for TDE because if the key is permanently lost, the encrypted database becomes inaccessible. Together, these features ensure that the TDE protector key is never irrevocably lost, maintaining database recoverability and compliance.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Enable soft-delete and purge protection on the Key Vault.

    Why this is correct

    Prevents accidental key loss.

    Clue confirmation

    The clue word "best" in the question point toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Rotate the keys periodically.

    Why this is correct

    Regular rotation reduces risk.

    Clue confirmation

    The clue word "best" in the question point toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Grant the server managed identity 'get', 'wrapKey', and 'unwrapKey' permissions.

    Why this is correct

    These permissions are necessary for TDE.

    Clue confirmation

    The clue word "best" in the question point toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Store the Key Vault in the same resource group as the SQL server.

    Why it's wrong here

    Best practice is to use a separate resource group.

  • Disable Key Vault auditing to reduce costs.

    Why it's wrong here

    Auditing is important for security monitoring.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often think placing the Key Vault in the same resource group simplifies management, but Microsoft explicitly recommends a separate resource group to avoid accidental deletion of the vault when the SQL server is deprovisioned.

Detailed technical explanation

How to think about this question

Under the hood, TDE uses a two-tier key hierarchy: the Database Encryption Key (DEK) is protected by the TDE protector, which is an asymmetric key stored in Key Vault. The SQL server uses its managed identity to authenticate to Key Vault via Azure AD OAuth 2.0, and the 'get', 'wrapKey', and 'unwrapKey' permissions are required to retrieve the protector and perform cryptographic operations. A real-world scenario where this matters is during a disaster recovery failover: if the Key Vault is in a different region, the managed identity must have cross-region access, and soft-delete ensures the key survives regional outages.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A startup's cloud architect reviews their monthly bill and notices costs are higher than expected for a long-running batch job. Switching from on-demand instances to Reserved Instances — or using Spot/Preemptible VMs — can reduce compute costs by up to 72 %. Questions like this test whether you understand the tradeoffs between commitment, flexibility, and cost across cloud pricing models.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related DP-300 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free DP-300 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this DP-300 question test?

Implement a secure environment — This question tests Implement a secure environment — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Enable soft-delete and purge protection on the Key Vault. — Enabling soft-delete and purge protection on the Key Vault is a best practice because soft-delete retains deleted keys for a configurable retention period (default 90 days), allowing recovery if a key is accidentally deleted. Purge protection prevents permanent deletion of keys even after the soft-delete retention period expires, which is critical for TDE because if the key is permanently lost, the encrypted database becomes inaccessible. Together, these features ensure that the TDE protector key is never irrevocably lost, maintaining database recoverability and compliance.

What should I do if I get this DP-300 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 24, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This DP-300 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the DP-300 exam.