Question 835 of 953
Implement a secure environmentmediumMultiple ChoiceObjective-mapped

Quick Answer

The answer is that the credential is missing the SECRET parameter. When you troubleshoot managed identity credential for Azure SQL Database to Azure Storage, the SECRET is required because it must contain the managed identity’s client ID or object ID to map the credential to the specific Azure AD identity. Without this parameter, Azure SQL Database cannot authenticate to the storage account, even if the managed identity itself is correctly assigned. On the DP-300 exam, this scenario tests your understanding of how database-scoped credentials interact with Azure AD authentication for cross-service connections—a common trap is assuming the managed identity alone is sufficient, but the credential object explicitly needs the SECRET to link the identity. A useful memory tip: think of the SECRET as the “key” that tells Azure SQL which managed identity to use, so if you see a credential without it, the connection will fail.

DP-300 Implement a secure environment Practice Question

This DP-300 practice question tests your understanding of implement a secure environment. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

Refer to the exhibit.

```
ALTER DATABASE SCOPED CREDENTIAL MyCred
WITH IDENTITY = 'Managed Identity';
```

You are troubleshooting a connection issue from Azure SQL Database to Azure Storage using a managed identity. The above credential was created. What is missing from this configuration?

Question 1mediummultiple choice
Full question →

Exhibit

Refer to the exhibit.

```
ALTER DATABASE SCOPED CREDENTIAL MyCred
WITH IDENTITY = 'Managed Identity';
```

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

The credential is missing the SECRET parameter.

The credential is missing the SECRET parameter because when using a managed identity to access Azure Storage from Azure SQL Database, the credential must specify the identity's client ID or object ID as the SECRET. Without this, the credential cannot authenticate to the storage account, causing the connection to fail. The SECRET parameter is required to map the managed identity to the credential for Azure AD authentication.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The credential is missing the SECRET parameter.

    Why this is correct

    Correct: For managed identity, SECRET must be specified, even if empty string.

    Related concept

    Read the scenario before looking for a memorised answer.

  • The credential should be a server-level credential.

    Why it's wrong here

    Incorrect: Database scoped credential is appropriate for database access.

  • The credential lacks a valid identity.

    Why it's wrong here

    Incorrect: IDENTITY is specified as 'Managed Identity'.

  • The credential needs to include the storage account name.

    Why it's wrong here

    Incorrect: Storage account name is specified in the external data source, not the credential.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often assume the SECRET parameter is optional or only needed for passwords, but in managed identity scenarios, it is mandatory to specify the identity's client ID as the SECRET to enable token-based authentication.

Detailed technical explanation

How to think about this question

Under the hood, Azure SQL Database uses the CREATE DATABASE SCOPED CREDENTIAL statement with IDENTITY = 'Managed Identity' and SECRET = '<client_id>' to authenticate to Azure Storage via OAuth 2.0. The managed identity must be assigned to the logical server, and the credential's SECRET must match the identity's client ID (or object ID) for Azure AD token acquisition. A real-world scenario is when using PolyBase or OPENROWSET to query external data; missing the SECRET causes a 401 unauthorized error because the token request lacks the required identity binding.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related DP-300 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free DP-300 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this DP-300 question test?

Implement a secure environment — This question tests Implement a secure environment — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: The credential is missing the SECRET parameter. — The credential is missing the SECRET parameter because when using a managed identity to access Azure Storage from Azure SQL Database, the credential must specify the identity's client ID or object ID as the SECRET. Without this, the credential cannot authenticate to the storage account, causing the connection to fail. The SECRET parameter is required to map the managed identity to the credential for Azure AD authentication.

What should I do if I get this DP-300 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This DP-300 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the DP-300 exam.