Question 131 of 953
Implement a secure environmentmediumMultiple ChoiceObjective-mapped

Quick Answer

The answer is to immediately revoke the CONNECT permission from the compromised login using `REVOKE CONNECT FROM sales_user;` before creating a new login and updating the application connection string. This is correct because revoking CONNECT instantly terminates all existing active sessions and blocks any new connections using the old credentials, without deleting the login object itself—a critical step when you need to revoke connect permission for a SQL login in Azure SQL Database while preserving server-level objects for auditing or future use. On the Microsoft Azure Database Administrator Associate DP-300 exam, this scenario tests your understanding of granular permission management versus dropping logins, a common trap where candidates mistakenly delete the login (which can break dependencies) or only reset the password (which doesn’t kill cached sessions). The key insight is that password changes do not terminate active connections, but permission revocation does. Memory tip: think “REVOKE, not DROP, to stop the shop”—revoking CONNECT cuts off access instantly without removing the login, minimizing downtime while you deploy a secure replacement.

DP-300 Implement a secure environment Practice Question

This DP-300 practice question tests your understanding of implement a secure environment. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

You manage an Azure SQL Database named SalesDB that is used by a sales application. The application connects using a SQL login named 'sales_user' with a password. Recently, the security team discovered that 'sales_user' has been compromised. They have reset the password in Azure SQL Database. However, the application continues to connect successfully using the old credentials. You suspect the application might be caching the password. The security team wants to immediately revoke access for the compromised login and ensure that only a new login with a complex password is used. You also want to minimize downtime. What should you do first?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "first"

    Why it matters: Order matters here. You are being tested on which action comes before the others — not which action is generally useful.

  • Clue: "minimum / minimize"

    Why it matters: Asks for the least resource use — fewest addresses, smallest subnet, lowest overhead. Eliminate over-provisioned options even if they would technically work.

  • Clue: "immediately / without restart"

    Why it matters: Time or reboot constraint — the correct answer must take effect right away without requiring a reboot or reload.

Question 1mediummultiple choice
Full question →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Revoke the CONNECT permission from 'sales_user' using REVOKE CONNECT FROM sales_user; then create a new login and update the application connection string.

Option A is correct because immediately revoking the CONNECT permission from the compromised login 'sales_user' terminates any existing active sessions and prevents new connections using the old credentials, without deleting the login object. This allows you to create a new login with a complex password and update the application connection string with minimal downtime, as the database and other server-level objects remain intact.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Revoke the CONNECT permission from 'sales_user' using REVOKE CONNECT FROM sales_user; then create a new login and update the application connection string.

    Why this is correct

    Revoking CONNECT immediately blocks the login without deleting it, allowing time to update.

    Clue confirmation

    The clue words "first", "minimum / minimize", "immediately / without restart" in the question point toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Change the password again and ensure the application is restarted to clear the cache.

    Why it's wrong here

    The application might still use cached credentials; restarting may not clear cache.

  • Enable auditing to monitor future logins and leave the login as is.

    Why it's wrong here

    This does not revoke access to the compromised login.

  • Drop the 'sales_user' login using DROP LOGIN sales_user; then create a new login and update the application.

    Why it's wrong here

    Dropping the login is immediate but may be more disruptive if the login is needed for other purposes.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often assume dropping the login (Option D) is the most secure and immediate action, but they overlook that revoking CONNECT permission achieves the same security goal with less risk of breaking dependent objects and allows for a smoother transition to a new login.

Detailed technical explanation

How to think about this question

Under the hood, the REVOKE CONNECT command targets the server-level permission and immediately invalidates the login's ability to establish new connections, while existing connections are terminated if the command is issued with the 'CASCADE' option (though in Azure SQL Database, REVOKE CONNECT alone terminates existing sessions). This approach is preferred over DROP LOGIN because it preserves the login's metadata and any database-level permissions that may be reused later, reducing the risk of orphaned users. In real-world scenarios, connection pooling in applications (e.g., using ADO.NET or JDBC) can cache credentials for minutes or hours, so revoking CONNECT is the fastest way to enforce access revocation without waiting for pool expiration.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related DP-300 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free DP-300 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this DP-300 question test?

Implement a secure environment — This question tests Implement a secure environment — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Revoke the CONNECT permission from 'sales_user' using REVOKE CONNECT FROM sales_user; then create a new login and update the application connection string. — Option A is correct because immediately revoking the CONNECT permission from the compromised login 'sales_user' terminates any existing active sessions and prevents new connections using the old credentials, without deleting the login object. This allows you to create a new login with a complex password and update the application connection string with minimal downtime, as the database and other server-level objects remain intact.

What should I do if I get this DP-300 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "first", "minimum / minimize", "immediately / without restart". Order matters here. You are being tested on which action comes before the others — not which action is generally useful.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More DP-300 practice questions

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This DP-300 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the DP-300 exam.