Courseiva
DP-900
Full test
mediummultiple choiceObjective-mapped

A company is migrating an on-premises SQL Server database to Azure. They want to ensure that database administrators (DBAs) can perform administrative tasks but cannot view sensitive customer data in query results. Which Azure SQL feature should they implement?

Question 1mediummultiple choice
Full question →

A company is migrating an on-premises SQL Server database to Azure. They want to ensure that database administrators (DBAs) can perform administrative tasks but cannot view sensitive customer data in query results. Which Azure SQL feature should they implement?

Full question →

Answer choices

Why each option matters

Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.

A

Distractor review

Dynamic Data Masking

Dynamic Data Masking hides sensitive data in query results for non-privileged users, but DBAs (with the 'UNMASK' permission) can still see the original data.

B

Best answer

Always Encrypted

Always Encrypted encrypts data on the client side, so the database never sees plaintext. DBAs cannot access the encryption keys and therefore cannot view the sensitive data.

C

Distractor review

Transparent Data Encryption

Transparent Data Encryption (TDE) encrypts the database at rest (on disk) but does not protect data from being viewed by users with query permissions, including DBAs.

D

Distractor review

Row-Level Security

Row-Level Security restricts row access based on user context, but a DBA with database owner privileges can bypass the security policy and see all rows.

Common exam trap

Common exam trap: usable hosts are not the same as total addresses

Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets, the network and broadcast addresses are not usable host addresses.

Technical deep dive

How to think about this question

Subnetting questions test whether you can identify the network, broadcast address, usable range, mask and correct subnet. Slow down enough to calculate the block size correctly.

KKey Concepts to Remember

  • CIDR notation defines the prefix length.
  • Block size helps identify subnet boundaries.
  • Network and broadcast addresses are not usable hosts in normal IPv4 subnets.
  • The required host count determines the smallest suitable subnet.

TExam Day Tips

  • Write the block size before choosing the subnet.
  • Check whether the question asks for hosts, subnets or a specific address range.
  • Do not confuse /24, /25, /26 and /27 host counts.

Related practice questions

Related DP-900 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

DP-900 fundamentals practice questions

Practise DP-900 questions linked to DP-900 fundamentals.

DP-900 scenario practice questions

Practise DP-900 questions linked to DP-900 scenario.

DP-900 troubleshooting practice questions

Practise DP-900 questions linked to DP-900 troubleshooting.

More questions from this exam

Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.

Question 1

A data engineer needs to process streaming data from IoT devices and store the results in Azure Data Lake Storage for long-term analytics. The data must be processed in near real-time to detect anomalies and trigger alerts. Which Azure service should the engineer use for stream processing?

Question 2

A data engineer needs to query data stored in CSV files in Azure Data Lake Storage Gen2 using T-SQL in Azure Synapse Analytics, without loading the data into the database. Which feature should they use?

Question 3

A data engineer needs to process raw clickstream data from multiple websites that is stored in Azure Blob Storage as JSON files. The processing must run automatically every hour, transform the data into a structured format for reporting, and handle schema changes in the source data without manual intervention. Which Azure service should be used?

Question 4

A data engineer is designing a data lake architecture in Azure. They plan to first ingest raw data from various sources into a landing zone in Azure Data Lake Storage Gen2. Then they will clean, validate, and deduplicate that data in a second zone. Finally, they will create aggregated, business-ready datasets in a third zone for analysts. This layered approach is known as which architecture?

Question 5

A data engineer needs to transform large datasets stored in Azure Data Lake Storage Gen2 using Python and Apache Spark. They want a serverless compute option that automatically scales and requires no cluster management. Which Azure service should they use?

Question 6

A company collects customer feedback forms. Each form contains always-present fields like CustomerID and SubmissionDate, but also a free-text Comments field and optional fields like Rating or ProductCategory that vary between forms. How should this data be classified?

FAQ

Questions learners often ask

What does this DP-900 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: Always Encrypted — Always Encrypted enables encryption of sensitive data at the column level and ensures that only authorized applications (with access to the encryption keys) can see plaintext data. DBAs without the keys cannot decrypt the data, even though they can manage the database. Dynamic Data Masking only obscures data from certain users, but DBAs with elevated permissions can still view the unmasked values.

What should I do if I get this DP-900 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.

Discussion

Loading comments…

Sign in to join the discussion.