Microsoft Microsoft Certifications DP-300 Questions & Answers

• Question 121:

  You are designing a security model for an Azure Synapse Analytics dedicated SQL pool that will support multiple companies.

  You need to ensure that users from each company can view only the data of their respective company.

  Which two objects should you include in the solution? Each correct answer presents part of the solution.

  NOTE: Each correct selection is worth one point.

  A. a column encryption key

  B. asymmetric keys

  C. a function

  D. a custom role-based access control (RBAC) role

  E. a security policy

  Correct Answer: DE

  Azure RBAC is used to manage who can create, update, or delete the Synapse workspace and its SQL pools, Apache Spark pools, and Integration runtimes.

  Define and implement network security configurations for resources related to your dedicated SQL pool with Azure Policy.

  Reference: https://docs.microsoft.com/en-us/azure/synapse-analytics/security/synapse-workspace-synapse-rbac https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/synapse-analytics-security-baseline

• Question 122:

  You have an Azure subscription that contains an Azure Data Factory version 2 (V2) data factory named df1. DF1 contains a linked service.

  You have an Azure Key vault named vault1 that contains an encryption kay named key1.

  You need to encrypt df1 by using key1.

  What should you do first?

  A. Disable purge protection on vault1.

  B. Remove the linked service from df1.

  C. Create a self-hosted integration runtime.

  D. Disable soft delete on vault1.

  Correct Answer: B

  A customer-managed key can only be configured on an empty data Factory. The data factory can't contain any resources such as linked services, pipelines and data flows. It is recommended to enable customer- managed key right after

  factory creation.

  Note: Azure Data Factory encrypts data at rest, including entity definitions and any data cached while runs are in progress. By default, data is encrypted with a randomly generated Microsoft-managed key that is uniquely assigned to your data

  factory.

  Incorrect Answers:

  A, D: Should enable Soft Delete and Do Not Purge on Azure Key Vault. Using customer-managed keys with Data Factory requires two properties to be set on the Key Vault, Soft Delete and Do Not Purge. These properties can be enabled

  using either PowerShell or Azure CLI on a new or existing key vault.

  Reference:

  https://docs.microsoft.com/en-us/azure/data-factory/enable-customer-managed-key

• Question 123:

  You have an Azure virtual machine named VM1 on a virtual network named VNet1. Outbound traffic from VM1 to the internet is blocked.

  You have an Azure SQL database named SqlDb1 on a logical server named SqlSrv1.

  You need to implement connectivity between VM1 and SqlDb1 to meet the following requirements:

  1.

  Ensure that VM1 cannot connect to any Azure SQL Server other than SqlSrv1.

  2.

  Restrict network connectivity to SqlSrv1. What should you create on VNet1?

  A. a VPN gateway

  B. a service endpoint

  C. a private link

  D. an ExpressRoute gateway

  Correct Answer: C

  Azure Private Link enables you to access Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure hosted customer-owned/partner services over a private endpoint in your virtual network.

  Traffic between your virtual network and the service travels the Microsoft backbone network. Exposing your service to the public internet is no longer necessary.

  Reference:

  https://docs.microsoft.com/en-us/azure/private-link/private-link-overview

• Question 124:

  You are developing an application that uses Azure Data Lake Storage Gen 2.

  You need to recommend a solution to grant permissions to a specific application for a limited time period.

  What should you include in the recommendation?

  A. role assignments

  B. account keys

  C. shared access signatures (SAS)

  D. Azure Active Directory (Azure AD) identities

  Correct Answer: C

  A shared access signature (SAS) provides secure delegated access to resources in your storage account. With a SAS, you have granular control over how a client can access your data. For example:

  What resources the client may access.

  What permissions they have to those resources.

  How long the SAS is valid.

  Note: Data Lake Storage Gen2 supports the following authorization mechanisms:

  1.

  Shared Key authorization

  2.

  Shared access signature (SAS) authorization

  3.

  Role-based access control (Azure RBAC)

  Access control lists (ACL) Data Lake Storage Gen2 supports the following authorization mechanisms:

  1.

  Shared Key authorization

  2.

  Shared access signature (SAS) authorization

  3.

  Role-based access control (Azure RBAC)

  4.

  Access control lists (ACL)

  Reference:

  https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview

• Question 125:

  You have an Azure virtual machine named VM1 on a virtual network named VNet1. Outbound traffic from VM1 to the internet is blocked.

  You have an Azure SQL database named SqlDb1 on a logical server named SqlSrv1.

  You need to implement connectivity between VM1 and SqlDb1 to meet the following requirements:

  1.

  Ensure that all traffic to the public endpoint of SqlSrv1 is blocked.

  2.

  Minimize the possibility of VM1 exfiltrating data stored in SqlDb1. What should you create on VNet1?

  A. a VPN gateway

  B. a service endpoint

  C. a private link

  D. an ExpressRoute gateway

  Correct Answer: C

  Azure Private Link enables you to access Azure PaaS Services (for example, Azure Storage and SQL Database) and Azure hosted customer-owned/partner services over a private endpoint in your virtual network.

  Traffic between your virtual network and the service travels the Microsoft backbone network. Exposing your service to the public internet is no longer necessary.

  Reference:

  https://docs.microsoft.com/en-us/azure/private-link/private-link-overview

• Question 126:

  You have 40 Azure SQL databases, each for a different customer. All the databases reside on the same Azure SQL Database server.

  You need to ensure that each customer can only connect to and access their respective database.

  Which two actions should you perform? Each correct answer presents part of the solution.

  NOTE: Each correct selection is worth one point.

  A. Implement row-level security (RLS).

  B. Create users in each database.

  C. Configure the database firewall.

  D. Configure the server firewall.

  E. Create logins in the master database.

  F. Implement Always Encrypted.

  Correct Answer: BC

  To ensure that each customer can only connect to and access their respective database in Azure SQL, you should perform the following two actions:

  B. Create users in each database: Creating separate users for each customer in their respective databases allows you to control access at the database level. Each user will have its own set of permissions and can only connect to and access their assigned database.

  C. Configure the database firewall: The database firewall provides an additional layer of security by controlling the incoming connections to the Azure SQL Database server. By configuring the database firewall, you can define IP address ranges or individual IP addresses that are allowed to connect to each database. This ensures that only authorized connections from specific sources can access the databases.

  Therefore, the correct actions to perform are B. Create users in each database and C. Configure the database firewall.

• Question 127:

  You have a new Azure SQL database. The database contains a column that stores confidential information.

  You need to track each time values from the column are returned in a query. The tracking information must be stored for 365 days from the date the query was executed.

  Which three actions should you perform? Each correct answer presents part of the solution.

  NOTE: Each correct selection is worth one point.

  A. Turn on auditing and write audit logs to an Azure Storage account.

  B. Add extended properties to the column.

  C. Turn on Advanced Data Security for the Azure SQL server.

  D. Apply sensitivity labels named Highly Confidential to the column.

  E. Turn on Azure Advanced Threat Protection (ATP).

  Correct Answer: ACD

  C: Advanced Data Security (ADS) is a unified package for advanced SQL security capabilities. ADS is available for Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics. It includes functionality for discovering and classifying sensitive data

  D: You can apply sensitivity-classification labels persistently to columns by using new metadata attributes that have been added to the SQL Server database engine. This metadata can then be used for advanced, sensitivity-based auditing and protection scenarios.

  A: An important aspect of the information-protection paradigm is the ability to monitor access to sensitive data. Azure SQL Auditing has been enhanced to include a new field in the audit log called data_sensitivity_information. This field logs the sensitivity classifications (labels) of the data that was returned by a query. Here's an example:

  

  Reference: https://docs.microsoft.com/en-us/azure/azure-sql/database/data-discovery-and-classification-overview

• Question 128:

  You have an Azure Synapse Analytics dedicated SQL pool.

  You run PDW_SHOWSPACEUSED('dbo.FactInternetSales'); and get the results shown in the following table.

  

  Which statement accurately describes the dbo.FactInternetSales table?

  A. The table contains less than 10,000 rows.

  B. All distributions contain data.

  C. The table uses round-robin distribution

  D. The table is skewed.

  Correct Answer: D

  The rows per distribution can vary up to 10% without a noticeable impact on performance. Here the distribution varies more than 10%. It is skewed.

  Note: SHOWSPACEUSED displays the number of rows, disk space reserved, and disk space used for a specific table, or for all tables in a Azure Synapse Analytics or Parallel Data Warehouse database. This is a very quick and simple way to

  see the number of table rows that are stored in each of the 60 distributions of your database. Remember that for the most balanced performance, the rows in your distributed table should be spread evenly across all the distributions.

  ROUND_ROBIN distributed tables should not be skewed. Data is distributed evenly across the nodes by design.

  Reference:

  https://docs.microsoft.com/en-us/azure/synapse-analytics/sql-data-warehouse/sql-data-warehouse-tables- distribute

  https://github.com/rgl/azure-content/blob/master/articles/sql-data-warehouse/sql-data-warehouse-manage- distributed-data-skew.md

• Question 129:

  You manage an enterprise data warehouse in Azure Synapse Analytics.

  Users report slow performance when they run commonly used queries. Users do not report performance changes for infrequently used queries.

  You need to monitor resource utilization to determine the source of the performance issues.

  Which metric should you monitor?

  A. Local tempdb percentage

  B. DWU percentage

  C. Data Warehouse Units (DWU) used

  D. Cache hit percentage

  Correct Answer: D

  Could be low cache hit ratio, because infrequent queries were already slower, so they don't notice any difference, but regular queries do now.

  Could also be tempdb as suggested, but then infrequent queries would also be affected depending on the query.

  Out of the options and unknowns, I would choose cache hit ratio.

• Question 130:

  You have an Azure Synapse Analytics dedicated SQL pool named Pool1 and a database named DB1.

  DB1 contains a fact table named Table.

  You need to identify the extent of the data skew in Table1.

  What should you do in Synapse Studio?

  A. Connect to Pool1 and query sys.dm_pdw_nodes_db_partition_stats.

  B. Connect to the built-in pool and run DBCC CHECKALLOC.

  C. Connect to Pool1 and run DBCC CHECKALLOC.

  D. Connect to the built-in pool and query sys.dm_pdw_nodes_db_partition_stats.

  Correct Answer: D

  Use sys.dm_pdw_nodes_db_partition_stats to analyze any skewness in the data.

  Reference: https://docs.microsoft.com/en-us/azure/synapse-analytics/sql-data-warehouse/cheat-sheet