AZ-305 Question #329: Real Exam Question with Answer & Explanation
This question tests knowledge of Azure SQL data protection features: Dynamic Data Masking (DDM) for restricting data visibility to certain users, and Always Encrypted for preventing privileged users (including cloud admins) from seeing sensitive data.
Question
Hotspot question

You have an Azure subscription. The subscription contains an Azure SQL managed instance that stores employee details, including social security numbers and phone numbers.

You need to configure the managed instance to meet the following requirements:

- The helpdesk team must see only the last four digits of an employee's phone number.
- Cloud administrators must be prevented from seeing the employee's social security numbers.

What should you enable for each column in the managed instance? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:

- Phone number column: Dynamic Data Masking
- Social security number column: Always Encrypted
Explanation
Approach. For the phone number column, enable Dynamic Data Masking (DDM). DDM rewrites the column in query results for users who lack the UNMASK permission, so a helpdesk user sees a partial mask such as XXX-XXX-4567 (the partial() masking function lets you keep the last four characters and pad the rest with a fixed string), while the stored value is unchanged and users who hold UNMASK, or who are members of db_owner, see the full number. For the social security number (SSN) column, enable Always Encrypted. With Always Encrypted the client driver encrypts the value before it leaves the application and decrypts it only on the client; the database engine stores ciphertext and never holds the column encryption key, which is itself wrapped by a column master key kept outside the database (Azure Key Vault or a client certificate store). Anyone whose access is limited to database or Azure administrative rights, including DBAs and cloud administrators, sees varbinary ciphertext. DDM would not satisfy the SSN requirement: the data is stored in plaintext, db_owner members and anyone granted UNMASK read it unmasked, and even a masked user can infer values with predicates such as WHERE Ssn LIKE '123%'. DDM is an output-obfuscation convenience, not a security boundary against privileged users; of the two features, only Always Encrypted keeps plaintext away from the platform's administrators.
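The following T-SQL is an added example and is not part of the exam question or of Microsoft's documentation. It configures both columns on one table to show how the two features behave side by side. All object names (dbo.Employee, PhoneNumber, Ssn, HelpdeskUser, CMK_Employee, CEK_Employee), the Key Vault URL and the ENCRYPTED_VALUE blob are assumptions or placeholders; the wrapped key bytes in particular can only be produced by a client that can reach the vault, not by hand.

```sql
-- Added example, not from the exam page. Assumed names: dbo.Employee,
-- PhoneNumber, Ssn, HelpdeskUser, CMK_Employee, CEK_Employee; the vault URL
-- and the 0x<...> blob are placeholders.

---------------------------------------------------------------------------
-- 1. Always Encrypted key hierarchy. The column master key (CMK) lives in
--    Azure Key Vault; the database stores only a pointer to it.
---------------------------------------------------------------------------
CREATE COLUMN MASTER KEY CMK_Employee
WITH (
    KEY_STORE_PROVIDER_NAME = N'AZURE_KEY_VAULT',
    KEY_PATH = N'https://<vault-name>.vault.azure.net/keys/<key-name>/<key-version>'
);

-- The column encryption key (CEK) is stored already wrapped by the CMK.
-- ENCRYPTED_VALUE must come from a client that can unwrap with the CMK
-- (SSMS Always Encrypted Keys wizard, or New-SqlColumnEncryptionKey in the
-- SqlServer PowerShell module). The engine itself cannot create or unwrap it,
-- which is exactly why SQL administrators never see plaintext.
CREATE COLUMN ENCRYPTION KEY CEK_Employee
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Employee,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x<wrapped-CEK-bytes-generated-by-tooling>
);

---------------------------------------------------------------------------
-- 2. Table: DDM on the phone number, Always Encrypted on the SSN.
---------------------------------------------------------------------------
CREATE TABLE dbo.Employee
(
    EmployeeId  INT IDENTITY(1,1) PRIMARY KEY,
    FullName    NVARCHAR(100) NOT NULL,

    -- partial(prefix, padding, suffix): expose 0 leading characters, pad
    -- with a fixed string, expose the last 4. 555-123-4567 -> XXX-XXX-4567.
    PhoneNumber VARCHAR(20)
        MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)') NULL,

    -- RANDOMIZED: the same SSN produces different ciphertext each time, so
    -- someone holding the table cannot run frequency analysis or match it
    -- against a list of known SSNs (only 10^9 possible values). Use
    -- DETERMINISTIC (with a *_BIN2 collation) only if the application must
    -- filter or join on equality.
    Ssn         CHAR(11)
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = CEK_Employee,
            ENCRYPTION_TYPE = RANDOMIZED,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
        ) NOT NULL
);

---------------------------------------------------------------------------
-- 3. Writing to the encrypted column. This must run on a connection with
--    Column Encryption Setting=Enabled (in SSMS also enable "Parameterization
--    for Always Encrypted"), so the driver turns @Ssn into a parameter and
--    encrypts it client-side. The same INSERT on an ordinary connection fails,
--    because the engine has no key with which to encrypt a literal.
---------------------------------------------------------------------------
DECLARE @Ssn CHAR(11) = '123-45-6789';
INSERT INTO dbo.Employee (FullName, PhoneNumber, Ssn)
VALUES (N'Ada Lovelace', '555-123-4567', @Ssn);

---------------------------------------------------------------------------
-- 4. Helpdesk principal: SELECT, but no UNMASK.
---------------------------------------------------------------------------
CREATE USER HelpdeskUser WITHOUT LOGIN;
GRANT SELECT ON dbo.Employee TO HelpdeskUser;

-- As helpdesk, on an ordinary connection: PhoneNumber is masked to
-- XXX-XXX-4567 and Ssn is varbinary ciphertext.
EXECUTE AS USER = 'HelpdeskUser';
SELECT FullName, PhoneNumber, Ssn FROM dbo.Employee;

-- Caveat: DDM filters on the stored plaintext, so a masked user can still
-- probe values with predicates. DDM is not a confidentiality control.
SELECT COUNT(*) FROM dbo.Employee WHERE PhoneNumber LIKE '555-123%';
REVERT;

-- As a db_owner or instance administrator on an ordinary connection:
-- PhoneNumber is unmasked (DDM never applies to db_owner), but Ssn is STILL
-- ciphertext. Reading it needs Column Encryption Setting=Enabled plus
-- unwrap rights on the Key Vault key (e.g. the Key Vault Crypto User role),
-- which Key Vault RBAC grants independently of any SQL permission.
SELECT FullName, PhoneNumber, Ssn FROM dbo.Employee;

---------------------------------------------------------------------------
-- 5. Verify the configuration from the catalog views.
---------------------------------------------------------------------------
SELECT name, masking_function
FROM sys.masked_columns
WHERE object_id = OBJECT_ID('dbo.Employee');

SELECT c.name, c.encryption_type_desc, c.encryption_algorithm_name, cek.name AS cek_name
FROM sys.columns AS c
JOIN sys.column_encryption_keys AS cek
  ON cek.column_encryption_key_id = c.column_encryption_key_id
WHERE c.object_id = OBJECT_ID('dbo.Employee');
```

The two catalog queries are the quickest check that each column got the intended control: the phone number should appear in sys.masked_columns with the partial() function, and the SSN should show encryption_type_desc = RANDOMIZED bound to CEK_Employee. Separating who can read the Key Vault key (Azure RBAC) from who administers the managed instance (SQL permissions) is what actually satisfies the "cloud administrators must be prevented" requirement; an administrator who is granted both roles can of course still decrypt.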
Concept tested. The difference between Dynamic Data Masking, which only obscures column values in query output for users without UNMASK and leaves the stored data in plaintext that administrators can read, and Always Encrypted, which encrypts in the client driver with keys the database engine never holds, so that database and cloud administrators cannot recover the plaintext.
Reference. https://learn.microsoft.com/en-us/azure/azure-sql/database/dynamic-data-masking-overview and https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine