DP-203 Question #62: Real Exam Question with Answer & Explanation
Question
Drag and Drop Question

You have an Azure Active Directory (Azure AD) tenant that contains a security group named Group1. You have an Azure Synapse Analytics dedicated SQL pool named dw1 that contains a schema named schema1.

You need to grant Group1 read-only permissions to all the tables and views in schema1. The solution must use the principle of least privilege.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.

Answer:
Explanation
To grant an Azure AD group access to a Synapse dedicated SQL pool using least privilege, you must first create a contained database user mapped to the Azure AD group using FROM EXTERNAL PROVIDER (this links the external identity to the database). Next, create a database role (Role1) and grant it SELECT permissions scoped specifically to schema1 (not the entire database, which would violate least privilege). Finally, assign Role1 to the Group1 database user so the permissions flow through the role. This three-step pattern (create user, create scoped role, assign role) is the standard least-privilege approach for Azure Synapse SQL pools.
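
The three steps above written as T-SQL, followed by two catalog queries that confirm the grant is no wider than intended. This is an added example, not part of the original question or its answer key; using sp_addrolemember for the role assignment and the two verification queries are assumptions about how the steps would be carried out.

```sql
-- Added example. Run while connected to dw1 as an Azure AD admin of the pool.
-- Group1, Role1 and schema1 are the names used in the question.

-- Step 1: contained database user mapped to the Azure AD group.
CREATE USER [Group1] FROM EXTERNAL PROVIDER;

-- Step 2: a role whose only permission is SELECT, scoped to schema1.
CREATE ROLE Role1;
GRANT SELECT ON SCHEMA::schema1 TO Role1;
--   Wider alternatives that would not be least privilege:
--     GRANT SELECT TO Role1;                           -- every schema in dw1
--     EXEC sp_addrolemember 'db_datareader', 'Group1'; -- every user table

-- Step 3: Group1 receives the permission only through the role.
EXEC sp_addrolemember 'Role1', 'Group1';

-- Check A: explicit permissions held by the role and by the group user.
-- For Role1, anything other than SELECT on schema1 is wider than intended.
SELECT pr.name      AS grantee,
       pr.type_desc AS grantee_type,
       pe.state_desc,
       pe.permission_name,
       pe.class_desc,
       s.name       AS schema_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
     ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.schemas AS s
     ON pe.class = 3                 -- class 3 = SCHEMA
    AND s.schema_id = pe.major_id
WHERE pr.name IN ('Role1', 'Group1');

-- Check B: every role Group1 belongs to, to catch membership in a
-- broader role (for example db_datareader or db_owner) added elsewhere.
SELECT r.name AS role_name,
       m.name AS member_name,
       m.type_desc AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = 'Group1';
```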