DP-300 Question #247: Real Exam Question with Answer & Explanation

Question

Hotspot Question You have an Azure subscription that is linked to an Azure Active Directory (Azure AD) tenant named contoso.com The subscription contains an Azure SQL database named SQL1 and an Azure web app named app1. App1 has the managed identity feature enabled. You need to create a new database user for app1. How should you complete the Transact-SQL statement? To answer select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Answer:

Options

• __typehotspot
• variantdropdown

Explanation

This question tests your knowledge of creating an Azure AD-based database user in Azure SQL for a managed identity (app1). The correct T-SQL statement must use the FROM EXTERNAL PROVIDER clause to create an external (Azure AD) user.

Approach. The correct T-SQL statement is: CREATE USER [app1] FROM EXTERNAL PROVIDER. The keyword 'FROM EXTERNAL PROVIDER' tells Azure SQL Database that the user account is sourced from Azure Active Directory (not a SQL login), which is required for managed identities and Azure AD users. The user name must match the name of the app service/managed identity (app1). You do NOT use 'WITH PASSWORD' because managed identities authenticate via Azure AD tokens, not passwords. This enables app1 to authenticate to SQL1 using its system-assigned or user-assigned managed identity without storing credentials.

Concept tested. Creating Azure AD external users in Azure SQL Database using T-SQL, specifically using 'CREATE USER [<managed-identity-name>] FROM EXTERNAL PROVIDER' to allow an Azure App Service with a managed identity to authenticate to Azure SQL without credentials.

Reference. https://learn.microsoft.com/en-us/azure/app-service/tutorial-connect-msi-azure-database?tabs=sqldatabase#grant-permissions-to-managed-identity

No community discussion yet for this question.