๐Ÿ”’ Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided AZ-305 Domain 2
Domain 2 โ€” Module 3 of 6 50%
10 of 30 overall

AZ-305 Study Guide

Domain 1: Design Identity, Governance, and Monitoring Solutions

  • Monitoring & Logging Design
  • Choosing Authentication Methods
  • Designing Identity Management
  • Authorizing Access to Resources
  • Secrets, Keys & Certificates
  • Governance at Scale
  • Compliance & Identity Governance

Domain 2: Design Data Storage Solutions

  • Relational Data: Choosing Your SQL Platform
  • Database Performance & Scalability
  • Database Security & Compliance
  • Cosmos DB & Semi-Structured Data
  • Blob, Data Lake & Azure Files
  • Data Integration & Analytics

Domain 3: Design Business Continuity Solutions

  • Recovery Objectives: RPO, RTO & SLA Free
  • Backup & Recovery for Compute Free
  • Backup for Databases & Unstructured Data Free
  • High Availability for Compute Free
  • High Availability for Data Free

Domain 4: Design Infrastructure Solutions

  • Compute Design: VMs & When to Use Them
  • Container Solutions: AKS, ACI & Container Apps
  • Serverless & Batch Processing
  • Messaging Architecture
  • Event-Driven Architecture
  • API Integration & Caching
  • App Configuration & Automated Deployment
  • Migration Strategy & Assessment
  • Executing Migrations
  • Network Connectivity: Internet & Hybrid
  • Network Security & Performance
  • Load Balancing & Routing

AZ-305 Study Guide

Domain 1: Design Identity, Governance, and Monitoring Solutions

  • Monitoring & Logging Design
  • Choosing Authentication Methods
  • Designing Identity Management
  • Authorizing Access to Resources
  • Secrets, Keys & Certificates
  • Governance at Scale
  • Compliance & Identity Governance

Domain 2: Design Data Storage Solutions

  • Relational Data: Choosing Your SQL Platform
  • Database Performance & Scalability
  • Database Security & Compliance
  • Cosmos DB & Semi-Structured Data
  • Blob, Data Lake & Azure Files
  • Data Integration & Analytics

Domain 3: Design Business Continuity Solutions

  • Recovery Objectives: RPO, RTO & SLA Free
  • Backup & Recovery for Compute Free
  • Backup for Databases & Unstructured Data Free
  • High Availability for Compute Free
  • High Availability for Data Free

Domain 4: Design Infrastructure Solutions

  • Compute Design: VMs & When to Use Them
  • Container Solutions: AKS, ACI & Container Apps
  • Serverless & Batch Processing
  • Messaging Architecture
  • Event-Driven Architecture
  • API Integration & Caching
  • App Configuration & Automated Deployment
  • Migration Strategy & Assessment
  • Executing Migrations
  • Network Connectivity: Internet & Hybrid
  • Network Security & Performance
  • Load Balancing & Routing
Domain 2: Design Data Storage Solutions Premium โฑ ~15 min read

Database Security & Compliance

TDE, Always Encrypted, dynamic data masking, auditing, and threat detection โ€” design a database security posture that satisfies auditors and protects data at rest and in transit.

Why database security design matters

โ˜• Simple explanation

Database security has three layers: encrypt it, mask it, audit it.

Encrypt: TDE encrypts data on disk. Always Encrypted encrypts specific columns so even DBAs canโ€™t read them. TLS encrypts data in transit.

Mask: Dynamic data masking hides sensitive data from non-privileged users without changing the actual stored data.

Audit: SQL auditing logs who did what. Advanced Threat Protection detects suspicious activity automatically.

Database security architecture for AZ-305 covers data protection mechanisms โ€” distinct from backup/DR (Domain 3) and access control (Domain 1 RBAC):

  • Encryption at rest: Transparent Data Encryption (TDE) โ€” service-managed vs customer-managed keys
  • Encryption in use: Always Encrypted โ€” client-side encryption for sensitive columns
  • Data masking: Dynamic data masking for non-privileged access
  • Auditing: SQL auditing to storage, Log Analytics, or Event Hubs
  • Threat detection: Microsoft Defender for SQL โ€” anomaly detection and vulnerability assessment

Encryption layers

Database Encryption Options
FeatureTDE (Transparent Data Encryption)Always EncryptedTLS in Transit
What it protectsData at rest (files, backups, logs)Specific columns (SSN, credit card, PII)Data moving between app and database
Encryption happensAt the database engine level (transparent to apps)At the client/application (data encrypted before reaching DB)At the connection level (TLS 1.2+)
DBA can read data?Yes โ€” TDE is transparent to queriesNo โ€” DBA sees encrypted values, only app with key can decryptYes โ€” once data reaches the DB, it's decrypted
Key managementService-managed (default) or customer-managed (Key Vault)Column master key in Key Vault or cert storeAutomatic (Azure-managed certificates)
Performance impactMinimal (~3-5%)Moderate โ€” limits query operations on encrypted columnsMinimal
Default in Azure SQL?Yes โ€” enabled by defaultNo โ€” must be configured per columnYes โ€” enforced by default

๐Ÿฆ Elenaโ€™s encryption design:

  • TDE with customer-managed keys (Managed HSM) โ€” satisfies PCI DSS requirement for customer-controlled encryption
  • Always Encrypted on credit card numbers and Social Security Numbers โ€” even Elenaโ€™s DBAs cannot read PII
  • TLS 1.2 enforced on all connections (disable older versions)
๐Ÿ’ก Exam tip: TDE vs Always Encrypted โ€” know the difference

The exam tests whether you understand the protection boundary:

  • TDE: Protects against physical theft of disk/backup files. Does NOT protect data from DBAs or anyone with database access.
  • Always Encrypted: Protects data from the database engine itself. Only the application (with the column master key) can decrypt. Choose this when โ€œeven database administrators should not see sensitive data.โ€

If the scenario says โ€œprotect from unauthorised physical accessโ€ โ†’ TDE. If it says โ€œprotect from privileged insidersโ€ โ†’ Always Encrypted.

Dynamic data masking

Masks sensitive data in query results without changing the stored data:

Mask TypeWhat It ShowsExample (SSN: 123-45-6789)
DefaultXXXX for strings, 0 for numbersXXXX
EmailFirst letter + XXX@XXXX.comaXXX@XXXX.com
Custom stringConfigurable prefix/suffix/paddingXXX-XX-6789
Random numberRandom value in specified range847

Design note: Masking is NOT encryption. Users with UNMASK permission see original values. Itโ€™s a convenience layer for limiting exposure, not a security boundary. For real protection, use Always Encrypted.

Auditing and threat detection

SQL Auditing destinations

DestinationUse CaseRetention
Storage accountLong-term compliance archiveConfigurable lifecycle
Log AnalyticsQuery with KQL, create alertsWorkspace retention settings
Event HubsStream to external SIEM (Splunk, Datadog) or custom pipelineConsumer-controlled

Microsoft Defender for SQL

FeatureWhat It Detects
SQL injection detectionAbnormal query patterns indicating injection attempts
Anomalous accessAccess from unusual locations, unfamiliar principals
Brute forceMultiple failed login attempts
Vulnerability assessmentMisconfigurations, excessive permissions, missing encryption

๐Ÿ›๏ธ Davidโ€™s audit design: CloudPath Advisory configures government databases with:

  • Audit logs to Log Analytics (90-day interactive query for investigations, Microsoft Sentinel for SIEM correlation)
  • Audit logs to Storage (7-year archive for regulatory retention)
  • Defender for SQL enabled on all databases โ€” alerts sent to the security teamโ€™s Teams channel

Knowledge check

Question

What's the key difference between TDE and Always Encrypted?

Click or press Enter to reveal answer

Answer

TDE encrypts data at rest (disk/backups) but is transparent to queries โ€” DBAs can still read data. Always Encrypted encrypts specific columns at the client/app level โ€” even DBAs see only encrypted values. Choose TDE for physical protection, Always Encrypted for insider protection.

Click to flip back
Question

Is dynamic data masking a security boundary?

Click or press Enter to reveal answer

Answer

No. Masking hides data in query results for non-privileged users, but users with UNMASK permission see original values. It's a convenience layer, not a security control. For true data protection, use Always Encrypted (client-side encryption) or restrict access via RBAC.

Click to flip back
Question

Why should you prefer Microsoft Entra authentication over SQL authentication for Azure SQL?

Click or press Enter to reveal answer

Answer

Entra auth provides centralised identity management, MFA support, Conditional Access policies, and eliminates password management in connection strings. SQL auth uses local usernames/passwords that can be shared, leaked, or forgotten. Best practice: disable SQL auth entirely and use Entra-only authentication mode.

Click to flip back
Knowledge Check

๐Ÿฆ Elena's compliance team requires that database administrators cannot read credit card numbers stored in Azure SQL Database, but the payment application must still process them. Which feature should Elena recommend?
Knowledge Check

๐Ÿ›๏ธ David's government client stores classified data in Azure SQL Database. They need an audit trail that captures all SELECT queries on sensitive tables and cannot be tampered with by database administrators. Which combination should David recommend?

๐ŸŽฌ Video coming soon

Next up: Relational databases are secured โ€” now letโ€™s design for non-relational data โ€” Cosmos DB & Semi-Structured Data.

โ† Previous

Database Performance & Scalability

Next โ†’

Cosmos DB & Semi-Structured Data

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.