DP-300 Study Guide

Domain 1: Plan and Implement Data Platform Resources

  • Choose Your Azure SQL Platform
  • Deploy and Configure Azure SQL
  • Scale, Performance, and Compression
  • Migration Planning: Online vs Offline
  • Execute and Troubleshoot Migrations

Domain 2: Implement a Secure Environment

  • Entra Authentication for Azure SQL
  • Security Principals, Permissions, and T-SQL
  • Encryption: TDE, Always Encrypted, and VBS Enclaves
  • Network Security: Firewalls, Private Links, and Endpoints
  • Data Classification and Auditing
  • Data Masking, Ledger, and Row-Level Security

Domain 3: Monitor, Configure, and Optimize Database Resources

  • Performance Baselines and Monitoring Tools
  • Database Watcher and Extended Events
  • Query Store: Configure and Monitor
  • Blocking, DMVs, and Execution Plans
  • Index and Query Optimization
  • Database Maintenance: Indexes, Statistics, and Integrity
  • Automatic Tuning and Performance Settings

Domain 4: Configure and Manage Automation of Tasks

  • Automation Landscape: What Runs Where
  • SQL Server Agent Jobs
  • Deploy with ARM, Bicep, PowerShell, and CLI
  • Elastic Jobs and Azure Automation

Domain 5: Plan and Configure an HA/DR Environment

  • HA/DR Strategy: RPO, RTO, and Architecture
  • Backup and Restore: Strategy and Native Tools
  • Point-in-Time Restore, LTR, and Cloud Backup
  • Geo-Replication and Failover Groups
  • Always On: Availability Groups and FCIs
  • Log Shipping and HA/DR Operations

Domain 2: Implement a Secure Environment

Data Classification and Auditing

Apply data classification strategies, configure server and database audits, and implement change data tracking for compliance in Azure SQL.

Compliance controls

☕ Simple explanation

Think of compliance like running a hospital ward.

Data classification is labelling every medicine cabinet — “Controlled Substance,” “General Use,” “Patient Data.” You need to know what’s sensitive before you can protect it.

Auditing is the security camera — it records who accessed what, when, and from where. If something goes wrong, you review the footage.

Change data tracking is the medication log — it records every change to the prescription, not just the current state. You can trace exactly what changed and when.

Compliance requires three capabilities: knowing where sensitive data lives (classification), recording who accessed it (auditing), and tracking how it changed (change tracking).

Data classification

Azure SQL Database and MI include built-in data discovery and classification:

How it works

  1. Automatic discovery — Azure scans column names and content to suggest classifications
  2. Manual labelling — you confirm or add classifications
  3. Labels and types — each column gets an information type (e.g., “Financial”) and sensitivity label (e.g., “Confidential”)

Built-in sensitivity labels

| Label | Use For |
| --- | --- |
| Public | Non-sensitive data |
| General | Internal business data |
| Confidential | Sensitive business data |
| Highly Confidential | Regulated data (PII, PHI, financial) |

Amara’s workflow at Harbour Health:

  1. Navigate to the database in Azure Portal → Data Discovery & Classification
  2. Review Azure’s recommendations (it detected SSN, email, and date of birth columns)
  3. Accept recommendations and manually add any missed columns
  4. Export the classification report for compliance auditors

-- Add classification via T-SQL
ADD SENSITIVITY CLASSIFICATION TO dbo.Patients.SSN
WITH (LABEL = 'Highly Confidential', LABEL_ID = '...',
      INFORMATION_TYPE = 'National ID', INFORMATION_TYPE_ID = '...');

-- View classifications
SELECT * FROM sys.sensitivity_classifications;

ℹ️ Classification and Microsoft Purview

For organisations using Microsoft Purview, sensitivity labels defined in Purview can be applied to Azure SQL columns. This creates a unified classification system across databases, files, and other data stores.

The exam focuses on Azure SQL’s built-in classification feature. Purview integration is a bonus topic.

SQL auditing

Auditing records database events to an audit log for security analysis and compliance.

Azure SQL Database auditing

| Setting | Options |
| --- | --- |
| Where to store logs | Azure Blob Storage, Log Analytics workspace, or Event Hub |
| Server-level audit | Applies to all databases on the server |
| Database-level audit | Applies to a specific database only |
| What’s logged | Successful/failed logins, data access, schema changes, permission changes |

Configuration via Azure Portal:

  1. Navigate to SQL server → Auditing
  2. Enable auditing
  3. Choose destination: Storage, Log Analytics, or Event Hub
  4. Select audit actions (BATCH_COMPLETED_GROUP, SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, etc.)

-- Create a server audit (SQL Server on VMs; Managed Instance audits use TO URL instead of TO FILE)
CREATE SERVER AUDIT NorthStarAudit
TO FILE (FILEPATH = 'C:\AuditLogs\', MAXSIZE = 100 MB);

ALTER SERVER AUDIT NorthStarAudit WITH (STATE = ON);

-- Create a database audit specification (run in the database that holds dbo.Patients)
CREATE DATABASE AUDIT SPECIFICATION PatientDataAudit
FOR SERVER AUDIT NorthStarAudit
ADD (SELECT ON dbo.Patients BY PUBLIC)
WITH (STATE = ON);

Querying audit logs

In Log Analytics (KQL):

AzureDiagnostics
| where Category == "SQLSecurityAuditEvents"
| where action_name_s == "SELECT"
| where object_name_s == "Patients"
| project TimeGenerated, server_principal_name_s, client_ip_s, statement_s
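
For the file-target audit created earlier (NorthStarAudit and PatientDataAudit), the same review can be done in T-SQL. This is an added example, not part of the original guide; it assumes the audit files are still under C:\AuditLogs\ and that the first two queries run on the instance and in the database where the audit objects were created.

```sql
-- Added example: verify the audit is live, then summarise reads of dbo.Patients.

-- 1) Is the server audit actually running, and where is it writing?
SELECT  name, status_desc, audit_file_path
FROM    sys.dm_server_audit_status
WHERE   name = N'NorthStarAudit';

-- 2) What does the database audit specification cover?
SELECT  das.name                        AS specification,
        das.is_state_enabled,
        d.audit_action_name,
        OBJECT_SCHEMA_NAME(d.major_id)  AS schema_name,
        OBJECT_NAME(d.major_id)         AS object_name,
        USER_NAME(d.audited_principal_id) AS audited_principal
FROM    sys.database_audit_specifications AS das
JOIN    sys.database_audit_specification_details AS d
          ON d.database_specification_id = das.database_specification_id
WHERE   das.name = N'PatientDataAudit';

-- 3) Who read dbo.Patients, how often, and over what period?
--    action_id 'SL' is SELECT; event_time is recorded in UTC.
SELECT  f.server_principal_name,
        COUNT(*)          AS select_events,
        MIN(f.event_time) AS first_read_utc,
        MAX(f.event_time) AS last_read_utc
FROM    sys.fn_get_audit_file(N'C:\AuditLogs\*.sqlaudit', DEFAULT, DEFAULT) AS f
WHERE   f.action_id   = 'SL'
  AND   f.schema_name = 'dbo'
  AND   f.object_name = 'Patients'
GROUP BY f.server_principal_name
ORDER BY select_events DESC;
```

An audit that shows a status other than STARTED in the first query, or a specification with is_state_enabled = 0 in the second, records nothing, so an empty result from the third query is only meaningful once both checks pass.
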

Server Audit vs Database Audit

| Aspect | Server-level Audit | Database-level Audit |
| --- | --- | --- |
| Scope | All databases on the server | Specific database |
| Where configured | On the logical server | On the individual database |
| Actions | Server events + all DB events | Database-specific events |
| Both enabled? | Both run independently | Both run independently |
| Best for | Baseline compliance across all DBs | Extra auditing on sensitive databases |

💡 Exam tip: audit log destinations
  • Blob Storage — cheapest, best for long-term retention and compliance archives
  • Log Analytics — best for querying and analysis (KQL), alerting, dashboards
  • Event Hub — best for real-time streaming to SIEM systems (Sentinel, Splunk)

You can send audit logs to multiple destinations simultaneously. The exam may ask which destination to use for “real-time security alerting” (Event Hub + SIEM) vs “quarterly compliance review” (Blob Storage).

Change data tracking (CDC and CT)

Two mechanisms for tracking data changes:

Change Tracking (CT)

  • Lightweight — tracks WHICH rows changed, not WHAT changed
  • Returns current version of changed rows
  • Good for sync scenarios (mobile apps, distributed caches)

-- Enable change tracking on database
ALTER DATABASE NorthStarERP SET CHANGE_TRACKING = ON
(CHANGE_RETENTION = 7 DAYS, AUTO_CLEANUP = ON);

-- Enable on a table
ALTER TABLE dbo.Orders ENABLE CHANGE_TRACKING;

-- Query changes since version 5
SELECT * FROM CHANGETABLE(CHANGES dbo.Orders, 5) AS CT;
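
A fuller sync pattern around the CHANGETABLE query above, as an added example that is not part of the original guide. It assumes dbo.Orders has a primary key column named OrderID (hypothetical) and shows the case the one-line query misses: a client whose stored version is older than the retention window.

```sql
-- Added example: incremental sync with Change Tracking.
-- Assumption: OrderID is the primary key of dbo.Orders (hypothetical name).
-- For a consistent result, run this under snapshot isolation in one transaction.

DECLARE @last_sync bigint = 5;  -- version the client stored after its previous sync
DECLARE @min_valid bigint = CHANGE_TRACKING_MIN_VALID_VERSION(OBJECT_ID(N'dbo.Orders'));
DECLARE @current   bigint = CHANGE_TRACKING_CURRENT_VERSION();

IF @min_valid IS NULL
BEGIN
    -- NULL means change tracking is not enabled on the table.
    RAISERROR(N'Change tracking is not enabled on dbo.Orders.', 16, 1);
END
ELSE IF @last_sync < @min_valid
BEGIN
    -- Auto cleanup (CHANGE_RETENTION = 7 DAYS) has already removed changes the
    -- client never saw. An incremental result would silently miss rows, so the
    -- client must reload the whole table and restart from @current.
    SELECT 'FULL_RELOAD' AS sync_mode, @current AS next_sync_version;
END
ELSE
BEGIN
    -- CT stores only keys and versions, so join back to the table for the
    -- current column values. Deleted rows (operation 'D') have no match.
    SELECT  'INCREMENTAL'            AS sync_mode,
            @current                 AS next_sync_version,
            ct.SYS_CHANGE_OPERATION,  -- I = insert, U = update, D = delete
            ct.SYS_CHANGE_VERSION,
            ct.OrderID               AS changed_order_id,
            o.*
    FROM    CHANGETABLE(CHANGES dbo.Orders, @last_sync) AS ct
    LEFT JOIN dbo.Orders AS o ON o.OrderID = ct.OrderID
    ORDER BY ct.SYS_CHANGE_VERSION;
END;
```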

Change Data Capture (CDC)

  • Records the FULL before/after values of changed rows
  • Creates shadow tables with change history
  • Good for auditing, data warehousing, and regulatory compliance
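
-- Enable CDC on the database (MI and SQL on VMs)
EXEC sys.sp_cdc_enable_db;

-- Enable on a table
EXEC sys.sp_cdc_enable_table
  @source_schema = 'dbo',
  @source_name = 'Patients',
  @role_name = 'cdc_reader';

-- Query changes across the full LSN range currently held for the capture instance
DECLARE @from_lsn binary(10) = sys.fn_cdc_get_min_lsn('dbo_Patients');
DECLARE @to_lsn   binary(10) = sys.fn_cdc_get_max_lsn();
SELECT * FROM cdc.fn_cdc_get_all_changes_dbo_Patients(@from_lsn, @to_lsn, 'all');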
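
To see the before and after values side by side for an audit review, the change function has to be called with the 'all update old' filter and the two update rows paired up. This is an added example, not part of the original guide; PatientID is a hypothetical key column and the one-day window is constructed.

```sql
-- Added example: before/after values of updates to dbo.Patients in a time window.
-- Assumptions: capture instance dbo_Patients (the default name for dbo.Patients),
-- PatientID is a hypothetical key column, SSN is the column classified earlier.

DECLARE @start    datetime   = DATEADD(DAY, -1, GETDATE());  -- constructed window
DECLARE @min_lsn  binary(10) = sys.fn_cdc_get_min_lsn('dbo_Patients');
DECLARE @to_lsn   binary(10) = sys.fn_cdc_get_max_lsn();
DECLARE @from_lsn binary(10) =
        sys.fn_cdc_map_time_to_lsn('smallest greater than or equal', @start);

IF @from_lsn IS NULL
    PRINT 'No changes captured since the start of the window.';
ELSE
BEGIN
    -- An LSN below the capture instance's minimum makes the change function
    -- fail with a misleading "insufficient number of arguments" error, so
    -- clamp the range to what CDC still holds. Changes older than @min_lsn
    -- have already been removed by cleanup.
    IF @from_lsn < @min_lsn SET @from_lsn = @min_lsn;

    -- 'all update old' returns two rows per update:
    --   __$operation = 3 (values before) and 4 (values after).
    -- Both rows share __$start_lsn and __$seqval, which is the pairing key.
    SELECT  sys.fn_cdc_map_lsn_to_time(b.__$start_lsn) AS changed_at,
            b.PatientID,
            b.SSN AS ssn_before,
            a.SSN AS ssn_after
    FROM    cdc.fn_cdc_get_all_changes_dbo_Patients(@from_lsn, @to_lsn, N'all update old') AS b
    JOIN    cdc.fn_cdc_get_all_changes_dbo_Patients(@from_lsn, @to_lsn, N'all update old') AS a
              ON a.__$start_lsn = b.__$start_lsn
             AND a.__$seqval    = b.__$seqval
    WHERE   b.__$operation = 3
      AND   a.__$operation = 4
    ORDER BY b.__$start_lsn, b.__$seqval;
END;
```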

Change Tracking vs Change Data Capture

| Feature | Change Tracking (CT) | Change Data Capture (CDC) |
| --- | --- | --- |
| What it records | Which rows changed (IDs + version) | Full before/after values |
| Storage overhead | Low | Higher (shadow tables) |
| Requires SQL Agent | No | Yes (cleanup jobs) |
| Azure SQL DB support | Yes | Yes |
| MI support | Yes | Yes |
| Best for | Sync, cache invalidation | Auditing, data warehousing, compliance |

Question: What is the difference between Change Tracking and Change Data Capture?

Answer: Change Tracking records WHICH rows changed (lightweight, for sync). CDC records the FULL before/after values of changes (heavier, for auditing and compliance).

Question: Where can Azure SQL audit logs be stored?

Answer: Three destinations: Azure Blob Storage (long-term archive), Log Analytics workspace (KQL queries and alerts), Event Hub (real-time streaming to SIEM). You can use multiple simultaneously.

Question: What does Azure SQL data classification do?

Answer: Discovers and labels sensitive columns in your database with information types and sensitivity labels. Helps identify where PII, financial data, and health records live for compliance.

Knowledge Check

Amara needs to track every time patient records are read by any user, with details available for quarterly compliance audits. Where should she send audit logs?

Knowledge Check

Kenji needs to replicate order changes to a data warehouse, including the before and after values of each update. Which feature should he enable?


Next up: Data Masking, Ledger, and Row-Level Security — control who sees what data with masking, verify data integrity with ledger, and enforce row-level access.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.