πŸ”’ Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided DP-300 Domain 2
Domain 2 β€” Module 1 of 6 17%
6 of 28 overall

DP-300 Study Guide

Domain 1: Plan and Implement Data Platform Resources

  • Choose Your Azure SQL Platform Free
  • Deploy and Configure Azure SQL Free
  • Scale, Performance, and Compression Free
  • Migration Planning: Online vs Offline Free
  • Execute and Troubleshoot Migrations Free

Domain 2: Implement a Secure Environment

  • Entra Authentication for Azure SQL
  • Security Principals, Permissions, and T-SQL
  • Encryption: TDE, Always Encrypted, and VBS Enclaves
  • Network Security: Firewalls, Private Links, and Endpoints
  • Data Classification and Auditing
  • Data Masking, Ledger, and Row-Level Security

Domain 3: Monitor, Configure, and Optimize Database Resources

  • Performance Baselines and Monitoring Tools
  • Database Watcher and Extended Events
  • Query Store: Configure and Monitor
  • Blocking, DMVs, and Execution Plans
  • Index and Query Optimization
  • Database Maintenance: Indexes, Statistics, and Integrity
  • Automatic Tuning and Performance Settings

Domain 4: Configure and Manage Automation of Tasks

  • Automation Landscape: What Runs Where
  • SQL Server Agent Jobs
  • Deploy with ARM, Bicep, PowerShell, and CLI
  • Elastic Jobs and Azure Automation

Domain 5: Plan and Configure an HA/DR Environment

  • HA/DR Strategy: RPO, RTO, and Architecture
  • Backup and Restore: Strategy and Native Tools
  • Point-in-Time Restore, LTR, and Cloud Backup
  • Geo-Replication and Failover Groups
  • Always On: Availability Groups and FCIs
  • Log Shipping and HA/DR Operations

DP-300 Study Guide

Domain 1: Plan and Implement Data Platform Resources

  • Choose Your Azure SQL Platform Free
  • Deploy and Configure Azure SQL Free
  • Scale, Performance, and Compression Free
  • Migration Planning: Online vs Offline Free
  • Execute and Troubleshoot Migrations Free

Domain 2: Implement a Secure Environment

  • Entra Authentication for Azure SQL
  • Security Principals, Permissions, and T-SQL
  • Encryption: TDE, Always Encrypted, and VBS Enclaves
  • Network Security: Firewalls, Private Links, and Endpoints
  • Data Classification and Auditing
  • Data Masking, Ledger, and Row-Level Security

Domain 3: Monitor, Configure, and Optimize Database Resources

  • Performance Baselines and Monitoring Tools
  • Database Watcher and Extended Events
  • Query Store: Configure and Monitor
  • Blocking, DMVs, and Execution Plans
  • Index and Query Optimization
  • Database Maintenance: Indexes, Statistics, and Integrity
  • Automatic Tuning and Performance Settings

Domain 4: Configure and Manage Automation of Tasks

  • Automation Landscape: What Runs Where
  • SQL Server Agent Jobs
  • Deploy with ARM, Bicep, PowerShell, and CLI
  • Elastic Jobs and Azure Automation

Domain 5: Plan and Configure an HA/DR Environment

  • HA/DR Strategy: RPO, RTO, and Architecture
  • Backup and Restore: Strategy and Native Tools
  • Point-in-Time Restore, LTR, and Cloud Backup
  • Geo-Replication and Failover Groups
  • Always On: Availability Groups and FCIs
  • Log Shipping and HA/DR Operations
Domain 2: Implement a Secure Environment Premium ⏱ ~14 min read

Entra Authentication for Azure SQL

Configure Microsoft Entra ID authentication for Azure SQL Database, Managed Instance, and SQL Server. Create database users from Entra identities and manage hybrid authentication.

Authentication in Azure SQL

β˜• Simple explanation

Think of authentication like showing your ID at a building entrance.

SQL authentication is like a visitor badge β€” you hand over a username and password stored inside the database. Simple, but the database is responsible for checking credentials.

Microsoft Entra authentication is like your corporate badge β€” the identity system (Entra ID) vouches for you. The database trusts Entra, and Entra handles MFA, Conditional Access, and password policies. One identity, every database.

Microsoft recommends Entra authentication as the primary method for Azure SQL. The exam tests it heavily.

Azure SQL supports two authentication models:

  • SQL authentication β€” username/password stored in the database. Works everywhere, but passwords are managed per-database with no centralised policy enforcement.
  • Microsoft Entra ID authentication β€” centralised identity management. Supports users, groups, service principals, and managed identities. Enables MFA, Conditional Access, passwordless authentication, and single sign-on (SSO).

Azure SQL Database and Managed Instance support Entra-only authentication mode, which disables SQL authentication entirely β€” the most secure configuration.

Entra authentication across platforms

Entra Authentication Support
FeatureSQL DatabaseManaged InstanceSQL on VMs
Entra authenticationYes (native)Yes (native)Yes (with setup)
Entra-only modeYesYesNo
Entra adminOne user or group per serverOne user or group per instanceN/A (configured via T-SQL)
Entra users in DBCREATE USER ... FROM EXTERNAL PROVIDERCREATE USER ... FROM EXTERNAL PROVIDERCREATE LOGIN ... FROM EXTERNAL PROVIDER
Managed identity authYesYesYes (SQL 2022+)
Service principal authYesYesYes (SQL 2022+)
MFA supportYes (via Entra)Yes (via Entra)Yes (via Entra)
Windows authenticationNoYes (Kerberos via Entra)Yes (native)

Setting up Entra authentication

Azure SQL Database

Amara configures Entra auth for Harbour Health’s Azure SQL Database:

Step 1: Set the Entra admin

  • In the Azure portal, navigate to the SQL server (logical server)
  • Under Settings, select Microsoft Entra admin
  • Choose a user or group as the admin
  • Only ONE Entra admin per logical server (use a group for multiple admins)

Step 2: Create contained database users

-- Connect as the Entra admin
CREATE USER [amara@harbourhealth.com] FROM EXTERNAL PROVIDER;
CREATE USER [dba-team@harbourhealth.com] FROM EXTERNAL PROVIDER;
CREATE USER [app-managed-identity] FROM EXTERNAL PROVIDER;

-- Grant permissions
ALTER ROLE db_datareader ADD MEMBER [amara@harbourhealth.com];
ALTER ROLE db_owner ADD MEMBER [dba-team@harbourhealth.com];

Step 3 (optional): Enable Entra-only authentication

  • Disables SQL authentication entirely β€” only Entra identities can connect
  • Most secure option, but ensure all applications use Entra auth first

Azure SQL Managed Instance

Kenji’s MI setup is similar, with one key difference:

  • MI supports instance-level logins (like on-prem SQL Server)
  • You can create Entra logins at the instance level, then map to database users
-- Instance-level login (MI only)
CREATE LOGIN [kenji@northstar.com] FROM EXTERNAL PROVIDER;

-- Then in each database
CREATE USER [kenji@northstar.com] FROM LOGIN [kenji@northstar.com];

SQL Server on Azure VMs

For SQL Server 2022+ on Azure VMs, Entra authentication requires:

  1. Azure Arc registration or Azure extension for SQL Server
  2. Configure the SQL Server instance to trust Entra ID
  3. Create logins from Entra identities
-- SQL Server 2022+ with Entra configured
CREATE LOGIN [kenji@northstar.com] FROM EXTERNAL PROVIDER;
ℹ️ Windows Authentication via Entra (MI)

Azure SQL Managed Instance supports Windows Authentication through Microsoft Entra ID using Kerberos:

  • On-prem clients authenticate via Kerberos against Active Directory
  • AD syncs with Entra ID (via Entra Connect)
  • MI trusts the Kerberos ticket through Entra

This enables legacy applications to connect to MI without changing authentication code β€” they still use Windows auth, but the identity flows through Entra.

Authentication types for applications

Auth TypeHow It WorksBest For
Entra interactiveUser signs in with browser prompt, supports MFAAdmin tools (SSMS, Azure Data Studio)
Entra integratedUses cached Windows/Entra credentials (SSO)Desktop applications on domain-joined machines
Entra service principalApp ID + secret or certificateApplication-to-database (app registrations)
Entra managed identityAzure-managed identity, no secrets to manageAzure services (App Service, Functions, VMs)
SQL authenticationUsername + password in connection stringLegacy apps, third-party tools without Entra support

Priya’s approach at ScaleWave: All microservices use managed identities β€” no connection string passwords. The operations team uses Entra interactive with MFA. SQL authentication is disabled (Entra-only mode).

πŸ’‘ Exam tip: managed identity is always the preferred answer

When the exam asks β€œwhich authentication method should an Azure-hosted application use?”, the answer is almost always managed identity:

  • No secrets to manage or rotate
  • No credentials in code or config
  • Automatically managed by Azure
  • Works with system-assigned and user-assigned identities

Service principals are the second-best option (for non-Azure hosted apps). SQL auth is the last resort.

Question

What is Entra-only authentication mode?

Click or press Enter to reveal answer

Answer

A setting on Azure SQL Database and Managed Instance that disables SQL authentication entirely. Only Microsoft Entra identities can connect. The most secure option.

Click to flip back
Question

How do you create a database user from an Entra identity in Azure SQL Database?

Click or press Enter to reveal answer

Answer

CREATE USER [user@domain.com] FROM EXTERNAL PROVIDER; β€” this creates a contained database user mapped to the Entra identity. Must be connected as the Entra admin.

Click to flip back
Question

Why is managed identity preferred over SQL authentication for Azure-hosted apps?

Click or press Enter to reveal answer

Answer

No secrets to manage or rotate, no credentials in code or config files, automatically managed by Azure, supports both system-assigned and user-assigned identities.

Click to flip back
Question

How many Entra admins can a logical SQL server have?

Click or press Enter to reveal answer

Answer

One β€” but it can be a group. Set an Entra group as the admin, then manage group membership to grant admin access to multiple users.

Click to flip back
Knowledge Check

Amara wants to ensure that no one can connect to Harbour Health's Azure SQL Database using a username and password. Only Entra identities should be allowed. What should she configure?
Knowledge Check

Priya's microservice running on Azure App Service needs to connect to Azure SQL Database without storing any credentials. What authentication method should she use?

🎬 Video coming soon

Next up: Security Principals, Permissions, and T-SQL β€” configure database and object-level permissions using both GUI tools and T-SQL.

← Previous

Execute and Troubleshoot Migrations

Next β†’

Security Principals, Permissions, and T-SQL

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.