🔒 Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided DP-300 Domain 2
Domain 2 — Module 2 of 6 33%
7 of 28 overall

DP-300 Study Guide

Domain 1: Plan and Implement Data Platform Resources

  • Choose Your Azure SQL Platform Free
  • Deploy and Configure Azure SQL Free
  • Scale, Performance, and Compression Free
  • Migration Planning: Online vs Offline Free
  • Execute and Troubleshoot Migrations Free

Domain 2: Implement a Secure Environment

  • Entra Authentication for Azure SQL
  • Security Principals, Permissions, and T-SQL
  • Encryption: TDE, Always Encrypted, and VBS Enclaves
  • Network Security: Firewalls, Private Links, and Endpoints
  • Data Classification and Auditing
  • Data Masking, Ledger, and Row-Level Security

Domain 3: Monitor, Configure, and Optimize Database Resources

  • Performance Baselines and Monitoring Tools
  • Database Watcher and Extended Events
  • Query Store: Configure and Monitor
  • Blocking, DMVs, and Execution Plans
  • Index and Query Optimization
  • Database Maintenance: Indexes, Statistics, and Integrity
  • Automatic Tuning and Performance Settings

Domain 4: Configure and Manage Automation of Tasks

  • Automation Landscape: What Runs Where
  • SQL Server Agent Jobs
  • Deploy with ARM, Bicep, PowerShell, and CLI
  • Elastic Jobs and Azure Automation

Domain 5: Plan and Configure an HA/DR Environment

  • HA/DR Strategy: RPO, RTO, and Architecture
  • Backup and Restore: Strategy and Native Tools
  • Point-in-Time Restore, LTR, and Cloud Backup
  • Geo-Replication and Failover Groups
  • Always On: Availability Groups and FCIs
  • Log Shipping and HA/DR Operations

DP-300 Study Guide

Domain 1: Plan and Implement Data Platform Resources

  • Choose Your Azure SQL Platform Free
  • Deploy and Configure Azure SQL Free
  • Scale, Performance, and Compression Free
  • Migration Planning: Online vs Offline Free
  • Execute and Troubleshoot Migrations Free

Domain 2: Implement a Secure Environment

  • Entra Authentication for Azure SQL
  • Security Principals, Permissions, and T-SQL
  • Encryption: TDE, Always Encrypted, and VBS Enclaves
  • Network Security: Firewalls, Private Links, and Endpoints
  • Data Classification and Auditing
  • Data Masking, Ledger, and Row-Level Security

Domain 3: Monitor, Configure, and Optimize Database Resources

  • Performance Baselines and Monitoring Tools
  • Database Watcher and Extended Events
  • Query Store: Configure and Monitor
  • Blocking, DMVs, and Execution Plans
  • Index and Query Optimization
  • Database Maintenance: Indexes, Statistics, and Integrity
  • Automatic Tuning and Performance Settings

Domain 4: Configure and Manage Automation of Tasks

  • Automation Landscape: What Runs Where
  • SQL Server Agent Jobs
  • Deploy with ARM, Bicep, PowerShell, and CLI
  • Elastic Jobs and Azure Automation

Domain 5: Plan and Configure an HA/DR Environment

  • HA/DR Strategy: RPO, RTO, and Architecture
  • Backup and Restore: Strategy and Native Tools
  • Point-in-Time Restore, LTR, and Cloud Backup
  • Geo-Replication and Failover Groups
  • Always On: Availability Groups and FCIs
  • Log Shipping and HA/DR Operations
Domain 2: Implement a Secure Environment Premium ⏱ ~13 min read

Security Principals, Permissions, and T-SQL

Configure security principals, database and object-level permissions using GUI tools and T-SQL. Apply least privilege and troubleshoot authentication issues.

Security principals and permissions

☕ Simple explanation

Think of permissions like a hotel key card system.

A login gets you through the front door (server level). A user is your room key (database level). Roles are like floor access — all guests on the executive floor get the same access without programming each card individually.

Least privilege means your key only opens the rooms you actually need. The reception desk doesn’t give everyone a master key.

SQL Server security is built on security principals (identities that can request resources) and securables (resources that can be protected). Permissions connect the two — they define what a principal can do to a securable.

The hierarchy: Logins (server level) → Users (database level) → Permissions (object level). Roles group permissions for easier management.

Security principal hierarchy

LevelPrincipalCreated WithScope
ServerLoginCREATE LOGINServer-wide (MI, SQL VMs)
ServerServer roleCREATE SERVER ROLEGroups of logins
DatabaseUserCREATE USERSingle database
DatabaseDatabase roleCREATE ROLEGroups of users
DatabaseApplication roleCREATE APPLICATION ROLEApplication-specific access

Key difference — SQL Database vs MI:

  • Azure SQL Database: No server-level logins. Uses contained database users only. Each database manages its own users independently.
  • Azure SQL MI: Supports both server-level logins AND database users (like on-prem SQL Server).
  • SQL on VMs: Full server and database security model.

Built-in database roles

RolePermissionsUse Case
db_ownerFull control over the databaseDatabase administrators
db_datareaderSELECT on all tables and viewsReporting users, read-only access
db_datawriterINSERT, UPDATE, DELETE on all tablesApplications that modify data
db_ddladminCREATE, ALTER, DROP any objectSchema management
db_securityadminManage role membership and permissionsDelegated security management
db_denydatareaderCannot SELECT any dataOverride: block reading even if other roles allow it
db_denydatawriterCannot modify any dataOverride: block writing even if other roles allow it
💡 DENY always wins

In SQL Server, DENY overrides GRANT. If a user is in both db_datareader (grants SELECT) and db_denydatareader (denies SELECT), the DENY wins — they cannot read data.

The exam tests this: “A user is a member of Role A (GRANT SELECT) and Role B (DENY SELECT). Can they read data?” → No. DENY always takes precedence.

Managing permissions with GUI tools

The exam explicitly tests GUI-based permission management — not just T-SQL.

Azure Portal

  • Navigate to the SQL database → Query editor (preview) to run permission T-SQL
  • Use Microsoft Entra admin settings to set the Entra admin
  • Azure RBAC roles (Contributor, Reader) control Azure management plane — NOT database access

SQL Server Management Studio (SSMS)

  • Right-click a database → Properties → Permissions tab
  • Right-click a user → Properties → Securables page
  • Visual grant/deny/revoke interface for each object
  • User Mapping tab on login properties to see database access

Azure Data Studio

  • Object Explorer → expand database → Security → Users
  • Right-click for properties and permission management
  • Less GUI options than SSMS, but growing
💡 Exam tip: Azure RBAC vs database permissions

Azure RBAC (Contributor, Reader, SQL DB Contributor) controls who can manage the Azure resource (create/delete databases, change settings). It does NOT grant access to data inside the database.

Database permissions (GRANT, DENY, db_datareader, etc.) control who can read/write data and manage objects inside the database.

A user with Azure Contributor role on a SQL Database can delete the entire database but cannot SELECT from any table unless they also have database-level permissions.

Managing permissions with T-SQL

Creating users and granting permissions

-- Create a contained database user (SQL Database)
CREATE USER [analyst@harbourhealth.com] FROM EXTERNAL PROVIDER;

-- Add to a built-in role
ALTER ROLE db_datareader ADD MEMBER [analyst@harbourhealth.com];

-- Grant specific object permission
GRANT SELECT ON SCHEMA::Sales TO [analyst@harbourhealth.com];

-- Create a custom role
CREATE ROLE ReportingRole;
GRANT SELECT ON SCHEMA::Sales TO ReportingRole;
GRANT SELECT ON SCHEMA::Inventory TO ReportingRole;
ALTER ROLE ReportingRole ADD MEMBER [analyst@harbourhealth.com];

Permission statements

StatementEffect
GRANTGives a permission (can be overridden by DENY)
DENYExplicitly blocks a permission (overrides GRANT)
REVOKERemoves a previously granted or denied permission (returns to default state)

Checking existing permissions

-- What permissions does a user have?
SELECT * FROM sys.fn_my_permissions(NULL, 'DATABASE');

-- What role memberships exist?
SELECT dp.name AS principal, dr.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals dp ON rm.member_principal_id = dp.principal_id
JOIN sys.database_principals dr ON rm.role_principal_id = dr.principal_id;

Applying least privilege

Amara enforces least privilege at Harbour Health:

Principle: Every user and application gets the minimum permissions needed to do their job — nothing more.

ScenarioBad PracticeLeast Privilege
Reporting user needs to read Sales dataAdd to db_ownerGRANT SELECT ON SCHEMA::Sales
Application needs to insert ordersAdd to db_datawriter (all tables)GRANT INSERT ON dbo.Orders
DBA needs to manage indexesAdd to sysadmin (server-wide)Add to db_ddladmin (database-scoped)
Backup operatorAdd to db_ownerAdd to db_backupoperator

Amara’s rules:

  1. Never use sa or sysadmin for applications
  2. Custom roles over built-in roles (more specific)
  3. Schema-level grants over database-level grants
  4. Review permissions quarterly
  5. Use DENY sparingly — only when you need to override inherited grants

Troubleshooting auth issues

Tomas encounters these common problems:

SymptomLikely CauseFix
”Login failed for user”Wrong credentials or login doesn’t existVerify login exists; check password; verify Entra auth is configured
”Cannot open database requested”User has login but no database user mappingCREATE USER in the target database
”SELECT permission denied”User lacks read permissionGRANT SELECT or add to db_datareader
”User not found” (after migration)Orphaned user — no matching loginALTER USER … WITH LOGIN
”Entra auth failed”Entra admin not set, or token expiredSet Entra admin; check token cache; verify Entra tenant
-- Check if a user exists in the database
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals
WHERE name LIKE '%tomas%';

-- Check server logins (MI/VMs only)
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE name LIKE '%tomas%';
Question

What happens when a user has both GRANT SELECT and DENY SELECT through different roles?

Click or press Enter to reveal answer

Answer

DENY always wins. The user cannot SELECT data. DENY overrides GRANT regardless of how the permissions were assigned.

Click to flip back
Question

What is the difference between Azure RBAC and database permissions?

Click or press Enter to reveal answer

Answer

Azure RBAC controls management plane access (create/delete/configure Azure resources). Database permissions control data plane access (SELECT, INSERT, UPDATE inside the database). They are separate systems.

Click to flip back
Question

What T-SQL statement removes a previously applied GRANT or DENY?

Click or press Enter to reveal answer

Answer

REVOKE. It returns the permission to its default (inherited) state. REVOKE SELECT ON dbo.Orders FROM [user];

Click to flip back
Knowledge Check

Tomas creates a custom role and grants it SELECT on the Sales schema. He adds a user to this role AND to db_denydatareader. Can the user read Sales data?
Knowledge Check

Amara's Azure account has the SQL DB Contributor role on the Harbour Health database server. Can she run SELECT queries on patient data?

🎬 Video coming soon

Next up: Encryption: TDE, Always Encrypted, and VBS Enclaves — protect data at rest with multiple layers of encryption.

← Previous

Entra Authentication for Azure SQL

Next →

Encryption: TDE, Always Encrypted, and VBS Enclaves

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.