🔒 Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided DP-800 Domain 2
Domain 2 — Module 1 of 11 9%
11 of 28 overall

DP-800 Study Guide

Domain 1: Design and Develop Database Solutions

  • Table Design: Columns, Types, and Indexes Free
  • Constraints: Protecting Your Data Free
  • Specialised Tables and Graph Queries Free
  • JSON in SQL: Store, Query, and Index
  • Programmability: Views, Functions, Procedures, and Triggers
  • Advanced T-SQL: CTEs, Windows, and Correlated Queries
  • Pattern Power: Regular Expressions in T-SQL
  • Fuzzy String Matching: Finding Similar Text
  • AI-Assisted SQL with GitHub Copilot Free
  • MCP: Connecting AI to Your Database

Domain 2: Secure, Optimize, and Deploy Database Solutions

  • Encryption: Always Encrypted and Column-Level
  • Dynamic Data Masking and Row-Level Security
  • Permissions, Auditing, and Passwordless Access
  • Transaction Isolation and Concurrency
  • Query Performance: Plans, DMVs, and Query Store
  • SQL Database Projects: Build and Validate
  • CI/CD Pipelines for SQL Databases
  • Data API Builder: REST and GraphQL from SQL
  • Securing AI and API Endpoints
  • Change Detection: CES, CDC, and Change Tracking
  • Azure Integration and Monitoring

Domain 3: Implement AI Capabilities in Database Solutions

  • External AI Models: Choose, Create, Manage
  • Embeddings: Design, Chunk, and Generate
  • Choose Your Search Strategy
  • Vector Data: Types, Indexes, and Storage
  • Vector Search: Distance, ANN, and ENN
  • Hybrid Search and Reciprocal Rank Fusion
  • RAG with SQL: Prompt, Process, Respond

DP-800 Study Guide

Domain 1: Design and Develop Database Solutions

  • Table Design: Columns, Types, and Indexes Free
  • Constraints: Protecting Your Data Free
  • Specialised Tables and Graph Queries Free
  • JSON in SQL: Store, Query, and Index
  • Programmability: Views, Functions, Procedures, and Triggers
  • Advanced T-SQL: CTEs, Windows, and Correlated Queries
  • Pattern Power: Regular Expressions in T-SQL
  • Fuzzy String Matching: Finding Similar Text
  • AI-Assisted SQL with GitHub Copilot Free
  • MCP: Connecting AI to Your Database

Domain 2: Secure, Optimize, and Deploy Database Solutions

  • Encryption: Always Encrypted and Column-Level
  • Dynamic Data Masking and Row-Level Security
  • Permissions, Auditing, and Passwordless Access
  • Transaction Isolation and Concurrency
  • Query Performance: Plans, DMVs, and Query Store
  • SQL Database Projects: Build and Validate
  • CI/CD Pipelines for SQL Databases
  • Data API Builder: REST and GraphQL from SQL
  • Securing AI and API Endpoints
  • Change Detection: CES, CDC, and Change Tracking
  • Azure Integration and Monitoring

Domain 3: Implement AI Capabilities in Database Solutions

  • External AI Models: Choose, Create, Manage
  • Embeddings: Design, Chunk, and Generate
  • Choose Your Search Strategy
  • Vector Data: Types, Indexes, and Storage
  • Vector Search: Distance, ANN, and ENN
  • Hybrid Search and Reciprocal Rank Fusion
  • RAG with SQL: Prompt, Process, Respond
Domain 2: Secure, Optimize, and Deploy Database Solutions Premium ⏱ ~13 min read

Encryption: Always Encrypted and Column-Level

Protect sensitive data with Always Encrypted (client-side encryption where the database never sees plaintext) and column-level encryption for data at rest.

Keeping secrets secret

☕ Simple explanation

Imagine sending a letter in a locked box.

With column-level encryption, the post office (SQL Server) locks the box before storing it. The post office has the key, so it can unlock and read the letter if needed. With Always Encrypted, YOU lock the box before handing it to the post office. The post office stores the locked box but never has the key — even the database admin cannot read your letter.

Both protect data, but Always Encrypted is stronger because the database engine never sees the plaintext.

SQL Server provides multiple encryption layers. TDE encrypts the entire database at rest. Column-level encryption uses keys managed by SQL Server to encrypt specific columns. Always Encrypted performs encryption/decryption in the client driver — the database engine never accesses plaintext data or encryption keys.

The DP-800 exam tests your ability to choose the right encryption approach based on threat model, performance, and query capabilities.

Always Encrypted: the database cannot read your data

Always Encrypted is a client-side encryption feature. Encryption keys never leave the client application — SQL Server stores and processes only ciphertext.

Encryption types

Two encryption types in Always Encrypted
TypeBehaviourCan Query With =?Best For
DeterministicSame plaintext always produces same ciphertextYes (equality only)Columns used in WHERE, JOIN, GROUP BY
RandomizedSame plaintext produces different ciphertext each timeNoMaximum security, columns not searched
 
CREATE COLUMN MASTER KEY CMK_VaultBank
WITH (KEY_STORE_PROVIDER_NAME = 'AZURE_KEY_VAULT',
      KEY_PATH = 'https://vaultbank-keys.vault.azure.net/keys/CMK/...');

CREATE COLUMN ENCRYPTION KEY CEK_SSN
WITH VALUES (COLUMN_MASTER_KEY = CMK_VaultBank,
             ALGORITHM = 'RSA_OAEP', ENCRYPTED_VALUE = 0x01...);

CREATE TABLE Customers (
    CustomerId INT NOT NULL PRIMARY KEY,
    SSN CHAR(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_SSN,
                       ENCRYPTION_TYPE = DETERMINISTIC,
                       ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    CreditCard NVARCHAR(19)
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_SSN,
                       ENCRYPTION_TYPE = RANDOMIZED,
                       ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256')
);
💡 Exam tip: Always Encrypted with secure enclaves

Standard Always Encrypted only supports equality comparisons on deterministic columns. Secure enclaves extend this by performing operations inside trusted memory. With enclaves you can use LIKE, range comparisons, ORDER BY, and pattern matching on encrypted columns.

If the exam requires range queries on encrypted data, the answer is secure enclaves.

Column-level encryption vs Always Encrypted vs TDE

Three encryption approaches — each protects against different threats
FeatureAlways EncryptedColumn-Level EncryptionTDE
Encryption locationClient driverSQL Server engineStorage layer
DBA can read data?NoYes (has keys)Yes (decrypted in memory)
Query supportEquality only (or enclave)Full after OPEN KEYFull — transparent
Performance impactClient-side crypto overheadModerate per operationMinimal — hardware accelerated
Protects againstCompromised server, malicious DBAUnauthorized file accessStolen backups, disk theft
Best forHighest sensitivity (SSN, card numbers)Moderate sensitivity with query needsBaseline at-rest protection
Question

What is the key difference between Always Encrypted and column-level encryption?

Click or press Enter to reveal answer

Answer

Always Encrypted performs encryption/decryption in the CLIENT driver — SQL Server never sees plaintext or holds keys. Column-level encryption is performed by the SQL Server ENGINE — the DBA has access to keys and can decrypt data.

Click to flip back
Question

When should you use Always Encrypted with secure enclaves?

Click or press Enter to reveal answer

Answer

When you need to query encrypted columns with operations beyond equality — LIKE, range comparisons, ORDER BY, or pattern matching. Standard Always Encrypted only supports equality on deterministic columns.

Click to flip back
Question

What is the difference between deterministic and randomized encryption?

Click or press Enter to reveal answer

Answer

Deterministic: same plaintext always produces same ciphertext — allows equality comparisons. Randomized: same plaintext produces different ciphertext each time — no querying, but more secure.

Click to flip back
Knowledge Check

Priya at Vault Bank needs to encrypt SSNs so even DBAs cannot read them, but the app must search by exact SSN. Which approach?

🎬 Video coming soon

Next up: Dynamic Data Masking and Row-Level Security — control what users see without changing the underlying data.

← Previous

MCP: Connecting AI to Your Database

Next →

Dynamic Data Masking and Row-Level Security

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.