πŸ”’ Guided

Pre-launch preview. Authorised access only.

Incorrect code

Guided by A Guide to Cloud
Explore AB-900 AI-901
Guided DP-800 Domain 2
Domain 2 β€” Module 2 of 11 18%
12 of 28 overall

DP-800 Study Guide

Domain 1: Design and Develop Database Solutions

  • Table Design: Columns, Types, and Indexes Free
  • Constraints: Protecting Your Data Free
  • Specialised Tables and Graph Queries Free
  • JSON in SQL: Store, Query, and Index
  • Programmability: Views, Functions, Procedures, and Triggers
  • Advanced T-SQL: CTEs, Windows, and Correlated Queries
  • Pattern Power: Regular Expressions in T-SQL
  • Fuzzy String Matching: Finding Similar Text
  • AI-Assisted SQL with GitHub Copilot Free
  • MCP: Connecting AI to Your Database

Domain 2: Secure, Optimize, and Deploy Database Solutions

  • Encryption: Always Encrypted and Column-Level
  • Dynamic Data Masking and Row-Level Security
  • Permissions, Auditing, and Passwordless Access
  • Transaction Isolation and Concurrency
  • Query Performance: Plans, DMVs, and Query Store
  • SQL Database Projects: Build and Validate
  • CI/CD Pipelines for SQL Databases
  • Data API Builder: REST and GraphQL from SQL
  • Securing AI and API Endpoints
  • Change Detection: CES, CDC, and Change Tracking
  • Azure Integration and Monitoring

Domain 3: Implement AI Capabilities in Database Solutions

  • External AI Models: Choose, Create, Manage
  • Embeddings: Design, Chunk, and Generate
  • Choose Your Search Strategy
  • Vector Data: Types, Indexes, and Storage
  • Vector Search: Distance, ANN, and ENN
  • Hybrid Search and Reciprocal Rank Fusion
  • RAG with SQL: Prompt, Process, Respond

DP-800 Study Guide

Domain 1: Design and Develop Database Solutions

  • Table Design: Columns, Types, and Indexes Free
  • Constraints: Protecting Your Data Free
  • Specialised Tables and Graph Queries Free
  • JSON in SQL: Store, Query, and Index
  • Programmability: Views, Functions, Procedures, and Triggers
  • Advanced T-SQL: CTEs, Windows, and Correlated Queries
  • Pattern Power: Regular Expressions in T-SQL
  • Fuzzy String Matching: Finding Similar Text
  • AI-Assisted SQL with GitHub Copilot Free
  • MCP: Connecting AI to Your Database

Domain 2: Secure, Optimize, and Deploy Database Solutions

  • Encryption: Always Encrypted and Column-Level
  • Dynamic Data Masking and Row-Level Security
  • Permissions, Auditing, and Passwordless Access
  • Transaction Isolation and Concurrency
  • Query Performance: Plans, DMVs, and Query Store
  • SQL Database Projects: Build and Validate
  • CI/CD Pipelines for SQL Databases
  • Data API Builder: REST and GraphQL from SQL
  • Securing AI and API Endpoints
  • Change Detection: CES, CDC, and Change Tracking
  • Azure Integration and Monitoring

Domain 3: Implement AI Capabilities in Database Solutions

  • External AI Models: Choose, Create, Manage
  • Embeddings: Design, Chunk, and Generate
  • Choose Your Search Strategy
  • Vector Data: Types, Indexes, and Storage
  • Vector Search: Distance, ANN, and ENN
  • Hybrid Search and Reciprocal Rank Fusion
  • RAG with SQL: Prompt, Process, Respond
Domain 2: Secure, Optimize, and Deploy Database Solutions Premium ⏱ ~12 min read

Dynamic Data Masking and Row-Level Security

Control what users see without changing the underlying data β€” mask sensitive columns for unauthorised users and filter rows based on who is querying.

Hiding data in plain sight

β˜• Simple explanation

Dynamic Data Masking is like putting a sticker over part of a credit card number on a receipt β€” the full number is still there underneath, but most people only see XXXX-XXXX-XXXX-1234. Row-Level Security is like a hotel where guests can only see their own room β€” the hotel has 500 rooms, but your key only opens yours.

DDM is a presentation-layer feature that masks column values in query results for non-privileged users. The underlying data is unchanged β€” users with UNMASK permission see the real values. RLS uses inline table-valued functions as security predicates to filter rows transparently β€” queries automatically return only rows the user is authorised to see.

Dynamic Data Masking (DDM)

DDM masks column values in query results. The actual data is not changed β€” only how it appears to users without the UNMASK permission.

Masking functions

FunctionExample InputMasked OutputUse For
default()”John Smith""XXXX”General text
email()”john@bank.com""jXXX@XXXX.com”Email addresses
partial(2, 'XXX', 2)”0274551234""02XXX34”Phone numbers, account numbers
random(1, 100)8500047Numeric columns (randomised)
CREATE TABLE Employees (
    EmployeeId INT NOT NULL PRIMARY KEY,
    FullName NVARCHAR(200) MASKED WITH (FUNCTION = 'default()') NOT NULL,
    Email NVARCHAR(320) MASKED WITH (FUNCTION = 'email()') NOT NULL,
    Phone NVARCHAR(20) MASKED WITH (FUNCTION = 'partial(2, "XXX-XXX-", 2)'),
    Salary DECIMAL(10,2) MASKED WITH (FUNCTION = 'random(1000, 9999)')
);

-- Grant unmask to specific users
GRANT UNMASK TO [HR_Manager];
πŸ’‘ Exam tip: DDM is not a security boundary

DDM is a convenience feature, not a security feature. A determined user can infer masked values through clever queries (e.g., binary search with WHERE clauses). For true data protection, use Always Encrypted or column-level encryption.

The exam may present DDM as β€œsufficient for GDPR compliance” β€” that is FALSE. DDM is suitable for reducing casual exposure (like a support agent seeing partial credit card numbers) but not for meeting regulatory encryption requirements.

Row-Level Security (RLS)

RLS transparently filters rows based on who is executing the query. It uses a security predicate function that returns 1 (visible) or 0 (hidden) for each row.

-- Step 1: Create a predicate function
CREATE FUNCTION dbo.fn_SecurityPredicate(@Region NVARCHAR(50))
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS Result
WHERE @Region = USER_NAME()
   OR USER_NAME() = 'dbo'
   OR IS_MEMBER('GlobalManagers') = 1;

-- Step 2: Create a security policy
CREATE SECURITY POLICY RegionFilter
ADD FILTER PREDICATE dbo.fn_SecurityPredicate(Region) ON dbo.Sales
WITH (STATE = ON);

Now when a user queries the Sales table, they only see rows matching their region β€” automatically, transparently, on every query.

Filter vs Block predicates

Predicate TypeWhat It DoesApplies To
FILTERSilently hides rows (WHERE clause injection)SELECT, UPDATE, DELETE
BLOCKPrevents operations on unauthorised rows (raises error)INSERT (AFTER INSERT), UPDATE (AFTER/BEFORE)
DDM vs RLS β€” different tools for different problems
FeatureDynamic Data MaskingRow-Level Security
What it hidesColumn values (partial or full)Entire rows
Data changed?No β€” presentation onlyNo β€” transparent filtering
Bypass riskHigh β€” clever queries can infer valuesLow β€” enforced at engine level
PerformanceMinimal β€” applied on outputModerate β€” predicate runs per row
Use caseReduce casual exposure (support agents, reports)Multi-tenant data isolation, regional access control
πŸ’‘ Scenario: Ingrid's multi-region access at Nordic Shield

Nordic Shield Insurance operates across Scandinavia. Each regional office should only see claims from their own country. Ingrid implements RLS with a predicate that checks the user’s country against the claim’s country. Global managers bypass the filter. Now a Norwegian claims officer querying the Claims table automatically sees only Norwegian claims β€” no code changes needed in any application.

Question

Is Dynamic Data Masking a security feature?

Click or press Enter to reveal answer

Answer

No β€” DDM is a convenience feature that reduces casual data exposure. It masks column values in query results but the underlying data is unchanged. Clever queries can infer masked values. For true security, use encryption. DDM alone is NOT sufficient for regulatory compliance.

Click to flip back
Question

What is the difference between FILTER and BLOCK predicates in RLS?

Click or press Enter to reveal answer

Answer

FILTER predicates silently exclude rows from query results (like an invisible WHERE clause). BLOCK predicates prevent INSERT/UPDATE operations on unauthorised rows and raise an error. Use FILTER for read isolation, BLOCK for write protection.

Click to flip back
Question

What does an RLS security predicate function return?

Click or press Enter to reveal answer

Answer

It is an inline TVF with SCHEMABINDING that returns 1 (row is visible/allowed) or 0 (row is hidden/blocked). It takes the row's column values as parameters and checks them against the current user context (USER_NAME(), IS_MEMBER(), SESSION_CONTEXT).

Click to flip back
Knowledge Check

Ingrid at Nordic Shield needs to ensure that claims officers can only see claims from their own region. The filtering must be automatic and cannot be bypassed by direct SQL queries. Which approach?

🎬 Video coming soon

Next up: Permissions, Auditing, and Passwordless Access β€” control who can do what, track everything, and eliminate passwords.

← Previous

Encryption: Always Encrypted and Column-Level

Next β†’

Permissions, Auditing, and Passwordless Access

Guided

I learn, I simplify, I share.

A Guide to Cloud YouTube Feedback

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.