Skip to main content

DP-300 exam cram kit

Use this page as a compact DP-300 review book for the final week. The goal is not to reread everything. The goal is to recall the right Azure SQL feature, tool, or configuration when the exam gives you a symptom.

๐Ÿง  How to use this page

Read one section, close the page, then answer the recall prompt from memory. Reopen the page only to correct your miss. Keep a one-line DP-300 Misses list and review only that list before sleep.

DP-300 domains in one viewโ€‹

Five domains, five reflexes. Memorize the reflex; the rest of the page is recognition.

Five exam domains and their reflexes
D1
Plan and implement
Reflex: choose platform and tier first. SQL DB vs MI vs VM, DTU vs vCore, deployment shape, migration path.
D2
Secure
Reflex: protect identity, data, and network. AuthN / AuthZ, TDE, Always Encrypted, TLS, firewall, private endpoint, auditing.
D3
Monitor and optimize
Reflex: diagnose the symptom before changing anything. Query Store, DMVs, waits, plans, indexes, statistics, Azure Monitor.
D4
Automate
Reflex: schedule and deploy safely. SQL Agent vs Elastic Jobs vs runbooks vs Logic Apps, ARM / Bicep, pipelines.
D5
HA and DR
Reflex: map RPO and RTO to the right feature. Backups, PITR, LTR, geo-restore, failover groups, Always On AG.
RX
Exam reflex
When stuck: pick the most managed feature, least privilege, first diagnostic tool, lowest operational burden.

4-day sprintโ€‹

One day per domain pair. For the per-platform implementation steps, pair this with the DP-300 implementation playbook.

DayFocusAnchor pages
Day 1D1 โ€” platform choicesimplementation-playbook ยง1.1โ€“1.3, coverage map
Day 2D2 โ€” securityimplementation-playbook ยง2.1โ€“2.3
Day 3D3 โ€” performanceimplementation-playbook ยง3.1โ€“3.3
Day 4D4 + D5 โ€” automation and HA/DRimplementation-playbook ยง4.1โ€“4.3 and ยง5.1โ€“5.3

Recall loopโ€‹

Use this loop for every page in DP-300 Coverage Map.

One-page review loop
1
Scan
Read headings, diagrams, tables, and exam traps only.
2
Close
Close the page before rereading. Force recall while it feels uncomfortable.
3
Explain
Say the problem, first tool, likely root cause, and fix out loud.
4
Correct
Reopen the page and write only the miss as one line.
Symptom:
Best first tool:
Likely root cause:
Fix:
Azure or SQL feature:

What to choose under pressureโ€‹

ScenarioFirst answer to considerWhy the exam likes itAvoid this mistake
Need the most PaaS-managed SQL optionAzure SQL DatabaseLowest admin surface; built-in backup, patching, HAPicking SQL VM only because it feels familiar
Need near SQL Server instance compatibilityAzure SQL Managed InstanceInstance-scoped features with PaaS managementPicking SQL DB when cross-database or instance features are required
Need OS-level control or unsupported SQL featureSQL Server on Azure VMYou control OS, storage layout, SQL version, and agentsForgetting you also own patching, backups, and HA design
Query was fast yesterday, slow todayQuery StoreBest source for plan regression and runtime historyStarting with index rebuilds before proving the cause
Need private network access to Azure SQLPrivate endpointRemoves public data path to the logical serverTreating firewall rules as private networking
Need cross-region managed failoverFailover groupProvides listener endpoint and group-level failoverConfusing active geo-replication with full failover orchestration
Need scheduled T-SQL across many Azure SQL databasesElastic JobsDesigned for Azure SQL Database job execution at scaleChoosing SQL Agent for Azure SQL Database
Need SQL Server Agent jobsSQL Managed Instance or SQL VMSQL Agent is available in those platformsExpecting SQL Agent in Azure SQL Database

Pick the most managed answer if it satisfies the requirement. Pick SQL VM only if the question requires OS control, unsupported features, or full SQL Server instance ownership.

Exam trapsโ€‹

TrapCorrect mental model
Firewall rule equals private accessFirewall allows public endpoint access. Private endpoint changes the network path.
TDE protects data in useTDE protects data at rest. Always Encrypted protects sensitive columns from the database engine in supported scenarios.
Query Store is only for reportsQuery Store is the primary plan-regression tool and supports plan forcing.
Automatic tuning replaces DBA judgmentIt can recommend or apply tuning actions, but you still validate workload impact.
PITR and LTR solve the same problemPITR is operational recovery. LTR is retention for compliance and long-term restore needs.
Geo-replication and failover groups are identicalGeo-replication creates readable secondaries. Failover groups add listener endpoints and grouped failover.
SQL Agent works everywhereSQL Agent is for SQL Server, SQL VM, and Managed Instance. Azure SQL Database uses Elastic Jobs or external automation.
DTU and vCore are just namesDTU bundles compute, memory, and IO. vCore gives clearer CPU/memory and license-control choices.

Oracle DBA anchorsโ€‹

๐Ÿ”€ Oracle โ†’ Azure

Oracle parallel: DP-300 is mostly your Oracle DBA mental model translated to Azure SQL. Data Guard maps to failover groups or Always On AGs, AWR and ASH map to Query Store plus DMVs, Wallet-managed TDE maps to TDE with service-managed or customer-managed keys, VPD maps to Row-Level Security, and DBMS_SCHEDULER maps to SQL Agent, Elastic Jobs, or Azure Automation depending on platform.

Oracle memory hookDP-300 answer
RAC for scale/HABusiness Critical tier, read scale, elastic pools, or SQL VM AG depending on requirement
Data GuardFailover groups, active geo-replication, or Always On AG
RMAN restorePITR, LTR, geo-restore, backup to URL for SQL VM
AWR/ASHQuery Store, DMVs, wait stats, Azure Monitor
Wallet/TDETDE, Key Vault, customer-managed keys
VPDRow-Level Security
DBMS_SCHEDULERSQL Agent, Elastic Jobs, Automation runbooks

Final 2-hour reviewโ€‹

Time boxDo thisDo not do this
30 minReview the five-domain mind map and say each domain from memoryOpen every page again
30 minReview only your DP-300 Misses listRewrite notes
30 minDrill the symptom-to-tool tableWatch a new long video
20 minRecheck HA/DR and security trapsChase rare edge cases
10 minRead the official skills measured page headingsStart a new lab

Referencesโ€‹

Flashcardsโ€‹

A query was fast yesterday and slow today. What is your first DP-300 tool and why?
Click to reveal answer
Use Query Store first. It preserves query runtime history and plan history, so you can compare plans and identify plan regression before changing indexes or configuration.
1 / 8

Retake focus - verified answersโ€‹

This section is the second-attempt focus drill. It exists because the first-attempt score report flagged three areas as weak, and a debrief of the remembered questions revealed gaps the general topic pages do not call out by name. Every claim below is verified against current Microsoft Learn documentation, with the source URL pinned at the end of each scenario.

๐Ÿง  How to use this section

Work through it in two passes.

  • Pass 1 (recall): read one numbered scenario, close the page, and write the answer plus the reason from memory.
  • Pass 2 (citation): reopen, compare to the Microsoft Learn snippet, and only flag a real miss if your reason was wrong - not just the wording.

A miss on the reason is what costs marks on multi-select questions. Memorize why, not just the option letter.

The three priority areasโ€‹

The nine scenarios below are the highest-leverage drills for those branches. If a scenario links out to a deeper page in the same wiki, follow the link only after the recall attempt.

Scenario 1 โ€” Database Mail across SQL VM, SQL MI, and Azure SQL DBโ€‹

Pattern: "Where can you send notifications using Database Mail and the SQL Server Agent?"

Database Mail support matrix
๐Ÿ–ฅ๏ธ
SQL Server on Azure VM
Full Database Mail. Configure msdb profile, SQL Agent jobs send email natively. SMTP outbound from the VM subnet.
๐Ÿ›๏ธ
Azure SQL Managed Instance
Supported. SQL Agent requires the special profile name AzureManagedInstance_dbmail_profile. Use an SMTP relay (SendGrid, etc.) on port 587 with TLS, allow outbound in the MI subnet NSG.
๐Ÿ—„๏ธ
Azure SQL Database
Not supported. There is no SQL Agent and no Database Mail. Replace with Logic Apps, Power Automate, or Azure Automation runbooks for email.
โšก MI Database Mail profile name is exact

On Managed Instance, the profile name is mandatory and literal: AzureManagedInstance_dbmail_profile. Any other name and SQL Agent silently refuses to send. This single string is the most popular MI Database Mail exam point.

Source: Database Mail (Azure SQL Managed Instance).

Scenario 2 โ€” Adding a database to an existing Always On availability groupโ€‹

Pattern: "An AG already exists across two replicas. You add a new database on the primary. What sequence brings it into the AG on the secondary?"

Manual (backup-based) path โ€” the classic exam answer
1
Full backup on primary
BACKUP DATABASE [db] TO DISK = ...
Database must be in FULL recovery model.
2
Log backup on primary
BACKUP LOG [db] TO DISK = ...
Required so the secondary can keep restoring forward.
3
RESTORE โ€ฆ WITH NORECOVERY on the secondary
RESTORE DATABASE [db] FROM DISK = ... WITH NORECOVERY;
RESTORE LOG [db] FROM DISK = ... WITH NORECOVERY;
Leaves the secondary in the RESTORING state.
4
Add the DB to the AG on the primary
ALTER AVAILABILITY GROUP [ag] ADD DATABASE [db];
5
Join on the secondary
ALTER DATABASE [db] SET HADR AVAILABILITY GROUP = [ag];
Database moves to ONLINE and starts synchronizing.
โœ… Modern alternative: automatic seeding

On SQL Server 2016+ you can skip the manual backup/restore by enabling automatic seeding:

-- On the primary, grant the AG permission to create databases on secondaries:
ALTER AVAILABILITY GROUP [ag] GRANT CREATE ANY DATABASE;

-- Add the database with SEEDING_MODE = AUTOMATIC on the replica.
ALTER AVAILABILITY GROUP [ag] MODIFY REPLICA ON 'NODE2'
  WITH (SEEDING_MODE = AUTOMATIC);

ALTER AVAILABILITY GROUP [ag] ADD DATABASE [db];

The exam mostly asks about the manual path, because RESTORE WITH NORECOVERY is the only answer where one option is unambiguously correct.

โšก WITH RECOVERY is wrong

RESTORE โ€ฆ WITH RECOVERY brings the database online standalone โ€” which disqualifies it from being joined to an AG. The required option is always WITH NORECOVERY. Same for the log restore.

Sources:

Scenario 3 โ€” Detect both physical and logical corruptionโ€‹

Pattern: "You suspect both physical and logical corruption in a user database. Which DBCC command do you run?"

Command / optionPhysical checksLogical checksNotes
DBCC CHECKDB (no flags)โœ…โœ…Default: runs CHECKALLOC, CHECKTABLE, CHECKCATALOG, indexed-view consistency, FILESTREAM link checks, Service Broker checks.
DBCC CHECKDB ... WITH PHYSICAL_ONLYโœ…โŒSkips all logical checks and FILESTREAM. Lighter weight for production.
DBCC CHECKDB ... WITH DATA_PURITYaddsโœ…Column-value range checks. Enabled by default on databases created on SQL 2005+.
DBCC CHECKALLOCโœ…โŒAllocation only. Subset of CHECKDB.
DBCC CHECKTABLEโœ…โœ…Single table only.
DBCC CHECKCATALOGโŒโœ…System-catalog consistency only.
๐ŸŽฏ The one-line decision

Both physical and logical โ†’ plain DBCC CHECKDB. If you see PHYSICAL_ONLY in any answer option, reject it for "both" questions โ€” that flag explicitly disables logical checks. The Microsoft Learn doc opens with: "Checks the logical and physical integrity of all the objects in the specified database".

Source: DBCC CHECKDB (Transact-SQL).

Scenario 4 โ€” Availability group VM placement for low-latency sync commitโ€‹

Pattern: "Two SQL Server VMs in the same region must run an AG in synchronous-commit mode with minimum network latency between replicas. How do you place them?"

Two valid placement topologies
๐Ÿท๏ธ
Same Availability Set + same Proximity Placement Group
AS gives fault-domain / update-domain isolation. PPG colocates the AS members in the same physical datacenter for low latency. This is the canonical sync-commit answer.
๐Ÿ™๏ธ
Availability Zones (alternative)
Each replica in a different AZ in the same region. Survives a full datacenter outage. Latency is higher than PPG, so sync-commit cost is higher. AZ and AS are mutually exclusive on a single VM.
โšก An Azure VM cannot be in both AS and AZ

Microsoft Learn says it explicitly: "When creating Azure VMs, you must choose between configuring Availability Sets vs Availability Zones. An Azure VM can't participate in both." Any answer combining both for the same VM is wrong.

โœ… Why PPG beats AZ for sync-commit

Synchronous-commit replicas wait for the secondary to harden the log before acknowledging the transaction on the primary. Microsoft Learn notes: "VMs located in different Availability Zones have greater network latency between them, which can increase the time it takes to synchronize data between the primary and secondary replicas." For latency-sensitive sync commit pick PPG + AS; for tolerating a datacenter loss pick AZ and accept the latency.

Sources:

Scenario 5 โ€” Power BI Service connecting to Azure SQL Databaseโ€‹

Pattern: "Power BI Service in the cloud must read from an Azure SQL Database that is locked down with a private endpoint and public network access disabled. What's the most secure connection method?"

VNet data gateway path โ€” the secure answer
1
Have a Premium or Fabric capacity
VNet data gateway requires Power BI Premium per capacity or a Fabric capacity. It is not available on Pro alone.
2
Deploy private endpoint on Azure SQL
Server โ†’ Networking โ†’ Private access. Disable Public network access if not needed.
3
Create a VNet data gateway
Power BI Admin portal โ†’ Manage gateways โ†’ New VNet data gateway, bound to the VNet/subnet that reaches the private endpoint.
4
Bind the dataset to the gateway
Dataset โ†’ Settings โ†’ Gateway and cloud connections, pick the VNet gateway as the data source.
โšก Trap distractors on this question
  • VNet service endpoint on the SQL subnet โ€” Power BI Service is not in your VNet, so a service endpoint does not help; service endpoints are subnet-side.
  • Network Security Group rule โ€” NSGs apply to VNet NICs, not to the SQL logical server's public listener.
  • Add the Power BI public IP range to the SQL firewall โ€” works for Pro but is not the most secure option and re-exposes the public listener.
โœ… On-prem alternative

If you do not have Premium / Fabric capacity, an On-premises data gateway on a VM inside the same VNet can reach the private endpoint and acts as a Power BI proxy. Same security posture, more infrastructure to run.

Source: VNet data gateway overview.

Scenario 6 โ€” Change the password protecting a certificate's private keyโ€‹

Pattern: "A certificate's private key is currently encrypted with one password. Rotate it to a new password without recreating the certificate."

ALTER CERTIFICATE TDECert
  WITH PRIVATE KEY (
    DECRYPTION BY PASSWORD = '<old-password>',
    ENCRYPTION BY PASSWORD = '<new-password>'
  );
๐ŸŽฏ ALTER, not CREATE

The verb is ALTER CERTIFICATE. CREATE CERTIFICATE would produce a new certificate object with a new key pair and break anything currently encrypted with the old certificate (TDE DEKs, signed modules, Service Broker dialogs).

โšก Don't add FILE or BINARY

Microsoft Learn states: "To change the password used for encrypting the private key, don't specify either the FILE or BINARY clauses." Adding FILE = '...' switches the command into "import a private key from disk" mode and the password rotation will fail or produce confusing results.

Source: ALTER CERTIFICATE (Transact-SQL) (see Example B).

Scenario 7 โ€” Mask a phone number, hide first digits, keep last fourโ€‹

Pattern: "Column stores phone numbers like 2223-3412-4121. Hide the leading digits, keep the trailing 4121 visible, with the dashes preserved. What's the feature and the exact mask?"

ALTER TABLE dbo.Customers
  ALTER COLUMN Phone ADD MASKED WITH (
    FUNCTION = 'partial(0,"XXXX-XXXX-",4)'
  );
-- Result for 2223-3412-4121:  XXXX-XXXX-4121

Anatomy of partial(prefix, padding, suffix)

ArgumentMeaningThis example
prefixInteger โ€” number of original characters left visible at the start0 (hide everything at the start)
paddingLiteral string injected in the middle"XXXX-XXXX-" (literal mask incl. dashes)
suffixInteger โ€” number of original characters left visible at the end4 (keep the last four characters)
๐ŸŽฏ Why DDM, not Always Encrypted

Always Encrypted is column-level encryption that the engine never decrypts. There is no "show only the last 4 characters" mode โ€” the DB engine cannot generate a partial reveal because it never sees the plaintext.

DDM is a display-time mask computed by the engine for users without UNMASK permission. The original value still lives in the table; db_owner and members of UNMASK see it in the clear.

โšก Common partial() mistakes
  • Writing partial(6,"...",4) when you mean hide the first 6: the first argument is the count kept, not the count hidden. To hide 6 starting chars, the prefix must be 0 (or 6 to keep 6 and mask the rest).
  • Forgetting that the middle argument is a literal. partial(0,XXXX,4) without quotes is a syntax error.
  • Using DDM for compliance ("we're PCI compliant because the credit card is masked") โ€” DDM is not a compliance control. It's an obfuscation layer; the data is still plain in the file.

Source: Dynamic data masking.

Scenario 8 โ€” Microsoft Entra ID authentication on SQL Server on an Azure VMโ€‹

Pattern: "Enable Microsoft Entra (Azure AD) authentication for SQL Server running on an Azure VM. What is required?"

Enable Entra auth on a SQL VM
1
Run SQL Server 2022
Entra auth on SQL Server VM is supported on SQL Server 2022 only.
2
Register with the SQL IaaS Agent extension
Manage from the SQL virtual machine resource (not the VM resource).
Full management mode exposes the Security Configuration blade.
3
Attach a managed identity to the VM
System-assigned or user-assigned MI, in the same Entra tenant as the VM.
4
Grant the MI Directory Readers role
Or the three Graph app permissions: User.Read.All, GroupMember.Read.All, Application.Read.All.
5
Enable Entra auth on the SQL virtual machine resource
Portal: SQL virtual machine โ†’ Security Configuration โ†’ Microsoft Entra authentication โ†’ Enable.
Pick the managed identity to use for authentication.
6
Create logins in SQL
CREATE LOGIN [user@tenant.onmicrosoft.com] FROM EXTERNAL PROVIDER;
Then connect with an Entra method from SSMS or the driver.
โšก Failover Cluster Instances are NOT supported

Microsoft Learn: "Using Microsoft Entra authentication with failover cluster instances isn't supported." If the scenario is "AG on Azure VM" it's supported โ€” but if it's "FCI on Azure VM" the answer is not Entra auth.

โšก Two more once-enabled traps
  • Configuration lives on the SQL virtual machine resource, not the VM resource โ€” these are two different resources in the same resource group.
  • Once Entra authentication is enabled on a SQL VM, there is no way to disable it. Plan before flipping the switch.

Source: Enable Microsoft Entra authentication for SQL Server on Azure VMs.

Scenario 9 โ€” Isolate 40 customer databases on a shared logical serverโ€‹

Pattern: "A SaaS app puts 40 customer databases on the same Azure SQL logical server. Each customer must be able to access only their own database. Pick two actions."

OptionActionPick?Why
AServer-level firewall rule per customer IPโŒA server-level rule still authenticates against the logical server's master and authorizes against every DB the login is mapped to. Wrong granularity for per-tenant isolation.
BCreate a database user in each customer's databaseโœ…The user is contained to that database. Without a user in OtherCustomerDB, the principal cannot read it even if it can reach the server.
CConfigure database-level firewall rulesโœ…Microsoft Learn explicitly pairs contained users with database-level firewall rules as the SaaS isolation pattern. The rule narrows the network reach to the specific DB the customer needs.
DApply Row-Level Security to the customer tableโŒRLS filters rows in a single table, not access across databases. Wrong scope.
ECreate a SQL login for each customer in masterโž–Works as an alternative pattern (traditional login + mapped user), but it forces every connection to authenticate against master and breaks geo-replication cleanly. Microsoft documents this pattern for users who must reach multiple databases โ€” the opposite of this scenario.
FAlways Encrypted on the tenant-id columnโŒEncrypts a column value at the client; does nothing about which DB a credentialed user can reach.
GEnable TDE on each databaseโŒTDE protects data files at rest. It does not gate any user from connecting.

What Microsoft Learn says โ€” verbatimโ€‹

"When you're using SQL Database, combine contained database users with database-level firewall rules. Database-level firewall rules, combined with contained database users, can eliminate the need to access the master database of the server during the connection."

โ€” Make your database portable by using contained database users

๐ŸŽฏ One-line memory hook

SaaS, many tenants, one DB each โ†’ contained users + database-level firewall rules (B + C). The login-in-master + user-in-DB pattern (E) is documented as the choice when a single user must reach multiple databases โ€” the inverse of the question.

โšก When the exam still grades B + E as correct

Some practice tests and dumps mark B + E correct because both technically isolate access. If your real exam graded B + E, the question wording almost certainly leaned on login-based authentication explicitly. Without that wording, trust the Microsoft Learn pattern โ€” B + C โ€” and pick contained users + DB firewall.

Wait-stats decoder โ€” bonus drill for D3โ€‹

sys.dm_exec_requests reports a wait_resource such as 2:3:905856. Decode it as database_id : file_id : page_id.

database_idDatabaseCommon waitsReal fix
1masterextremely rareusually not the root cause
2tempdbPAGELATCH_UP, PAGELATCH_SH on PFS / GAM / SGAM pagesAdd multiple equally-sized tempdb data files (1 per core up to 8; equal fixed autogrowth, not percent). On 2016+, TF1117/1118 are default for tempdb.
3modelalmost never on a live systemsafe to ignore
4msdbAgent / Mail under loadmove Mail relay off the hot instance
โ‰ฅ5user DBsPAGEIOLATCH_* (storage), LCK_M_* (locking), WRITELOG (log writes)match the wait to the resource type, not the DB id
โšก `PAGELATCH_UP` on database id 2 is tempdb contention

If the exam shows PAGELATCH_UP and a wait_resource starting with 2:, the answer is never "change autogrowth on master" and never "add an index". The right fix is the tempdb files answer โ€” multiple equally-sized data files with equal fixed autogrowth. Percentage autogrowth on tempdb makes contention worse by breaking the round-robin allocation.

Source: Recommendations to reduce allocation contention in tempdb.

Scenario 10 โ€” Migration strategy: minimal downtime for a large databaseโ€‹

Pattern: "You must migrate a large on-premises SQL Server database to Azure with minimal downtime. Which migration approach do you choose?"

Pick the right migration path by target + downtime
๐Ÿ›๏ธ
On-prem โ†’ SQL Managed Instance (min downtime)
Azure Database Migration Service in ONLINE mode (Premium tier required). Or Managed Instance link (Azure Arc + distributed AG) for near-zero downtime.
๐Ÿ–ฅ๏ธ
On-prem โ†’ SQL Server on Azure VM (min downtime)
Azure Database Migration Service in ONLINE mode. Continuous backup/restore until you press cutover.
๐Ÿ—„๏ธ
On-prem โ†’ Azure SQL Database
DMS supports OFFLINE migration only โ€” application downtime starts when migration starts. Online via DMS is NOT available for Azure SQL Database.
๐ŸŽฏ One-line decision

"Minimal downtime" + MI or SQL VM โ†’ Azure DMS Online (Premium tier). "Minimal downtime" + Azure SQL Database โ†’ DMS cannot do it; look at transactional replication or BACPAC + cutover. Backup/restore = full downtime; never the right pick when the question says "minimal".

โšก DMS Online needs the Premium tier

Microsoft Learn explicitly states: "Using Azure Database Migration Service to perform an online migration requires creating an instance based on the Premium pricing tier." If the answer mentions Standard tier + online, it's wrong.

Sources:

Scenario 11 โ€” Reduce Azure Monitor metric alert noiseโ€‹

Pattern: "An Azure Monitor metric alert on an Azure SQL DB or VM fires too often, but you don't want to set a fixed threshold. How do you tune it down?"

Tune a dynamic-threshold alert
1
Set the threshold to Dynamic
Dynamic thresholds learn the metric pattern (weekday / weekend, business hours, etc.).
Requires at least 3 days and 30 samples before it becomes active.
2
Set sensitivity to Low
High = tight bounds, more alerts.
Medium = default.
Low = loose bounds, alerts only on large deviations.
3
Increase Lookback period (optional)
A wider window makes the rule less reactive to transient spikes.
4
Increase Number of violations (Advanced)
Fire only after N violations within a window โ€” filters out single-sample noise.
๐ŸŽฏ Memory rule

Noisy alert + dynamic โ†’ Low sensitivity. Missing alert + dynamic โ†’ High sensitivity (or change the metric). High doesn't mean "more important", it means "tighter bounds".

Source: Dynamic thresholds overview โ€” known issues with sensitivity.

Scenario 12 โ€” Resource Governor on Managed Instance (or SQL Server)โ€‹

Pattern: "An app must be able to use up to 100% of CPU when no one else needs it, but always be guaranteed at least 50% under contention. Configure Resource Governor."

-- 1) Resource pool: floor 50%, ceiling 100% (soft).
CREATE RESOURCE POOL app_pool
WITH (
    MIN_CPU_PERCENT = 50,
    MAX_CPU_PERCENT = 100
);

-- 2) Workload group bound to the pool.
CREATE WORKLOAD GROUP app_group
USING app_pool;

-- 3) Classifier function (runs at login).
CREATE FUNCTION dbo.fn_classifier()
RETURNS sysname WITH SCHEMABINDING
AS
BEGIN
    DECLARE @grp sysname = N'default';
    IF SUSER_SNAME() = N'app_login'
        SET @grp = N'app_group';
    RETURN @grp;
END;
GO

-- 4) Wire the classifier and apply.
ALTER RESOURCE GOVERNOR
    WITH (CLASSIFIER_FUNCTION = dbo.fn_classifier);

ALTER RESOURCE GOVERNOR RECONFIGURE;
๐ŸŽฏ MIN vs MAX vs CAP โ€” the three settings that always trip people up
  • MIN_CPU_PERCENT = reservation. Other pools cannot consume this slice under contention. Set this to your "always guaranteed" floor.
  • MAX_CPU_PERCENT = soft ceiling. Only enforced when there is contention. With no other workload running, the pool can use up to 100% even if MAX is lower.
  • CAP_CPU_PERCENT = hard ceiling. Never exceeded, even when CPU is idle. Use this for chargeback / "thou shalt not exceed" scenarios.
โšก Two MI gotchas
  • Configure on master of the primary replica. Resource Governor changes on a secondary replica do not stick until you reconfigure there.
  • Maximum 40 resource pools on Managed Instance. SQL Server itself has the same hard cap (per Learn).
  • Azure SQL Database does not allow user-defined Resource Governor. It uses RG internally but the surface isn't exposed.

Sources:

Scenario 13 โ€” Correlate Extended Events with ETWโ€‹

Pattern: "You need to correlate SQL Server events with Windows OS or application traces in one timeline. Add what to your XE session?"

ALTER EVENT SESSION my_session ON SERVER
    ADD TARGET package0.etw_classic_sync_target;
GO
๐ŸŽฏ Target vs Action vs Predicate โ€” recall in one breath
  • Target = where the event data goes (file, ring buffer, ETW, histogram).
  • Action = extra columns captured when the event fires (sql_text, session_id, plan_handle). Costs CPU.
  • Predicate = filter โ€” drops events before they're written. Cheapest noise control.

For OS + SQL correlation, the only target that matters is package0.etw_classic_sync_target.

โšก ETW target is SQL Server only

The ETW target is available on SQL Server only. It is not available on Azure SQL Database or Azure SQL Managed Instance โ€” those instances expose only event_file, ring_buffer, event_stream, histogram, and event_counter. If a question puts ETW correlation on Azure SQL DB / MI, the answer is "not supported โ€” use the event_file target and external correlation".

Two more setup gotchas the exam likes:

  • The SQL Server service account must be a member of the Performance Log Users group for ETW to start.
  • The ETW output file lives at %TEMP%\XEEtw.etl and its path can't be changed after the first session starts.

Sources:

Power BI โ€” public vs private connection patternsโ€‹

Pattern: There are two Power BI โ†’ Azure SQL DB exam questions, and they have different right answers depending on how the question is worded.

Question wordingRight answer
"Power BI Service must read from Azure SQL DB โ€” what is the simplest way?"Allow the Power BI Service IP ranges on the server-level firewall (or check "Allow Azure services and resources"). Public endpoint, no gateway needed. Pro / shared capacity OK.
"What is the most secure way to connect Power BI Service to Azure SQL DB when public network access is disabled / private endpoint only?"VNet data gateway (Premium / Fabric) + private endpoint on the SQL server. See Scenario 5.
On-prem alternative (no Premium / Fabric)On-premises data gateway on a VM inside the same VNet as the private endpoint.
๐ŸŽฏ The keyword decides the answer

If the question says "simplest", "easiest", "default" โ†’ public + firewall. If it says "most secure", "private endpoint", "no public access", "compliance" โ†’ VNet data gateway. Picking VNet gateway on a "simplest" question or public+firewall on a "most secure" question is the most common 1-point loss.

SQL Server Agent and email โ€” quick recap across platformsโ€‹

The table below is the same content as Scenario 1 (Database Mail) cross-walked with Agent behavior, because the exam often combines them in one question.

CapabilitySQL Server on Azure VMSQL Managed InstanceAzure SQL Database
SQL Server Agent serviceWindows service. Set Automatic startup. Stop/start manually.Built in, always running. You cannot stop or start it.Does not exist. Use Elastic Jobs or Azure Automation.
Database MailFull. Configure profile in msdb, allow outbound SMTP from the subnet.Supported. Profile name must be literally AzureManagedInstance_dbmail_profile. Outbound SMTP relay on TLS port 587.Not supported. Use Logic Apps, Power Automate, or Azure Automation.
Operators + AlertsFull Agent Operators + Alerts.Supported (with the literal profile name above).N/A.
sp_send_dbmail from job logicWorks.Works.Not available.
โšก Don't drop Alerts/Operators on MI

Some study guides claim "MI only supports sp_send_dbmail inside job logic" โ€” that's incomplete. MI supports the full Operator + Alert configuration on SQL Agent as long as you use the literal profile name AzureManagedInstance_dbmail_profile. The exam pattern "configure Operator + Alert + Notification on MI" is a valid answer; you do not have to fall back to inline T-SQL.

Sources: Database Mail (Azure SQL Managed Instance) โ€” same as Scenario 1.

Dynamic Data Masking โ€” partial() general formulaโ€‹

The exam reuses this question with different "kept" widths and different middle masks. Memorize the formula, not one example.

ALTER TABLE T ALTER COLUMN C ADD MASKED WITH (
    FUNCTION = 'partial( <kept_start_chars> , "<literal_middle>" , <kept_end_chars> )'
);
Source valueMask stringResult
2223-3412-4121partial(0,"XXXX-XXXX-",4)XXXX-XXXX-4121
2223-3412-4121partial(0,"XXXXXX-XXXX-",4)XXXXXX-XXXX-4121
2223-3412-4121partial(4,"-XXXX-",4)2223-XXXX-4121
John.Smith@contoso.compartial(1,"XXX@",4)JXXX@.com (last 4 of full string)
โšก Three traps to memorize on this question
  1. The first argument is the number of chars kept at the start โ€” not the number hidden.
  2. The middle is a literal string in double quotes โ€” including any dashes you want to preserve.
  3. Always Encrypted cannot do partial reveal. If the question asks for "show last 4 only" the only acceptable answer is DDM.

Source: Dynamic data masking โ€” same as Scenario 7.

Failover topology โ€” 30-second recallโ€‹

Symptom in the questionPick
"Automatic failover, single endpoint, multiple DBs together"Auto-failover group
"Up to 4 readable secondaries, manual failover, per-DB endpoints"Active geo-replication
"Region-loss survival but no synchronous-cost replicas"Geo-restore from GRS / RA-GRS backups
"Lowest latency sync commit in one region"AG on VMs in same AS + PPG
"Survive a whole datacenter, still in one region"AG across Availability Zones
"Failover Cluster Instance with Entra auth"Not supported โ€” trick option
"MI: protect ALL user DBs together cross-region"Auto-failover group on the MI (all-or-nothing scope)
๐Ÿ”€ If you think in Data Guard
  • Auto-failover group โ‰ˆ Data Guard with Fast-Start Failover + a virtual broker name. The application sees one endpoint and never reconfigures.
  • Active geo-replication โ‰ˆ multiple physical standbys in Active Data Guard, but you flip them manually and the connection string per-replica is distinct.
  • AG in PPG + AS โ‰ˆ Data Guard with sync LogXptMode=SYNC between two RAC sites in the same building โ€” minimum latency, no datacenter-loss protection.

Flashcards โ€” high-yield recall setโ€‹

Multi-tenant Azure SQL DB, isolate 40 customers โ€” which two?
Click to reveal answer
Contained database users (one per customer DB) + database-level firewall rules. Microsoft Learn pairs these explicitly.
1 / 26

Reflex checks before exam dayโ€‹

๐Ÿง  Pre-exam 10-minute recall loop

Run this set in your head the morning of the exam. Whisper the reason, not just the option letter.

  1. RESTORE โ€ฆ WITH NORECOVERY whenever you add a DB to an AG.
  2. DBCC CHECKDB with no flags whenever you see "physical AND logical".
  3. 2:x:y โ†’ tempdb โ†’ multiple files, equal size, fixed autogrowth.
  4. Sync-commit AG โ†’ AS + PPG. Cross-DC survival โ†’ AZ.
  5. SaaS multi-tenant โ†’ contained users + database firewall.
  6. SQL VM Entra auth โ†’ SQL 2022 + IaaS extension + MI + Directory Readers.
  7. ALTER CERTIFICATE โ€ฆ WITH PRIVATE KEY (DECRYPTION BY 'โ€ฆ', ENCRYPTION BY 'โ€ฆ').
  8. DDM partial(prefix_count, "middle_literal", suffix_count).
  9. Power BI Service to private Azure SQL โ†’ VNet data gateway.
  10. Database Mail: VM yes, MI yes (literal profile name), Azure SQL DB no.

Source indexโ€‹

Every claim on this page was checked against the URLs below on the last_reviewed date in the frontmatter. If a section conflicts with current Microsoft Learn, the docs win โ€” update this page before the next retake.