[Reference:, https://docs.microsoft.com/en-us/sql/relational-databases/security/contained-database-users-making-your-database-portable?view=sql-server-ver15, , , , , , , Basic Concept: This question tests identity and authentication for Azure SQL and SQL Server workloads, including when to use contained users, directory identities, certificate validation, or authentication profiles., Why D is Correct: a contained database user from a Windows login for App1 on DB2 is a security-related control, but its value depends on whether the requirement is identity, encryption, auditing, network isolation, or data exposure reduction. In this scenario, the important constraint is: You need to ensure that App1 can access DB2. a contained database user from a Windows login for App1 on DB2 satisfies that constraint without adding an unrelated service or manual process., Why A is Wrong: a contained database user for App1 on DB2 is a security-related control, but its value depends on whether the requirement is identity, encryption, auditing, network isolation, or data exposure reduction. It is not the right enforcement point for this case; the scenario needs the control that governs the data or identity path being tested., Why B is Wrong: a login for App1 on Server1 is a security-related control, but its value depends on whether the requirement is identity, encryption, auditing, network isolation, or data exposure reduction. It does not satisfy the required identity, encryption, firewall, auditing, or data-exposure boundary described in the scenario: You need to ensure that App1 can access DB2., Why C is Wrong: a contained database user from an external provider for App1 on DB2 is a security-related control, but its value depends on whether the requirement is identity, encryption, auditing, network isolation, or data exposure reduction. It protects or manages a different security layer, so the required database access or protection behavior would still be incomplete., ]
