While preparing for the AZ-305 expert-level exam, many candidates struggle with designing secure and governable analytics platforms. In the enterprise world, this decision often hinges on balancing fine-grained data access control with development velocity and cost optimization. Let’s drill into a simulated migration scenario.
The Scenario #
Tailspin Analytics, a financial services firm, is modernizing its data platform to accelerate machine learning workflows while maintaining strict data governance. It plans to deploy Azure Databricks as its primary analytics engine, with Azure Data Lake Storage Gen2 as the data repository. Data engineers need access to specific folders within the data lake via Databricks File System (DBFS). The data lake folders contain sensitive financial datasets requiring strict compliance with data residency and access policies.
The company wants to ensure:
- Data engineers can only access the folders they have explicit permissions on.
- Development and administrative overhead is minimized.
- Overall solution costs are optimized for a controlled enterprise budget.
Requirements #
Which two of the following design components are recommended to meet the above requirements?
The Options #
- A) Use the Standard Azure Databricks SKU
- B) Use the Premium Azure Databricks SKU
- C) Authenticate access using Credential Passthrough
- D) Use Service Principal credentials for authentication
- E) Implement Unity Catalog for data governance
- F) Use Shared Access Signatures (SAS) for data access control
Correct Answer #
B) Use the Premium Azure Databricks SKU
E) Implement Unity Catalog for data governance
The Architect’s Analysis #
Correct Answer #
Option B (Premium SKU) and Option E (Unity Catalog)
Step-by-Step Winning Logic #
- Premium Azure Databricks SKU is required to enable advanced security features such as Credential Passthrough authentication, which allows users’ Azure Active Directory identities to be passed through to Azure Data Lake Storage. This ensures data engineers can only access data they are explicitly permitted to, supporting Azure RBAC and ACL enforcement. Standard SKU lacks these capabilities, risking broader data exposure.
- Unity Catalog is Microsoft’s unified data governance solution that provides a centralized metadata and access control layer across Databricks and multiple data sources. It enables fine-grained permissions at table, schema, and folder levels, making it easier to manage secure access without custom scripting or complex manual configurations, aligning strongly with CAF’s Governance and Security pillars.
This design ensures tight access controls with minimal development effort, preventing overprovisioning and limiting risk exposure, while keeping operational costs in check through efficient permissions management.
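To make the "fine-grained permissions without custom scripting" point concrete, here is an added example (not from the original post, and not Tailspin's or Microsoft's own configuration) of the Unity Catalog SQL a workspace admin would run so that one data-engineering group can read only the folder it is entitled to. The storage credential name, storage account, container path, and group name are assumptions chosen for illustration.

```sql
-- Added example: Unity Catalog grants scoping one group to one data-lake folder.
-- Storage credential, account, path and group names are assumed, not from the page.

-- 1. Register the ADLS Gen2 folder as an external location. Unity Catalog
--    reaches storage through the managed identity in the storage credential,
--    so no per-user SAS tokens or shared service-principal secrets are handed out.
CREATE EXTERNAL LOCATION IF NOT EXISTS trading_raw
  URL 'abfss://datalake@tailspinadls.dfs.core.windows.net/trading/raw'
  WITH (STORAGE CREDENTIAL tailspin_adls_cred);

-- 2. Catalog and schema that will hold tables defined over that folder.
CREATE CATALOG IF NOT EXISTS finance;
CREATE SCHEMA  IF NOT EXISTS finance.trading;

-- 3. Least-privilege grants: the group may browse the catalog and schema and
--    read its tables; nothing is granted on any other schema or folder.
GRANT USE CATALOG ON CATALOG finance          TO `trading-data-engineers`;
GRANT USE SCHEMA  ON SCHEMA  finance.trading  TO `trading-data-engineers`;
GRANT SELECT      ON SCHEMA  finance.trading  TO `trading-data-engineers`;

-- 4. Direct file reads are limited to this external location only.
GRANT READ FILES ON EXTERNAL LOCATION trading_raw TO `trading-data-engineers`;

-- 5. Review step: list effective grants so an auditor can confirm the scope
--    before and after changes, instead of inspecting scripts or token lists.
SHOW GRANTS ON SCHEMA finance.trading;
SHOW GRANTS ON EXTERNAL LOCATION trading_raw;
```

Because every grant is to an Azure AD group and is evaluated with the caller's own identity, a second team needs its own external location and schema grants rather than a copy of anyone's credentials; that is the administrative model the Premium SKU plus Unity Catalog answer is buying.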
The Trap (Distractor Analysis) #
- Option A (Standard SKU): lacks support for Credential Passthrough and other advanced security features, making it impossible to enforce folder-level access reliably.
- Option C (Credential Passthrough): essential to the design, but it is a feature of the Premium SKU rather than an independent choice. Selected on its own, without the Premium SKU that enables it, it delivers neither the access enforcement nor the governance layer the requirements call for, so it cannot stand alone as an answer.
- Option D (Service Principal credentials): using a single app identity for data access creates broad permissions and doesn’t allow per-user data access control, a governance risk.
- Option F (SAS tokens): while SAS tokens restrict storage access, managing them for each data engineer’s folder complicates administration and elevates cost and security risk, contrary to minimizing overhead.
The Architect Blueprint #
- Architecture Flow Diagram for Secure Azure Databricks Data Access
Diagram Note:
Data engineers authenticate via Azure AD; Databricks (Premium SKU) uses Credential Passthrough to enforce per-user access to storage, governed by Unity Catalog’s centralized access policies.
The Decision Matrix #
| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A) Standard SKU | Low | Low | Lower cost SKU | No Credential Passthrough, weak governance |
| B) Premium SKU | Medium | Medium-High | Supports Credential Passthrough and fine-grain controls | Higher cost, but required for governance |
| C) Credential Passthrough | Medium (with Premium SKU) | N/A (feature) | Strong identity-based access | Only available on Premium SKU |
| D) Service Principal creds | Medium | Low | Easy to implement | Poor data access isolation, security risk |
| E) Unity Catalog | Medium | Medium | Centralized data governance, minimal dev | Requires Premium SKU, some operational overhead |
| F) Shared Access Signatures | High | Low | Flexible access tokens | Complex management, higher overhead |
Real-World Practitioner Insight #
Exam Rule #
“For the exam, always pick Premium SKU with Unity Catalog when you see a requirement for strict data governance and minimal administrative overhead on Azure Databricks workloads.”
Real World #
“In real deployments, large enterprises managing multi-tenant data access use Unity Catalog and Credential Passthrough to secure data without proliferating costly custom scripts or security workarounds. This aligns with Microsoft’s Cloud Adoption Framework pillars of Governance and Security while optimizing operational excellence.”