DRAG DROP
A new Azure Active Directory security principal named ReportUser@contoso.onmicrosoft.com should be
able to select from all current and future objects in the Reporting database. You should not grant the principal
any other permissions. You should use your Active Directory Domain Services (AD DS) account to authenticate
to the Azure SQL database.
You need to create the new security principal.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Select and Place:

Explanation:
Step 1:
To provision an Azure AD-based contained database user (other than the server administrator that owns the
database), connect to the database (here the Reporting database) with an Azure AD identity (not with a SQL
Server account) that has access to the database.
Step 2: CREATE USER … FROM EXTERNAL PROVIDER
To create an Azure AD-based contained database user (other than the server administrator that owns the
database), connect to the database with an Azure AD identity, as a user with at least the ALTER ANY USER
permission. Then use the following Transact-SQL syntax:
CREATE USER <Azure_AD_principal_name>
FROM EXTERNAL PROVIDER;
Step 3:
Grant the proper reading permissions.
https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication
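
The three steps above as one T-SQL batch, followed by checks that the principal holds read access and nothing else. This is an added example, not part of the original explanation; it assumes the session is already connected to the Reporting database with an Azure AD identity that has at least ALTER ANY USER, and it uses a database-scope GRANT SELECT as one way to cover current and future objects.

```sql
-- Added example. Run while connected to the Reporting database with an
-- Azure AD identity (not a SQL Server login), as Step 1 requires.
IF DB_NAME() <> N'Reporting'
    THROW 50000, N'Connect to the Reporting database first.', 1;

-- Step 2: create the contained database user mapped to the Azure AD principal.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'ReportUser@contoso.onmicrosoft.com')
    CREATE USER [ReportUser@contoso.onmicrosoft.com] FROM EXTERNAL PROVIDER;

-- Step 3: grant read access at database scope, so objects created later
-- are covered without further grants. No other permission is granted.
GRANT SELECT TO [ReportUser@contoso.onmicrosoft.com];

-- Check 1: the user exists and authenticates through Azure AD
-- (expect type_desc = EXTERNAL_USER, authentication_type_desc = EXTERNAL).
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals
WHERE name = N'ReportUser@contoso.onmicrosoft.com';

-- Check 2: explicit permissions held by the user.
-- Expect CONNECT (added by CREATE USER) and SELECT, both at DATABASE class.
SELECT pe.class_desc, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'ReportUser@contoso.onmicrosoft.com';

-- Check 3: role memberships. Expect no rows; membership in a role such as
-- db_owner or db_datawriter would exceed the stated requirement.
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'ReportUser@contoso.onmicrosoft.com';
```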