Microsoft Azure Administrator Associate AZ-104 Practice Question

To have full control over the encryption keys for data at rest in Azure Storage, the administrator should configure the storage account to use customer-managed keys stored in Azure Key Vault. This approach allows the organization to manage key creation, rotation, and revocation, providing greater control over access to their data. Enabling Azure Disk Encryption is applicable to virtual machine disks, not storage accounts. Implementing client-side encryption requires additional application code and management overhead, and it does not leverage Azure's server-side encryption capabilities. Enabling server-side encryption with Microsoft-managed keys uses the default keys managed by Azure, which does not satisfy the requirement for the organization to use their own keys.