Microsoft Azure Administrator Associate AZ-104 Practice Question

To meet the requirement of company-controlled encryption keys, you should use Azure Disk Encryption with keys stored in Azure Key Vault backed by a customer-managed Hardware Security Module (HSM). This approach allows the company to maintain full control over the encryption keys while leveraging Azure's disk encryption capabilities. Azure Disk Encryption encrypts the OS and data disks of virtual machines, and integrating it with a customer-managed HSM in Key Vault ensures that the keys are not managed by Microsoft.

Enabling server-side encryption with platform-managed keys means that Microsoft controls the keys, which does not comply with the company's policy. Implementing BitLocker within each VM and managing keys locally is not recommended because it doesn't provide centralized key management and can be less secure. Using Azure Disk Encryption with Microsoft-managed keys also places key control with Microsoft rather than the company, violating the security requirements.