Crucial Exams

Microsoft Azure Security Engineer Associate AZ-500 Practice Question

Your company has an Azure SQL Database named SalesDB. Transparent Data Encryption (TDE) is enabled with a Microsoft-managed key. The security team must manage the TDE protector themselves and rotate it in Azure Key Vault without requiring data re-encryption. You plan to switch SalesDB to customer-managed TDE. Which prerequisite must you complete before you can set the database encryption protector to a Key Vault key?

  • Create an Azure Key Vault access policy that lists the public IP addresses of the SQL Database service.

  • Disable TDE on SalesDB, then re-enable it after configuring a new protector key.

  • Generate a new TDE certificate in the master database and export it to a .cer file for backup.

  • Grant the SQL server's managed identity the Key Vault Crypto Service Encryption User role (or equivalent key permissions) on the target key.

Microsoft Azure Security Engineer Associate AZ-500
Secure compute, storage, and databases
Your Score:
Settings & Objectives
Random Mixed
Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.
Rotate by Objective
Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Check or uncheck an objective to set which questions you will receive.

Wipe Score
Bash, the Crucial Exams Chat Bot
AI Bot