Refer to the exhibit. You run the Azure CLI command to check if blob encryption is enabled for a storage account. The command returns 'false'. However, you know that Azure Storage encrypts all data at rest by default. What is the explanation?
When using Microsoft-managed keys, this property is false; encryption is still active.
Why this answer
Option C is correct because the property `encryption.services.blob.enabled` in the Azure CLI command `az storage account show` specifically indicates whether customer-managed keys (CMK) are enabled for blob encryption, not whether the default Microsoft-managed key encryption is active. Azure Storage automatically encrypts all data at rest using Microsoft-managed keys, and this default encryption is always enabled and cannot be disabled. The command returns 'false' because CMK has not been configured, but the underlying default encryption is still in effect.
Exam trap
The trap here is that candidates assume the `encryption.services.blob.enabled` property reflects the presence of any encryption, including default encryption. In fact it only indicates whether customer-managed keys are in use, so they incorrectly conclude that encryption is disabled.
How to eliminate wrong answers
Option A is wrong because Azure Disk Encryption is a separate feature for encrypting OS and data disks of virtual machines, not for Azure Storage blob encryption, and it does not affect the `encryption.services.blob.enabled` property.
Option B is wrong because `encryption.requireInfrastructureEncryption` is a different property that controls double encryption (infrastructure encryption) at the storage account level, not the blob encryption setting queried by the command.
Option D is wrong because all Azure Storage accounts in all regions support default encryption at rest; there is no region that lacks this capability.