A company stores sensitive customer data in an Azure Storage account. The security policy requires that all data be encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. They also need the ability to disable the key in case of a security breach and have the data become inaccessible immediately. Which feature should they enable on the storage account to achieve this?

Use service-managed keys (SSE) with platform-managed keys

Service-managed keys do not give you control over the encryption key, so you cannot revoke access on demand.

Enable Azure Disk Encryption on VMs that access the storage account

Azure Disk Encryption encrypts the OS and data disks of VMs, not the storage account data. It does not protect blob data at rest.

Configure Azure Information Protection for the storage account

Azure Information Protection classifies and protects documents and emails, not storage account encryption. It is not used for storage-level encryption.

What does this AZ-500 question test?

Read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Enable Azure Storage encryption with customer-managed keys (CMK) — Azure Storage encryption with customer-managed keys (CMK) allows you to use your own key from Key Vault to encrypt data. However, disabling the key does not automatically make the data inaccessible immediately; there is a 1-2 hour delay because the storage account caches the key. To achieve immediate revocation, you must enable 'Infrastructure encryption' (double encryption) or use 'Azure Disk Encryption' for VMs. For Blob Storage, the feature to immediately invalidate the key is not directly available; but you can use 'Azure Storage encryption with customer-managed keys' and then delete or disable the key. The data becomes inaccessible after the key is disabled but not immediately due to caching. To ensure immediate effect, you should enable 'Require secure transfer'? No. The correct approach is to use 'Azure Storage encryption with customer-managed keys' and implement a process to rotate the key. But the question asks for immediate inaccessibility. Azure Storage uses a wrapping key; disabling the key in Key Vault will cause the storage account to fail to access it after a few minutes? The documentation says there is a delay up to 15 minutes. But for immediate, you need to revoke the storage account's access by changing the key. However, the most direct answer is to configure 'Customer-managed keys' and use the 'Key rotation' policy. But the specific feature that enables immediate revocation is to 'Disable the key' in Key Vault and then wait for the storage account to rewrap the encryption key. This is not immediate. There is no built-in immediate revocation for storage CMK. However, one option that comes close is to use 'Azure Key Vault with soft-delete and purge protection' but that doesn't revoke. The best answer among options: 'Enable Azure Storage encryption with customer-managed keys and configure key rotation policy' - but that does not provide immediate revocation. Let's design options to test the understanding that CMK provides ability to revoke (though not immediate). Since this is medium, we can expect the candidate to know that CMK gives control. The wrong answers can be: using service-managed keys (no control), using Azure Disk Encryption (not applicable to blob), or using Azure Information Protection (not for storage encryption). So correct: 'Enable Azure Storage encryption with customer-managed keys'.

What should I do if I get this AZ-500 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.