Secure compute, storage, and databases

A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server is in the same region and has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. However, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required to allow the SQL server to access the Key Vault for TDE operations?

A company stores sensitive files in Azure Files shares. They require that data is encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault, and that all client connections use SMB 3.0 encryption for end-to-end encryption in transit. They create a premium Azure Files share in a storage account and configure encryption at rest with a CMK. However, clients are unable to connect without SMB encryption. What additional configuration is necessary to enforce SMB encryption for all connections?

A company stores sensitive files in Azure Files shares. They require encryption at rest using customer-managed keys (CMK) and encryption in transit using SMB 3.0 encryption. They have created a premium Azure Files share in a storage account and configured encryption at rest with a CMK. However, clients are able to connect without enforcing SMB encryption. What additional configuration is necessary to ensure that all connections to the file share are encrypted in transit?

A company uses Azure SQL Database with Transparent Data Encryption (TDE) and wants to use a customer-managed key (CMK) stored in Azure Key Vault. The security policy requires that the Key Vault be protected by a firewall and virtual network service endpoints to restrict network access. The storage account for TDE logs is in the same Azure region. Which additional configuration is necessary in the Key Vault to allow Azure SQL Database to access the CMK for encryption operations?

A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key stored in Azure Key Vault. The Key Vault has a firewall enabled that blocks all public network access. The SQL server has a system-assigned managed identity with the 'Key Vault Crypto Service Encryption User' role assigned at the key scope. Despite this, TDE operations fail because the SQL server cannot access the Key Vault. What additional configuration is required?

A company uses Azure SQL Database. They want to ensure that all data at rest is encrypted using a customer-managed key (CMK) stored in Azure Key Vault. They also require that the key is automatically rotated every 12 months. Which two actions must be configured to meet this requirement? (Select two.)

A company plans to enable Azure Disk Encryption (ADE) on a set of Windows virtual machines using a Key Encryption Key (KEK) stored in Azure Key Vault. They have enabled soft-delete and purge protection on the Key Vault. The encryption fails with an error indicating that the key vault does not have the required permissions. Which additional configuration is most likely required for ADE to use the KEK?

A company uses Azure Disk Encryption (ADE) on Windows virtual machines. They use a key encryption key (KEK) stored in Azure Key Vault to wrap the disk encryption key. The security policy requires that the KEK be automatically rotated every 90 days. They need to ensure that after rotation, the OS and data disks of running VMs automatically get re-wrapped with the new KEK version. Which configuration should they implement?

An Azure Storage account is configured with server-side encryption (SSE) using a customer-managed key stored in Azure Key Vault. The security team requires that the storage account's identity be used to authenticate to the key vault for key access. Additionally, they want the identity to be automatically deleted when the storage account is deleted. Which type of identity should they assign to the storage account?

A company uses Azure SQL Database with Transparent Data Encryption (TDE) using a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server has a system-assigned managed identity assigned the 'Key Vault Crypto Service Encryption User' role. However, TDE operations are failing because the SQL server cannot access the Key Vault. What additional configuration is needed?

A healthcare company stores sensitive patient data in Azure SQL Database. They want to encrypt specific columns containing Personally Identifiable Information (PII) so that even database administrators cannot view the data. The security team also needs to perform equality searches (e.g., WHERE SSN = '123-45-6789') on the encrypted columns. Which encryption technology should they implement?

A company uses Azure SQL Database to store customer data, including credit card numbers. The security policy requires that database administrators (DBAs) must not be able to view the credit card numbers in plaintext. The column containing the credit card numbers must be encrypted at rest and in transit, and only a specific application (using a dedicated client library) should be able to decrypt the data. Which technology should they implement?

A company uses Azure SQL Database with Transparent Data Encryption (TDE) and a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall that blocks all public access. The SQL server is a managed service that needs to access the key to perform TDE operations. The Key Vault is in the same Azure region as the SQL server. Which additional configuration is needed?

A healthcare organization stores sensitive patient data in Azure SQL Database. They need to encrypt specific columns containing medical history so that even database administrators with the 'sysadmin' role cannot view the plaintext data. Additionally, they need to support equality comparisons (WHERE clauses) on the encrypted columns. Which encryption technology should they implement?

A company uses Azure SQL Database to store personally identifiable information (PII). They need to encrypt specific columns containing social security numbers so that even database administrators with the 'db_owner' role cannot view the plaintext. The application must be able to perform equality searches on the encrypted columns. Which encryption technology should they implement?

A company has an Azure SQL Database server. They want to allow an Azure Function with a system-assigned managed identity to access the database by using Azure Active Directory (Azure AD) authentication. Which two configurations are required to grant this access? (Choose two.)

An AKS cluster needs to pull container images from a private Azure Container Registry (ACR). The security policy requires that the AKS cluster identity should not have direct access to the ACR; instead, a service principal with the AcrPull role should be used, with credentials stored as a Kubernetes secret. Which authentication method should be configured on the AKS cluster?

A healthcare organization stores sensitive patient data in Azure SQL Database. They need to encrypt specific columns containing medical history so that even database administrators with highly privileged roles, such as 'sysadmin', cannot view the plaintext data. Additionally, they need to support complex queries on the encrypted data, including pattern matching and range comparisons. Which encryption technology should they implement?

A company wants to enable Azure Disk Encryption (ADE) on their Windows virtual machines using a Key Encryption Key (KEK) stored in Azure Key Vault. They have created the Key Vault with soft-delete enabled and a key. However, the encryption fails. What is the most likely missing configuration that prevents ADE from using the KEK?

A company uses Azure Key Vault to store secrets for their applications. They want to ensure that an application hosted on an Azure virtual machine can access secrets from only a specific Key Vault, and that all traffic between the VM and Key Vault remains within the Azure network and does not traverse the public internet. Which configuration should they implement?

A company is enabling Azure Disk Encryption (ADE) on Windows virtual machines. They have enabled soft-delete on Azure Key Vault and configured a Key Encryption Key (KEK). However, the disk encryption fails with an error indicating that the key vault does not have the required permissions. What is the most likely missing configuration?

A company uses Azure SQL Database with Transparent Data Encryption (TDE) encrypted using a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault is protected by a firewall that denies all public access. The SQL server must be able to access the key for TDE operations. Which additional configuration is necessary in the Key Vault to allow this?

A company uses Azure SQL Database with Transparent Data Encryption (TDE) encrypted using a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault is protected by a firewall and virtual network service endpoints. The storage account used for TDE logs is in the same Azure region. What additional configuration is necessary in the Key Vault to allow Azure SQL Database to access the CMK for TDE operations?

A company uses Azure Blob Storage to store archival data that is rarely accessed. The security policy requires that the data must be encrypted at rest using a unique Microsoft-managed key per storage account, and the data must be stored cost-effectively while allowing retrieval within 15 minutes. Which storage account type and encryption configuration should they choose?

A company stores sensitive financial records in Azure Blob Storage. They want to ensure that if a blob is deleted or overwritten, it can be recovered within 30 days. They also want to protect against accidental deletion of the storage account itself. Which two configurations should they implement? (Choose two.)

A company stores sensitive data in Azure Blob Storage. They want to enforce encryption at rest using a customer-managed key (CMK) stored in Azure Key Vault. Additionally, they require that the key vault be in a different region than the storage account to protect against regional disasters. Can this be achieved, and if so, what is the implication?

A company stores business records in Azure Blob Storage. Due to a legal investigation, they must prevent any modification or deletion of the blobs for an indefinite period until the legal hold is released. They also need to ensure that even storage account owners cannot alter the data during the hold. Which blob storage feature should they enable?

A company uses Azure Blob Storage to store sensitive documents. The security policy requires that the storage account can only be accessed from a specific Azure virtual network (VNet) and that all access must use Azure Active Directory (Azure AD) authentication. They want to block any access that uses storage account keys or shared access signatures (SAS). Which configuration should they implement?

A company has an Azure SQL Database that stores personally identifiable information (PII) in columns. They need to encrypt those columns so that only authorized applications can decrypt the data, and even database administrators cannot view the plaintext. Additionally, they need to support equality comparisons (WHERE clauses) on the encrypted columns. Which encryption technology should they use?

A company stores sensitive customer data in an Azure Storage account. The security policy requires that all data be encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. They also need the ability to disable the key in case of a security breach and have the data become inaccessible immediately. Which feature should they enable on the storage account to achieve this?

A company enabled Azure Disk Encryption on Windows virtual machines using Azure Key Vault to store encryption keys. They have enabled soft-delete and purge protection on the Key Vault. After a user accidentally deletes a key, the company tries to recover it but the recovery operation fails. What is the most likely reason for the recovery failure?

A company has an Azure Storage account with infrastructure encryption enabled. They configure the storage account to use customer-managed keys (CMK) stored in Azure Key Vault for encryption at rest. Despite this configuration, newly uploaded blobs are still encrypted with Microsoft-managed keys. What is the most likely cause?

A company is migrating a sensitive database to Azure SQL Managed Instance. The security team requires that the managed instance is not accessible from the public internet and that only specific Azure services, such as Azure Data Factory, can connect. Which configuration should the team implement to meet these requirements?

A company deploys a public-facing web application behind Azure Application Gateway. They want to enable the Web Application Firewall (WAF) to protect against SQL injection and cross-site scripting attacks. During the initial testing phase, they want to identify malicious requests without blocking them, to tune the WAF rules before enabling full protection. Which WAF mode should they configure?

A company stores sensitive healthcare data in Azure SQL Database. They need to encrypt specific columns containing patient diagnosis codes so that even database administrators with the 'sysadmin' role cannot view the plaintext. The application must be able to perform equality searches (WHERE clauses) on the encrypted columns. Which encryption technology should they implement?

A company stores sensitive data in Azure Blob Storage. They use customer-managed keys (CMK) stored in Azure Key Vault for encryption at rest. The security policy requires that the encryption keys be automatically rotated every 90 days. Which configuration should they implement to meet this requirement without manual intervention?

A company stores sensitive job processing messages in Azure Queue Storage. They have a web application running on an Azure virtual machine in a VNet that reads and writes to the queue. The security team requires that only the web application's VM can access the queue, and all access from the public internet must be blocked. Which configuration should they implement?

A company enables Azure SQL Database auditing to log database events to a storage account. The security policy requires that the audit logs be protected from tampering and deletion after they are written. Which storage account feature should the company enable to ensure that audit log files cannot be modified or deleted by anyone for a specified retention period?

A company stores critical business data in an Azure Storage account (Blob Storage). They want to ensure that all data is encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. They also need to be able to revoke access to the data quickly if a breach is suspected. Which feature should they enable on the storage account to enforce CMK?

A company stores sensitive financial documents in Azure Blob Storage. The security team needs to maintain an immutable log of all changes to the blob content, including the previous versions and the identity of the user who made the changes, for forensic analysis. Which Azure Storage feature should they enable on the storage account to meet this requirement?

A company uses Azure SQL Database with Transparent Data Encryption (TDE) and a customer-managed key stored in Azure Key Vault. The Key Vault is configured with a firewall that denies all public access. The SQL server must be able to access the key. What additional configuration is necessary?

A company plans to enable Azure Disk Encryption (ADE) on their Windows virtual machines. They will use a Key Encryption Key (KEK) stored in Azure Key Vault. What additional configuration must be made in the Key Vault to allow the Azure platform to access the KEK for encrypting the VM disks?

A company uses Azure Key Vault to store keys and secrets. They want to ensure that even if an administrator accidentally deletes a key, it can be recovered for up to 90 days. Additionally, they want to prevent anyone from permanently purging the key during that period. Which two features must be enabled?

A company stores sensitive documents in an Azure Blob Storage account. They have enabled infrastructure encryption and configured the storage account to use a customer-managed key stored in Azure Key Vault for encryption at rest. Despite this, newly uploaded blobs are still encrypted with Microsoft-managed keys. What is the most likely cause?

A company uses Azure SQL Database with Transparent Data Encryption (TDE) protected by a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault has a firewall enabled that denies all public network access. The SQL server is a Microsoft service. How can the SQL server be granted access to the key vault to perform TDE operations?

A company stores sensitive data in Azure Blob Storage. They want to encrypt the data at rest using customer-managed keys (CMK) stored in Azure Key Vault. Additionally, they want the key to be automatically rotated every 90 days without manual intervention. Which configuration should they implement?

A company stores highly sensitive data in Azure Blob Storage. They require encryption at rest using a customer-managed key. Additionally, they want to ensure that the key can only be used from the same Azure region as the storage account. Which configuration must they implement?

A company uses Azure Managed Disks for their virtual machines. They want to ensure that all managed disks are encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. They also want to automatically revoke access to the disks if the key is disabled or deleted. Which feature should they configure?

A company uses Azure SQL Database for a critical application. Security policy requires that all client connections use at least TLS 1.2 encryption and that connections not meeting this requirement are rejected. Which configuration should they implement on the Azure SQL Server?

A company plans to enable Azure Disk Encryption (ADE) on a fleet of Windows virtual machines. They want to use a key stored in Azure Key Vault to encrypt the disks. Which additional access configuration must be made in the Key Vault to allow ADE to succeed?

A company stores highly sensitive data in Azure Blob Storage. The security policy requires that all data is encrypted at rest using a key that is stored in Azure Key Vault, and that the storage account uses its system-assigned managed identity to access the key. Which encryption configuration should they use?

A company uses Azure Key Vault to store secrets. They want to grant developers the ability to read secrets, but only for specific secret names (e.g., 'App--ConnectionString'). They also want to use Azure RBAC instead of the Key Vault access policy model. Which RBAC role should they assign, and at which scope?

A company stores confidential data in Azure Blob Storage. They need to ensure that all data at rest is encrypted and they must be able to quickly rotate the encryption key on demand in case of a security breach. They also want to minimize administrative overhead. Which encryption option should they use?

A company uses Azure SQL Database and wants to protect sensitive data (e.g., credit card numbers) from database administrators. They require that the data is encrypted at rest and in transit, and only a client application using a specific driver can decrypt it. Which technology should they implement?

A company uses Azure SQL Database and wants to periodically scan the database for vulnerabilities such as misconfigurations, excessive permissions, and missing patches. The scans should generate actionable reports that the security team can use to remediate issues. Which built-in Azure feature should they enable?

A company stores highly sensitive data in Azure Blob Storage. They want to ensure that the data is encrypted at rest using a key stored in Azure Key Vault, but they also want to prevent Microsoft Azure from having any access to the encryption key. Which encryption approach should they use?

A company uses Azure SQL Database with Azure Active Directory authentication. To meet compliance requirements, they need to audit all failed login attempts and store the audit logs in a storage account located in a different Azure region for disaster recovery. What should they configure?

A company generates shared access signature (SAS) tokens to grant time-limited access to blobs in an Azure Storage container. A security administrator needs the ability to immediately revoke all active SAS tokens for that container if a token is compromised. What should they use?

A company stores sensitive data in Azure Blob Storage. They want to ensure that the data is encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. Additionally, they need the ability to immediately make the data inaccessible in case of a security breach. Which configuration on the storage account enables this?

A company enables Azure Disk Encryption (ADE) on Windows virtual machines using a key encryption key (KEK) stored in Azure Key Vault. They want the KEK to be automatically rotated every 30 days to meet compliance requirements. Which Azure Key Vault feature should they enable?

A company uses Azure SQL Database for a critical application. Security policy requires that all client connections to the database use at least TLS 1.2 encryption. What configuration change must be made to enforce this requirement?

A storage account contains legal evidence that must not be modified or deleted for seven years. Which feature should be configured?

An Azure SQL Database contains salary data. Support analysts need to query employee records but must not see full salary values. Which feature is most appropriate when the application cannot be changed immediately?

A Kubernetes workload in AKS needs to pull images from Azure Container Registry without using admin credentials. Which configuration should be used?

A Key Vault should be accessible only from selected private networks and approved Azure services. Which two settings are most relevant?

A storage account contains regulated records. Which two features help protect against accidental or malicious deletion?

An AKS cluster must reduce risk from untrusted container images. Which two controls are most appropriate?

A SQL workload needs to protect sensitive column values from database administrators who should not see plaintext. Which two features may be relevant depending on the query requirement?