Question 657 of 846
Design and implement data storagehardMultiple ChoiceObjective-mapped

Quick Answer

The correct answer is to create a new storage account in the same region with infrastructure encryption enabled and customer-managed keys (CMK) configured, then use AzCopy to migrate data. This is necessary because infrastructure encryption, which adds a second layer of encryption at the storage infrastructure level, cannot be enabled on an existing Azure Blob Storage account—it must be set at creation time. On the DP-203 exam, this scenario tests your understanding of immutable storage configuration requirements and the distinction between encryption layers; a common trap is assuming you can simply update an existing account’s encryption settings. The key concept is that infrastructure encryption is a one-time choice during provisioning, so migration to a new account is the only path. For memory, remember: “New account for new encryption layer—AzCopy moves data without delay.”

DP-203 Design and implement data storage Practice Question

This DP-203 practice question tests your understanding of design and implement data storage. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A healthcare company stores patient records in Azure Blob Storage. The compliance team requires that all data be encrypted at rest using customer-managed keys (CMK) stored in Azure Key Vault. Additionally, the storage account must be accessible only from a specific virtual network (VNet) and must support versioning to protect against accidental deletion. The storage account is currently using Microsoft-managed keys and has public network access enabled. You need to implement the required changes with minimal downtime. Which course of action should you take?

Question 1hardmultiple choice
Read the full NAT/PAT explanation →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Create a new storage account in the same region with infrastructure encryption enabled and customer-managed keys configured. Enable versioning and VNet access. Use AzCopy to copy data from the old account to the new one. Update applications to use the new storage account. Delete the old account.

Option A is correct because creating a new storage account with infrastructure encryption and customer-managed keys (CMK) is the only way to enable infrastructure encryption, which cannot be enabled on an existing account. Using AzCopy ensures minimal downtime by copying data in the background while applications continue to use the old account until the cutover. Enabling versioning and VNet access on the new account meets all compliance requirements without disrupting the existing environment.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Create a new storage account in the same region with infrastructure encryption enabled and customer-managed keys configured. Enable versioning and VNet access. Use AzCopy to copy data from the old account to the new one. Update applications to use the new storage account. Delete the old account.

    Why this is correct

    This meets all requirements. The new account is created with CMK support, versioning, and VNet access. Data is migrated with AzCopy, and applications are updated.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Modify the existing storage account to use customer-managed keys by updating the encryption settings in the Azure portal. Then, enable versioning and configure firewall rules to allow access from the VNet.

    Why it's wrong here

    Existing storage accounts cannot be switched to customer-managed keys if they were not originally provisioned with infrastructure encryption. A new account is required.

  • Delete the existing storage account and recreate it with the same name, enabling customer-managed keys, versioning, and VNet access. Restore data from backups.

    Why it's wrong here

    Deleting the account causes full data loss if backups are not available or current. Restoring from backups may not capture recent changes and causes significant downtime.

  • Create a new storage account with the same name in a different region. Enable infrastructure encryption and customer-managed keys. Use Azure Data Factory to copy data from the old account to the new one. Then, delete the old account and update applications to point to the new account.

    Why it's wrong here

    Changing the region is unnecessary and adds latency. The account name can be reused after deletion, but this approach causes more downtime than necessary.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates assume infrastructure encryption can be enabled on an existing storage account, but it is a creation-time-only setting, making a new account the only viable path to meet the compliance requirement with minimal downtime.

Detailed technical explanation

How to think about this question

Infrastructure encryption (double encryption) uses two independent encryption layers: one at the service level (Azure Storage Service Encryption) and another at the infrastructure level (using a platform-managed key). This feature can only be enabled during storage account creation and cannot be retroactively applied. Customer-managed keys (CMK) in Azure Key Vault allow you to control the root key used for envelope encryption, providing an additional layer of compliance. Versioning in Blob Storage preserves previous versions of blobs, protecting against accidental deletion or overwrite, and must be explicitly enabled on the storage account.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related DP-203 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free DP-203 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this DP-203 question test?

Design and implement data storage — This question tests Design and implement data storage — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Create a new storage account in the same region with infrastructure encryption enabled and customer-managed keys configured. Enable versioning and VNet access. Use AzCopy to copy data from the old account to the new one. Update applications to use the new storage account. Delete the old account. — Option A is correct because creating a new storage account with infrastructure encryption and customer-managed keys (CMK) is the only way to enable infrastructure encryption, which cannot be enabled on an existing account. Using AzCopy ensures minimal downtime by copying data in the background while applications continue to use the old account until the cutover. Enabling versioning and VNet access on the new account meets all compliance requirements without disrupting the existing environment.

What should I do if I get this DP-203 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This DP-203 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the DP-203 exam.