Your company stores sensitive customer data in Azure SQL Database. You need to implement column-level encryption for the 'SSN' column using a customer-managed key stored in Azure Key Vault. Which feature should you use?
Always Encrypted provides column-level encryption with customer-managed keys.
Why this answer
Always Encrypted is the correct feature because it encrypts sensitive columns, such as 'SSN', on the client side using a customer-managed key stored in Azure Key Vault. The encryption keys are never exposed to the database engine, so even database administrators cannot view the plaintext data. This meets the requirement for column-level encryption with customer-managed keys.
Exam trap
The trap here is that candidates often confuse Transparent Data Encryption (TDE) with column-level encryption. TDE only protects data at rest; it does not prevent database administrators or the cloud provider from reading the data in memory or during queries.
How to eliminate wrong answers
Option A is wrong because Azure Policy is a governance tool used to enforce organizational standards and compliance rules across Azure resources, not a data encryption feature for individual columns. Option C is wrong because Transparent Data Encryption (TDE) encrypts the entire database at rest (the storage layer), not at the column level, and it does not support customer-managed keys for column-specific encryption. Option D is wrong because Dynamic Data Masking obfuscates data at query time for unauthorized users but does not encrypt the underlying data; the masked values are still stored in plaintext and can be accessed by privileged users.