Option B is correct. Azure SQL Database geo-replication configures a secondary replica in a different region, while the question asks to keep data within a specific region: the scenario is about ensuring data does not leave the region. To keep data within a region, you should not use geo-replication. The correct answer is to use a single-region deployment; among the options, however, 'Geo-replication' would allow cross-region replication, so it is not that, and neither is 'Failover groups'. 'Azure Policy' can enforce resource location, but not data. 'Data masking' is for security.
On re-evaluation, the best answer is 'Azure Policy', which restricts resource creation to a region, though that leaves open whether data could still be replicated. Could 'Geo-replication' be used to replicate to the same region so that data remains within it? No. The requirement is to keep data within a specific region, and geo-replication is used for disaster recovery across regions, so it would violate that requirement.
The correct approach is to use Azure Policy to enforce that resources are only created in allowed regions, and also to disable geo-replication. Among the options, 'Azure Policy' is the most direct. However, the stem implies a feature of SQL Database itself.
Does Azure SQL Database allow configuring a 'geo-replication' secondary in the same region? No, geo means a different region. 'Failover groups' are also cross-region. 'Data masking' is irrelevant. 'Transparent Data Encryption' (TDE) is for encryption at rest, not residency. So 'Azure Policy' is the correct answer.