Exam AZ-301 topic 2 question 31 discussion

Actual exam question from Microsoft's AZ-301
Question #: 31
Topic #: 2
[All AZ-301 Questions]

Note: This question is part of series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has an on-premises data center and an Azure subscription. The on-premises data center contains a Hardware Security Module (HSM).
Your network contains an Active Directory domain that is synchronized to an Azure Active Directory (Azure AD) tenant.
The company is developing an application named Application1. Application1 will be hosted in Azure by using 10 virtual machines that run Windows Server 2016.
Five virtual machines will be in the West Europe Azure region and five virtual machines will be in the East US Azure region. The virtual machines will store sensitive company information. All the virtual machines will use managed disks.
You need to recommend a solution to encrypt the virtual machine disks by using BitLocker Drive Encryption (BitLocker).
Solution: Deploy one Azure Key Vault to each region. Create two Azure AD service principals. Configure the virtual machines to use Azure Disk Encryption and specify a different service principal for the virtual machines in each region.
Does this meet the goal?

  • A. Yes
  • B. No
Suggested Answer: B
You would also have to import the keys from the on-premises HSM into each Azure Key Vault.
References:
https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-prerequisites-aad
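The following Azure PowerShell script is an added example, not part of the ExamTopics page, the exam answer, or Microsoft's documentation. It shows what the proposed solution looks like when it is completed the way the suggested answer describes: one Key Vault and one service principal per region, the HSM key imported into each vault as the key encryption key (BYOK), and Azure Disk Encryption (the Azure AD variant referenced above) enabled on the five VMs of that region. Resource group names, vault names, VM names and the .byok file paths are hypothetical; it assumes the Az modules are installed and Connect-AzAccount has already been run.

```powershell
# Added example (not from the ExamTopics page or Microsoft docs).
# Assumes: Az modules installed, Connect-AzAccount done, VMs already deployed.
# Resource groups, vault names, SP names, VM names and .byok paths are hypothetical.

# One entry per region. VmNames lists the five VMs deployed there; ByokFile is
# the key package exported from the on-premises HSM for that vault (hypothetical
# path; produced with the HSM vendor's BYOK toolset for Azure Key Vault).
$regions = @(
    @{ Location = 'westeurope'; Rg = 'rg-app1-weu'; Vault = 'kv-app1-weu'; SpName = 'sp-ade-weu'
       ByokFile = 'C:\byok\app1-weu-kek.byok'
       VmNames  = (1..5 | ForEach-Object { "vm-app1-weu-$_" }) },
    @{ Location = 'eastus';     Rg = 'rg-app1-eus'; Vault = 'kv-app1-eus'; SpName = 'sp-ade-eus'
       ByokFile = 'C:\byok\app1-eus-kek.byok'
       VmNames  = (1..5 | ForEach-Object { "vm-app1-eus-$_" }) }
)

foreach ($r in $regions) {
    # ADE requires the Key Vault to be in the same region and subscription as the
    # VMs it protects, which is why one vault per region is needed.
    # Premium SKU is required for HSM-protected keys.
    $kv = New-AzKeyVault -Name $r.Vault -ResourceGroupName $r.Rg -Location $r.Location `
                         -Sku Premium -EnabledForDiskEncryption

    # A dedicated service principal per region (the Azure AD variant of ADE).
    # Assumption: a recent Az.Resources, which generates a password credential
    # and exposes it as PasswordCredentials.SecretText.
    $sp              = New-AzADServicePrincipal -DisplayName $r.SpName
    $aadClientId     = $sp.AppId
    $aadClientSecret = $sp.PasswordCredentials.SecretText

    # Least privilege: the SP only needs to wrap keys (with the KEK) and write
    # secrets (the wrapped BitLocker key) in this region's vault.
    Set-AzKeyVaultAccessPolicy -VaultName $r.Vault -ResourceGroupName $r.Rg `
        -ServicePrincipalName $aadClientId -PermissionsToKeys wrapKey -PermissionsToSecrets set

    # The step the suggested answer says is missing from the proposed solution:
    # import the key from the on-premises HSM as an HSM-protected KEK (BYOK).
    $kek = Add-AzKeyVaultKey -VaultName $r.Vault -Name 'app1-kek' `
                             -KeyFilePath $r.ByokFile -Destination HSM

    # Enable BitLocker via the ADE extension on every VM in this region,
    # wrapping each VM's BitLocker key with the region's KEK.
    foreach ($vmName in $r.VmNames) {
        Set-AzVMDiskEncryptionExtension -ResourceGroupName $r.Rg -VMName $vmName `
            -AadClientID $aadClientId -AadClientSecret $aadClientSecret `
            -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
            -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $kv.ResourceId `
            -VolumeType All -Force
    }
}

# Check: every VM should report its OS volume (and data volumes) as Encrypted.
foreach ($r in $regions) {
    foreach ($vmName in $r.VmNames) {
        Get-AzVMDiskEncryptionStatus -ResourceGroupName $r.Rg -VMName $vmName |
            Select-Object @{ n = 'VM'; e = { $vmName } }, OsVolumeEncrypted, DataVolumesEncrypted
    }
}
```

Two practical notes. First, the service-principal-per-region design above is the older Azure AD flavour of ADE that the reference link on this page documents; the current ADE extension does not need an Azure AD application or client secret at all, so on a fresh deployment you would drop the New-AzADServicePrincipal and -AadClient* parts. Second, the regional split is not optional: ADE refuses a Key Vault in a different region from the VM, so a single vault for both West Europe and East US would fail regardless of how the service principals are arranged.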

Comments

TinyTrexArmz
Highly Voted 3 years, 8 months ago
Poorly worded question. Neither the use of the on-prem HSM keys nor a KEK is listed in the requirements. The only requirement is that it provides encryption using BitLocker Drive Encryption. The solution as given would provide that. Many times test questions provide more information than is needed so that they can reuse the scenario for other questions. Just because your on-prem has an HSM doesn't imply that it is a requirement for an Azure solution.
upvoted 12 times
glam
Most Recent 3 years, 2 months ago
B. No.
upvoted 1 times
certmonster
3 years, 5 months ago
The solution is not complete so it's a NO for me.
upvoted 1 times
PhiIipp
3 years, 8 months ago
Don't see why this is not A) YES. Manual encryption works this way, see link https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault-aad
upvoted 2 times
milind8451
3 years, 10 months ago
However, managed disks already have data-at-rest encryption, but you can use your own key instead of a managed key for added security. A user-managed key can be stored in Azure Key Vault. A service principal is not needed here. B is correct.
upvoted 1 times
Rajuuu
3 years, 11 months ago
B is correct but the description does not seem correct.
upvoted 4 times
pw
4 years, 2 months ago
I also think B, but for a different reason: each VM needs its own service principal, so two service principals are not enough to solve this.
upvoted 4 times
dtvAzh
3 years, 10 months ago
User assigned managed identity can be used. Hence, that's not a concern. https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview#how-a-user-assigned-managed-identity-works-with-an-azure-vm
upvoted 4 times
tartar
3 years, 7 months ago
B is ok
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)