ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam AZ-204 All Questions

View all questions & answers for the AZ-204 exam
Go to Exam

Exam AZ-204 topic 4 question 11 discussion

Actual exam question from Microsoft's AZ-204
Question #: 11
Topic #: 4
[All AZ-204 Questions]

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are developing a medical records document management website. The website is used to store scanned copies of patient intake forms.
If the stored intake forms are downloaded from storage by a third party, the contents of the forms must not be compromised.
You need to store the intake forms according to the requirements.
Solution:
1. Create an Azure Cosmos DB database with Storage Service Encryption enabled.
2. Store the intake forms in the Azure Cosmos DB database.
Does the solution meet the goal?

  • A. Yes
  • B. No
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by Drgn at Feb. 6, 2021, 1:34 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
cbn
Highly Voted 3 years, 10 months ago
I think the rationale is Azure Cosmos is not the best place to store blob data, like scanned patient intake forms. https://stackoverflow.com/questions/49343675/how-can-i-store-images-in-azure-cosmos-db
upvoted 31 times
iamstudying
2 years, 9 months ago
Although it's not ideal, it is still a valid solution (sort of)... media files are stored in blob storage https://docs.microsoft.com/en-us/azure/cosmos-db/database-encryption-at-rest The key thing to point here is that the solution requires encrypted files when downloaded, but the solution here is only encryption at rest
upvoted 12 times
gmishra88
2 years, 2 months ago
One of those typical Microsoft questions that punishes people who know something. If you do not understand the question then you will answer No, correctly (don't store images in cosmos), but if you know encryption to the next level you think it is encrypted so it is Yes. But one more level if you think then server side encryption (at rest) is not enough if it is already downloaded.
upvoted 5 times
vizay
1 month, 2 weeks ago
✅ While Stored in Cosmos DB (Encryption at Rest) Azure automatically encrypts the data on disk. Even if someone gains unauthorized access to the storage system itself, they cannot read the raw data without the proper keys. ✅ This is encryption at rest — data is protected while stored. ❌ After Downloading the File Now imagine: A doctor downloads a patient’s form from the web app to their personal laptop. That laptop doesn't encrypt files by default. Now, the file is sitting unprotected on the laptop — not encrypted anymore. If that laptop is lost or hacked, the sensitive patient info can be read.
upvoted 1 times
vizay
1 month, 2 weeks ago
🔄 What Happens Step-by-Step: You encrypt the file yourself (using something like AES-256). Now the file is protected, and only someone with the right decryption key can read it. You upload the encrypted file to Azure Blob Storage. Azure automatically applies Storage Service Encryption (SSE) too — a second layer of encryption at rest. Later, when the file is downloaded, it's still encrypted from your side — because you encrypted it before uploading. 🔐 The person who downloads it can’t read it without the decryption key. ✅ This solves the problem of files becoming readable after download.
upvoted 1 times
...
...
...
...
pieronegri
3 years, 9 months ago
agreed
upvoted 2 times
...
...
mlantonis
Highly Voted 3 years, 6 months ago
Correct Answer: B - No If storage is encrypted by default but you need to encrypt the content so when downloaded, its useless to unauthorised party. Instead use an Azure Key vault and public key encryption. Store the encrypted from in Azure Storage Blob storage.
upvoted 30 times
TMakki
2 years, 3 months ago
Absolutely right. Data is encrypted at rest but when downloaded it is not.
upvoted 3 times
...
...
J_obando13
Most Recent 1 month ago
Selected Answer: B
Got this in the exam today! May 15, 2025. Went most voted. 940/1000. 50 of 51 from examtopics. Cases Munson’s Pickles and Preserves Farm (7) and Fourth Coffee (3)
upvoted 1 times
...
jobolesonihal
8 months, 3 weeks ago
Selected Answer: B
Azure Storage Service Encryption, also known as server-side encryption (SSE), is a form of transparent data encryption1. This means that data is automatically encrypted when it is written to Azure Storage, and automatically decrypted when it is read1.
upvoted 1 times
...
MysticalSam
1 year, 6 months ago
This question was in today's exam on 10-June-2023
upvoted 3 times
...
Saluk_DE
1 year, 8 months ago
Selected Answer: B
Question was in Exam 2023-03-30
upvoted 1 times
...
sarmaria
1 year, 9 months ago
Got this on 16/03/23. Chosen No. Make sure to prepare for case study. I got city and lights case study. No Kubernetes, Search, Logic Apps questions for me.
upvoted 2 times
...
hubekpeter
2 years ago
Selected Answer: B
For a god sake. This is an encryption at rest, where you are encrypting the underlying storage doesn't matter if it's with a azure or customer managed keys instead of encrypting each document itself on an upper layer.
upvoted 1 times
...
OPT_001122
2 years ago
Selected Answer: B
No - correct ans
upvoted 1 times
...
eX900
2 years, 2 months ago
If I have any doubts about the question, I would check these users (who are the top commenters) to be sure: - Eltooth - mlantonis - glam Thank you guys. 🤙
upvoted 4 times
Ciupaz
1 year ago
Good tip, thanks.
upvoted 1 times
...
...
TMakki
2 years, 3 months ago
Selected Answer: B
Data is encrypted at rest but when downloaded it is not. So when downloaded by third party it is not encrypted so instead use an Azure Key vault and public key encryption
upvoted 3 times
...
Knightie
2 years, 3 months ago
Selected Answer: A
It is encrypted at rest, but available (not encrypted) for third party to download the copy, so the third party can read, come on. regarding encryption on transfer, it's the job of https.. so that's the way for third party to get the scanned copy, right?
upvoted 2 times
alcideus
2 years, 3 months ago
Then why did you put A as your answer lol
upvoted 3 times
...
...
xRiot007
2 years, 6 months ago
The answer is No. Encrypting the storage itself only. If someone requests it, they will get plain data.
upvoted 3 times
...
Eltooth
2 years, 6 months ago
Selected Answer: B
B is correct answer.
upvoted 3 times
...
petitbilly
2 years, 9 months ago
Got it in exam 03/22
upvoted 2 times
...
altafpatel1984
3 years ago
I guess Cosmos DB is for semi-structured data, not for unstructured data. Here scanned copies of forms are pdf/image files which are unstructured files, hence they cannot be stored in CosmosDB. Instead should be stored in Blob Storage which also supports security for data in-transit and data at rest. And because of this B - No is correct.
upvoted 2 times
...
glam
3 years, 7 months ago
B. No..
upvoted 5 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel