Exam AZ-304 topic 2 question 38 discussion

D The storage account and the key vault or managed HSM must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions.

D. an Azure key vault in the same Azure region as the storage account

Answer is B and i have noticed many errors in discussions answers. Is the a mlantois for this exam? https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-existing-account?tabs=azure-portal

https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-existing-account?tabs=azure-portal When you enable customer-managed keys for an existing storage account, you must specify a managed identity that will be used to authorize access to the key vault that contains the key. The managed identity must have permissions to access the key in the key vault. You can use a new or existing key vault to store customer-managed keys. The storage account and key vault may be in different regions or subscriptions in the same tenant. To learn more about Azure Key Vault, see Azure Key Vault Overview and What is Azure Key Vault?. So B

The documentation in Microsoft says - They can be in different region. https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview "You can either create your own keys and store them in the key vault or managed HSM, or you can use the Azure Key Vault APIs to generate keys. The storage account and the key vault or managed HSM must be in the same Azure Active Directory (Azure AD) tenant, but they can be in different regions and subscriptions."

I wonder what they'd mark us. I am pretty adamant the answer is D.

When you enable customer-managed keys for a storage account, you must specify a managed identity that will be used to authorize access to the key vault that contains the key. The managed identity must have permissions to access the key in the key vault. https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-key-vault?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&tabs=portal D is wrong - Do not need to be in the same region Nothing to do with A.

B When you enable customer-managed keys for a storage account, you must specify a managed identity that will be used to authorize access to the key vault that contains the key. The managed identity must have permissions to access the key in the key vault. https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-configure-key-vault?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&tabs=portal

Nothing to do with the Cert.

Had seen this kind of question on AZ-500 . Answer is D.

D. an Azure key vault in the same Azure region as the storage account

i think it's D because is it not about cert?

D is correct

Answer should be D. same region

must be same reagion

https://docs.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview "You can either create your own keys and store them in the key vault or managed HSM, or you can use the Azure Key Vault APIs to generate keys. The storage account and the key vault or managed HSM must be in the same region and in the same Azure Active Directory (Azure AD) tenant, but they can be in different subscriptions."

A is the answer, the key word is custom. keyvault do not need to be in the same region as the storage account