AZ-500 Microsoft Azure Security Technologies Exam

Are you a guardian of your domain? Learn how to leverage your aptitude in security to protect Microsoft Azure technologies, with a goal of earning the Microsoft Certified: Azure Security Engineer Associate certification!


Enable double encryption at the Azure Storage infrastructure level

Implement and Validate Double Encryption

Double encryption adds two layers of protection for data stored in Azure. The first layer is service-level encryption, which encrypts data before it’s written to disk. The second layer is infrastructure encryption, which applies an extra 256-bit AES encryption at the storage hardware level. This approach guards against the compromise of any single key or algorithm, ensuring that even if one encryption layer is breached, the data remains secure. Together, these layers create a strong defense in depth for sensitive information.

Azure offers both platform-managed keys and customer-managed keys for the primary, service-level encryption. Customer-managed keys are stored in Azure Key Vault or hardware security modules (HSMs), giving you full control over rotation and access. Infrastructure encryption always uses Microsoft-managed keys, which are rotated automatically by Azure. This clear separation of key responsibilities helps meet strict compliance and regulatory requirements.

You must enable infrastructure encryption when you create a supported storage account or encryption scope. Once enabled, it cannot be turned off or modified, so plan carefully before deployment. You can configure it using:

  • Azure portal: select Enable infrastructure encryption on the Encryption tab
  • PowerShell: add -RequireInfrastructureEncryption with New-AzStorageAccount
  • Azure CLI: include --require-infrastructure-encryption with az storage account create
  • ARM template: set "requireInfrastructureEncryption": true in the account properties

After deployment, validate and monitor the double encryption setup using Azure’s built-in tools. Check the Encryption blade in the portal to confirm both layers are active. Use PowerShell or Azure CLI to view the RequireInfrastructureEncryption field in the storage account properties. You can also enable diagnostic logs and Azure Monitor metrics to detect any failures, and create alerts on operations like EncryptionRead and EncryptionWrite to ensure continuous compliance.
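The Azure CLI path described above, creation followed by validation, as an added example that is not part of the course material. The resource group, account name and location are placeholders; the script passes an explicit value to --require-infrastructure-encryption and checks the requireInfrastructureEncryption field in the JSON that az storage account show returns. The validation helpers are exercised against constructed sample output so they can be read and run without an Azure subscription; the live create/show calls run only when the script is invoked with --live.

```shell
#!/usr/bin/env bash
# Added example (not from the course page): create an Azure Storage account
# with infrastructure encryption, then confirm the setting on the account.
# RG_NAME, ACCOUNT_NAME and LOCATION are assumed placeholder values.
set -euo pipefail

RG_NAME="${RG_NAME:-rg-double-encryption-demo}"   # placeholder resource group
ACCOUNT_NAME="${ACCOUNT_NAME:-stdoubleenc001}"    # placeholder account name
LOCATION="${LOCATION:-eastus}"                    # placeholder region

# Infrastructure encryption can only be requested at creation time, so the
# flag belongs on `az storage account create`, never on a later `update`.
create_double_encrypted_account() {
  az storage account create \
    --name "$ACCOUNT_NAME" \
    --resource-group "$RG_NAME" \
    --location "$LOCATION" \
    --sku Standard_LRS \
    --kind StorageV2 \
    --require-infrastructure-encryption true \
    --output none
}

# Return 0 when the JSON from `az storage account show -o json` reports the
# second (infrastructure) layer as enabled, 1 otherwise. grep is used so the
# check works on hosts without jq.
infra_encryption_enabled() {
  local json="$1"
  printf '%s' "$json" \
    | grep -E '"requireInfrastructureEncryption"[[:space:]]*:[[:space:]]*true' >/dev/null
}

# Print which key source protects the first (service-level) layer:
# "Microsoft.Storage" for platform-managed keys, "Microsoft.Keyvault" for
# customer-managed keys held in Key Vault or a managed HSM.
service_key_source() {
  local json="$1"
  printf '%s' "$json" \
    | sed -nE 's/.*"keySource"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/p' \
    | head -n 1
}

# Fetch the live account properties and fail loudly if the second layer is
# missing, since the only remedy is to recreate the account.
verify_live_account() {
  local json
  json="$(az storage account show \
    --name "$ACCOUNT_NAME" --resource-group "$RG_NAME" --output json)"
  if infra_encryption_enabled "$json"; then
    echo "OK: $ACCOUNT_NAME has infrastructure encryption;" \
         "service-level key source: $(service_key_source "$json")"
  else
    echo "FAIL: $ACCOUNT_NAME lacks infrastructure encryption;" \
         "it cannot be enabled after creation, recreate the account" >&2
    return 1
  fi
}

# Constructed sample output (not captured from a real subscription), trimmed
# to the fields the checks above read.
SAMPLE_ENABLED='{
  "name": "stdoubleenc001",
  "encryption": {
    "keySource": "Microsoft.Storage",
    "requireInfrastructureEncryption": true
  }
}'
SAMPLE_DISABLED='{
  "name": "stlegacy001",
  "encryption": {
    "keySource": "Microsoft.Keyvault",
    "requireInfrastructureEncryption": false
  }
}'

if [ "${1:-}" = "--live" ]; then
  create_double_encrypted_account
  verify_live_account
else
  # Offline walk-through against the constructed samples.
  infra_encryption_enabled "$SAMPLE_ENABLED" && echo "sample 1: both layers on"
  infra_encryption_enabled "$SAMPLE_DISABLED" || echo "sample 2: second layer off"
fi
```

Run it as `./double_encryption.sh --live` after `az login` to create and verify a real account; without the flag it only evaluates the two constructed samples. Note that a customer-managed keySource on its own says nothing about the second layer: the Key Vault sample above still fails the check because requireInfrastructureEncryption is false.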

Conclusion

Double encryption at the Azure Storage infrastructure level provides two independent encryption layers—service-level and hardware-level—to protect data against a wide range of threats. By using both platform- and customer-managed keys, organizations maintain control over primary encryption while benefiting from Microsoft’s automated key management for the second layer. Enabling infrastructure encryption is a one-time, irreversible step configured during storage account creation via portal, PowerShell, CLI, or ARM templates. Finally, validating and monitoring encryption status with Azure tools ensures that any issues are quickly detected and addressed, helping maintain continuous security and compliance.